Calibre 1 Essential 8 Series: Application Control
This blog is part of a series of blogs on the Essential 8 and how you can implement each in a cost-effective way.
Application Control, formerly Application Whitelisting, is a foundational control in the Essential 8. It is referenced and required by many of the other steps in order to effectively manage the operation of your systems. This single control will actively stop attackers in their tracks if well put together. After all, how do you cause damage if you are not able to run anything? Implementing it is relatively simple conceptually, but it can be highly disruptive if simply enabled without appropriate auditing, so a 3-month auditing period is recommended to ensure all applications are appropriately captured, assessed, and blocked. Maturity 1 can be implemented more swiftly, with a single month used to audit the running applications.
Movin’ to the country, gonna eat a lot of peaches
The first step is to lock down the execution of applications from within user profiles and temp folders. Another way to look at it is to restrict execution to Program Files and the Windows directory; in theory, everything in those directories is going to be legitimate. At Maturity 1 this applies only to workstations. The best recommendation is to use a tool like Airlock Digital Application Control (Calibre 1 can supply and manage this for you) to manage the folder-level restrictions. Alternatively, you can use the Microsoft option at no additional cost, Windows Defender Application Control, which offers a little less control in the features it has available and does not provide great central management, but is a serviceable alternative. At Maturity 2 the organisation-approved set is extended to Internet-facing servers, and at Maturity 3 to all servers.
Millions of Peaches, Peaches for me
At Maturity 3 we add the configuration of Microsoft's recommended block rules and driver block rules. These are freely available on the Microsoft website and are a series of registry modifications that can be implemented via Group Policy or Microsoft Endpoint Manager (MEM); for the most part they are set and forget. Microsoft reviews and updates them over time, so regular review is a requirement at this stage. Reviews should occur no less than annually, and the applications whitelisted on servers and workstations should be included in this regular audit.
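As an added example, not from the blog, Airlock Digital or Microsoft, here is the Windows Defender Application Control version of the first step (execution permitted only from Program Files and the Windows directory), started in audit mode for the 1- or 3-month audit period, with Microsoft's recommended block rules merged in for Maturity 3 and a helper that summarises what the audit period would have blocked. It assumes Windows 10 1903 or later (file path rules), the example policy templates Windows ships under C:\Windows\schemas\CodeIntegrity\ExamplePolicies, a placeholder file name for the block-rules XML you download from Microsoft's documentation, and that merging that XML into the policy stands in for the registry/GPO deployment described above (the compiled policy is what Group Policy or MEM then distributes). The function name Get-AppControlAuditSummary is our own.

```powershell
# Added example: build a WDAC policy that permits user-mode execution only from
# Program Files and the Windows directory, start it in audit mode, fold in
# Microsoft's recommended block rules, and review what the audit period reported.
# Run in an elevated PowerShell on Windows 10 1903+/Windows 11/Server 2019+.

$policyXml = Join-Path $PWD 'AppControl.xml'
$policyBin = Join-Path $PWD 'AppControl.bin'
$mergedXml = Join-Path $PWD 'AppControl.merged.xml'

# Windows ships example policies; the audit template already trusts Windows itself,
# which path rules alone would not (path rules govern only user-mode code).
$template = Join-Path $env:windir 'schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml'

# Path rules: code under these roots may run. User profiles and temp folders are
# not listed, so executables there are reported (audit) or blocked (enforced).
$pathRules = @(
    New-CIPolicyRule -FilePathRule '%OSDRIVE%\Program Files\*'
    New-CIPolicyRule -FilePathRule '%OSDRIVE%\Program Files (x86)\*'
    New-CIPolicyRule -FilePathRule '%WINDIR%\*'
)
Merge-CIPolicy -PolicyPaths $template -Rules $pathRules -OutputFilePath $policyXml | Out-Null

# Option 3 = Enabled:Audit Mode. Keep it for the audit period (one month at
# Maturity 1, three months otherwise); remove it with -Delete when enforcing.
Set-RuleOption -FilePath $policyXml -Option 3

# Maturity 3: merge Microsoft's recommended block rules. The XML is copied from
# Microsoft's documentation; the file name here is a placeholder for where you saved it.
$blockRulesXml = Join-Path $PWD 'MicrosoftRecommendedBlockRules.xml'   # placeholder path
if (Test-Path $blockRulesXml) {
    Merge-CIPolicy -PolicyPaths $policyXml, $blockRulesXml -OutputFilePath $mergedXml | Out-Null
    Move-Item -Path $mergedXml -Destination $policyXml -Force
}

# Compile to the binary that Group Policy / MEM deploys to endpoints.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin | Out-Null

function Get-AppControlAuditSummary {
    # Summarise Code Integrity events 3076 (audit: would have been blocked) and
    # 3077 (enforced: was blocked) by file path, flagging user-writable locations,
    # so the audit period produces an approved list rather than surprises.
    param([datetime]$Since = (Get-Date).AddMonths(-1))

    $filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        # Current builds expose the path in the FileNameBuffer field (assumption);
        # fall back to the message text if the field is absent.
        $path = ($xml.Event.EventData.Data | Where-Object Name -eq 'FileNameBuffer').'#text'
        if (-not $path -and $_.Message -match 'attempted to load (\S+) that') { $path = $Matches[1] }
        [pscustomobject]@{
            Path     = $path
            Outcome  = if ($_.Id -eq 3076) { 'AuditOnly' } else { 'Blocked' }
            UserArea = [bool]($path -match '\\Users\\|\\Temp\\|\\AppData\\')
        }
    } | Group-Object Path, Outcome | ForEach-Object {
        [pscustomobject]@{
            Path     = $_.Group[0].Path
            Outcome  = $_.Group[0].Outcome
            UserArea = $_.Group[0].UserArea
            Count    = $_.Count
        }
    } | Sort-Object Count -Descending
}

# Review the audit period before switching to enforcement.
Get-AppControlAuditSummary | Format-Table -AutoSize
```

Paths that appear in the summary with UserArea set to True are exactly the user-profile and temp-folder executions the first step is meant to stop; anything legitimate that shows up there (a line-of-business installer that unpacks into AppData, for example) should be relocated or given an explicit rule before the audit-mode option is removed, because once option 3 is deleted those 3076 events become 3077 blocks.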
As with many of the other steps in the Essential 8 at Maturity 2, logging is an important part to consider. Allowed and blocked executions on workstations and Internet-facing servers are logged. At Maturity 3 this is extended to capture logs from all servers, and to the use of a SIEM solution such as Azure Sentinel.
For Maturity 2, Calibre 1 recommends setting up an Azure Log Analytics workspace as a bastion host to capture and retain logs. This way, should any portion of a network be compromised, the logs are stored remotely in a safe and hardened location for review. It also presents the option to enable Sentinel in the event of a security incident, to help comb the logs for the source of the security event. At Maturity 3 this function is always enabled, presenting more real-time options to capture security events in progress and prevent a major event from occurring. Calibre 1 offers security services to monitor and action events from Sentinel, as tuning and handling the alerts takes significant effort.
There we have it – 8 Essential Cyber Security recommendations from the Australian government, spanning 3 levels of security maturity for 24 recommendations, 10 different tools to get there and 6,500+ words, hopefully turning the 8 into something a little more consumable. As outlined, the 8 don't have to be an impossibly huge task for IT staff out there, but importantly, Calibre 1 is here to help you on the journey; please reach out to us for assistance with set up, or just for advice on how to go!
Airlock Digital/Windows Defender Application Control
Microsoft 365 Business Premium
Microsoft Defender Plan 2 – mostly covered by Business Premium
Microsoft Endpoint Manager – covered by Business Premium
Azure Active Directory Plan 1 and 2 – mostly covered by Business Premium
Backup Software like Azure Backup
Azure Log Analytics Workspace