The software I use has an "endpoint analysis" mode, kinda like a passive mode, that creates whitelists for you. Using this, you should be able to ensure everything works before going live. Add to this the alerting is very good so false positives get quickly dealt with.
Sent from my Blackberry, which may be an antique but delivers email RELIABLY -----Original Message----- From: Ken Schaefer <[email protected]> Date: Wed, 17 Apr 2013 00:27:19 To: NT System Admin Issues<[email protected]> Reply-To: "NT System Admin Issues" <[email protected]>Subject: RE: Dropsmack Malware C&C via Dropbox What happens when the business relies a lot on Access DBs, Excel spreadsheets etc.? Do I have to whitelist every macro? Am I still at risk of data loss/corruption/exfiltration? Cheers Ken From: James Rankin [mailto:[email protected]] Sent: Wednesday, 17 April 2013 12:54 AM To: NT System Admin Issues Subject: Re: Dropsmack Malware C&C via Dropbox Whitelisting can be a lot of work, if you haven't got a flexible technology. There are various vendors in the space and some of them take a lot of the donkey-work out of it for you, whilst still maintaining (as far as I've seen) decent security. But I totally agree that it's still at the whim of the person with their fingers on the controls - if the admin allows a bad executable, then you're in trouble. That can only be mitigated by belt-and-braces approaches, really, relying on old-style reactive AV or IDS/IPS or whatever to catch the bad executable that's somehow bypassed your processes and controls. There is another load of tech springing up around MDM, MIM, MAM or whatever TLA you choose to describe it. It's another big set of challenges though. At the moment I am concentrating on extending the agents I have to MacOS devices rather than worrying about tablets and mobiles yet. I can avoid some of the pain at the moment by deploying Windows apps and desktops via Citrix to the mobile devices rather than letting users manipulate corporate data directly, but it's something I will no doubt get asked to get involved in sometime in the future :-) But it's all so fun keeping up with user trends, isn't it? Maybe if we try really hard to get on top of the possibilities right now we can approach BYOD from a security perspective rather than just getting bullied into making it happen too quickly and having to catch all the security issues while firefighting :-) Cheers, JR On 16 April 2013 15:36, Ziots, Edward <[email protected]<mailto:[email protected]>> wrote: James, I agree on the application whitelisting front. But its a lot of work and its still based on trust. ( If you trust something bad) then you have still let the determined attacker in the door, but the caveat is if you control the code execution on your endpoints, then you change the game into your favor. Other aspects to think of: Will application whitelisting work for mobile devices: (Iphone, Android, Tablets, all of which can act like storage devices in a way. Questions to be answered: Which devices do you allow to be attached to your systems to transfer data? (Policies, procedures, enforcement with technical controls and auditing and followup with administrative controls for compliance? (Do we allow the Apple devices, but not the Android, or do we allow just Ironkey devices, and whom should have them and what data should they be able to take ( DLP/DRM etc etc) And we all should know by now that AV is next near worthless against current malware trends, so why does the compliance regulations still require this ( PCI-DSS especially). Working on App whitelisting right now, its been interesting and complex at the time, but at the end I feel it will be worth it. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
