App locker


  • 1. Eliminating Malware, Inappropriate Software, and Most IT Problems with AppLocker. Greg Shields, MVP, vExpert. Head Geek, Concentrated Technology. www.ConcentratedTech.com
  • 2. This slide deck was used in one of our many conference presentations. We hope you enjoy it, and invite you to use it within your own organization however you like. For more information on our company, including information on private classes and upcoming conference appearances, please visit our Web site, www.ConcentratedTech.com. For links to newly-posted decks, follow us on Twitter: @concentrateddon or @concentratdgreg. This work is copyright Concentrated Technology, LLC.
  • 3. Agenda
    • Part I: Today's IT is All Backwards. AppLocker Puts the Horse Before the Cart.
      • Discuss: What security tools are you using today?
      • Discuss: How then could you protect yourself against something you know nothing about?
      • Discuss: So, was this guy crazy, or brilliant?
    • Part II: Implementing AppLocker (without Completely Screwing Up Your Network!)
  • 4. DISCUSS: What Security Tools are You Using Today?
    • What types of products do you use today to keep your systems secure?
    • Do they work?
    • When do they fail?
  • 5. Part I: Today's IT Security is All Backwards. AppLocker Puts the Horse Before the Cart.
  • 6. Anti-Virus, Anti-Malware, Anti-Oh My!
    • We in IT are always looking for the "anti-" solution for protecting our computers.
      • Anti-virus protects us against viruses.
      • Anti-malware protects us against malware.
      • Firewalls protect us against incoming worms.
    • These have been great solutions for years, and are used by nearly 100% of environments.
      • But, in a way, they're all "backwards".
  • 7. Anti-Virus, Anti-Malware, Anti-Oh My!
    • Browser-based attacks, worms, viruses: there's a common thread in virtually all forms of malware.
    • Their code has to be processed if it is to run!
    • This raises the question:
    • If virtually all malware requires processing to be dangerous, could I protect myself by simply preventing that processing from occurring in the first place?
  • 9. The Dreaded Zero-Day
    • Let's look at this a different way:
    • POSIT: You cannot protect yourself against the dreaded zero-day attack.
    • Reasons for this include:
      • A zero-day means that the attack arrives before the protection from that attack arrives.
      • Signature- and even heuristic-based solutions require, well, signatures and heuristics.
      • The time distance between vulnerability and attack must be exceptionally short.
      • Secrecy is critically important to the attack. Yet "don't rely on the secrecy of the algorithm" is also one of the tenets of cryptography. Bad.
  • 10. DISCUSS: So How Then Could You Protect Yourself Against Something You Know Nothing About?
    • What are the protections against the zero-day?
      • You can't write a signature
      • You can't define a heuristic
    • Are your security vendors really just taking your money?
  • 11. AppLocker Changes the Mindset
    • With AppLocker, you no longer care about signatures or heuristics.
      • You care about what you've specifically allowed to run.
      • ...and you don't care about everything else.
    • AppLocker creates an environment of approved execution for many types of code.
      • Executable files (.exe and .com)
      • Scripts (.js, .ps1, .vbs, .cmd, and .bat)
      • Windows Installer files (.msi and .msp)
      • DLL files (.dll and .ocx)
  • 13. Blacklisting, the Old Way
    • Most anti-Anything solutions are examples of blacklisting.
      • "I don't want the following code to execute on my system."
    • With blacklisting solutions, you must constantly update the blacklist with those applications which shouldn't run.
      • Viruses shouldn't run
      • Malware shouldn't run
      • Browser Helper Objects shouldn't run
      • Bad applications shouldn't run
  • 14. Blacklisting, the Old Way
    • Anti-Anything solutions are examples of blacklisting.
      • "I don't want the following code to execute on my system."
    • With blacklisting solutions, you must constantly update the blacklist with those applications which shouldn't run.
      • Viruses shouldn't run
      • Malware shouldn't run
      • Browser Helper Objects shouldn't run
    ...but the problem arrives when someone writes a piece of code that you haven't seen before. Now, you have to figure out what it is and what it does so you can prevent it.
  • 16. Whitelisting, the New Way
    • With whitelisting, you instead identify which executables are allowed to run on your systems.
      • Does this sound like a hard thing to do?
    Hey Greg: Tell the story now about that one guy at your very first TechMentor! You know, the guy who needed to personally approve every application!
  • 17. DISCUSS: So, was this guy crazy, or brilliant?
    • This fellow IT professional at my first TechMentor, the one who needed to approve each application...
    • ...was this draconian?
    • ...or early brilliance?
  • 18. Whitelisting, the New Way
    • With whitelisting, you will specify the executables and scripts which you've tested and approved.
      • Windows Installer files and DLLs are also possible, but very, very challenging (and a performance hit).
      • New malware will likely never get executed in your environment, because it can't.
    Interestingly enough: AppLocker's older brother, Software Restriction Policies, offered both blacklisting and whitelisting. With AppLocker, focus on the white(list).
  • 19. Whitelisting, the New Way
    • Also good for...
      • "Not-quite-malware". You know, those stupid apps that users install that invariably self-destruct their system.
      • "License assurance". You won't get hit with a license violation for software you didn't approve, because it can't run.
      • "Version assurance". Versions that you haven't specifically approved won't run. Thus, users who can't or won't upgrade (or accept WSUS updates) can't run software until they do.
    Some will argue that these are even more exciting than anti-malware!
  • 20. DEMO: Timeout for a Quick "Where is AppLocker?" Demo.
    • Let's take a quick spin through AppLocker.
      • So you can get familiarized with it before moving on.
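A scripted version of the tour the deck takes in slides 11, 18, 19 and 20, added here as an example and not taken from the deck or from Concentrated Technology: it inventories code already tested on a reference machine, generates allow rules for the Exe and Script collections only (the deck's advice on DLL and Windows Installer rules), stages the policy in audit mode, checks what the policy would do with an unlisted file, and then applies it. It uses the cmdlets of the Windows AppLocker PowerShell module; the scan directories and the test file path are placeholders, and the policy file name under $env:TEMP is an assumption.

```powershell
# Added example, not part of the deck: build an allow-list policy for the Exe and
# Script rule collections (slide 11) from software already tested on a reference
# machine (slide 18), stage it in audit mode, test a file against it, then apply it.
# Assumptions: elevated PowerShell on a Windows edition that ships the AppLocker
# module; the directories and the test file path below are placeholders.
Import-Module AppLocker

# 1. Inventory the approved code. Exe and Script only: the deck flags the Dll and
#    Windows Installer collections as very challenging and a performance hit.
$scanRoots = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'   # placeholders
$approved = foreach ($root in $scanRoots) {
    Get-AppLockerFileInformation -Directory $root -Recurse -FileType Exe, Script
}

# 2. Generate allow rules for everyone. Publisher rules (signed code) carry the
#    publisher, product, binary name and version, which gives the version assurance
#    of slide 19; unsigned files fall back to hash rules. -Optimize merges duplicates.
$policyPath = Join-Path $env:TEMP 'applocker-allowlist.xml'   # assumed file name
New-AppLockerPolicy -FileInformation $approved -RuleType Publisher, Hash `
    -User 'Everyone' -Optimize -Xml | Out-File -FilePath $policyPath -Encoding UTF8

# 3. Start in audit mode so unlisted code is logged in the AppLocker event log rather
#    than blocked. Part II's "without screwing up your network" begins here.
$xml = [xml](Get-Content -Path $policyPath -Raw)
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')   # later: 'Enabled'
}
$xml.Save($policyPath)

# 4. Ask the policy what it would do with a file that is not on the list. Anything
#    reported as DeniedByDefault has no allow rule and is blocked once enforced.
Test-AppLockerPolicy -XmlPolicy $policyPath `
    -Path 'C:\Users\Public\Downloads\unknown.exe' -User 'Everyone'   # placeholder path

# 5. Apply locally (add -Ldap to write to a GPO instead) and read back the result.
Set-AppLockerPolicy -XmlPolicy $policyPath
Get-AppLockerPolicy -Effective -Xml
```

Two practical notes: the generated policy contains only the files that were scanned, so administrative tools that were not on the reference machine are denied too, which is why the audit-mode pass comes before switching the collections to Enabled; and AppLocker only evaluates rules while the Application Identity service (AppIDSvc) is running, so that service has to be started for either the audit log or the enforcement to appear.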
  • 21. Part II: Implementing AppLocker (Without Completely Screwing Up Your Network!)
  • 22. What You Need
    • AppLocker has high-end requirements
      • W