How to get started with LANDESK Endpoint Security - Application Control

Version 13

    Verified Product Versions

    LANDESK Management Suite 9.5
    LANDESK Management Suite 9.6
    LANDESK Management Suite 2016.x

    Introduction

     

    This document is designed to give a LANDESK administrator the ability to create an Endpoint Security application behavior setting for their organization using LANDESK Security Suite in LDMS 2016. This is not the only way to implement Endpoint Security, but it will give you a solid starting place to build upon.

     

    Endpoint Security is an advanced security tool that gives the corporate security team the ability to control application behavior. This helps protect the environment from external and internal security breaches.

     

    LANDESK Endpoint Security application behavior (Host Intrusion Prevention System, HIPS) settings are part of a comprehensive layered security model. This model should include a process for patching vulnerabilities (OS and third party), Endpoint Security application behavior, application blocking, application control, and/or antivirus, along with security training for employees.

     

    Corporate policy should ensure that users do not have administrative rights on the end device and do not log in as an administrator. If end users have these rights, they could inadvertently or knowingly open their devices to a breach.

     

    Also, remove unnecessary software. Software installed as part of the OS or alongside other applications can increase the attack surface of the client devices.

     

    Use the application whitelisting that is part of LANDESK Security Suite. Application whitelisting requires a paradigm shift for many companies, and building the list of approved applications takes planning and work, but it is an important way to protect end devices and well worth the effort.

     

    Assumptions

     

    A LANDESK core server is installed with internet connectivity. The core server has been activated with a valid license for LANDESK Security Suite.

     

    It is also assumed that there are existing LANDESK agents deployed and that the agents have access to the LANDESK core server.

     

    It is also assumed that the administrator has a working knowledge of LANDESK Management Suite and an idea of what the end security posture should look like.

     

    Endpoint Security Basics

     

    LANDESK Endpoint Security is the base component for Application Control, Device Control, and LANDESK Firewall. At a base level, Endpoint Security can be installed on clients and offers some protection without any of the three sub-components being configured:

     

    • Application Control
    • Device Control
    • LANDESK Firewall

    Endpoint Security Policy - Application Control

     

    LANDESK Application Control uses file reputation information from Kaspersky to determine whether files are trusted, unknown, or bad (not to be trusted).

     

    This file reputation information is imported by LANDESK to help the administrator decide whether files and applications should be allowed to run in the environment. It is downloaded to the core server as part of the Security Suite subscription.

     

    The LANDESK administrator can determine what files are allowed to run.

    Planning - What rights should be given to applications?

     

    Application Control technology lets administrators approve which processes are allowed to run. This is done by identifying the process and approving it by attributes such as process name, file name, or digital signature.

    We need to plan how to build the library of approved applications for the environment. This can be done by:

    1. Creating a known good (clean) device from which to create a baseline.
    2. Determining which devices have the most exposure; for instance, are there devices with client data on them?
    3. Getting stakeholder buy-in. This is hugely important when implementing something like application whitelisting/blacklisting, because it can impact production and stakeholders need to be aware of the exposure.
    4. Starting with Endpoint Security on your lab devices to begin building your trusted file list.
    5. When ready, using a phased approach and implementing Endpoint Security one department or location at a time. Do not roll it out to the entire company at once, as this can cause an influx of calls to the help desk.
    6. Training employees about their part in the security policy. Security awareness training will reduce calls to the help desk and also help with the ongoing security of the company.

     

    Setting up Endpoint Security

    Create Endpoint Security Settings

    Now that we have discussed how Application Control works and some thoughts around planning, let's look at getting started.

     

    The first thing we want to accomplish is to create the security settings that define how our agents will behave. This includes which policies we assign to the agents, rights for the end users, popup balloons, and more.

     

    General Settings

    1. Go into Tools - Security and Compliance – Agent Settings
    2. Expand “Public agent settings”
    3. Expand “Security”
    4. Expand “Endpoint Security”

      EndpointSecuritySettings.png
    5. Right-click on Endpoint Security and select New.
      GeneralSettings.png
    6. Name this setting something meaningful. As always, test these settings to make sure they produce the intended results.
      • Check "Use a password for Administrator". This is for testing.
      • Check "Enforce LANDESK Endpoint Security protection while in Safe Mode".


    Digital Signatures

    1. Click on Digital Signatures.
      DigitalSignatures.png
    2. Trust only the companies that are important to your organization. It is important to understand that trusting a company's digital signature means LANDESK will trust any file signed with that company's certificate, not just the installer you had in mind.


    Default policy

    We are focusing on Application Control only:
    DefaultPolicy.png


    Default Policy - Application Control Settings


    1. Select Application Control and then click the browse button ("...").
    2. Select New application control setting.
      Newselect.png
    3. Name the new setting something meaningful, such as "PreProduction" for the test configuration. The setting can later be copied and renamed for production.
    4. Select "Enable application behavior protection" and "Use buffer overflow protection".
      ApplicationBehaviorBufferOverflow.png

      Windows DEP (Data Execution Prevention) offers buffer overflow protection. However, by default its protection applies only to Windows system processes (the OptIn policy on client editions of Windows). LANDESK EPS buffer overflow protection is compatible with Windows DEP and covers all applications.


      Some advantages to LANDESK HIPS Buffer Overflow Protection:

      • Manageability & reporting through LDMS console.
      • Protection of all processes (not just Windows system processes)
        • Integration with HIPS learn mode

      Buffer overflow protection can be turned off globally or per application. This may be necessary for programs that are known to trigger buffer overflow detections (false positives) without posing a security risk.

    Mode Configuration


    Mode Configuration.png

    Leave these settings as they are, with learning mode selected, until we are confident in our settings. Then deselect "learning mode"; from that point the agent enforces application behavior protection rather than only learning it.

     

    File Protection Rules

     

    These are sets of rules that help protect the endpoint. The rules are evaluated in order, so the order matters. If we are protecting Word documents from ransomware, we place the rule that allows winword.exe to modify documents before the rule that blocks other applications from modifying them.

     

    1. Click on File Protection Rules
      FileProtection.png

      Let's add our Office documents to the list:

    2. Click on Add and name the rule "Office Documents".

      1. Under "Programs named", add "winword.exe" and "excel.exe".
      2. Click on "Files named" and click on Add.
      3. Type in "*.doc" and click OK.
      4. Repeat for *.docx, *.xls, and *.xlsx, and for any other file extensions that are important to your company.

    3. Add a new rule to block other applications from modifying the Word or Excel documents. Call this one "Block Access to Office Documents".

      1. Click on "Files named" and add the same file extensions for Word and Excel documents.
      2. Be sure that rights are restricted, then click OK.
      3. The rules should now appear in the list with "Office Documents" above "Block Access to Office Documents".

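    The ordering point above can be checked before a setting is deployed. The following is an added illustration, not LANDESK code: a minimal first-match evaluator that models rules the way this page describes them (evaluated top to bottom, first match decides; that first-match behavior is an assumption taken from the text). The rule names, the Office extensions, and the sample process and document paths are the ones from the steps above or constructed here.

    ```python
    """First-match evaluation of ordered file protection rules (illustration only)."""
    from dataclasses import dataclass, field
    from fnmatch import fnmatch
    import ntpath


    @dataclass
    class Rule:
        name: str
        files: list                                   # patterns on the file name, e.g. "*.docx"
        programs: list = field(default_factory=list)  # patterns on the process name; empty = any program
        allow: bool = True                            # False = rights restricted (block)

        def matches(self, program: str, path: str) -> bool:
            """True if this rule applies to `program` touching `path` (case-insensitive)."""
            fname = ntpath.basename(path).lower()
            if not any(fnmatch(fname, p.lower()) for p in self.files):
                return False
            if not self.programs:
                return True
            prog = ntpath.basename(program).lower()
            return any(fnmatch(prog, p.lower()) for p in self.programs)


    def decide(rules, program, path, default_allow=True):
        """Walk the rules top to bottom; the first rule that matches decides.

        Returns (allowed, rule_name); rule_name is None when no rule matched
        and the default applied.
        """
        for rule in rules:
            if rule.matches(program, path):
                return rule.allow, rule.name
        return default_allow, None


    OFFICE_DOCS = ["*.doc", "*.docx", "*.xls", "*.xlsx"]

    # Order from the steps above: allow the Office binaries first, then block everything else.
    CORRECT_ORDER = [
        Rule("Office Documents", OFFICE_DOCS, ["winword.exe", "excel.exe"], allow=True),
        Rule("Block Access to Office Documents", OFFICE_DOCS, allow=False),
    ]
    # The same two rules with the block rule on top: it matches first and Word is locked out too.
    WRONG_ORDER = list(reversed(CORRECT_ORDER))

    # Constructed sample paths (hypothetical, not from the page).
    WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    RANSOM = r"C:\Users\bob\AppData\Local\Temp\ransom.exe"
    DOC = r"D:\Finance\Q3-forecast.docx"


    if __name__ == "__main__":
        for label, rules in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
            for prog in (WINWORD, RANSOM):
                allowed, rule = decide(rules, prog, DOC)
                verdict = "allow" if allowed else "block"
                print(f"{label:13} {ntpath.basename(prog):12} -> {verdict} ({rule})")
    ```

    With the rules in the correct order, WINWORD.EXE is allowed by "Office Documents" and ransom.exe is stopped by the block rule; with the order reversed, the block rule shadows the allow rule and Word itself can no longer save documents. Keep in mind that a rule keyed on a process name alone is satisfied by any binary that happens to be called winword.exe, so pair file protection rules with the trusted file list and digital signature settings described elsewhere on this page.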

    Trusted Folders

     

    Any file located in a trusted folder is trusted. Keep in mind that if a malicious file gets copied into such a folder, it will be trusted too, so restrict write access to trusted folders to administrators.


    Monitored Folders


    New for Management Suite 2016 is Monitored Folders. LANDESK monitors the files and child folders in these directories for any changes, and the activity is reported under "Security Activity" > "Application Control" > "Activity". Add any folders here that need to be monitored.

     

    ClickSave.png

    Click Save to save your newly created Endpoint Security Settings with Application Control sub-component configured.


    Deploy Endpoint Security Settings


    Now we need to deploy our test Endpoint Security settings to our test client workstations and test them.


    1. Click on the Calendar icon and select Install/Update Security Components
      InstallUpdate.jpg
    2. Name the configuration
      SelectEndpointSecurity.png
    3. Select Endpoint Security
    4. Select the correct Endpoint Security Setting
    5. Add Target devices to the task

      When starting with EPS, add the known good device to the task.  We will import and trust the applications from this device later.

    6. Start the task.

     

    Trusted File List

     

    This is a list of files or applications that you, as the security officer, trust in your environment. These files are gathered in several ways: we can learn trusted file behavior on client workstations, trust files manually, and gather file reputation data from trusted sources such as the Kaspersky file reputation database or other file sources.

    The reputation information is downloaded to the core server as part of the Security Suite subscription content download, and the clients update their trusted file list whenever a security scan runs.

    The LANDESK administrator determines which files are allowed to run and how they may behave. The administrator can build a known good device containing the applications that are allowed in the organization and then import the trusted applications from that device.

    To access the trusted file list:


    1. Navigate to Agent Settings -> My Settings -> Security -> Endpoint Security -> Application File Lists

              ApplicationFileLists.jpg

    To import files from a trusted device (note that this should be a new trusted file list, because everything added to this list will be trusted):

    1. Right-click and select New
    2. Name the new Application File List
      NewApplicationFileList.png
    3. Click on the Import button and select Import from Trusted Devices.
      Import.jpg
    4. Select the devices that you had previously set up as trusted devices and select import files from specified devices.
      ImportFromTrustedList.jpg
    5. This brings up a dialog asking whether to scan the device or import without scanning. If the device has already been scanned, select No and import the file list; otherwise, select scan.
    6. Then update the Endpoint Security setting to use the new trusted file list.


    File Reputation Content


    Now that we have a handle on the Endpoint Security settings, we need to update the file reputation data on the core server.

    LANDESK has partnered with Kaspersky for access to their file reputation database. When the core server updates content, the files found on the client workstations are compared against the Kaspersky database, the reputation data is returned, and the trusted file list is updated. The clients then update their list whenever they run a vulnerability scan.


    To access the content download:


    1. Click on the Download Updates Button on the toolbar:
      downloadupdatesbutton.jpg
    2. Click on the Updates tab and select the File Reputation Updates under the Windows -> Security section.
      FileReputationsCategory.jpg
    3. Click on Download Now

     

    Monitoring Security Activity and taking action

     

    Now, we need to monitor and take action on the Security Activity.

    1. Click on the Security and Compliance tab at the bottom of the console
    2. Click on Security Activity
      SecurityActivity.png
      This brings up the Security Activity Center.
    3. Expand Application Control
      This shows restricted application activity on managed devices. Refer to this screen when rolling out new application behavior settings. When an unknown application is found, it is the administrator's responsibility to determine whether the application should be allowed or denied in your environment.

     

    When an unknown application is found, the administrator should:

     

    1. Update the file reputation data on the core.
    2. Check the trusted file list to see whether the application's reputation was updated.
    3. If the application was updated to "Good", the clients will pick up the updated file list at the next vulnerability check.
    4. If the application is still unknown, research it on sites such as virustotal.com to see whether the file is good, bad, or still unknown. Look the file up by its hash rather than uploading it; uploaded samples are shared with third parties, which matters for internal or confidential software.
    5. Manually update the file's reputation to good or bad based on what the administrator has found.
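    The two workflows above, importing a baseline from a known good device (Trusted File List) and triaging the unknowns that Security Activity surfaces, come down to comparing file hashes against a trusted list and a reputation table. The following is an added example, not LANDESK code and not the product's import mechanism: it hashes every file under a "known good" folder to build the trusted list, then classifies observed client files as trusted, blocked, or unknown, emitting a VirusTotal hash-lookup URL for the unknowns so nothing is uploaded. The reputation table, the sample binaries, and the observed paths are constructed for the demo.

    ```python
    """Baseline a known-good device by hash and triage observed files (illustration only)."""
    import hashlib
    import tempfile
    from pathlib import Path

    # Hash lookup page; the hash is appended, the file itself is never sent anywhere.
    VT_LOOKUP = "https://www.virustotal.com/gui/file/"


    def sha256_file(path):
        """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        return h.hexdigest()


    def build_trusted_list(root):
        """Hash every file under `root` (the known good device) -> {sha256: relative path}."""
        root = Path(root)
        return {sha256_file(p): str(p.relative_to(root)) for p in root.rglob("*") if p.is_file()}


    def triage(observed, trusted, reputation):
        """Classify observed files.

        observed:   {client path: sha256} as reported from a managed device
        trusted:    output of build_trusted_list (the imported trusted file list)
        reputation: {sha256: "good" | "bad"}, standing in for downloaded file reputation content
        Returns {client path: (verdict, detail)} with verdict in trusted / blocked / unknown.
        """
        result = {}
        for path, digest in observed.items():
            if digest in trusted:
                result[path] = ("trusted", "baseline: " + trusted[digest])
            elif reputation.get(digest) == "good":
                result[path] = ("trusted", "reputation: good")
            elif reputation.get(digest) == "bad":
                result[path] = ("blocked", "reputation: bad")
            else:
                # Unknown: hand the analyst a hash lookup, not an upload.
                result[path] = ("unknown", VT_LOOKUP + digest)
        return result


    def demo():
        """Constructed sample: a two-file known good image, one bad hash, and three observed files."""
        with tempfile.TemporaryDirectory() as tmp:
            good = Path(tmp)
            (good / "Office").mkdir()
            (good / "Office" / "winword.exe").write_bytes(b"MZ fake word binary")
            (good / "tools.exe").write_bytes(b"MZ fake internal tool")
            trusted = build_trusted_list(good)

        bad_digest = hashlib.sha256(b"MZ fake known-bad sample").hexdigest()
        reputation = {bad_digest: "bad"}   # hypothetical reputation content
        observed = {                       # hypothetical client paths
            r"C:\Program Files\Office\winword.exe": hashlib.sha256(b"MZ fake word binary").hexdigest(),
            r"C:\Users\bob\Downloads\invoice.exe": bad_digest,
            r"C:\Users\bob\AppData\Local\Temp\update.exe": hashlib.sha256(b"MZ never seen before").hexdigest(),
        }
        return triage(observed, trusted, reputation)


    if __name__ == "__main__":
        for path, (verdict, detail) in demo().items():
            print(f"{verdict:8} {path}  ({detail})")
    ```

    The baseline is only as trustworthy as the device it came from, so build the known good device from clean media before hashing it (the same point made for Trusted Folders above). A decision taken on an unknown file should be recorded back in the Application File List so every client picks it up at the next scan, rather than living only in an analyst's notes.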

     

    Ongoing Support

     

    Now that we understand how to create and update an Endpoint Security setting for HIPS, we can use the same steps to create other settings for different departments inside the same company. We can also monitor and act on incoming security threats by allowing or denying specific behaviors by applications.


    Diagram of file reputation flow



    Conclusion

     

    A Host Intrusion Prevention System (HIPS) is part of a comprehensive layered security model. This model should include patching, antivirus, limiting installed applications, removing administrator rights from end users, and end user security training, so that users understand how attackers get into their systems.


    By building a known good device with the applications your company uses, we can create a trusted file list that is specific to your company or department. It is important to talk with the business units to understand your organization's risk tolerance, and then create an Endpoint Security setting for your company. This is a living setting and may change as new departments need new security settings.


    New security threats may require new or updated settings. For example, ransomware such as Locky, which encrypts files and renames them with a ".locky" extension, may mean we need to protect additional applications and document types in the environment.


    This is a starting point, or best practice, for getting a handle on your organization's endpoint security settings. By getting started, documenting, and putting EPS into practice, you will reduce your attack surface.