Episode 61: Can Whitelisting Secure Endpoints Without Interrupting Workflow?
Amrit Williams, BigFix CTO, discusses whitelisting with Tom Murphy of Bit9, and what practices can strengthen endpoint security without disturbing workflow.
FULL TRANSCRIPT
Amrit Williams: Welcome, this is Amrit Williams, your host on Beyond the Perimeter. Today I am joined by Tom Murphy. Tom Murphy is Chief Marketing Officer (CMO) of Bit9. Tom, thanks for joining me today.
Tom Murphy: You are welcome Amrit.
Amrit Williams: So Tom, I wanted to talk a little bit about, obviously, whitelisting and application whitelisting at Bit9. Perhaps we could start with: what is whitelisting?
Tom Murphy: Sure. So Amrit, for 20 years the security industry has been chasing, I say chasing, bad software, malware, in the form of "let's build a signature as a defense against the bad software." In the past few years, I would say, it has grown exponentially; whether it's trying to get credit card information or personal identification information, it really has become kind of a black market business.
So what Bit9 has done is say, as an industry, let's take a different look or perspective at how people stop that software. We have come to the conclusion that we cannot keep up with the bad software, we can't keep up with that explosion, so why don't we define a set of approved applications and a set of approved sources of software. As new software comes to the endpoint, let's look at that software itself or where it came from, and if it's on the approved list, it's allowed to run; by default, if it's not trusted, not approved, it's not allowed to run.
Amrit Williams: I think there is nobody in the world right now, anyway, who even understands the space, that would question that the current blacklisting approach to anti-virus is unattainable, especially against the backdrop of the explosion of malware that we have had. But there are modifications that the anti-virus, anti-malware guys are doing for behavior-based monitoring and so on. But they don't always look at some of the transient aspects of applications, as they move through an organization, as they go through upgrades and what not. How do you guys deal with just the general concept of whitelisted applications that are allowed to run becoming infected themselves?
Tom Murphy: There are two ways. The first is, when we look at the application, we take three cryptographic hashes of the file. Cryptographic hashes represent kind of a DNA-like view of the file. And by taking three of them, we are ensuring that we have got three different layers and methodologies for ensuring the integrity of a file. By trusting a file, we are trusting those three hashes. If something changes in that file, if anything tampers with the file, anything at all that goes in and changes one single bit, it changes the DNA of the file, and ultimately changes the integrity of the file; therefore it would no longer be trusted.
In the case where you don't know what a file is, what Bit9 has done is build a Global Software Registry. This Global Software Registry, I like to phrase it as, is like running a background check on a piece of software, just like you would on an employee, if you don't know what a piece of software is. We take the hash on the endpoint. We see what the file is. We leverage that hash. We pass it up to our hosted service.
What the service does is it provides you background information, what is the application, what is the version, what is the product, a threat level for that application, and a trust factor for that application that we are deriving from the Global Software Registry.
So to answer your question, there are two main ways of protecting the integrity of a whitelist. The first is hash-based, to ensure that a file is not tampered with, and the second is to leverage the Global Software Registry to do the background checks on the software at all times.
Amrit Williams: Are there techniques that allow organizations to deal with internally developed applications? Obviously it’s one method to deal with a known good or the known bad, but what about those things that fall into the gray area, internally developed, vertical applications, web-based applications?
Tom Murphy: Sure. The approach that Bit9 has taken, leveraging the experience of working with hundreds of customers, is that we have watched how people build internal applications, how they consume applications from the web, how they update toolbars, ActiveX controls, JavaScript; it comes from many different sources, as you can imagine. What Bit9 has done is say, let's figure out each one of those sources.
So to come back to your example, if someone has internally developed code, what we have done is try to figure out the ways that they push out that code. One way they might push it out is through BigFix. They may use the BigFix Software Distribution or Patching capabilities. When they push out the application to the endpoints, that application obviously would go through the BigFix platform. We would actually watch the application coming through the BigFix platform and say, if it does come through BigFix, either a process or a directory used as a staging area, approve the software based on the fact that it's coming through BigFix. That's just one example of how we would trust internally developed applications.
Amrit Williams: Just for those listening, in terms of disclosure, BigFix and Bit9 do have a relationship and a partnership, and the ability for systems management companies to work with application vendors is, I think, something that drives and provides a lot of value to organizations.
I wanted to switch gears just a little bit to talk about some of the difficulties or challenges that organizations may face when they deal with application control. Just in general, with any type of endpoint security technology that impacts something that the user may do; whether it’s a port or a protocol that may be opened, whether it’s walking ingress/egress traffic, whether it’s trying to control the installation or the execution of an application, there is always some hit that an organization takes in terms of users being impacted.
What are some of the methods that organizations can go through to limit the impact on the end users, but also to maximize the ability for them to manage the solution as they go through all of the various application, life cycle management, processes that most organizations do on a fairly dynamic and regular basis?
Tom Murphy: What we have seen is that when customers deploy application whitelisting, as you can imagine, it is a different lens for looking at how to manage an endpoint. As you can imagine as well, when we go in and do an inventory, or any kind of survey of what's running on the endpoint, we also discover the sources of where software comes from; and as much as desktop administrators and Windows server administrators think they know where software is coming from, they are always surprised by the new sources.
With that said, what we do when we go through deployments is have a learning phase, where the product doesn't necessarily lock down on day one, or enforce a whitelist on day one of what is allowed to run, because that, as you said, could have a significant impact on end users if the people defining the whitelist don't know the sources and don't know the applications that are supposed to run.
So by default when the product is installed, it's in more of a learning mode, and then over time we roll out common groups that use common applications. Then we can put the product in what's called a block-report-only mode, which really means that when the product is flipped into this mode, it identifies to IT that it would have blocked a new application because it was not in the whitelist, but at the same time the end user is not impacted.
So we have built technology into the product that allows people to understand, to educate themselves on where software is coming from, to tune their whitelists, eventually to the point where they have got a good feel for where software is coming from and what's supposed to be on the endpoint, and then they migrate into a lockdown state.
Amrit Williams: Okay. Tom, thanks for joining me today. For more information on Bit9, you can go to Bit9.com.
Announcer: You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this Podcast are the personal opinions of Podcast participants and do not reflect official positions of their employers or BigFix.
Thanks for listening.
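Added illustration (not part of the transcript, and not Bit9's or BigFix's code): a minimal Python sketch of the mechanics discussed above, namely approving a file by multiple cryptographic hashes, auto-approving software that arrives through a trusted distribution staging directory, and the learning, block-report-only and lockdown rollout modes. The three digest algorithms, the staging path `/var/opt/bigfix/staging/`, and every class and function name here are assumptions for the example; the interview does not state them.

```python
"""Hash-based application whitelist with phased enforcement (hypothetical example)."""
import hashlib
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    LEARNING = "learning"            # approve whatever runs, block nothing
    BLOCK_REPORT_ONLY = "report"     # record what lockdown would block, block nothing
    LOCKDOWN = "lockdown"            # block anything that is not approved


@dataclass(frozen=True)
class Verdict:
    path: str
    action: str      # "allow" or "block"
    reason: str


def fingerprint(data: bytes) -> dict:
    """Three independent digests of the file contents. A file is trusted only if
    all three match, so passing off a modified binary as the approved one would
    need a simultaneous collision in every algorithm. Which three algorithms a
    real product uses is not stated in the interview; these are assumed."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


class AppControl:
    def __init__(self, mode: Mode, trusted_dirs=()):
        self.mode = mode
        # Staging directories of the software-distribution agent. Anything that
        # can write here is implicitly trusted, so in practice these paths must
        # be writable by that agent alone.
        self.trusted_dirs = tuple(trusted_dirs)
        self.approved = {}       # sha256 -> full fingerprint of an approved file
        self.reports = []        # (path, sha256) that block-report-only would have blocked

    def approve(self, data: bytes) -> dict:
        fp = fingerprint(data)
        self.approved[fp["sha256"]] = fp
        return fp

    def is_approved(self, fp: dict) -> bool:
        known = self.approved.get(fp["sha256"])
        return known is not None and all(known[alg] == fp[alg] for alg in fp)

    def check_exec(self, path: str, data: bytes) -> Verdict:
        fp = fingerprint(data)
        if self.is_approved(fp):
            return Verdict(path, "allow", "all hashes match an approved file")
        if any(path.startswith(d) for d in self.trusted_dirs):
            self.approve(data)   # trust by source: it came through the distribution channel
            return Verdict(path, "allow", "arrived via trusted distribution path")
        if self.mode is Mode.LEARNING:
            self.approve(data)   # learning mode records and approves new sources
            return Verdict(path, "allow", "learning mode: recorded and approved")
        if self.mode is Mode.BLOCK_REPORT_ONLY:
            self.reports.append((path, fp["sha256"]))
            return Verdict(path, "allow", "not whitelisted; would be blocked (reported only)")
        return Verdict(path, "block", "not whitelisted")


# Constructed sample "files"; the bytes stand in for executables.
APPROVED_APP = b"MZ\x90\x00approved-app-1.0"
TAMPERED_APP = bytes([APPROVED_APP[0] ^ 0x01]) + APPROVED_APP[1:]   # one bit flipped
INTERNAL_TOOL = b"MZ\x90\x00internal-tool-2.3"
UNKNOWN_DL = b"MZ\x90\x00free-screensaver.exe"
STAGING = "/var/opt/bigfix/staging/"     # assumed staging path, not a documented one


def run_scenario(mode: Mode) -> dict:
    """Returns {label: action} for four sample executions under one mode."""
    ac = AppControl(mode, trusted_dirs=[STAGING])
    ac.approve(APPROVED_APP)
    cases = [
        ("approved", "C:/Program Files/App/app.exe", APPROVED_APP),
        ("tampered", "C:/Program Files/App/app.exe", TAMPERED_APP),   # same path, modified bytes
        ("internal", STAGING + "internal-tool.msi", INTERNAL_TOOL),
        ("unknown", "C:/Users/alice/Downloads/screensaver.exe", UNKNOWN_DL),
    ]
    return {label: ac.check_exec(path, data).action for label, path, data in cases}


if __name__ == "__main__":
    for mode in Mode:
        print(mode.value, run_scenario(mode))
```

Two points the walk-through makes visible: in lockdown the tampered copy is blocked even though it sits at the same path as the approved binary, because every digest changed; and in learning mode that same tampered copy is silently approved, so the learning phase must run on endpoints known to be clean, otherwise the whitelist inherits whatever was already there.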
