Application Whitelisting



Similar documents
Process Solutions. Staying Ahead of Today s Cyber Threats. White Paper

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services

Effective Use of Assessments for Cyber Security Risk Mitigation

Process Solutions. Mitigating Cyber Security Risks in Legacy Process Control Systems. White Paper

Protecting Your Organisation from Targeted Cyber Intrusion

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Defending Against Data Beaches: Internal Controls for Cybersecurity

Application White Listing and Privilege Management: Picking Up Where Antivirus Leaves Off

Application Whitelisting - Extend your Security Arsenal? Mike Baldi Cyber Security Architect Honeywell Process Solutions

Endpoint Security: Moving Beyond AV

Data Management Policies. Sage ERP Online

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Ovation Security Center Data Sheet

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Cyber Security Risk

Verve Security Center

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

SANS Top 20 Critical Controls for Effective Cyber Defense

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

The Protection Mission a constant endeavor

Seven Strategies to Defend ICSs

Ovation Security Center Data Sheet

Technology Blueprint. Protect Your Servers. Guard the data and availability that enable business-critical communications

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities

Cyber Security for NERC CIP Version 5 Compliance

ForeScout CounterACT and Compliance June 2012 Overview Major Mandates PCI-DSS ISO 27002

Is Your Network a Sitting Duck? 3 Secrets to Securing Your Information Systems. Presenter: Matt Harkrider. Founder, Alert Logic

DHS ICSJWG Fall Conference Maintaining Necessary Information Paths Over Unidirectional Gateways

Why should I care about PDF application security?

CDM Software Asset Management (SWAM) Capability

Endpoint Security 2.0: The Emerging Role of Application Whitelisting Solutions. Todd Schell

How To Secure Your System From Cyber Attacks

McAfee Server Security

Closing the Antivirus Protection Gap

Building A Secure Microsoft Exchange Continuity Appliance

Persistence Mechanisms as Indicators of Compromise

Choosing Between Whitelisting and Blacklisting Endpoint Security Software for Fixed Function Devices

Developing A Successful Patch Management Process

Symantec Endpoint Protection Analyzer Report

Getting real about cyber threats: where are you headed?

Document ID. Cyber security for substation automation products and systems

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why Sorting Solutions? Why ProtectPoint?

Top five strategies for combating modern threats Is anti-virus dead?

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

The Four-Step Guide to Understanding Cyber Risk

Enterprise Cybersecurity: Building an Effective Defense

Devising a Server Protection Strategy with Trend Micro

How To Protect Your Network From Attack From A Virus And Attack From Your Network (D-Link)

Industrial Cyber Security. Complete Solutions to Protect Availability, Safety and Reliability of Industrial Facilities

October Application Control: The PowerBroker for Windows Difference

GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance

How To Protect Your Cloud From Attack

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

GE Measurement & Control. Cyber Security for NERC CIP Compliance

Industrial Security for Process Automation

Carbon Black and Palo Alto Networks

5 Steps to Advanced Threat Protection

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Desktop Security. Overview and Technology Guidance. Michael Ramsey Network Specialist, NC DPI

Cybersecurity Health Check At A Glance

INTRODUCING isheriff CLOUD SECURITY

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

How to Secure Your Environment

Towards End-to-End Security

THE TOP 4 CONTROLS.

Xerox Next Generation Security: Partnering with McAfee White Paper

Securing OS Legacy Systems Alexander Rau

Management of Change: Addressing Today s Challenge on Documenting the Changes

By John Pirc. THREAT DETECTION HAS moved beyond signature-based firewalls EDITOR S DESK SECURITY 7 AWARD WINNERS ENHANCED THREAT DETECTION

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

Developing Secure Software in the Age of Advanced Persistent Threats

External Supplier Control Requirements

PCI DSS Reporting WHITEPAPER

Ohio Supercomputer Center

Critical Security Controls

Assurance 360 Performa. Ensuring a Secure, Reliable and High-Performing Control System

Software Asset Management (SWAM) Capability Description

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

G- Cloud Specialist Cloud Services. Security and Penetration Testing. Overview

Network/Cyber Security

An Analysis of the Capabilities Of Cybersecurity Defense

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Best Practices for DanPac Express Cyber Security

eguide: Designing a Continuous Response Architecture Executive s Guide to Windows Server 2003 End of Life

(Self-Study) Identify How to Protect Your Network Against Viruses

Practical Steps To Securing Process Control Networks

Guideline on Vulnerability and Patch Management

The self-defending network a resilient network. By Steen Pedersen Ementor, Denmark

North American Electric Reliability Corporation (NERC) Cyber Security Standard

NetDefend Firewall UTM Services

ADVANCED THREATS IN THE ENTERPRISE. Finding an Evil in the Haystack with RSA ECAT. White Paper

Integrated Threat & Security Management.

Business Risk Assessment - A Primer

Symantec Protection Suite Enterprise Edition for Servers Complete and high performance protection where you need it

Defending Against Cyber Attacks with SessionLevel Network Security

GE Measurement & Control. Cyber Security for Industrial Controls

Securing the Intelligent Network

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

End-user Security Analytics Strengthens Protection with ArcSight

Transcription:

White Paper Application Whitelisting Executive Summary The increasing complexity and volume of applications, and the issues stemming from threats to these applications, is resulting in the requirement for new or improved security tools. As the security threat landscape continues to evolve so too must our response to security tools and best in class products and support of your infrastructure. One of the more recent developments in security protection is the concept of Application Whitelisting. Application Whitelisting is one of the latest tools offered to enhance your Defense in Depth security strategy. With increasing numbers of attempted intrusions, cautionary tales of security breaches and the potential for resulting damages at your site, Application Whitelisting can be an important addition to your security arsenal.

Application Whitelisting 2 Table of Contents Application Whitelisting in Control Systems... 3 Application Whitelisting 101... 3 Managing the Whitelist... 5 Critical Functions... 5 Where Does Whitelisting Fit... 6 Industrial IT Solutions and Lifecycle Overview... 6 Application Whitelisting in the Lifecycle... 6 Conclusions... 7 Is Whitelisting a Silver Bullet?... 7

Application Whitelisting 3 Application Whitelisting in Control Systems Defense in Depth is a fundamental building block for providing a more secure infrastructure and is the most widely accepted approach recommended for today s control systems. When ubiquitous flash drives can become precision guided munitions, we quickly conclude that the more in-depth the defense mechanisms, the better. Understanding the various tools that can enhance your security strategy is key to successful implementation. Physical Cyber Electronic Industrial IT focuses on the layers of potential vulnerability that surround the control system. Application whitelisting is an emerging approach to combating viruses and malware, allowing software considered safe to run and blocking all others. This approach is in contrast to the blacklisting approach used by anti-virus software, which is a standard signature-based approach that blocks or removes known harmful software. There are positive attributes to both approaches, and they are not mutually exclusive. One of the major characteristics of the blacklisting (anti-virus) approach is that it blocks known bad actors leaving a time gap between the detection of a new piece of malware and the inclusion of its signature in the latest update from the anti-virus vendor. During that time gap, there is a window of exploitation where your system may be vulnerable to the new malicious code. Figure 1: Defense in Depth The blacklist is growing at a rapid rate. Malware examples, such as the Storm i and Conficker ii worms, utilize signature-morphing methods that can quickly outpace our ability to adapt. In Q1, 2012, McAfee reports that this period shows the largest number of malware detected per quarter in the last four years! iii and goes on to suggest the total number of pieces of malware in their database should exceed 100 million by the end of this year. Because malware has become such a growth industry, an additional defense approach is needed whitelisting. Application whitelisting permits only applications and executable files which are on the approved list and blocks everything else. The onus, then, is on the administrator of the whitelisting system to determine what is safe, and to ensure that critical applications are not omitted from the approved list. While both blacklisting and whitelisting approaches are being employed in many industries, perhaps none is as cautious as the control systems industry. Exploitations may range from the annoying, merely irritating to financially harmful in traditional information systems, and even approach levels of national security. For control systems, these exploitations can have safety issues, with potential loss of life or damage to the environment. Application Whitelisting 101 The basic concept behind application whitelisting is to permit only good known files to execute, rather than attempting to block malicious code and activity. Application whitelisting accomplishes its objectives by creating a list of approved hashes and allowing only files with approved hashes to execute. The general concept is quite simple, but the application of the concept can be complex. In general implementation, conflicts can arise in today s open creative workplace. Control systems are less tolerant of the limitations that can result from an application whitelisting implementation. Why white list? Perhaps your first introduction to the white list approach was for email management specifically, for eliminating spam and allowing messages you want to receive. We see it today as a way to prohibit unapproved software/applications from running on the protected system. Good software makes its way onto the white list, while unauthorized software is prohibited from executing. Whitelisting is a good defense against certain types of zero day intrusions, but cannot protect against all zero day defects.

Application Whitelisting 4 Application whitelisting can be applied in a monitor only mode, and is used in this manner typically by organizations that cannot lock down systems due to operational issues. When used in this manner the whitelisting system can provide visibility as to the executables running on a system and can be used to detect, confirm and respond to attacks. Whitelisting does put in place a capability to enable better change management, protecting against unauthorized changes to the system configuration an approach that might have provided some defense against Stuxnet. Some asset owners are now implementing whitelisting in response to NERC-CIP requirements. Forward-thinking whitelisting advocates are looking at advancements in whitelisting as a way to quarantine unauthorized software upon discovery, quarantine after blocking, enhance whitelist management, and as a way to produce a file system inventory that can accelerate verification of software on a hardware platform. Application whitelisting is designed to prevent unauthorized applications from running, and should: Enforce a list of approved applications, Include an administration tool that allows for adjustment to the whitelist, and Monitor and report attempts to violate the policy. For control systems, whitelisting solutions must undergo the same level of scrutiny that was used on anti-virus solutions over the past several years. Much of the experience with security tools has been at the Business Information Technology (IT) level. When it comes to security, the focus of Business IT is different from industrial control systems. This point of discussion has been documented in many publications, including the National Cyber Security Division of the Department of Homeland Security. Figure 2: Level of Importance The simple way of stating the differences is CIA Confidentiality, Integrity, and Availability and the level of importance associated with each area. According to the referenced report iv, Business IT ranks Confidentiality and Integrity with high importance, and Availability with lower importance. You might guess that industrial control systems have a different view, with Availability at the very high importance level, Integrity at medium importance, and Confidentiality ranked as low importance. More easily stated, industrial control systems rank the importance of these three elements in reverse order from Business IT s ranking. As you might expect, whitelisting was designed and architected for the enterprise environment (Business IT). Industrial control systems provide some unique challenges for whitelisting products, including: Availability and access for downloading the latest updates, Processing requirements that prohibit rebooting except at specific times, Legacy systems that have limited resources available, High importance of stability, Importance of meeting Critical Infrastructure Protection (CIP) standards set forth by NERC for the electricity industry and similar standards in other industries. This list of challenges applies not only to whitelisting, but to most mechanisms that are deployed for industrial control systems. That is why Honeywell tests any and all new technologies extensively on its core control systems. We understand the Industrial IT perspective that Availability is most important.

Application Whitelisting 5 Managing the Whitelist One of the major considerations when implementing an application whitelisting solution is how to manage the whitelist. Available whitelisting solutions provide a variety of management options. Most application whitelisting products will include one or more of the following management methods. The Gold Image This option is a good solution for situations where software is relatively static and not subject to a lot of change. The idea is that a standard workstation image is hashed and becomes the gold image. For user workstations, this gold image is only the starting point and changes often in most organizations. After building the workstations to the first whitelist, keeping it up to date becomes a challenge. Digital Certificates This option is one of the most effective techniques because it can recognize certain publishers of software, since most software vendors digitally sign their applications. The digital signature can then be used by the whitelisting software to approve software automatically from a trusted vendor list. This approach can be of great help in a Microsoft environment on patch Tuesday, where updates from Microsoft with the trusted digital signature will automatically be accepted. This approach can be very helpful in enabling organizations to create general policies to trust certain software publishers while still blocking malicious code. Trusted Update Methods This method is based on a set of pre-defined accounts, processes or network locations that are trusted automatically. For instance, a key process that needs to be trusted is patch management. Rather than go through a time-consuming process of recalculating hashes against a known good image, most organizations will opt to trust updates from their patch management systems. Other options in the method include trusted network shares and trusted user accounts, where installation files may be placed for approved programs, and the associated file hashes are added automatically to the whitelist. Manually approve updates to the system This method carries the most overhead, but has lower risk if implemented properly, with adequate checks of all files added to the system before approving them. Hence, we can conclude that administration of the whitelisting system is a key function that must be understood and planned. Critical Functions When considering application whitelisting software, keep in mind the critical functions that you expect that software to perform. A great deal of discussion in the marketplace has resulted in lists of these functions, and there are some variations in what some consider to be critical. However, there is a basic set of functions that should be present, including: Accuracy/Effectiveness The application whitelisting software should accurately identify and fingerprint applications and services on a given platform using one or more of the management methods discussed above. Coverage Coverage entails the breadth of file types covered by the solution. Whitelisting solutions can cover executable files, scripts, macro modules, and even write-protect any text or configuration file. Many whitelisting tools only cover executables (.exe files) and dynamiclink libraries (DLLs), not addressing code such as Java, ActiveX and specialty code such as drivers and kernel components. Most AWL solutions inspect the file header of all files on the system to determine which files are of interest based on the likelihood that they could be executed. AWL solutions do not typically rely on file extensions. Administration Administration addresses the level to which administrators can manage the system, the flexibility of the interface (allowing administrators to define trusted updaters, configuration in either audit or enforcement mode, etc.). Reporting Reporting can take on the added benefit as a prevention tool. The mechanisms that monitor and report on the actions of the tool within an environment vary, but it is important to understand what provisions are available with the tool, to determine if those provisions are adequate for your operation, and to evaluate how the tool will help in detecting, confirming and responding to attacks. Value While value may not be considered a critical function, the benefits upon which it is based entail certain functions that, if not present, devalue the solution. Value, then, is based on the cost of the tool measured against benefits to the operation. These benefits may vary by organization, but would include such measures as ease of integration, ease of deployment, and enhancement to the defense in depth strategy. An additional measure of value for certain industries is how whitelisting might fit into compliance strategies (such as NERC Critical Infrastructure Protection sections focused on change and configuration management; patching, malware prevention and privilege control; and incident handling and reporting).

Application Whitelisting 6 Where Does Whitelisting Fit? Industrial IT Solutions and Lifecycle Overview Honeywell s Industrial IT Solutions offers a logical approach to securing your critical infrastructure, with distinct phases outlined in the process. Industrial IT clarifies the actions in each phase of the lifecycle. Figure 3: Industrial IT Lifecycle Phases Taking a logical approach to managing the Industrial IT lifecycle is key to securing your critical infrastructure. Each phase in the lifecycle is important, and the Assess phase is perhaps the most revealing. Assessing assets and vulnerabilities against industry standards and best practices provides a roadmap to eliminating or diminishing revealed areas of risk. During the assessment phase, the applicability, deployment strategy and proper selection of technologies like AWL will come to light. In future assessments the effectiveness and value of your AWL solution will be evaluated to ensure your solution evolves over time in line with security needs. The Remediate phase begins by addressing vulnerabilities and misalignment with industry standard and best practices. A customdesigned security program is one of the deliverables from this phase. If you are just starting out with AWL and do not currently use it anywhere, this is the phase of the security lifecycle in which you will likely deploy AWL. Once remediation has occurred, it is necessary to keep the network and security programs at their optimum level. This activity occurs in the Manage phase of the Industrial IT lifecycle. In this phase, the focus is on preserving and enhancing the investment made in Industrial IT, primarily network security, by applying services and training. Ongoing management of systems and technology would include workflow implementation, anti-virus and patch management services, network perimeter management, testing, and change management programs. Extending our discussion on AWL, it is the management phase that will make or break your investment and therefore your return on an investment in technology like AWL. The Assure phase relies on a compliance manager that provides a single, interactive portal for managing and tracking compliance such as NERC CIP compliance. This activity requires the integration of multiple data sources along with the tools and functions that enable the ability to manage and to react to change. Real-time data should enable accurate reporting with minimal effort. Consulting services and system monitoring are included in this phase. It is important that the design of an AWL technology be configured in such a way as to allow for easy visibility into the reporting tools AWL has to offer. Application Whitelisting in the Lifecycle Application whitelisting is an addition to the arsenal of tools in used to implement your defense in depth strategy. Its greatest value to your organization comes from the Manage phase of the Industrial IT lifecycle. System hardening, virtualization requirements and implementation considerations are included in this area. Included is the wide selection of Commercial off the Shelf (COTS) products, and the determination of which are the best fit for a given area of risk. These tools perform functions that include: Anti-Virus Patch Management Application Whitelisting Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) Vulnerability Management Network Management Log Analysis

Application Whitelisting 7 Conclusions Cormac Herley, a principal researcher at Microsoft Research, argues that the existing data on the estimated losses from cyber attacks is wildly inaccurate to the point that analysts have no idea what the problem s economic impacts are. v The discovery of the Stuxnet worm in 2010 brought the potential of cyber attacks to the attention of the industrial control system community like no other previous event. 2011 was the year that most organizations demonstrated their readiness to develop and deploy cyber tools. Stuxnet was designed to carry out acts of sabotage. Other cyber weapons, used to destroy data at a given time, are likely to be more widely used. Programs such as kill switches, logic bombs, etc., can be developed on a regular basis and deployed systematically. The challenge for industrial control systems is one of preparation, vigilance, and agility. Is Whitelisting a Silver Bullet? Vendors of whitelisting products, who tend to be highly optimistic, are likely to say that whitelisting is indeed a silver bullet. Is it a replacement for AV software tools? Honeywell s position is that whitelisting should be used as a "complementary" security defense. Whitelisting application control does detect attacks that AV and other Intrusion Prevention System technologies don t, but there are attacks like buffer overflows, SQL injection and cross-site scripting that tools like AV do detect and are (so far) not addressed by application whitelisting vi. Whitelisting can be quite restrictive and requires compatibility and interoperability testing by industrial control system vendors (much like AV tools have required). When implementing whitelisting for control system endpoints, allowing only certain applications to run, you need to understand the execution environment. For instance, if an approved executable that creates a new file that must be executed, such as a batch or script file, that new file must also be allowed to run. Therefore, Application Whitelisting must be tailored / tweaked for all use scenarios when used on an Industrial Control System. This understanding of the implications of whitelisting is particularly important on a mission critical server. Regardless of the depth of initial usage in control systems, whitelisting is a technology that provides another layer of defense and will be available for process control systems. i Storm is a backdoor Trojan Horse distributed through an email message, with a subject line about weather and storms. It is suspected to be of Russian origin and accounts for as much as 8% of global malware infections. ii Conficker is a computer worm targeting Microsoft Windows operating system, first detected in November 2008 that exploited a software flaw and propagated, while forming a botnet. Its combined use of many advanced malware techniques made it particularly difficult to counter. Conficker is the largest known computer worm infection since the Welchia worm in 2003. iii (PDF) McAfee Threats Report: First Quarter 2012. Page 6 http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2012.pdf iv (PDF) Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies, Control Systems Security Program, National Cyber Security Division, Department of Homeland Security, October 2009. Page 5. v Cybercrime statistics wildly inaccurate, says researcher, Homeland Security Newswire, June 29, 2011. vi Automation World article: What about Whitelisting?, March 31, 2012

White Paper For More Information Learn more about how Honeywell s Industrial IT Solutions and how they can enhance the security of your operations, visit our website www.honeywellprocess.com or contact your Honeywell account manager. Honeywell Process Solutions Honeywell 1250 West Sam Houston Parkway South Houston, TX 77042 Honeywell House, Arlington Business Park Bracknell, Berkshire, England RG12 1EB Shanghai City Centre, 100 Junyi Road Shanghai, China 20051 www.honeywellprocess.com WP-12-19-ENG July 2012 2012 Honeywell International Inc.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information