Episode 62: Tuning Application Control Technologies
Amrit Williams, BigFix CTO discusses application control with Tom Murphy of Bit9, and how to avoid endpoint lockdown.
FULL TRANSCRIPT
Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter. Today I am joined by Tom Murphy. Tom Murphy is CMO, Chief Marketing Officer, with Bit9. Tom, thanks for joining me today.
So I wanted to just sort of drill into something you said, which is around the tuning. The impression, especially as folks have worked with HIPS-based technologies on the endpoint, is that the tuning aspect of it becomes fairly heavyweight. So when you say tuning, I mean, as we know, there are a lot of things that go into application management, and large enterprises, some have thousands of applications. What is the expectation that organizations should have in terms of having to tune application control technology?
Tom Murphy: When we approve software, and the key to whitelisting is software approvals, so it’s not really locking down an endpoint so no new software can run, most companies could probably implement that in some form. The key to whitelisting is to allow legitimate software to get on the endpoint.
So when you think about tuning, what you are doing is you are tuning the legitimate sources of software to get on the endpoint to ensure that users are not disrupted, and to ensure the company can operate as intended. So Bit9 has established in the industry more ways of tuning, more ways of approving software for the endpoints.
I will give you a couple of examples. Some of them are relatively broad, and what I mean by broad are, they can take a large number of applications and software, and allow that to be approved, and some of them are right down to the file level. So I will start with the broader approaches first.
One is the concept of a trusted publisher. A trusted publisher is when software is digitally signed, just look for the digital certificate. If it’s from someone, for example, like Microsoft, allow it to be installed.
A second would be a trusted directory. Most software distribution products have a staging area where they put software before it gets picked up and pushed out to the endpoints. Then I can watch that staging area to pick up and see the new software that’s been put there and say, okay, automatically approve that, so when the software distribution product puts it on the endpoint, it’s automatically approved.
Those are just two examples of broad brushes of approval that make the tuning, big chunks of tuning get automatically added to the whitelist. Therefore, you are taking out 90% of the software that goes to the endpoint by looking at those broad brushes.
The other comes down to corporate policy. What do they allow and not allow on the endpoints? Bit9 does have — we think about this thing as locked down, only approved software can run, but there’s other policy enforcement on the endpoint as well, where users can be in more of an audit mode, which is, don’t lock down the machine, just tell me what’s on the machine, tell me when they run new applications, when they are installed, and monitor use of applications.
Another is block and ask, where we actually put the enforcement in the user’s hands. We ask the end user anytime something new wants to install, do you actually want this to run? So there is a spectrum of controls and policies, and we try to map what the corporate entity is trying to enforce on their endpoints.
Amrit Williams: You said something, I think, that’s very important, and I want to circle back on that and clarify it for those listening, because, I think, the impression is, with technologies like application control that it’s a lock down technology, that, that is the approach. I think that’s what gives people all the consternation about application control that you essentially take a static point in time, you then lock down the machine, and you try to inhibit any deviations from that, whether it’s coming from the user or somewhere else.
But what you stated is very important, is that the success of application control is really around the software distribution process. It’s really around how applications get on the endpoint and how you integrate technologies so that that becomes part of how an organization develops and deploys software. So as part of software distribution, as you mentioned, the capabilities for a software distribution component, as they distribute software for that process, for that software payload distribution to be included into the whitelisting in an automated way is really powerful.
Do you think that there is enough people that understand that nuance, because it’s very different to say, the key to this, the key to managing application control and being effective with it really is in trying to implement and integrate as part of your normal software distribution process, versus trying to lock down and inhibit users from doing things? I am not sure that’s fully understood. What are your thoughts on that?
Tom Murphy: Well, I have been here four years, and I definitely see more and more, as time goes on, people understand that whitelisting or app control isn’t lock down. I would say four years ago when I came on to the scene at least and started evangelizing the concept of whitelisting, it was really focused more on just absolutely stop new, unauthorized malware targeted attacks.
What people are realizing more and more is that there are so many other benefits to whitelisting, based on just understanding configurations and understanding how to control them.
So there’s been a lot — Windows 7 comes out with AppLocker, and a lot of the endpoint protection vendors refer to software reputation services as a way of assessing the trustworthiness of software and then making a decision on the software.
If you think about these, these are really just derivatives of what Bit9 has been doing for a while, and that is, go in, understand whether the software should be allowed to run, and then enforcing a policy.
So in a roundabout way what I am saying is, four years ago, I would say absolutely, there was very little distinction or, I guess, expansion of the definition to include things like software approvals, it was just more of a lock down. Now with Gartner’s exposure, Neil MacDonald, John Pescatore, with — there was an article that was put out yesterday by InfoWorld, talking about whitelisting, and the keys to whitelisting, and Bit9 was — there was a product review with six different vendors, and Bit9 came out on top, and a lot of it had to do with the ability to assess the trustworthiness of software, using that global software registry to identify software.
So, I think, we have moved beyond “whitelisting equates to lock down,” and I do think people do understand that it’s about approving legitimate software for the endpoint.
Amrit Williams: I agree with you. I think there is that shift happening, and that’s good to see. I think there is another shift that has to happen as well, which is around the concept of operationalization of application control, and that it’s not just a technology that supports and enables the security program, but it is really beneficial to the operations side of it, especially as it relates to application management, software asset management, license controls. There is a huge impact to an organization if they are unable to properly or effectively perform a license true-up, if they are either under or over compliance, and I think there is a great tie-in for application control to support those licensing and application management aspects that organizations struggle with today, especially since you guys have some visibility into how those things occur on a fairly continuous basis.
Tom Murphy: That’s right.
Amrit Williams: So have you seen sort of the operations guys looking at application control in a way that isn’t just about inhibiting bad stuff, but also just trying to find efficiencies in how they run asset management?
Tom Murphy: Yeah. What we see is, as you can imagine with emerging technology, the early adopters of this technology are, in a lot of cases, people with the most pain. And people with the most pain, from an endpoint perspective, with regard to whitelisting, have traditionally been the security people, people that have experienced a breach, or their brand needs to be protected; ultimately it has had a security angle at first.
Over time, when people understand, as we just discussed in the previous section, when they understand that, it can be used to get that vast perspective of what’s on the endpoints.
Has it ever run before? When they start to realize that there is something about looking at an endpoint, establishing a baseline for an endpoint, how much has the endpoint drifted from the baseline, and when you look at the drift, layer on top of that drift either a threat or trust perspective.
People start to realize they can look at it from a license perspective. They can look at it from an operational perspective. What machine is at risk? What machines will probably generate the most trouble tickets? Trying to reduce the number of reimaging.
We have a phrase that we say internally, where desktops are polluted with unauthorized software, and it causes, as we know, three headaches. One is security risk. If you are under compliance regulations, it’s kind of a threat in that. And the third would be operational costs of just making sure — rule of thumb, for every 1,000 desktops, there is a desktop administrator. Ideally we can impact that; both Bit9 and BigFix can impact that number.
Amrit Williams: Well, I am always amazed at how many applications organizations run. I mean, when we do application inventories for organizations, even ones that are not terribly large, you see thousands of applications running. And when you look at some of the applications running — I mean, we were in a large enterprise, and there was an application for how to cut your hair. I don’t know where this application came from, no one did, who knows how it got on the computer, and you are right, there is a lot of bad stuff, but it has impact in other areas. It has operational impact on the organization, not just security impact.
One of the things that, I think, is really interesting about application control is, unlike some of the other security technologies, which tend to be reactive and responsive to threats — there is definitely an element of that in application control — application control has some very sophisticated, complementary aspects to the technology for the IT operations folks that may not be focused on security, but are much more focused on how to find efficiencies and effectiveness in the organization itself.
For that, I think, it’s really important that organizations look at how application control can not only support their security programs, but also can support their operations programs, whether it’s license management, asset management, or just general configuration management, and trying to ensure that there is not a lot of churn in the support group, or in the ways coming through the other tech organizations itself.
Tom, thanks for joining me today. For more information on Bit9, you can go to Bit9.com.
Announcer: You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.
Thanks for listening.
