
Calibre 1 Essential 8 Series: Application Control


This blog is part of a series on the Essential 8 and how you can implement each control in a cost-effective way.


Previous Blogs in the Series

Backups
Multi-Factor Authentication (MFA) Maturity 1
Patch Operating Systems
Restrict Administrative Privileges
User Application Hardening
Microsoft Office Macro Settings
Patch Applications


Introduction

Application control, formerly known as application whitelisting, is a foundational control in the Essential 8. It is referenced by, and required for, many of the other steps in order to effectively manage the operation of your systems. This single control, if well put together, will actively stop attackers in their tracks: after all, how do you cause damage if you are not able to run anything? Implementing it, while relatively simple conceptually, can be highly disruptive if it is simply enabled without appropriate auditing, so a 3-month auditing period is recommended to ensure all applications are appropriately captured, assessed, and blocked. Maturity 1 can be implemented more swiftly, with a single month used to audit the running applications.


Movin’ to the country, gonna eat a lot of peaches

At the first step we need to lock down the execution of applications from within user profiles and temp folders. Another way to look at it is restricting execution to the Program Files and Windows directories; in theory, everything in those directories is legitimate. At Maturity 1 this applies only to workstations. The best recommendation is to use a tool like Airlock Digital Application Control (Calibre 1 can supply and manage this for you) to manage the folder-level restrictions. Alternatively, you can use the Microsoft option at no additional cost, Windows Defender Application Control, which offers a little less control over the features it has available and does not provide great central management, but is a serviceable alternative. At Maturity 2 we add internet-facing servers to an organisation-approved set, and at Maturity 3 all servers.


Millions of Peaches, Peaches for me

At Maturity 3 we add the configuration of Microsoft's recommended block rules and driver block rules. These are freely available on the Microsoft website and are a series of registry modifications that can be implemented via Group Policy or Microsoft Endpoint Manager (MEM); for the most part they are set and forget. Microsoft reviews and updates them as time goes on, so regular review is a requirement at this stage. Reviews should occur no less than annually, and the applications whitelisted on servers and workstations should be included in this regular audit.
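The folder-level restriction from the previous section and the Microsoft block rules from this one can be built into a single Windows Defender Application Control policy and started in audit mode for the audit period. This is an added example, not Calibre 1's or Microsoft's own script; it assumes Windows 10 1903+ or Server 2019+ with the ConfigCI module, an elevated session, and that the two Microsoft block-rule XML files have already been downloaded to the (placeholder) file names under $Work.

```powershell
# Added example (not from the original post): build a WDAC policy that only
# allows execution from Program Files and the Windows directory, merge in
# Microsoft's recommended block rules, and compile it in audit mode.
# Assumptions: Windows 10 1903+ / Server 2019+ (ConfigCI module present),
# run as administrator, block-rule XML already downloaded from Microsoft docs.
$Work       = 'C:\WDAC'
$BlockRules = Join-Path $Work 'RecommendedBlockRules.xml'        # placeholder name
$DriverBlk  = Join-Path $Work 'RecommendedDriverBlockRules.xml'  # placeholder name
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# Folder-level allow rules. Anything outside these trees (user profiles,
# %TEMP%, Downloads, removable media) has no allow rule and is denied.
# WDAC only honours path rules for locations standard users cannot write to,
# which is why Program Files and Windows are the right anchors.
$Rules = @()
foreach ($Path in 'C:\Program Files\*', 'C:\Program Files (x86)\*', 'C:\Windows\*') {
    $Rules += New-CIPolicyRule -FilePathRule $Path
}

# Base policy from those rules. -UserPEs makes the policy cover user-mode
# executables (what users actually launch), not just kernel drivers.
$Base = Join-Path $Work 'BasePolicy.xml'
New-CIPolicy -FilePath $Base -Rules $Rules -UserPEs -MultiplePolicyFormat

# Maturity 3: merge Microsoft's recommended application and driver block rules
# (deny rules) into the same policy. Re-run this step when Microsoft updates them.
$Merged = Join-Path $Work 'MergedPolicy.xml'
Merge-CIPolicy -OutputFilePath $Merged -PolicyPaths $Base, $BlockRules, $DriverBlk

# Rule options: 0 = Enabled:UMCI (user-mode enforcement); 3 = Enabled:Audit Mode,
# so violations are logged as Code Integrity event 3076 but not blocked, which
# is what the one- to three-month audit period needs. Moving to enforcement is
# 'Set-RuleOption -FilePath $Merged -Option 3 -Delete' and a recompile.
Set-RuleOption -FilePath $Merged -Option 0
Set-RuleOption -FilePath $Merged -Option 3

# Compile to the binary that Group Policy / MEM delivers. In the multiple-policy
# format the file must be named <PolicyID>.cip (braces included).
$PolicyId = ([xml](Get-Content -Path $Merged)).SiPolicy.PolicyID
$Binary   = Join-Path $Work "$PolicyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $Merged -BinaryFilePath $Binary
Write-Host "Audit-mode policy $PolicyId compiled to $Binary; deploy via GPO or MEM and reboot."
```

Test the compiled policy on one workstation before rolling it out: a mistake in the allow rules in audit mode only costs you noisy logs, but the same mistake in enforced mode blocks the applications the workstation needs.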


Lookout!

As with many of the other steps in the Essential 8 at Maturity 2, logging is an important part to consider. Allowed and blocked executions on workstations and internet-facing servers are logged. At Maturity 3 this is extended to capture logs from all servers, together with the use of a SIEM solution like Azure Sentinel.

For Maturity 2, Calibre 1 recommends setting up an Azure Log Analytics workspace as a bastion host to capture and retain logs. In this way, should any portion of a network be compromised, the logs are stored remotely in a safe and hardened location for review. This also provides the option to enable Sentinel in the event of a security incident, to help comb the logs for the source of the security event. At Maturity 3 this function is always enabled, presenting more real-time options to capture security events in progress and prevent a major event from occurring. Calibre 1 offers security services to monitor and action events from Sentinel, as tuning and handling the alerts takes significant effort.
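The logs that matter most during the audit period are the Code Integrity events that say what the policy would have blocked, and where the file was trying to run from. The script below, an added example and not part of the original post, pulls those events from a workstation and groups them by location so the audit review can tell "user profile and temp" hits (the behaviour the policy exists to stop) from "Program Files / Windows" hits (a missing allow rule or a Microsoft block rule firing). It assumes a local or remoted session on the audited machine, and that the event message wording matched by the regex is what that Windows build emits.

```powershell
# Added example (not from the original post): triage audit-mode WDAC events so
# the audit period produces an allow-list instead of surprises at enforcement.
# Assumptions: run on (or remoted to) the audited workstation; the message
# wording in the regex matches the Code Integrity events on that build.
$Since = (Get-Date).AddDays(-30)   # Maturity 1: one-month audit window

# 3076 = audit mode "would have been blocked"; 3077 = blocked under enforcement.
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077
    StartTime = $Since
} -ErrorAction SilentlyContinue

$Findings = foreach ($E in $Events) {
    # The message names the loading process and the file that failed policy.
    if ($E.Message -match 'process \((?<Proc>[^)]+)\) attempted to load (?<File>.+?) that did not meet') {
        $File = $Matches.File
        $Proc = $Matches.Proc      # capture now: switch -Regex overwrites $Matches
        # Where did it try to run from? User profiles and temp folders are the
        # locations the policy is meant to close off; hits under Program Files
        # or Windows usually mean a missing allow rule or a Microsoft block rule.
        $Zone = switch -Regex ($File) {
            '\\Users\\'                   { 'UserProfile'; break }
            '\\Temp\\|\\tmp\\'            { 'Temp'; break }
            '\\Program Files|\\Windows\\' { 'AllowedTree'; break }
            default                       { 'Other' }
        }
        [pscustomobject]@{
            Time    = $E.TimeCreated
            Mode    = if ($E.Id -eq 3076) { 'Audit' } else { 'Enforced' }
            Zone    = $Zone
            File    = $File
            Process = $Proc
        }
    }
}

# Summary for the review: events and distinct files per zone.
$Findings | Group-Object Zone | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'DistinctFiles'; e = { ($_.Group.File | Sort-Object -Unique).Count } }

# Keep the raw findings beside the Log Analytics copy as the audit trail.
$Findings | Export-Csv -Path 'C:\WDAC\audit-findings.csv' -NoTypeInformation
```

When the Azure Monitor agent forwards the Microsoft-Windows-CodeIntegrity/Operational channel to the Log Analytics workspace, the same two event IDs are what a Sentinel analytics rule should key on at Maturity 3.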


Conclusion

There we have it: 8 Essential Cyber Security recommendations from the Australian government, spanning 3 levels of security maturity for 24 recommendations, 10 different tools to get there and 6,500+ words, hopefully turning the 8 into something a little more consumable. As outlined, the 8 don't have to be an impossibly huge task for IT staff, and importantly, Calibre 1 is here to help you on the journey; please reach out to us for assistance with set-up, or just for advice on how to go!


Tools

Airlock Digital/Windows Defender Application Control
Microsoft 365 Business Premium
Microsoft Defender Plan 2 – mostly covered by Business Premium
Azure Patching
Azure Automation
Microsoft Endpoint Manager – covered by Business Premium
Azure Active Directory Plan 1,2 – Mostly covered by Business Premium
Backup Software like Azure Backup
Azure Log Analytics Workspace
Azure Sentinel
