Your SlideShare is downloading. ×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Application Explosion How to Manage Productivity vs Security


Published on

Windows users today are more application oriented than ever, but that hunger often leads them to unsafe choices. In this presentation you’ll learn about the attributes of both free and commercial …

Windows users today are more application oriented than ever, but that hunger often leads them to unsafe choices. In this presentation you’ll learn about the attributes of both free and commercial application security tools. You’ll also learn the key steps you need to follow to effectively accommodate user application needs without giving malefactors a foot in the door to your enterprise.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Application Explosion How to manage productivity vs. securityMel Beckman Chris Merritt David Murray Senior Director of Senior ProductTechnical Director Solution Marketing Manager Penton Lumension Lumension
  • 2. Agenda• Application vulnerabilities• Key application control points• Application identification trickiness• Application control flow• Microsoft’s default tools: SRP & AppLocker• AppLocker limitations & gotchas• Free application security controls• Attributes of commercial application control• The value of integration
  • 3. Application Vulnerabilities What Weʼre Up Against1. Undesired Applications 5. Bloatware Social networking, VoIP, Installed along with legitimate chat, shopping, games software, such as Adobe Reader Twitter, Skype, eBay, WoW Adobe DL Mgr, Google Chrome2. Unauthorized Packages 6. Ad/Spy/Scare/Zombieware Personal utilities, hacking Apps users want that have tools, unlicensed software ulterior motives iTunes, WireShark, PhotoShop WeatherBug, SystemFix, Gator3. Liability Software 7. Malware, Bots, and Trojans Peer-to-peer, copy cracking, Malicious code out to steal network scanners contacts, data and identities Limelight, freeme2, nmap Qhost, ZeuS, Trojan-BNK4. Resource Hogs 8. Rootkits and Back Doors Distributed computing, file Programs that modify the OS sharing, streaming media to permit future hacker re-entry seti@home, bittorrent, NetFlix TDSS, StormWorm, Stuxnet
  • 4. Key Application Control Points • Software installation - .msi, .msp, .zip • Binary program execution - .exe, .com • Scripts - .bat, .cmd, .jar, .js, .jse, .mdb, .pif, .ps1, .scr, .vb, .vbe, .vbs • DLL & ActiveX - .dll, .ocx
  • 5. Key Application Control Points • Control approach: default permit or deny? - There are an infinite number of applications that you don’t want to authorized - Only a finite number of applications you do • Default deny is the only viable approach - Explicitly permit specific positively identified applications - Vulnerabilties are resilient** so it’s critical that you don’t let them in in the first place! - Anti-virus blacklists known threats, but AC rules primarily specify which applications are permitted, they are collectively termed a whitelist • But there are exceptions - Privileged users (e.g., local admin) - Subdirectories - Trusted publishers **Secunia Yearly Report, February 14, 2012
  • 6. Application Identification Trickiness• How to reliably identify an application? - Name? File Size? Path? Contents? Source? - What about changes: patches (good), hacking (bad)• Known application identification methods - Path (including name) - Hash (numeric signature of contents) - Publisher (via digital signing) - Source (during installation) - Registry paths - A combination of the above• A single application can exist within a userpopulation in dozens of variations
  • 7. Application Control Flow Whitelist ApplicationInventory Audit Control Assess Automation Tools Enforce
  • 8. Microsoft’s default tools:SRP & AppLocker • Software Restriction Policies (SRP) - Windows XP, Windows 2003, Windows 2008, Vista, and Windows 7 below Ultimate - Implemented via Group Policy Objects (GPO) and registry path restrictions - Simple rule structure • AppLocker - Window 7 Ultimate & Enterprise only - Also uses GPO - Built into Windows 7 kernel - Extended rule structure (e.g., exceptions) (but no registry path restrictions) - Whitelist wizards (default and analysis) • SRP & AppLocker are mutually exclusive (when AppLocker rules exist, they supercede SRP)
  • 9. AppLocker Control Flow
  • 10. AppLocker Limitations • Capability limitations - Supports only Win7 Ultimate & Enterprise - Computer-based, rather than user-based • Security limitations - Local admin can circumvent (e.g., stopping appld srv) - Scripts vulnerable to exploitation • Reliability limitations - Application updates break rules • Usability limitations - Generated whitelists are large and complex - Default rules too permissive - DLL filtering impacts performance - Event logs exist only on local machine (LogsMicrosoftWindowsAppLocker) - Limited reporting
  • 11. AppLocker Gotchas • Can inadvertently lock user out of Windows • DLL filtering can break applications in mysterious ways (ergo, it’s off by default) • WindowsInstaller objects can execute even when unsigned • WindowsTemp is world write-able, world- executable • Inadvertently grant permissions by crea5ng an excep5on to a Deny rule • LOAD_IGNORE_CODE_AUTHZ_LEVEL exploit - • SANDBOX_INERT exploit -
  • 12. Free Application Security Controls• Open source and free tools - Ad Hoc blocking of installed apps - Application inventory • OCS Inventory NG ( • CFEngine Nova ( • Open PC Server Integration ( • Uranos (• Example: Windows Application Blocker ( ) - Per-application password lock - Must be manually configured - No central administration
  • 13. Free Application Security Controls • Uranos open source: software inventory only • No application control capability
  • 14. Attributes of Commercial App Control • Full Windows spectrum: - XP, Vista, 2003, 2008, all Win7 editions • Cohesive whitelist generation - Driven by site-wide application discovery - Automatically optimize rules • Flexible whilelist policy structure - Multiple filter types - User-based policies for consistent desktop and laptop enforcement - Extend coverage to local admin user • Ability to approve trusted patches and identify patched applications • Situational awareness - Centralized event monitoring - Comprehensive reporting
  • 15. The Value of Integration • Application control is an endpoint problem • Other endpoint problems - Network Access Control (NAC) - Antivirus remediation - Patch management • Integrated endpoint tools have frameworks that: - Deliver a consistent, cohesive user interface - Consolidate client enumeration and agent tracking - Provide a centralized database for objects and events - Streamline auditing and reporting • Integrated tools deliver better overall protection - Event correlation provides early warning of trouble - Situational awareness provides defense in depth
  • 16. The story so far... • Bad application are a prime source of endpoint vulnerabilities in the enterprise • Applications must be controlled at installation, and then by positive identification • Applications come in many forms and change frequently, making them hard to identify reliably • Application control has a procedural flow • Microsoft’s SRP & AppLocker don’t do the job • Free security tools are not enterprise-grade • Select commercial tools based on key features • Integrated endpoint security tool sets ultimately deliver more capability and are easier to administer
  • 17. More Information•Overview of Lumension® Intelligent Whitelisting™ » Protection.aspx•Application Scanner Tool » 0.aspx•Whitepapers » Think Your Anti-Virus Software is Working? Think Again. • Software-Is-Working-Think-Again.aspx » Intelligent Whitelisting: An Introduction to More Effective and Efficient Security • Introduction-to-More-Effective-and-Efficient-Endpoint-Security.aspx17