Research suggests that each day we see more than 200,000 new variants of malware that antivirus simply cannot detect.
So, what is the answer? Unfortunately, we are unable to conduct one sweep to block the ‘bad guys’; we cannot identify them quickly enough.
Let’s consider what we do with physical access control: access to restricted areas of a building is granted only to the holder of a relevant security badge. Access control isn’t based on a blacklist of names; the access control system grants access to a list of approved or ‘allowed’ names. Adopting the same process in IT systems is paramount: whitelisting of applications. Only applications and processes that have been granted permission should be allowed to run. We can do this using Microsoft’s AppLocker feature, a free solution which works very well (unfortunately very few system administrators know about it). We grant permission for certain applications to run, e.g. only the Microsoft, Autodesk, Sage and Adobe product families, and nothing else will start. (Another product providing similar functionality is RES Workspace Manager.)
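As an added illustration (not from the original post), the following PowerShell builds an AppLocker publisher allow-list for the product families just named and applies it in audit mode first, so that would-be blocks are logged rather than enforced. It assumes an elevated PowerShell session on Windows 10/Server 2016 or later with the Application Identity service running; the vendor substrings, scan directories and sample download path are illustrative placeholders.

```powershell
# Added example, not from the original post: build an AppLocker publisher
# allow-list for the product families named above and apply it in audit mode.
# Assumptions: elevated PowerShell on Windows 10/Server 2016 or later, the
# Application Identity service (AppIDSvc) running; vendor substrings, scan
# directories and the sample path are illustrative placeholders.
$AllowedPublishers = @('MICROSOFT', 'AUTODESK', 'SAGE', 'ADOBE')
$ScanDirectories   = @('C:\Program Files', 'C:\Program Files (x86)')
$PolicyFile        = Join-Path $env:TEMP 'applocker-allowlist.xml'

# A file qualifies only if it is signed AND the signer matches an approved vendor.
function Test-AllowedPublisher($fileInfo) {
    $pub = $fileInfo.Publisher
    if (-not $pub) { return $false }            # unsigned: never allowed by publisher
    foreach ($v in $AllowedPublishers) {
        if ($pub.PublisherName -like "*$v*") { return $true }
    }
    return $false
}

# Gather signature details of every .exe under the scan directories.
$candidates = foreach ($dir in $ScanDirectories) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}
$approved = $candidates | Where-Object { Test-AllowedPublisher $_ }

# Publisher rules survive vendor updates; -Optimize collapses to one rule per publisher.
[xml]$policy = New-AppLockerPolicy -FileInformation $approved -RuleType Publisher `
    -User Everyone -RuleNamePrefix 'Vendor' -Optimize -Xml

# Start in AuditOnly: would-be blocks are logged (event 8003) without breaking users.
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($PolicyFile)

# Dry-run the policy: an unsigned download should come back as Denied.
Test-AppLockerPolicy -XmlPolicy $PolicyFile -User Everyone `
    -Path 'C:\Users\Public\Downloads\unknown-tool.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule

# Merge into the local policy. Add AppLocker's default rules as well so Windows
# itself keeps running, and review the audit events before switching
# EnforcementMode to 'Enabled'.
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 20 |
    Where-Object Id -eq 8003 | Select-Object TimeCreated, Message
```

Run the audit phase for a few weeks across representative workstations; every 8003 event is an application that users rely on but the allow-list does not yet cover.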
Is whitelisting enough? Well, it depends on what we want to achieve. Realistically, if we want to have a reasonably sound and secure IT system we also need the following two items as standard:
- No local admin rights for users
- Unified Security Management (USM) approach: monitoring and maintenance of all aspects of the system, e.g. behavioural monitoring, vulnerability management, network intrusion detection, host-based intrusion detection and log analytics.
The case for no local admin rights is obvious. But what about a Unified Security Management (USM) approach? We cannot talk about a secure network without correlating all aspects of its operation. No system administrator can look into all logs, traces, netflows etc., but ignoring them is not an option. There are solutions on the market, e.g. AlienVault, which include automatic analysis and correlation of logs, traffic, vulnerabilities and threat intelligence, together with asset management, producing a set of actionable alerts. Such a solution filters hundreds of thousands of events, creating alerts for the events that require further exploration.
In conclusion, the following tools and actions we have discussed need to work together with antivirus and firewall for an IT system to be relatively sound and secure:
- Application whitelisting
- No local admin rights
- Unified Security Management
It is interesting to note that, as well as the topics we have discussed, it is imperative that all organisations have and use an actionable Information Security Management System; this is a topic in its own right and should not be confused with the USM approach.
Author: Derek Mizak
Derek Mizak is a cyber security consultant working on the application of Artificial Intelligence to cyber security practice. He is a Digital Forensic Investigator and ISO 27001 lead auditor.