White Cloud Security Trust Lockdown Version 1.5.0
How It Works
Trust Lockdown System Overview
How It Works
White Cloud Security Trust Lockdown employs a Cyber-Metric Handprint Technology utilizing 6-Factor Authentication (SHA-1, SHA-256, SHA-512, MD5, CRC32, and file length) to uniquely identify each file, ensuring only files on a pre-approved Trust-List can run. Combined with its Default-Deny methodology, this approach effectively blocks all malware and unauthorized software by only allowing explicitly pre-approved software to execute.
The Trust Lockdown Security Groups Inheritance Tree manages administrator access and software policies hierarchically, with child groups inheriting policies from parent groups to ensure consistency across an organization. This structure simplifies and scales the management of both administrator access and software policies.
Trust Lockdown System Components
- Endpoint Security Agent
- Centrally Managed Service
General Flow of App Security Policy operations
- The end user or a process initiates the loading of software.
- The Trust Lockdown Security Endpoint Agent applies a local policy if it exists
- Otherwise, the Agent requests Approval from the Trust Lockdown Service
- The Service returns any applicable Policy, otherwise approval is always denied
- For Endpoints using Monitor Mode, unknown software is logged but allowed to run
System Components Interaction Diagram
```mermaid
graph BT
user[End User Runs Software] --> execve
subgraph Protected Computer
execve[Operating System\nKernel Executive]
whack[Kernel\nSecurity Module\nApplies App Policies]
execve --> whack
whack --> kmcache[Kernel\nMemory Cache]
kmcache --> whack
whack -- req --> whacker[Security\nAgent]
whacker --> diskcache[Local\nPersistent Cache]
diskcache --> whacker
whacker -- ack --> whack
whack --> execve
end
whacker -. Verify\nApp .-> dca
dca -. App\nPolicy .-> whacker
subgraph Trust Lockdown Service
nfs[NFS\nFilesystem]
mysqld[MySQL\nDatabase]
dca[Data Center Appliance]
nfs <-- File\nAccess --> dca
mysqld <-- DB\nAccess --> dca
end
```
Key Features:
- Default-Deny Execution Control: Trust Lockdown implements a Default-Deny Security Model that blocks the execution of all unauthorized and unknown software, allowing only those applications, libraries, and scripts that are explicitly approved for the endpoint to run.
- Zero-Trust App Security Enforcement: Each time software tries to load, its 6-Factor Authentication Identity is re-computed to verify it is on the approved software list.
- Zero-Trust Admin Access Enforcement: Each time any account owner tries to access information or admin controls, their role-based access rights are applied to that request, even if they are already logged in.
- Zero-Trust Folder Protection: Instead of whitelisting folders used by tools to run dynamically generated scripts, Trust Lockdown only allows scripts run by the parent process. This prevents the misuse of whitelisted folders to run unauthorized and malicious software.
- Efficient Trust Verification: By leveraging memory-based caching for approval lookups and caching the policy responses in kernel memory, Trust Lockdown minimizes the performance overhead associated with approval verification.
- Comprehensive Coverage: Trust Lockdown hooks into critical points of the operating system's kernel file operations API, using established security hooks for executable programs and memory-mapped files, and monitors software file write operations to invalidate memory cache records, ensuring comprehensive execution control.
- Flexible Operation Modes: Trust Lockdown supports multiple operating modes (Blocking, Monitoring and Learning), providing flexibility in how execution control policies are enforced, monitored and created.
Using Security Groups
Trust Lockdown Security Groups
What are Security Groups?
Similar to Windows Active Directory, Trust Lockdown uses Security Groups to collect organizations, accounts, computers and software policies into manageable units.
Types of Security Groups
Each organization has its own "main" Security Group at the root of its Security Groups Tree. This group can have one or more child Security Groups that can be:
- a Security Group (for App Policies, Trust Profiles or associated Endpoints)
- a Software Profile Group
- an Admin Group
Policy Inheritance
An Inheritance Tree
Children of a Security Group inherit the App Policies and Admin Access rights of this Security Group, unless the Child Security Group has disabled "Inheritance" in its Profile Settings.
Disabling "Inheritance" in a Security Group defines it as the root of a new "Inheritance Tree".
New Inheritance Trees
Disabling Inheritance in any Security Group establishes that group as the root of a new independent Security Group Tree. Any App Policies, Software Profiles or Admin Groups trusted in this Security Group will be inherited by all of the subgroups beneath, down to where any of them disable their own "inheritance".
Using Inheritance anywhere
Similarly, any App Policy, Software Profile or Admin Group trusted in any part of an "Inheritance" tree will be inherited by all of the subgroups beneath it, down to where any of them disable their own "inheritance".
Simplified Management
Using "Inheritance" simplifies management of App Policies, Software Profiles and Admin Access Rights for an organization or any part of it.
"Inheritance Tree" Policies
Policies that should apply across an entire group of Endpoints only need to be trusted once, at the top of that "Inheritance Tree".
Removing that Policy later removes it from the entire tree with a single operation.
Narrow Policy Usage
When a Policy is only needed for a portion of an organization or inheritance tree, it can be trusted at just those points in the Security Groups Tree that require it.
Changing Inheritance
When conditions require that an "Inheritance Tree" be divided, the Admin can "select" just the policies that should be continued into the new inheritance tree, and then disable inheritance where the necessary policies have been trusted directly.
Inheritance for Admin Groups
Admin Groups give the Administrators (trusted in the Admin Group) access to any Security Group that inherits trust for that Admin Group. To use Admin Group Inheritance:
- Create an Admin Group (e.g. "WCS Admins")
- Trust Administrators in the Admin Group (e.g. Mike, David)
- Trust the Admin Group (e.g. "WCS Admins") in a Security Group
Now Mike and David have admin access to that Security Group and to any of its subgroups that inherit the trust for the "WCS Admins" admin group.
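The inheritance rules above, worked through in code. This is an added example, not White Cloud Security's own code: it models a Security Groups Tree in which policies and Admin Groups trusted in a group flow down to its subgroups until one of them disables Inheritance. The group names come from the dashboard walkthrough in this document; the policy names, the "Sales Admins" group and the administrator "Ana" are constructed for the demo.

```python
"""Model of the Security Groups Inheritance Tree (added example, not product code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class SecurityGroup:
    name: str
    parent: Optional["SecurityGroup"] = field(default=None, repr=False, compare=False)
    inherit: bool = True                                   # "Inheritance" in Profile Settings
    trusted_policies: Set[str] = field(default_factory=set)
    trusted_admin_groups: Set[str] = field(default_factory=set)
    children: List["SecurityGroup"] = field(default_factory=list, repr=False, compare=False)

    def add_child(self, name: str, inherit: bool = True) -> "SecurityGroup":
        child = SecurityGroup(name, parent=self, inherit=inherit)
        self.children.append(child)
        return child

    def inheritance_chain(self) -> List["SecurityGroup"]:
        """This group and its ancestors up to the root of its Inheritance Tree: the
        nearest ancestor-or-self that has disabled Inheritance, or the org's main
        group. Groups above that root contribute nothing to this group."""
        chain = [self]
        node = self
        while node.inherit and node.parent is not None:
            node = node.parent
            chain.append(node)
        return chain

    def effective_policies(self) -> Set[str]:
        """App Policies trusted directly here or inherited down the chain."""
        return set().union(*(g.trusted_policies for g in self.inheritance_chain()))

    def effective_admin_groups(self) -> Set[str]:
        return set().union(*(g.trusted_admin_groups for g in self.inheritance_chain()))


def admins_with_access(group: SecurityGroup, admin_groups: Dict[str, Set[str]]) -> Set[str]:
    """Administrators who can manage `group`: everyone trusted in an Admin Group
    that the group trusts directly or inherits."""
    return set().union(*(admin_groups.get(ag, set()) for ag in group.effective_admin_groups()))


def split_inheritance_tree(group: SecurityGroup, keep: Set[str]) -> None:
    """The 'Changing Inheritance' procedure: trust the selected policies directly
    in the group first, then disable Inheritance, so the new tree starts with
    exactly those policies and nothing else from above."""
    for policy in keep & group.effective_policies():
        group.trusted_policies.add(policy)
    group.inherit = False


def demo() -> Dict[str, object]:
    # Tree from the dashboard walkthrough: main account > Internal > Test Lab / Sales
    main = SecurityGroup("my sandbox Main Account")
    internal = main.add_child("Internal")
    test_lab = internal.add_child("Test Lab")
    sales = internal.add_child("Sales")

    # Admin Group "WCS Admins" with Mike and David (from the text); "Sales Admins"/"Ana" constructed
    admin_groups = {"WCS Admins": {"Mike", "David"}, "Sales Admins": {"Ana"}}
    main.trusted_admin_groups.add("WCS Admins")            # trust the Admin Group at the top
    main.trusted_policies.update({"Microsoft Profile", "Adobe"})   # constructed policy names
    internal.trusted_policies.add("Internal Build Tools")

    before = admins_with_access(sales, admin_groups)        # Mike and David, via inheritance

    # Cut Sales into its own Inheritance Tree, keeping only the Microsoft profile
    split_inheritance_tree(sales, keep={"Microsoft Profile"})
    sales.trusted_admin_groups.add("Sales Admins")

    return {
        "test_lab_policies": test_lab.effective_policies(),
        "sales_admins_before": before,
        "sales_admins_after": admins_with_access(sales, admin_groups),
        "sales_policies_after": sales.effective_policies(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {sorted(value)}")
```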
Zero-Trust App Security Model
Trust Lockdown enforces a Zero-Trust Model for the following:
- App Security
- Admin Access
- Folder Protection
Zero-Trust App Security
Every time that software tries to load, whether an executable (EXE), a dynamically linked library (a DLL or SO file) or a script, Trust Lockdown intercepts the loading of that file in the operating system kernel and verifies that the software is authorized to run on that specific computer. If the software is unauthorized or unknown, it is blocked.
Approval Lookup Process
- The end user or a process initiates the loading of software
- The Trust Lockdown Kernel Security Module intercepts the loading of the code
- A policy is applied if it exists in the kernel memory policy cache
- Otherwise, the Local Service requests a policy from the Trust Lockdown Policy Lookup Service and applies it
- If the Trust Lockdown Service is unavailable, it applies a policy from its Persistent Cache
Approval Flow Diagram
```mermaid
graph LR
execve(End User or Process\ntries to\nLoad Software) --> whack(Kernel\nSecurity Module\nApplies App Policies)
whack --> kmcache((Policy\nCache))
kmcache --> whack
whack -- req --> whacker(Local Service)
whacker -.-> wcs
wcs[Trust Lockdown\nPolicy Lookup\nService] -.-> whacker
whacker --> diskcache((Local\nPersistent\nDisk Cache))
diskcache --> whacker
whacker -- ack --> whack
whack --> execve
```
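The approval lookup process above, as an added example rather than White Cloud Security's own code: a stand-in Policy Lookup Service, a Local Service with a persistent cache, and a kernel module with a memory cache, wired together in the order the list and diagram describe. The class names, the "allow"/"deny" policy values, and the choice to deny when neither the service nor the persistent cache has an answer are assumptions for this illustration.

```python
"""Layered approval lookup: kernel cache -> local service -> lookup service / persistent cache."""
from typing import Dict, List, Optional, Tuple

ALLOW, DENY = "allow", "deny"


class PolicyLookupService:
    """Stand-in for the central Trust Lockdown Policy Lookup Service (assumed API)."""

    def __init__(self, trust_list: Dict[str, str], available: bool = True):
        self.trust_list = trust_list      # handprint -> policy
        self.available = available
        self.requests = 0                 # counts round trips, to show the caches working

    def lookup(self, handprint: str) -> Optional[str]:
        if not self.available:
            raise ConnectionError("Trust Lockdown Service unreachable")
        self.requests += 1
        return self.trust_list.get(handprint)    # None: no applicable policy


class LocalService:
    """The endpoint agent: asks the service, remembers answers on disk, and falls
    back to that persistent cache when the service cannot be reached."""

    def __init__(self, service: PolicyLookupService):
        self.service = service
        self.persistent_cache: Dict[str, str] = {}

    def policy_for(self, handprint: str) -> str:
        try:
            policy = self.service.lookup(handprint)
        except ConnectionError:
            return self.persistent_cache.get(handprint, DENY)   # assumption: deny if unknown offline
        policy = policy if policy is not None else DENY          # no policy: approval denied
        self.persistent_cache[handprint] = policy
        return policy


class KernelSecurityModule:
    """Intercepts loads. The memory cache is keyed by path and records the handprint
    the policy was issued for, so a recomputed handprint that differs forces a fresh
    request; a write to the file drops the cached record outright."""

    def __init__(self, agent: LocalService, mode: str = "blocking"):
        self.agent = agent
        self.mode = mode                  # "blocking" or "monitoring"
        self.memory_cache: Dict[str, Tuple[str, str]] = {}
        self.events: List[str] = []

    def on_load(self, path: str, handprint: str) -> bool:
        """Return True if the load is allowed to proceed."""
        cached = self.memory_cache.get(path)
        if cached is not None and cached[0] == handprint:
            policy = cached[1]
        else:
            policy = self.agent.policy_for(handprint)
            self.memory_cache[path] = (handprint, policy)
        if policy == ALLOW:
            return True
        if self.mode == "monitoring":     # Monitor Mode: logged but allowed to run
            self.events.append(f"monitor-mode-exception {path}")
            return True
        self.events.append(f"blocked {path}")
        return False

    def on_file_write(self, path: str) -> None:
        self.memory_cache.pop(path, None)


def demo() -> Dict[str, object]:
    # Constructed handprint strings stand in for the six-factor identities.
    service = PolicyLookupService({"hp-tool-v1": ALLOW})
    agent = LocalService(service)
    kernel = KernelSecurityModule(agent)

    first = kernel.on_load("/opt/tool/run", "hp-tool-v1")        # service round trip
    second = kernel.on_load("/opt/tool/run", "hp-tool-v1")       # served from memory cache
    unknown = kernel.on_load("/tmp/dropper", "hp-unknown")       # default-deny
    kernel.on_file_write("/opt/tool/run")                        # file patched on disk
    patched = kernel.on_load("/opt/tool/run", "hp-tool-v2")      # new identity: denied

    service.available = False                                    # outage; cold kernel cache
    offline = KernelSecurityModule(agent)
    offline_known = offline.on_load("/opt/tool/run", "hp-tool-v1")   # persistent cache
    offline_new = offline.on_load("/tmp/other", "hp-never-seen")     # nothing cached: denied

    return {
        "first": first, "second": second, "unknown": unknown, "patched": patched,
        "offline_known": offline_known, "offline_new": offline_new,
        "service_requests": service.requests, "events": kernel.events,
    }


if __name__ == "__main__":
    print(demo())
```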
Zero-Trust Admin Access
Every time that any Admin operation is attempted (a create, read, update or delete operation), Trust Lockdown's Zero-Trust Admin Access model verifies that the Admin has access to view or modify that specific setting or control for that Security Group or Org. If an Admin's access is reduced or removed, even while logged in, that admin is restricted accordingly on the very next admin operation.
Zero-Trust Folder Protection
Software (such as RMM tools) that dynamically generates scripts can't run under traditional application control because the script's hash is different on each invocation. To allow these dynamically generated scripts to run, traditional application control requires an allow policy that whitelists the folder the scripts run from. This kind of default-allow policy allows any software or malware to be run from that folder.
Trust Lockdown only allows scripts run by the parent process that launches the dynamically generated script. This prevents the misuse of whitelisted folders to run unauthorized and malicious software.
How Trust Lockdown 6-Factor Zero-Trust Works
The White Cloud Security (WCS) Zero-Trust App Security applies its U.S. Patent No. 9,589,130 cyber-metric handprint technology, utilizing six-factor authentication to ensure robust security for both software components accessing computer resources and the data files being targeted. This method uses five hashes (or fingerprints) along with the file length (together referred to as a "handprint") to accurately identify software, so that the applicable policies can be applied at the endpoint agent in the Trust Lockdown system. This approach provides Zero-Trust App Security.
WCS Blocks AI Generated Polymorphic Malware
Due to Trust Lockdown's methodology of protection, it blocks next-generation AI-generated polymorphic malware. It uniquely identifies each file based on its exact filestream content rather than patterns that can be changed by polymorphic techniques. Combined with a Default-Deny strategy, only files that match approved "handprints" are allowed to run; everything else is blocked. By matching these factors against a Trust-List, White Cloud Security ensures that only approved files can execute, effectively preventing malware, including AI-generated mutations. This also prevents the use of unauthorized software and IT tools, even by Windows administrators with root level privileges.
```mermaid
flowchart TD
A[Software Component Request] --> B{6-Factor Authentication}
B -->|SHA-1| C[Generate Hash]
B -->|SHA-256| D[Generate Hash]
B -->|SHA-512| E[Generate Hash]
B -->|MD5| F[Generate Hash]
B -->|CRC32| G[Generate Hash]
B -->|File Length| H[Check File Length]
I[Compare with Trust List] --> J{Trusted?}
C & D & E & F & G & H --> I
J -->|Yes| K[Apply Appropriate Policy]
J -->|No| L[Deny Access]
K --> M[Allow Access]
L --> N[Block Access]
```
Key Aspects of the Zero-Trust App Security Model
Trust-Listing Technology
Unlike traditional blacklisting or even whitelisting methods, trust-listing involves a more dynamic and precise way of controlling which applications can run and which files can be accessed. This method involves maintaining a list of trusted software, with strict control over what can be added to these lists and who can change them.
6-Factor Authentication Using Hashes and File Length
The system employs a combination of five different hashing algorithms (SHA-1, SHA-256, SHA-512, MD5, and CRC32) along with the file length. This multi-hash approach increases the accuracy of identifying software files. Hashing algorithms generate unique digital fingerprints for files, making it extremely difficult for malicious software to mimic or alter files without detection.
Hashing Algorithms:
- SHA-1, SHA-256, SHA-512: Part of the Secure Hash Algorithm family, widely used for secure data integrity verification.
- MD5 and CRC32: Older but still common hashing algorithms, offering additional layers of verification.
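The six-factor handprint and the Trust-List match it feeds, as an added example (not White Cloud Security's code) for the identification method described in this section and in the overview above. It computes all five digests and the length over the identical byte stream, then applies a default-deny decision; the Trust-List layout, the policy names "trusted" and "malware", and the sample "files" are constructed for the demo.

```python
"""Six-factor handprint (SHA-1, SHA-256, SHA-512, MD5, CRC32, length) with default-deny lookup."""
import hashlib
import zlib
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Handprint(NamedTuple):
    sha1: str
    sha256: str
    sha512: str
    md5: str
    crc32: str
    length: int


def handprint_from_chunks(chunks: Iterable[bytes]) -> Handprint:
    """Hash a byte stream incrementally so a large file is never held in memory.
    All five digests and the length cover the identical bytes, so a Trust-List
    entry matches only when every one of the six factors matches."""
    digests = {name: hashlib.new(name) for name in ("sha1", "sha256", "sha512", "md5")}
    crc = 0
    length = 0
    for chunk in chunks:
        for d in digests.values():
            d.update(chunk)
        crc = zlib.crc32(chunk, crc)
        length += len(chunk)
    return Handprint(
        sha1=digests["sha1"].hexdigest(),
        sha256=digests["sha256"].hexdigest(),
        sha512=digests["sha512"].hexdigest(),
        md5=digests["md5"].hexdigest(),
        crc32=f"{crc & 0xFFFFFFFF:08x}",
        length=length,
    )


def handprint_of_bytes(data: bytes, chunk_size: int = 1 << 20) -> Handprint:
    """Handprint of an in-memory file image; the chunk size does not change the result."""
    return handprint_from_chunks(data[i:i + chunk_size] for i in range(0, len(data), chunk_size))


def handprint_of_file(path: str, chunk_size: int = 1 << 20) -> Handprint:
    """Handprint of a file on disk, read in fixed-size chunks."""
    with open(path, "rb") as f:
        return handprint_from_chunks(iter(lambda: f.read(chunk_size), b""))


# Assumed Trust-List layout: exact handprint -> "trusted" or "malware".
TrustList = Dict[Handprint, str]
BLOCKING = "blocking"
MONITORING = "monitoring"


def decide(hp: Handprint, trust_list: TrustList, mode: str, events: List[Tuple[str, str]]) -> str:
    """Default-deny decision for one load attempt:
    - exact match to a 'trusted' entry: run
    - exact match to a 'malware' entry: block, even in Monitor Mode (as in the
      Advisor ransomware scenario later in this document)
    - unknown handprint: block in Blocking mode; in Monitor Mode log a
      Monitor Mode Exception but let it run."""
    policy = trust_list.get(hp)
    if policy == "trusted":
        return "run"
    if policy == "malware":
        events.append(("blocked-malware", hp.sha256[:16]))
        return "block"
    if mode == MONITORING:
        events.append(("monitor-mode-exception", hp.sha256[:16]))
        return "run"
    events.append(("blocked-unknown", hp.sha256[:16]))
    return "block"


def demo() -> Dict[str, str]:
    """Constructed sample 'files': an approved tool, a one-byte variant of it (how a
    polymorphic rewrite or a patched binary looks to the handprint), and a known-bad
    sample. Returns the decision for each."""
    approved = b"MZ\x90\x00constructed-sample-tool-v1.0"
    variant = approved[:-1] + b"1"            # same length, every hash differs
    known_bad = b"MZ\x90\x00constructed-sample-dropper"
    trust_list: TrustList = {
        handprint_of_bytes(approved): "trusted",
        handprint_of_bytes(known_bad): "malware",
    }
    events: List[Tuple[str, str]] = []
    return {
        "approved": decide(handprint_of_bytes(approved), trust_list, BLOCKING, events),
        "variant": decide(handprint_of_bytes(variant), trust_list, BLOCKING, events),
        "known_bad": decide(handprint_of_bytes(known_bad), trust_list, BLOCKING, events),
        "variant_monitor": decide(handprint_of_bytes(variant), trust_list, MONITORING, events),
        "known_bad_monitor": decide(handprint_of_bytes(known_bad), trust_list, MONITORING, events),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} -> {verdict}")
```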
Application of Appropriate Policies
Once the system accurately identifies software files, it applies predefined policies to control how these entities can interact. This includes determining which applications are allowed to run on the endpoint, even by privileged users.
Zero-Trust App Security
The principle of "Zero Trust" in application security means that no software is trusted by default, even if it is inside the network perimeter. Every application must prove its legitimacy before it can execute or access resources.
Benefits of the Multi-Layered Zero-Trust Approach
This multi-layered, zero-trust approach to application security helps significantly reduce the risk of data breaches, insider threats, and malware infections, including sophisticated ransomware attacks. By rigorously controlling and monitoring which applications can run, WCS's Zero-Trust App Security provides a robust security framework for protecting critical digital assets in an organization.
Data Center Appliance (DCA) Overview
Trust Lockdown Service Architecture
System Components
The Trust Lockdown DCA consists of 4 components:
- an Application Server Cluster
- a MySQL Database
- a Network File Storage (NFS) shared filesystem
- an email gateway
Application Server Cluster
The Trust Lockdown Service consists of a cluster of web application servers that process App Approval Requests from Endpoint devices via HTTPS.
The Application Service can use a single domain name:
- wcs.dca.domain.tld
or provide two subdomain names, one for endpoints and the other for admins:
- ep.dca.domain.tld
- admin.dca.domain.tld
Using two separate subdomain names ensures that the requests being serviced for endpoint protection are not disrupted by admin access to the service cluster.
Application Service Functionality
This web application service controls:
- Zero-Trust App Security on each endpoint device
- Zero-Trust Admin Access for App Policy and Endpoint Management
- Zero-Trust Account Access to Security Events, Endpoint Status and Reports
- App Policy Violation Monitoring
- Reports on System Activity
- Syslog Event generation for Remote System Monitoring
Trust Lockdown Components
Trust Lockdown Service Components
- Organizations
  - Login Accounts
    - Deleted Login Accounts
  - Admin Groups
    - Authorized Administrators
  - Security Groups
    - Endpoints
      - Events
        - Blocked Apps
        - Policy Exceptions
        - Run History
        - Host Events
  - Organization Policies
    - Organization Members
      - Login Accounts
    - Password Requirements
    - 2-FA Usage
Organization Components Diagram
```mermaid
graph
subgraph Organizations
org[Organization]
subgraph op[Org Policies]
members[Members]
pass[Password\nRequirements]
mfa[2-FA Usage]
end
org --> op
u[Login Accounts]
du[Disabled Login Accounts]
ag[Admin Groups]
members --> u
org --> sgs
u --> ag
u -. Disable .-> du
ag -.-> sgs
org --> ag
subgraph sgs[Security_Groups Tree]
subgraph sg[Security Groups ...]
subgraph eps[Endpoints ...]
subgraph events[Events ...\n\nBlocked Events\nPolicy Exceptions\nRun History\nHost Events\n]
end
end
end
end
end
```
Security Policy Components Diagram
Policy Components
- Software Sources
  - App Security Policies
    - Policy Profile
      - Code-Signing Certificates
      - App Handprints
      - Trusted or Monitored Children
      - Secure Folder Management
Security Policy Component Relationships
```mermaid
graph TD
ss[Software Sources]
aps[App Security Policies]
subgraph ap[Policy Profile]
certs[Code-Signing Certificates]
hands[App Handprints]
tcm[Trusted or Monitored Children]
fold[Secure Folder Management]
end
ss --> aps
aps --> ap
```
System Activity Information
- Org Admins
  - Manage Org Policies
  - Add and Remove Org Members
  - All Org Viewing Privileges
- Org Viewers
  - View Org Reports
  - View Security Group Events
  - View Pivot Tables
- Group Admins
  - All Viewing Operations for Security Groups they access
  - Security Group Management
    - Trust and Untrust Profiles
    - Add and Remove App Policies
    - Change Security Controls and Inheritance
    - Change Security Group Name and Alert Email Address
    - Manage Endpoint Agent Deployment
  - Host Management
    - Override Security Group Settings for Host
    - Disable and Enable Hosts
    - Start and Stop Learn Mode for Host
    - Archive and Unarchive Hosts
  - Event Management
    - Create Policies from Events
    - Export Events
    - Archive/Restore Events
System Activity Visibility
```mermaid
graph BT
subgraph ga[Group Admins]
subgraph em[Event Management]
subgraph policies[App Policies for Events]
hands[Policies for Handprints]
certs[Policies for Code-Signing Certificates]
tc[Policies for Trusted and Monitored Children]
mc[Policies for Securely Managed Folders]
end
archive[Archiving Events]
end
end
subgraph oa[Org Admin]
op[Manage\nOrg Policies]
om[Add and Remove\nOrg Members]
subgraph ov[Org Viewer]
reports[Org Reports]
sg[Security Group Events]
pt[View Pivot Tables]
end
end
```
How to Manage White Cloud Security
TAME Team
Security Admins are organized into TAME Teams that monitor events in Security Groups and manage the App Policies that control which software and scripts are approved to run.
TAME Team Assignment
Admins can be assigned to one or more Admin Groups. They can then monitor any or all of the Security Groups that their admin rights give them access to.
TAME Team Members see "Groups with Alerts"
The Monitoring Dashboard shows TAME Team members Policy Exceptions in real time.
They can also use external monitoring systems that process syslog events (e.g. a SIEM, MDR, EDR or XDR platform).
Activity Reporting
Monitoring Activity
Security activities can be monitored in three ways:
- Trust Lockdown Dashboard
- Syslog Monitoring
- Periodic Reporting
Trust Lockdown Dashboard
The "Groups with Alerts" panel provides real-time monitoring for App Policy Exceptions and Host Activity Alerts for all Security Groups, filtered by Admin Group membership, Security Group Name, and/or Organization Name.
Syslog Monitoring
Syslog events provide input for third-party monitoring tools such as Splunk, Netdata, Prometheus, Zabbix, and Logz.io for monitoring and alerting on App Policy Exceptions and Host Status Change Events.
Periodic Reporting
Weekly, Monthly, and Annual Reports provide data on both events and policy and configuration changes:
Activity During the Reporting Period
- Hosts Added
- Security Groups Created
- App Policies Created
- Software Profiles Followed During Period
- Software Profiles Unfollowed During Period
Historical Activity
- Hosts in Security Groups
- Security Groups Status
- App Policies Status
- Software Profiles Followed History
- Software Profiles Unfollowed History
- Application Users (End Users) by Security Group
Windows Security Agent Overview
Windows Mini-Filter Driver
White Cloud Security's Windows Security Agent is a Windows Mini-Filter Driver.
Mini-Filter Driver Security Agent
The White Cloud Security Mini-Filter Driver plays a critical role in enforcing application and data access control policies. By intercepting file operations, uniquely identifying files, and verifying their trust status against a comprehensive Trust-List, it ensures that only trusted files can execute or be accessed, thereby protecting the system from unauthorized or malicious software.
It is a Microsoft-recognized Windows security product that is assigned a Windows File Filter Driver Altitude in the 320000 - 329998 FSFilter Anti-Virus altitude range.
Quick Start Guide
Quick Start Overview
3 Basic Steps
- Setup Trust Lockdown (if deploying a DCA)
- Define Security Groups
- Deploy the Endpoint Agents
Setup Trust Lockdown
DCA Setup procedure
- Setup the DCA to use a Static IP Address
- Set the Service and Site Domain Name
- Set the MySQL DB Access Credentials
- Add the Master Admin
NOTE: Ensure that your Servers have static IP addresses. Also install a TLS Web Site Certificate on your Load Balancer. The endpoint agents require a valid TLS Web Site Certificate to authenticate.
Define Security Groups
Setup your Organization
- Enter your Organization name
- Create Admin Accounts
- Build the Organization's Security Groups Tree
Security Groups Tree Graph View
Choose Software you want to allow
- Trust Software Profiles
- Upload your Own Software Trust-Lists
- Build Trusted App Profiles
- Use an Admin Team to manage Trust Policies
Deploy Agents to your Endpoints
Deploying the Endpoint Agent
Deploy Trust Lockdown to your endpoints using
User Guide
Dashboard Overview
Purpose and Use
The White Cloud Security Dashboard provides a centralized interface for administrators to manage and enforce Zero-Trust App Security policies, monitor system statuses, and review access logs. It ensures comprehensive oversight and streamlined control of organizational security measures, including granular admin access management and robust folder protection.
Dashboard Sections
The WCS Dashboard has six functional sections.
Main Menu Column
The Main Menu provides the following options, which vary based on the account owner's privilege level:
- Add an Org (Account Agent+)
- Show "Groups I Manage"
- Show "Groups with Alerts"
- Graph View of my Org
- Graph View with my Clients' Orgs
- Show Groups by Notification Email Address
- Show Known CERT List
- Show Known CERT Issuers List
- Show System Logs (System Admin+)
- Show Most Recently Created Accounts (Account Agents+)
- Show Account Managers (Sales Admins+)
- Open Admin Pages (Dashboard Extensions)
- Admin Submenu:
  - Manage DCA Options (System Admin+)
  - Manage Malware Advisors (applies the selected Advisors' Malware Policies Globally)
  - Show Public Profiles
  - Show Enterprise Profiles
  - Show All Hosts in Blocking Mode
  - Show All Unprotected Hosts
  - Show All Disabled Hosts
  - Show All Hosts Needing Updates
  - Show All Uninstalled Hosts
  - Show All Unactivated Accounts
  - Show All Activated Accounts
  - Show Newest Paid Accounts
  - Create New Account
  - Resend Activation Email for New Accounts
Graph View
The Graph View shows a subgroup hierarchy for all the Organizations you are a member of. It displays Orgs, Member Accounts, and Security Groups in their inheritance trees, providing a quick understanding of how subgroups are related to each other and belong to the functional groups in the organization.
Context Window
The Context Window shows all the information related to one specific Security Group or one of its subgroups. This consists of four scrolling columns:
- Subgroup Column
- Profile Menu
- App Trust-List Browser
- Information Column
Subgroup Column
The Subgroup Column has a shortcut bar that provides a clickable icon for each of the following subgroup information panels:
- Blocked Apps
- Monitor Mode Exceptions
- Trusted App Run History
- Apps Trusted Directly in this Subgroup
- Profiles Trusted Directly in this Subgroup
- Hosts Assigned to this Subgroup
- Subgroups Owned by this Subgroup
- Show the Groups View for this Subgroup
- Profile Settings for this Subgroup
Profile Menu Column
The Profile Menu Column provides eight submenu options that allow the admin to view and manage policy profiles related to the current subgroup. It also includes a host status submenu that provides a set of simple panel selections to view the status of all the hosts in this subgroup and its child subgroups.
App Trust-List Browser
The App Trust-List Browser provides a simple viewer to search for and view Apps added to this Subgroup.
Information Column
The Information Column provides an "Online Help" button to open the Support page and other buttons to see the most recently used subgroups, system logs (System Admins+), and the secure WCS Newsfeed.
Log in to Trust Lockdown
This is how you log into the Dashboard using your Email Address, Password and 2-FA:
- Navigate to the Dashboard by entering the URL for your Trust Lockdown Dashboard into your browser
- Enter your Email address
- Enter your Password
- Enter your "2-Factor Authentication Code"
- Click the Login button
Dashboard Usage
This guide provides detailed instructions on the most important and commonly used features of our dashboard, complete with additional comments, scenarios, and practical examples.
Overview
Welcome to the White Cloud Security Dashboard. This manual is designed to help you navigate and operate the WCS Dashboard with ease. By following the instructions in this guide, you will become proficient in using the dashboard to manage your security tasks effectively. If you encounter any difficulties, feel free to revisit this manual as needed.
When you first access the dashboard, it might seem complex and overwhelming. This is a common initial reaction, but with practice and familiarity, you will find it intuitive and user-friendly. This guide will walk you through the essential features and functions, providing step-by-step instructions to ensure you can perform your duties confidently and efficiently.
Profile Settings
Let's begin by exploring our Profile Settings which you can see in your starting page. Click the "Gear" button.
Here in Profile Settings you can change your photo, turn on two-factor authentication to keep your account secure, reset the password you use to access your dashboard, get API Keys, change your personal information and your alert email address, set the visibility you would like your profile to have and, lastly, disable your account. Make sure to click "Apply Changes" if you do make any changes.
Close the profile settings panel.
Main Menu
Out of all the buttons that you see in your Main Menu, the three places where you are going to spend the majority of your time are "Groups I Manage", "Groups with Alerts" and "Graph View of My Org".
Groups I Manage will show you all the groups you manage depending on your access level.
Groups with Alerts will show you all the alerts (Monitor Mode, Blocked Apps, and Host events) that you have in all of the groups you manage.
Here is an example of how it looks in the "Groups with Alerts" panel. In this case we have 40 Monitor Mode Exceptions in one of our groups called Test Lab and one Blocked App event in one of our groups called Sales that belong to the organization "my sandbox".
In this dropdown list, you can configure how often the alert panel refreshes itself to show you new event alerts. If you don't want to wait for the refresh, you can click the name of the panel, "Groups with Alerts", or the "Refresh List" button at the bottom of the panel to reflect new events as they happen.
To make your day-to-day management more efficient, the panel provides a variety of filtering options. For example, if you are an admin for more than one group and you want to move between groups, select "By Admin Access" in the "Filter Subgroups" section; your groups then appear in a dropdown list, and selecting each group shows its alerts.
If you want to be alerted by a sound when you have new alerts coming, click on "Enable Alert Sounds" and configure the volume and also the ping sound.
You also have a shortcut section with three buttons: Blocked Apps, Monitor Mode Exceptions and Run Apps History.
Those three buttons when clicked will give you information about your events in all the groups you manage, according to your access level.
Next, you will learn how to configure your dashboard settings. Click the Gear button on top of the alerts panel. If you want to hide the dashboard settings, click the Gear button again.
In this panel you can configure important settings such as your time zone and "Shortcut Mode", which reduces the number of buttons in your "Your Profile" panel. "Default Event Date Range" changes your event lists to cover the month before the current day, so you can see everything that happened during that timeframe (you can choose your preferred date range). "Banner Display" can be configured to last more or less time according to your preferences. If you make any changes, click "Save Changes."
This is how it looks if you decide to configure the use of dropdown lists in your dashboard settings.
Close your current "Groups with Alerts" panel; it is now time to explore one of our newest features, the "Graph View".
There are two ways to access the graph view, the first way is through your Main Menu by clicking on "Graph View of My Org".
The second way to access your Graph View is through "Your Profile" section by clicking the button at the top or clicking "My Tree View".
Note: If for example you are located at the "Test Lab" subgroup and you click "My Tree View" you will have the tree view of Test Lab and its inheritance tree.
Graph View
This is the "Test Lab" subgroup and as we can see we are part of the group Internal which is part of "my sandbox Main Account" (The top of the tree). The tree view makes navigation throughout your groups quick and easy. Let's move to the "Internal" subgroup by clicking it directly.
We are moved to the "Internal" subgroup with just one click and we now see that the "Internal" subgroup has more subgroups below it in its inheritance tree.
Profile Menu
The Apps I Trust button provides you with information about the apps and CERTs in any subgroup you go to. Click on "Apps I Trust" to see more information.
In this case, the "Internal" group has only trusted two CERTs, and you can disable or re-enable them. You are also provided with a filter to search by App Name or CERT by clicking "Filters".
Click "APPS I RAN" in order to see information about real time app usage running on your system or systems located in your group.
This is extremely useful if, for example, one of your admins trusts a CERT that should not have been trusted and you have to determine which apps were signed with that certificate, when this happened, and when those apps ran on your system or systems. The available filters make all of this straightforward.
Click "PROFILES I TRUST"
Profiles I Trust allows you to trust a profile of a product or person whose trust you would like to inherit. In this case we see that I trusted an "Admin Group". This means that I will inherit trust from this profile.
"Groups Trusting Me" is an admin group or groups that have trusted you to handle the trust of people who trusted them. If an admin group trusts me, then I will be part of an admin group and I will be able to access and manage everybody's subgroups who trusted the admin group.
Subgroup Menu
Here is another example of "Profiles I Trust". Click on Profiles I Trust on the Subgroup Menu, part of the Subgroup Configuration.
We at WCS are constantly adding new trust to the profiles to make sure that all of our customers have the best protection. For example, imagine a situation in which you are in Monitor Mode (not protected, but alerted) and you execute a file that you thought was legitimate, but which was instead a piece of "Ransomware" looking to encrypt your system. Surprisingly, however, the moment the ransomware tried to execute, it was blocked instantly.
What just happened? Why was the Ransomware blocked if I am not protected? In this scenario, a few days ago you trusted "Ziggy at White Cloud", and he had already added a Malware policy to his Trust-List identifying this same threat as Ransomware. Because you trusted him, his trust is inherited by you and by everyone else who trusts him.
Software I can Trust is a very fast way to add trust by trusting product profiles of common software products that you are likely to encounter in your daily life or job. Click Software I can Trust to see more information.
Software I can Trust allows you to easily trust and manage the profiles of well-known, safe commercial software or software developed in house.
Now that Adobe has been trusted, I could run the Adobe tools without any issue.
If you suddenly decide that you are no longer required to use a product, you can just click "Distrust" to disable the trust in your subgroup.
"Admins I Can Trust".
Admins I Can Trust lists all the admin groups you can trust if you want them to manage your group or groups.
Click "Manage Advisor Access" if you want to invite someone you know to help with your subgroup's trust, either by making them an admin or by only granting them "Advisor" access so they can give you advice.
I cannot manage my trusted apps alone, so I want to bring in my friend John, who is very smart. Before I can grant John access to my subgroup, I must certify that I know him by clicking "I know Them".
In the example below, John is an Advisor to my subgroup: he can see which apps I use in Monitor Mode and which apps get blocked in Blocking Mode. With this access he can help me decide what needs to be trusted and what should stay blocked.
To give John Edit Access, so he can make changes for me, I click "Advisor".
John has been doing a great job and is knowledgeable about app trust, so I make him an admin; he can now manage my subgroup and the subgroups that fall under it.
Today John called to say he found his dream job in another country and is moving, so he can no longer manage my groups. I remove his admin privileges by clicking "Stop Admin".
Click "Stop" to remove his Edit Access too, so he can no longer make changes.
John is still my Advisor. To stop him from being my Advisor, I only need to click the question mark "?" next to John's account.
Click "Certified Advisors" to see your trusted advisors.
The "Advisors I know" section lists the advisors you trust right now. If you revoke an Advisor's access in "Manage Advisor Access", they no longer appear in this list.
"Directly Trusted Profiles" are the profiles you trusted directly; your subgroup or groups inherit trust from their inheritance trees.
In this example I have trusted six profiles and I inherit their trust.
Click "Trusted & Inherited Profiles"
In this panel you can see all of the profiles that were directly trusted from "Profiles I Can Trust"; the green arrow indicates that their trust is inherited.
Trust-Lists
Click "Show Trust-Lists" to access specific subgroup Trust-List.
This is your subgroup's Trust-List, where all of your Trusted Apps, Trusted CERTs, Trusted Folders and Block Policies (Malware, Denied, Distrusted) live together. Every time you trust an app based on its handprint, trust a CERT or apply a Block Policy, the resulting entry appears here.
Click "Add Fingerprints" to import a Fingerprint File and add its apps to your Trust-List.
Online Help
"Online Help" is the place to go if you have an issue or need help with our dashboard or our service.
You will be taken to the Online Help section, where you can read the User Guide and the technical documentation; if that does not solve your problem, email our support team or call us.
Newsfeed
Click "Show Newsfeed"
The News Feed is the place where you can see what you and the people you trust have been doing. For example, "Ziggy at White Cloud untrusted an App on Test Lab". The News Feed can also be used to add comments to the subgroup's admins or owners (according to your access level).
Click the "mail letter" button to open the comments panel, where you can add a comment to your news feed or to another group you have access to.
Enter a title for your post and then your comment; when you have written your message, click "Post".
Click on the "Gear" icon in "YOUR NEWSFEED", to configure what you see on your news feed and the number of posts you wish to see.
Recently viewed
The "Log" button hides your "Recently Viewed Subgroups" section. Click it again to show the section.
Alert Info Options
The "Alert Info Options" button gives you four different options to see more information about your organization, subgroups, everything you manage and your clients.
Click the red alert to hide that specific panel.
Click the "Alert Info Options" button if you want to hide it.
Admin Pages
Another useful place you will encounter at some point, depending on your level of privileges, is "Open Admin Pages".
The "Open Admin Pages" panel holds tools for more complex situations, when you need specific and specialized information about your organization, including moving computers between subgroups.
Profile Menu - Shortcuts
Let's make a quick refresher on what the Profile Menu buttons do. The red lock is the Blocked Apps list, click it to see your blocked apps.
The yellow button with a magnifying glass is the Monitor Mode Exceptions list. Click on it to see your Monitor Mode alerts. Below you can see how it looks when you have blocked apps.
This is how it looks when you have Monitor Mode Exceptions, in this example we had a lot of alerts coming as "Monitored Children". For more information about the types of trust and methods to add trust, please check our other sections.
This is the "Run Apps History" where you can see all of the apps executing in your system or systems in real-time.
This is how it looks when you have a system running and all of your apps and system apps are being seen as they execute. We provide you with additional filters to help you make complex searches and gather all the info you need.
This is the "Trusted Apps" button in which you can see what apps have been trusted in that specific subgroup.
This example shows you have several apps trusted and indicates which one is an app, which one is a Trusted CERT, and more.
Next, let's click on the "Trusted Profiles" button to see your trusted profiles.
This is an example of your Trusted Profiles panel when you have added profiles that you trust and want their trust to be inherited by your subgroup.
The "Host List" will show you how many computers you have on that specific subgroup.
This is how it looks when you have computers in your "Host List". In this example we only have one computer.
Now, it is time to explore the "Groups" button (The WCS logo icon).
This is how it looks when there are no subgroups under your subgroup. For example, I have 0 subgroups to show right now on Test Lab; if I click "Add new Subgroup", the new subgroup will appear in this list.
Click Edit Parent to go up one level in your group system or tree.
We are now at the "Internal" subgroup, one level up from Test Lab. Test Lab and IT DEPT are subgroups created inside the group "Internal" as explained in the previous step.
Let's make things more interesting and open the Tree View to compare the "Groups Panel" and the "Tree View".
Learning to navigate through your organization groups is a quick process, and will enable an administrator to identify and effectively manage and intercept malware and suspicious software, preempting their ability to disrupt or otherwise impair your operations.
We will now do a refresher on the Tree View and compare it to your groups panel.
We are on the Internal group, and you can see that IT Dept has subgroups under it. I can move to any group I have access to by clicking the Tree View button with that group's name; the profile panel updates immediately. I see 40 Monitor Mode events on Test Lab, which is in "Monitor Mode". I can jump to the Test Lab group, click the Monitor Mode alerts button (yellow magnifying glass) and apply filters to see how many events are signed or unsigned, launch a quick VirusTotal scan to check for issues and, if there are any, find the source of the alerts. For help on Investigations, please see our section "Conducting Investigations".
Importance of Trust Inheritance and Best Practices
"Trust Inheritance" is one of the most important processes for the administrator. Managing Trust Inheritance well is what makes Trust Lockdown manageable and keeps its default-deny posture intact. Every subgroup has its own Trust-List, so consider separating one department from another. For example, I would never allow unknown software on the Trust-List of the group where my Domain Controllers run, but I could allow that same unknown software on an isolated, unrelated subgroup on a different branch of the tree.
The Marketing department uses one kind of software, the Finance department another, and the IT Security department a completely different set.
My recommendation is to avoid adding trust at the top level of the tree unless it is strictly necessary. Trust inherits from the top level down to every group in the tree, so software added there should be legitimate, verified and needed by your whole organization. The risk is high: unchecked, unknown or unverified software trusted at the top level will be able to run everywhere if it turns out to be malicious, so stay far away from that situation.
Creating Admin Groups
What are Admin Groups?
Admin Groups give one or more Login Accounts admin access to one or more Security Groups.
How do Admin Groups Work?
They provide a simple way to manage which Admins can access which Security Groups.
Enabling Admin Access
When you Trust an Admin in an Admin Group, they have instant access to the Security Groups already trusting that Admin Group.
When you Trust an Admin Group in a Security Group, all Admins in that Admin Group have instant access to it and all its children in its "Inheritance Tree".
Disabling Admin Access
Similarly, Distrusting an Admin in an Admin Group instantly disables that Admin's access to all Security Groups in the "Inheritance Tree" trusting or inheriting the trust for that Admin Group.
Distrusting an Admin Group in a Security Group instantly disables admin access for ALL of the Admins in that Admin Group.
Using Admin Groups
What is Required?
To use Admin Groups you need to:
- Create an Admin Group
- Trust an Account Owner in the Admin Group
- Trust the Admin Group in a Security Group
Creating an Admin Group
Where to Create them
Where the Admin Group is created in your Organization's "Inheritance Tree" helps control who can view and manage the Admins in it.
- Creating it where the Org's top admins have admin access gives them control over it.
- Disabling "Inheritance" for the Admin Group restricts it to only those Admin Groups or Advisors directly trusted within that Admin Group.
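The following is an added example, not White Cloud Security code, that models the inheritance rules stated above and in the "Importance of Trust Inheritance" section: a group takes the trust of its parent chain, trusting an Admin Group in a Security Group gives every admin in it access to that group and all of its descendants, distrusting an admin or the admin group revokes that access on the next evaluation, and a group with inheritance disabled only honours trust placed directly on it. The group names, account names, handprint labels and the data model are this example's own assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Group:
    """One node of the Security Groups tree (constructed model)."""
    name: str
    parent: str | None = None
    inherit: bool = True                                     # the group's "Inheritance" switch
    trusted_profiles: set[str] = field(default_factory=set)  # Admin Groups trusted directly here
    trusted_apps: set[str] = field(default_factory=set)      # app/CERT policies added directly here


class Org:
    def __init__(self) -> None:
        self.groups: dict[str, Group] = {}
        self.admin_groups: dict[str, set[str]] = {}          # Admin Group -> Account Owners trusted in it

    def add_group(self, name: str, parent: str | None = None, inherit: bool = True) -> Group:
        self.groups[name] = Group(name, parent, inherit)
        return self.groups[name]

    def chain(self, name: str):
        """The group itself, then each ancestor, stopping where a group disabled inheritance."""
        g = self.groups[name]
        yield g.name
        while g.inherit and g.parent is not None:
            g = self.groups[g.parent]
            yield g.name

    def effective_admin_groups(self, name: str) -> set[str]:
        return set().union(*(self.groups[n].trusted_profiles for n in self.chain(name)))

    def effective_apps(self, name: str) -> set[str]:
        return set().union(*(self.groups[n].trusted_apps for n in self.chain(name)))

    def admins_of(self, name: str) -> set[str]:
        """Every account with admin access: members of any Admin Group the group trusts or inherits."""
        return set().union(*(self.admin_groups.get(ag, set()) for ag in self.effective_admin_groups(name)))

    def groups_managed_by(self, account: str) -> set[str]:
        return {n for n in self.groups if account in self.admins_of(n)}

    # Revocation: nothing is cached, so both take effect on the next evaluation.
    def distrust_admin(self, admin_group: str, account: str) -> None:
        self.admin_groups[admin_group].discard(account)

    def distrust_admin_group(self, group: str, admin_group: str) -> None:
        self.groups[group].trusted_profiles.discard(admin_group)


def build_demo_org() -> Org:
    """Constructed tree: Org -> Internal -> {Test Lab, IT DEPT}. Domain Controllers sits under Org
    with inheritance disabled, so it only honours trust placed on it directly."""
    org = Org()
    org.add_group("Org")
    org.add_group("Internal", parent="Org")
    org.add_group("Test Lab", parent="Internal")
    org.add_group("IT DEPT", parent="Internal")
    org.add_group("Domain Controllers", parent="Org", inherit=False)
    org.admin_groups["IT Admins"] = {"john", "alice"}
    org.groups["Org"].trusted_profiles.add("IT Admins")          # trusted at the top: reaches the whole tree
    org.groups["Org"].trusted_apps.add("hp:org-wide-tool")       # likewise for an app trusted at the top
    org.groups["Test Lab"].trusted_apps.add("hp:lab-only-tool")  # stays inside Test Lab
    return org


if __name__ == "__main__":
    org = build_demo_org()
    for g in org.groups:
        print(f"{g:20} admins={sorted(org.admins_of(g))} apps={sorted(org.effective_apps(g))}")
    org.distrust_admin("IT Admins", "john")
    print("john now manages:", org.groups_managed_by("john"))
```

Running it shows why the guide warns about top-level trust: the app and the Admin Group trusted on "Org" reach Internal, Test Lab and IT DEPT, while the Domain Controllers group, which disabled inheritance, gets neither.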
How to Create one
Use the "Add Subgroup" option either in the Graph View or the Subgroups Panel.
- Enter the Admin Group's name
- Change the Alert Email Address if necessary
- Click on the "Admin Group" button
Adding an Admin
Enabling Admins
Before you can Trust an Account Owner as an Admin within an Admin Group, you must use "Manage Advisor Access" to identify that Account Owner as "known" for that Admin Group.
This is a security mechanism to prevent inadvertently trusting unknown users.
Adding an Admin
- Click on "Manage Advisor Access" in the "Profile Menu"
- Click on the "I Know Them" button to enable trusting that Account Owner's Profile
- Close the "Manage Advisor Access" panel
- Click on "Profiles I Can Trust" in the "Profile Menu"
- Click on the "Trust" button for the Account Owner's Profile
- Click on the "Trusted Admins" shortcut icon to verify their Admin Access
Applying the Admin Group
Security Groups Tree
Now, simply Trusting that Admin Group in any Security Group will give ALL of the Admins in that Admin Group instant access to all of the Security Groups that inherit the trust for that Admin Group.
Trust in a Security Group
Select where the Admin Group should be Trusted
- Select a Security Group either in the Graph View or the Subgroups Panel
- Click on "Admins I Can Trust" in the "Profile Menu"
- Click on "Trust" for the Admin Group you want to have admin access
This will instantly provide Admin Access to ALL Admins in that Admin Group.
Security Precautions
- Only add Account Owners to an Admin Group after they have activated their account and enabled 2-Factor Authentication
- Control Admin Access to Admin Groups to prevent giving admin access to unauthorized Users
Creating App Policies
A brief and simple guide to create app policies for your apps and certificates.
Methods to Add Trust
If you have hundreds of computers in a subgroup and want to filter on certain conditions, you have options: the "More" button expands the filter menu.
Note: You can use the Pivot Table to visualize and apply other kinds of filtering if you need to, but you cannot start a Learn Mode session from the Pivot Table.
Note about the use of Learn Mode sessions created
Before we proceed, a few points. Learn Mode should be used for situations such as updating your system, when you want to learn new apps and CERTs for a limited time frame.
Learn Mode is not recommended when you have just created a subgroup and attached computers for the first time, while your Trust-List is still empty.
When you on-board new computers, trust apps and certificates manually to make sure you end up with an accurate, efficient and manageable Trust-List.
Starting a Learn Mode session
To start a Learn Mode session, first find the computer you want to run it on. Click the "Show Hosts" icon to list all of the computers in that specific subgroup.
This is the Host List Filtering Options menu; the "Filters" button provides additional filters.
There are two ways to start a Learn Mode session.
The first way is to click the "Learn Mode" button that appears when you hover over one of your systems; the second way is described below.
Click the "Learn Mode" button to see the Learn Mode options and choose the one you prefer.
Learn Mode Options
We are now presented with four different options:
Learn Only CERTs and Unsigned Apps: CERTs and unsigned apps are learned. At the end of the session, the CERTs and unsigned apps used during the session are added to your Trust-List as one item that identifies the Learn Mode session and lists all the apps and CERTs learned.
Only CERTs: only the CERTs of the apps used during the session are learned; they are added to your Trust-List as a single item identifying the Learn Mode session. Apps that are not signed with a code-signing certificate are not learned in this setting.
Only Handprints: only the handprints of the apps used during the session are learned, and the session is added to your Trust-List as a single item identifying the Learn Mode session.
Learn All CERTs and Handprints: all CERTs and handprints are learned and added to your Trust-List as a single item identifying the Learn Mode session.
The second way to start a Learn Mode session is to select a computer in your Host List and scroll down to see more options.
You should see a red button saying "Start Learn Mode". Click "Start Learn Mode" to see more options and choose the one that fits your needs.
Click "Start Learn Mode"
If you need to know what each does, please go back in this guide, because I expand more on them.
In this case, I decided to start a Learn Mode session because I downloaded a new program and do not want it to get blocked. I choose the "Only CERTs" option to learn the CERTs used during the session.
This is how the red button of "Start Learn Mode" changes to yellow letting you know that a Learn Mode session has started.
This is how your computer lets you know that a Learn Mode session is in progress; it shows the time at which the session will stop. Make sure you "Stop" the session before the time is up, or "Extend" the session if you need more time.
Now, I will stop my Learn Mode session, so I click on "Stop/Extend" to choose more options.
Click "Stop Learn Mode" to stop the Learn Mode session.
One thing to remember after a Learn Mode session: sometimes the session is added to your Trust-List marked as a distrusted item rather than as trusted apps. If this happens, click the "Trust" button on that item to activate trust for the learned apps.
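As an added example that is not part of the original guide or the product's code, the following models the four Learn Mode options above as a session aggregator. Each observed execution carries the app's handprint and, if the app was signed, its CERT thumbprint; the session produces a single Trust-List item whose contents depend on the option chosen. The item starts out not trusted, so an admin has to activate it, mirroring the caveat just described; that flag, the field names, the event records and the host name are all constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# The four option names as the guide lists them.
LEARN_CERTS_AND_UNSIGNED = "Learn Only CERTs and Unsigned Apps"
LEARN_ONLY_CERTS = "Only CERTs"
LEARN_ONLY_HANDPRINTS = "Only Handprints"
LEARN_ALL = "Learn All CERTs and Handprints"


@dataclass(frozen=True)
class ExecEvent:
    """One app execution seen on the host during the session (constructed)."""
    filename: str
    handprint: str                       # identity of the exact file contents
    cert_thumbprint: str | None = None   # None when the file carries no code-signing certificate


@dataclass
class LearnSession:
    option: str
    host: str
    certs: set[str] = field(default_factory=set)
    handprints: set[str] = field(default_factory=set)
    trusted: bool = False                # the finished item must still be activated with "Trust"

    def observe(self, ev: ExecEvent) -> None:
        """Apply the selected option to one event. Repeated runs collapse because the fields are sets."""
        signed = ev.cert_thumbprint is not None
        if self.option == LEARN_ONLY_CERTS:
            if signed:
                self.certs.add(ev.cert_thumbprint)       # unsigned apps are NOT learned here
        elif self.option == LEARN_ONLY_HANDPRINTS:
            self.handprints.add(ev.handprint)
        elif self.option == LEARN_CERTS_AND_UNSIGNED:
            if signed:
                self.certs.add(ev.cert_thumbprint)
            else:
                self.handprints.add(ev.handprint)        # unsigned apps fall back to their handprint
        elif self.option == LEARN_ALL:
            if signed:
                self.certs.add(ev.cert_thumbprint)
            self.handprints.add(ev.handprint)
        else:
            raise ValueError(f"unknown Learn Mode option: {self.option!r}")

    def stop(self) -> dict:
        """The single Trust-List item the session produces."""
        return {"type": "Learn Mode session", "host": self.host, "option": self.option,
                "certs": sorted(self.certs), "handprints": sorted(self.handprints),
                "trusted": self.trusted}


def run_session(option: str, host: str, events: list[ExecEvent]) -> dict:
    session = LearnSession(option, host)
    for ev in events:
        session.observe(ev)
    return session.stop()


# Constructed events: two signed apps (one run twice) and one unsigned uninstall script.
SAMPLE_EVENTS = [
    ExecEvent("HXOUTLOOK.EXE", "hp:outlook-a1", "ct:microsoft-codesign"),
    ExecEvent("setup.exe", "hp:setup-7f", "ct:vendor-x"),
    ExecEvent("uninstall.bat", "hp:uninst-03"),
    ExecEvent("HXOUTLOOK.EXE", "hp:outlook-a1", "ct:microsoft-codesign"),
]

if __name__ == "__main__":
    for opt in (LEARN_CERTS_AND_UNSIGNED, LEARN_ONLY_CERTS, LEARN_ONLY_HANDPRINTS, LEARN_ALL):
        print(run_session(opt, "DESKTOP-D1F5EE5", SAMPLE_EVENTS))
```

The output makes the trade-off between the options visible: "Only CERTs" learns two signers and nothing about uninstall.bat, so that script stays subject to default deny after the session, while "Only Handprints" learns three exact files and nothing that would cover a future signed update.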
Trusting an App
This is a very simple process. In this example, I have a number of blocked alerts in one of my groups called "Test Lab". Click on the Blocked Apps button (The red lock at the subgroup options menu).
Note: The alert number is the count of events, as seen in "Groups I Manage" or "Groups with Alerts".
I see that HXOUTLOOK.EXE was blocked and this is one of the apps I need right now, so, I click the event for more information.
I see that this Outlook app has a code-signing certificate, but I do not want to trust the certificate for now; in this case I want to trust the App (this trusts the handprint only, so a later build of the same program, with different file contents, would be blocked again until it is trusted).
Click "App"
Click on "Trust This App" to add this program to your Trust-List. The app will run immediately unless it requires other components to work; in that case you can use Trusted Children to trust the components of a "Parent" app.
By "components" I mean all the "moving parts" of an executable program (.exe files), everything it needs to work properly and accomplish its purpose. Think of Trusted Children as all of those moving parts that work together so the program does not fail.
Trusting a CERT
Let's now trust a CERT, in this example I want to trust an app's certificate, so this way, all the apps signed with this CERT will be allowed to run. Click on the event to see more information.
Click the certificate name to trust this certificate.
Click "Trust This CERT" after you have filled in the information about this certificate.
Accessing your Trust-List
Click "Show Trust-Lists" to access your Trust-List and verify that the trust was added successfully.
Click on "Apps"
Here we have the two apps we added today. Click on the Trust-List item to see more information about when this policy was added and by whom.
Click "Distrust" if you decide you want to disable the trust for this app.
If you want to remove this app from the Trust-List, first distrust it by clicking "Distrust" as in the previous step, then click "Disable App" to remove it fully from your Trust-List.
Click "Disable It"
If you want to remove a certificate, it is the same process as removing an app. Click this Trust-List item to see more information.
Click "Distrust"
Click "Disable App"
Click "Disable It"
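To make the difference between "Trust This App", "Trust This CERT", "Distrust" and "Disable App" concrete, here is an added example that is not part of the guide or of the product. It evaluates one executable against a subgroup's Trust-List under the default-deny rule, with Block Policies taking precedence even in Monitor Mode (as in the ransomware scenario earlier in this guide). The handprint is modelled as several digests of the file contents plus the length; the exact factors the product uses, the treatment of a distrusted entry as an explicit block that "Disable" removes, and all file contents, names and thumbprints are this example's assumptions.

```python
from __future__ import annotations
import hashlib
import zlib
from dataclasses import dataclass, field


def handprint(data: bytes) -> str:
    """Identity of the exact bytes: several digests plus the length (assumed factor set).
    Changing a single byte changes the handprint, so a rebuilt binary is a new, untrusted app."""
    return "|".join([
        hashlib.sha256(data).hexdigest(),
        hashlib.sha1(data).hexdigest(),
        hashlib.md5(data).hexdigest(),
        f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        str(len(data)),
    ])


@dataclass
class TrustList:
    """One subgroup's Trust-List (constructed model)."""
    apps: set[str] = field(default_factory=set)            # trusted handprints ("Trust This App")
    certs: set[str] = field(default_factory=set)           # trusted CERT thumbprints ("Trust This CERT")
    blocked: dict[str, str] = field(default_factory=dict)  # handprint -> Malware / Denied / Distrusted

    def trust_app(self, data: bytes) -> None:
        self.apps.add(handprint(data))

    def trust_cert(self, thumbprint: str) -> None:
        self.certs.add(thumbprint)

    def add_block_policy(self, data: bytes, kind: str) -> None:
        self.blocked[handprint(data)] = kind

    def distrust_app(self, data: bytes) -> None:
        """'Distrust': the entry stays on the list as an explicit Distrusted block (assumed)."""
        hp = handprint(data)
        self.apps.discard(hp)
        self.blocked[hp] = "Distrusted"

    def disable_app(self, data: bytes) -> None:
        """'Disable App': the entry is removed entirely, so other policies apply again (assumed)."""
        self.blocked.pop(handprint(data), None)


def decide(tl: TrustList, data: bytes, cert_thumbprint: str | None, monitor_mode: bool) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'block' or 'monitor'."""
    hp = handprint(data)
    if hp in tl.blocked:                                  # Block Policies win, even in Monitor Mode
        return "block", f"block policy: {tl.blocked[hp]}"
    if hp in tl.apps:
        return "allow", "trusted handprint"
    if cert_thumbprint is not None and cert_thumbprint in tl.certs:
        return "allow", f"trusted CERT {cert_thumbprint}"
    if monitor_mode:                                      # unknown app: logged but allowed to run
        return "monitor", "unknown app, logged and allowed in Monitor Mode"
    return "block", "default deny: no matching policy"


# Constructed "files" and signer identity.
OUTLOOK_BUILD_1 = b"MZ\x90\x00 HXOUTLOOK build 1"
OUTLOOK_BUILD_2 = b"MZ\x90\x00 HXOUTLOOK build 2"   # patched build, same signer
RANSOMWARE = b"MZ\x90\x00 encrypt everything"
MS_CERT = "ct:microsoft-codesign"

if __name__ == "__main__":
    tl = TrustList()
    tl.trust_app(OUTLOOK_BUILD_1)
    print(decide(tl, OUTLOOK_BUILD_1, MS_CERT, False))   # allow: trusted handprint
    print(decide(tl, OUTLOOK_BUILD_2, MS_CERT, False))   # block: new bytes, CERT not trusted yet
    tl.trust_cert(MS_CERT)
    print(decide(tl, OUTLOOK_BUILD_2, MS_CERT, False))   # allow: trusted CERT
    tl.add_block_policy(RANSOMWARE, "Malware")
    print(decide(tl, RANSOMWARE, None, True))            # block: Malware policy beats Monitor Mode
```

The ordering in decide is the security-relevant part: a block entry is checked before any trust, so distrusting an app blocks it even though its signer's CERT is still trusted, and only removing the entry with "Disable App" lets the CERT trust apply to it again.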
You can also select a period in time to see the apps that were trusted on a specific date range.
Using the calendar filters, I wanted to see all the apps that were trusted from February 07 2024 to June 25 2024.
If you want to see what apps have been added to your Trust-List recently, click "My Recent" to see a full list of the apps added recently, and if needed, you can distrust them and disable them from there too if you need to act fast.
Common Panel Filters
A brief guide to learn how to manipulate App Filtering in your Monitor Mode or Blocked Apps lists.
App List Filtering Options
Imagine that you are having a busy day and you were about to trust a program you needed, and suddenly you had a lot of apps coming to your app list and you lost the app you were about to examine and trust. The menu includes filtering options that help you find any specific program very quickly.
Click "More" to expand the filter options menu.
App List Filtering Sections
This is the app filter menu which is divided in five different sections: Events, VirusTotal, CERTs, Include and Show.
Additional Filters
Click "Filters" to expand the Filters menu in addition to the filters you already have above.
You can now search by Filename, Pathname, User, Host Name, CERT Name, CERT Thumbprint, Event ID and Sig ID.
Filtering by CERT Name
I want to look for the program I need, and I know that this program is signed by "Microsoft Corporation", so, I click on "CERT Name" and fill in the details.
Click the "CERT" button after you have written the name of the CERT you are looking for.
After you click the "CERT" button, you will see all the programs signed by the CERT you searched for. If you then want to look for another CERT, clear the textbox manually or click the "x" to clear it.
Click the "Search for Filename" field in order to search through a Filename instead of CERT Name.
Filtering by Filename
I want to look for a file or files that contain the name "Whatsapp", after you fill in the details, click the "File" button.
The filter now displays all files that contain the word "Whatsapp" in their filename.
Filtering by Archived apps
In the previous image, we made a search for all the files that contained the word "Whatsapp" in their filename. Now, let's add more complexity, by conducting a search for all the files that contain the word "Whatsapp" in their filename AND they are "Archived". Click the radio button called "Archived". (If you use "Dropdown lists" select the option that says to show archived items).
We have now filtered the list to show all the files that contain the word "Whatsapp" and that were archived in the past.
Filtering by All apps (Live and Archived)
We can also have "All" of the events, the "Live" events that are happening right now and the "Archived" events that were live events but they were archived at some point.
Note: When you add an app to your Trust-List, its event is archived automatically. You may sometimes forget that you already trusted a certain app and add it a second time. While not ideal, there is no harm done; sometimes these apps have a different handprint or CERT.
As you can see, we now have filtered to show the live events and the archived events (blue folder icon) together in one place.
Filtering by Signed apps
Now I want to see how many apps in my blocked apps list are signed with a code-signing certificate, specifically signed apps that have the name Whatsapp in their filename. Click the radio button "Signed" in the CERTs section.
Click one of the events to confirm that the apps now displayed are signed with a code-signing certificate.
Filtering by Unsigned apps
Most of my blocked events are signed with a code-signing certificate, but I need to look at the bigger picture. Let's look at how many "Unsigned" events were blocked. ("Unsigned" events are those events of apps or programs that are not signed by a code-signing certificate.) Click on "Unsigned" to see your unsigned events.
We have only one result and this is an uninstall script. Click in the event to see more information.
The moment you click on the event, you are presented with the app's information and available actions, but we don't see any code-signing certificate information, because this is an unsigned event.
Filtering by VirusTotal Trusted
Some vendors, Microsoft for example, submit their own files to VirusTotal to attest that the files come from them; files VirusTotal recognizes this way usually show a green checkmark in our app list. Click "Trusted" in the "VirusTotal" section to see whether you have any of these known apps. Keep in mind that this checkmark says where the file came from, not whether it belongs on your systems.
Closing Additional Filtering Menu
Click "Off" to close the App Filtering additional options.
Filtering by Unchecked apps
By clicking "Unchecked" at the "VirusTotal" you will filter based on all the app events or program events that have not been checked by VirusTotal. (See the "question mark" in each app event)
You can click the "VirusTotal" button in the app menu to start a scan of all of your unchecked app list.
Or you can check app by app individually if you hover your mouse around the question mark in the app event and click the VirusTotal button.
Filtering by Issues Found
Let's say you have made a scan of your app list, and you wish to filter based on "Issues Found," meaning if an app has any issues on VirusTotal, you will see only apps that were flagged by security vendors in your app list.
Filtering by Monitor Children
By clicking "Monitor Children" you will be able to filter for any Monitored Children, if you have had any.
Hide App Filtering Options Menu
Click "Hide" to hide the App Filtering Options Menu
Expand App Filtering Options Menu
Click "More" if you want to expand the App Filtering Options Menu.
Security Groups ↵
Security Groups Tree Graph View
This panel provides a Graph View of the Security Groups within their Inheritance Tree.
Security Groups are organized into a tree using parent / child relationships, where each Security Group is owned by a single parent Security Group.
A Security Group can be:
- A Login Account
- A Main Account for an Organization or one of its subdivisions
- A Trust Profile
- A Host Subgroup
- An Admin Group
Login Accounts are not allowed to have subgroups, hosts or trust policies.
Main Accounts can have subgroups
Organizations (Orgs)
Organizations can represent both
- An organization or one of its subdivisions
- A portion of an inheritance tree
Go to a specific Security Group in Graph View
1. Click "Graph View of My Org"
2. Click on specific Subgroup in the Security Group Tree
Groups I Manage
Filter by Security Group or Org Name
Click "Filters" to filter by Security Group or Organization Name
Click the "Search for Profile Name" field and enter a Security Group Name
Click the "Search for Org Name" field and enter an Organization Name
Click "Off" to disable the filters
Ended: Security Groups
Host Management ↵
Finding Hosts ↵
Host Filters
Click in the "Hosts" button.
You can look for hosts based on any of these options. This is useful when you have more than 20 computers and need specific information about them.
Host Name Filter
Click the Hosts button.
Click the system you are interested in.
Click the name if you want to apply a nick name for this system.
This is the name of the computer.
Click "DESKTOP-D1F5EE5"
Click "Filters"
Click the "Search for Host Name" field.
Write the computer name and click the "Host" button.
Click "Host"
Host ID Filter
Click the "Hosts" button.
This is the Host ID your systems have.
Click "Filters"
Click the "Search for Host ID" field
Click "Host ID" to search based on Host ID.
Ended: Finding Hosts
View Host Status for specific Host
1. Click "Graph View of My Org"
2. Click "Host Status" button at the top of the Graph View
3. Click on the Subgroup the Host is in.
4. Click on the "Hosts Panel" shortcut.
5. Click on the specific host to show its details
6. The First Attached date, Last Check-in date and OS info are visible
Host Details
Click the "Hosts" button.
Here is the list where you will see your systems in this specific subgroup.
Click on the computer you are interested in.
You can now see all the information regarding to your system.
Updating White Cloud Security on your Computer
There are two ways to update the White Cloud Security software on your computer.
- Use the "Check for Updates" option from the Tray Settings Options if the White Cloud Security icon is visible,
- or Search for the "Update White Cloud Security" App and run it as an Administrator
- If an Update is available, Click the "Next" Button to Download the New Software
- Then click the "Install" Button to Start the Installation
Moving a Host (Endpoint) to another Subgroup
The AuthCode for each subgroup is unique. The endpoint is assigned the AuthCode of the subgroup it belongs to during installation.
There are three ways to change the AuthCode for a Subgroup:
- Use the Dashboard Host Move interface
- Copy the AuthCode from the new Subgroup's Profile Settings and paste it into the AuthCode field of the Windows WCS App Tray Dialog
- Uninstall the Endpoint Agent and re-install using the Download from the new Subgroup. This is the least favored approach because the Endpoint is unprotected between the uninstall and the re-installation.
When you want to move a Host to a different subgroup, you can either:
Change the AuthCode using the Dashboard Move Host Interface
This is how the Dashboard is used to initiate a move from one subgroup to another:
- The Dashboard Move marks the Host for a move to a new Subgroup ID (SGID)
- When the Host checks in the next time (App Lookup or Validation):
  - the service
    - creates a new Host record for the Endpoint in the Target Subgroup
    - returns the AuthCode for the new Subgroup to the Host
    - and marks the old Host record as Disabled and as being moved to the Target Subgroup
  - the Host
    - modifies its AuthCode setting
    - then uses that new AuthCode for all subsequent communications with the WCS service
- If a move has not completed yet, it can be canceled for the Host in its original Subgroup
  - The cancel operation just clears the Target Subgroup ID in the Host record
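The move sequence above, written out as a small service-side state machine with the endpoint on the other side. This is an added example, not White Cloud Security code: it follows the listed steps (the Dashboard flags the record, the next check-in creates the new record in the Target Subgroup, returns its AuthCode and disables the old record, and a cancel only clears the Target Subgroup ID), while the record layout, AuthCode values, subgroup IDs and host name are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class HostRecord:
    """Service-side record of one Endpoint in one Subgroup (constructed layout)."""
    host_id: str
    sgid: str
    auth_code: str
    enabled: bool = True
    target_sgid: str | None = None   # set by the Dashboard Move while the move is pending
    moved_to: str | None = None      # set on the old record once the move completes


class Service:
    def __init__(self, auth_codes: dict[str, str]) -> None:
        self.auth_codes = auth_codes                          # SGID -> its unique AuthCode
        self.records: dict[tuple[str, str], HostRecord] = {}  # (host_id, SGID) -> record

    def attach(self, host_id: str, sgid: str) -> HostRecord:
        rec = HostRecord(host_id, sgid, self.auth_codes[sgid])
        self.records[(host_id, sgid)] = rec
        return rec

    def mark_move(self, host_id: str, sgid: str, target_sgid: str) -> None:
        """Dashboard Move: only flags the record; nothing changes on the host yet."""
        if target_sgid not in self.auth_codes:
            raise KeyError(f"unknown target subgroup {target_sgid}")
        self.records[(host_id, sgid)].target_sgid = target_sgid

    def cancel_move(self, host_id: str, sgid: str) -> None:
        """Cancel before completion just clears the Target Subgroup ID."""
        self.records[(host_id, sgid)].target_sgid = None

    def checkin(self, host_id: str, auth_code: str) -> str:
        """Handle an App Lookup / Validation. Returns the AuthCode the host must use from now on."""
        sgid = next((s for s, code in self.auth_codes.items() if code == auth_code), None)
        if sgid is None or (host_id, sgid) not in self.records:
            raise PermissionError("unknown AuthCode or host")
        rec = self.records[(host_id, sgid)]
        if not rec.enabled:
            raise PermissionError("host record disabled")   # old record after a completed move
        if rec.target_sgid is None:
            return auth_code                                # nothing pending, keep using this code
        new = self.attach(host_id, rec.target_sgid)         # new record in the Target Subgroup
        rec.enabled, rec.moved_to, rec.target_sgid = False, rec.target_sgid, None
        return new.auth_code                                # host adopts this for all later traffic


class Host:
    """The Endpoint side: it simply adopts whatever AuthCode the service returns."""
    def __init__(self, host_id: str, auth_code: str) -> None:
        self.host_id, self.auth_code = host_id, auth_code

    def checkin(self, svc: Service) -> str:
        self.auth_code = svc.checkin(self.host_id, self.auth_code)
        return self.auth_code


def demo_move() -> tuple[Service, Host]:
    svc = Service({"sg-lab": "AC-LAB-0001", "sg-it": "AC-IT-0002"})   # constructed AuthCodes
    svc.attach("DESKTOP-D1F5EE5", "sg-lab")
    host = Host("DESKTOP-D1F5EE5", "AC-LAB-0001")
    svc.mark_move("DESKTOP-D1F5EE5", "sg-lab", "sg-it")
    host.checkin(svc)          # this check-in completes the move
    return svc, host


if __name__ == "__main__":
    svc, host = demo_move()
    print("host now uses", host.auth_code)
    print("old record:", svc.records[("DESKTOP-D1F5EE5", "sg-lab")])
```

Note that the old record is disabled rather than deleted, so a check-in that still presents the old AuthCode is refused instead of silently landing in the original subgroup.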
Change the AuthCode using the Windows WCS App Tray Dialog
This requires manually changing the AuthCode in the Windows WCS App Tray Dialog:
- On the Dashboard:
  - Go to the Target Subgroup in Edit Mode
  - Click on the "Profile Settings" icon
  - Copy the AuthCode field
- On the Host (Endpoint) in Windows:
  - Double-click the Windows WCS App Tray Icon to open its dialog
  - Paste the Target Subgroup's AuthCode into the "Server Authorization Code" field in the Windows WCS App Tray Dialog
  - Click on the "Validate" button to validate that the Host can connect to the Target Subgroup
  - Verify that the Target Subgroup's name appears in the validation message box
Disable and Restore WCS Protection for a Specific Host
1. Open the WCS Dashboard: https://secure.whitecloudsecurity.com/
2. To find the Subgroup, Click "Graph View of My Org"
3. Click on the Subgroup for that specific Host
4. Click on the "Show Hosts" shortcut
5. Click on the specific Host to show its Host shortcuts
6. Click on the "Disable Host" shortcut
7. Click "Disable for Now", this will disable WCS for up to 24 hours
8. Click on the "Enable Host" shortcut to restore WCS protection.
Ended: Host Management
Dashboard Hot Keys
There are also several new Hot-Keys added to the Dashboard.
- Ctrl + Enter = Open the Tree View of Subgroups for current Edit profile
- Ctrl + Shift + Enter = Open the "Tree View for All Subgroups" you have Access to
- Ctrl + Shift + UpArrow = Edit Parent Subgroup (you don't have to click on "Edit Parent" or even open the Subgroups Panel)
- Ctrl + Shift + Comma = Open/Close the Dashboard Config Panel
Online Help
Access White Cloud Security User Guide, Technical Documentation, and contact information for our Support Team
1. Click "Online Help"
2. To view this User Guide, Click "User Guide"
3. Use the navigation menu on the left, e.g. Click "How It Works"
4. or Click "WCS Technical Documentation" to view WCS Technical Notes
5. Click "WCS Technical Notes"
Dashboard Profile Settings
General Configuration Settings for the Dashboard
Dashboard Behavior
Shortcut Mode
Shortcut mode collapses submenu button panels into simple shortcut bars with icons to reduce the use of screen space.
Panel Filter Behavior
The "Filters Use" option allows the user to choose between "Radio Buttons" and "Drop Down" menus in panels that provide display filters.
Banner Display Time
The Banner Display Time is in milliseconds and sets how long a non-critical banner is displayed before it automatically disappears.
Timezone Selection
The Timezone Selection Dropdown allows the user to select the timezone that is used to display dates and times on the dashboard.
Default Event Date Range
The Default Event Date Range allows the account owner to specify the default Date Range that is used for any panel that has a Date Range filter. Its options are:
- Same Day (just the current day)
- 2 Days
- 3 Days
- 4 Days
- 5 Days
- 6 Days
- 1 Week
- 1 Month
- Remember Last Used
- From Today
Default Host View Date Range
The Default Host View Date Range allows the account owner to specify the default Date Range that is used for any Host View panel that has a Date Range filter. Its options are:
- Same Day (just the current day)
- 2 Days
- 3 Days
- 4 Days
- 5 Days
- 6 Days
- 1 Week
- 1 Month
- 2 Months
- 3 Months
- 6 Months
- 1 Year
- 2 Years
- 10 Years
- Remember Last Used
- From Today
- Forever
Default App View Date Range
The Default App View Date Range allows the account owner to specify the default Date Range that is used for any App View panel that has a Date Range filter. Its options are:
- Same Day (just the current day)
- 2 Days
- 3 Days
- 4 Days
- 5 Days
- 6 Days
- 1 Week
- 1 Month
- 2 Months
- 3 Months
- 6 Months
- 1 Year
- 2 Years
- 10 Years
- Remember Last Used
- From Today
- Forever
The "Remember Last Used" option remembers and applies the last begin and end dates to a newly opened panel.
The "From Today" option applies the Last Used date range with today's date as the ending date for that date range.
The "Forever" option applies from the unix "epoch" through tomorrow's date.
Dashboard Version
View Trust Lockdown Dashboard Version
Hover over the White Cloud Security icon to see the Dashboard Version ID
Contact support via Online Help
1. Click "Online Help"
2. Click "Email Our Support Team"
Ended: User Guide
Administrator Guide ↵
Administration Overview
This Administrator Guide explains:
Account Management ↵
Role-Based Access Control (RBAC) for Accounts
Who can make admin changes to a subgroup's settings, host settings or trust profiles?
No account (NOT EVEN System Admins) can edit or modify any Security Group settings, host settings or policy profile without being trusted as an Admin by the Inheritance Tree owner or admins.
Master Admins can access other login accounts but leave an audit trail of when they enter or exit that login account. Only administrators who can be trusted with Database access should be trusted as a Master Admin. They have "sudo" privileges in the Dashboard.
What is a Malware Advisor?
A "Malware Advisor" is NOT an "access role" but a system-wide application of an Advisor's malware Block Policies for any matching App Handprints or Code-Signing Certificates (CERTs). A Malware Advisor can have any "access role" level, or even be just a Trust-Profile instead of an actual administrator's account. The purpose of Malware Advisors is to simplify which Profiles contribute to the process for blocking Known Malware and Unwanted Apps.
Role-Based Access Control Levels
Each of the following "role access" levels can perform the functions of a lower "role access" level.
- Master Admins
- Master Admins have the ability to "sudo" into an account, but this will leave an audit trail in the security log.
Who are the Master Admins for my White Cloud Security Data Center Appliance?
- With a Data Center Appliance the Master Admin is assigned during the setup process.
Role-Based Access Control Privileges
Role | Access |
---|---|
Master Admin | Can "View As" any account; "View As" creates an audit trail in the security log; the first Master Admin is assigned during the setup process; only a Master Admin can make another admin a Master Admin |
System Admin | View all system logs |
Account Admin | Purge a Login Account after it has been disabled by the account owner |
System Agent | View all accounts across the platform |
Account Agent | Create Login Accounts, Organizations and resend activation emails |
Advisor | Standard Enterprise functionality as Trust-Listing Admin; can be added to Admin Groups to allow configuration and policy management; can be assigned as an Org Admin to add or remove members of an organization; can be assigned as a Viewer with read-only access to status and reports |
Basic Account | Limited functionality for Dashboard Interface simplicity |
End User | End Users have no access or visibility into Trust Lockdown |
Isolating Accounts and Organizations
There are three important attributes we use to isolate login accounts and organizations in multi-tenant environments, whether our SaaS service, CloudRun, or Kubernetes.
- Organization membership
  - Org Owner
    - The Main Account for the Organization
  - Org Admin
    - can change details about the Organization
    - can add or remove members for the Organization
    - can assign members as Org Admins or Org Viewers
    - can view all Security Groups within the Org
      - but only Administer those they have Admin Access for
  - Org Viewer (intended for non-admin Organization members' report access)
    - limited viewing of information in the Org
- Certified Advisors
  - Other login accounts who you've identified as "Known" login accounts
  - An Account Owner must be Known to a Security Group or an Admin Group before they can be trusted by that Security Group or Admin Group.
For security reasons, we don't elevate privileges for an account or connect them to an admin group until:
- the Account Owner enables their 2-Factor Authentication, and
- we've associated them with an Admin group or other main account as a Certified Advisor
We also don't allow admins to browse the Security Groups of other organizations and accounts unless we've specifically connected the accounts together.
This is a security precaution to prevent a malicious WCS account holder from determining who uses WCS.
Create New Account
Click "Create New Account"
Click the "Account's First Name: *" field.
Add Account First and Last Name and Email Address, click on "Sign Up" button
The new account owner will receive two emails. One with a temporary password and the other with an activation link.
The account owner should open the "New Account Email" to use the Activation link
The account owner can either click on the "Activate Your Account" button or copy the activation link and paste it into a browser.
Click the "Your Email/Login ID" field.
Click the "Password *" field.
The account owner should fill in their Email address and temporary password, and Click the "Login" button.
The Dashboard will open their Account Profile Setting, giving the new account owner an opportunity to change their first and last name. They can create an account "nickname" by clicking the "Enter your nickname" field.
Click "Continue" to Activate the Account.
The Dashboard will open. The new Account Owner can click on their "Profile Setting" icon to change their account settings such as their Alert Notification Email address or to upload an avatar for their account.
Click on the "Change Photo" button to change the account avatar.
The Browser will open a file selection dialog. Navigate to the folder with the avatar. Select the avatar image and click "Upload Photo"
Click the "Apply Changes" button
If a new account owner clicks on "Groups I Manage" in the "Main Menu," they won't see any Security Groups yet. An Org Admin must add their account to the Organization after activation. After adding them to the Organization, an Administrator needs to add their account to an Admin Group to access specific Security Groups within the Organization.
Resetting Password on White Cloud Security Portal
1. Click on the "Account Profile Settings" icon.
2. Click "Reset Your Password"
3. Set and confirm your new Password
4. Enter your "2-Factor Authentication Code" if enabled
5. Click the "Set New Password" button.
Enable 2-Factor Authentication
1. Click on the "Account Profile Settings" icon.
2. Click the "Enable 2-Factor Authentication" checkbox.
3. Scan the QR Code and enter the "2-Factor Authentication Code"
4. Click "Check Code and Enable"
Disable Two-Factor Authentication
1. Click on the "Account Profile Settings" icon.
2. Click to uncheck the "Enable 2-Factor Authentication" checkbox.
3. Click "Disable It!" to confirm disabling 2-Factor Authentication
Promote to Account Agent
Promote an Account to "Account Agent" Privileges
Click "@JIT"'s Account Profile in Recently Viewed Subgroups
Click the "Make Account Agent" button to promote this Account
Click "Make an Account Agent" to confirm
@JIT's Account has been promoted to an Account Agent who can now create Accounts and Organizations in the Dashboard
Ended: Account Management
Org Management ↵
Add Organization in Trust Lockdown
Click "Add an Org"
Click the "Org Name" field and enter the Organization Name
Click the "Org Label" field and set the Label (Description) as wanted
Click the "Domain Name controlled by this Org" field and enter a Domain Name for this Organization or subdivision
Click the "Email Address to send Alerts to" field and set the Alerts Notification Email address
Click "Add This Org" to create the Organization
The Organization is created and displayed in the Graph View
Click the Close button for the Graph View.
Update Organization Info
Click on the Graph View shortcut icon.
Click "Show Members" to see the Member Accounts assigned to the Organizations
Click on the Organization that needs to be Edited
Click the "Org Name" field to change the Organization Name
Click the "Org Label" field to change the Organization's Label (Description)
Click "Apply Changes" to save the changes
Click "OK" to confirm
Click on the Graph View Close icon to close Graph View of the Organizations
Click on the Graph View shortcut icon to see the updates
Add member to Org
Click Justin Time's Account Profile "@JIT" in Recently View Subgroups
Click the "Add To Org" button to add Justin to an Organization
Click the "Org Admin" checkbox to make him an Organization Admin
Click the "Choose Org Scope" dropdown to see all the organizations to which you can make assignments.
Click the "As Member of Org" dropdown to select the Organization
Click "Make Member of Org"
Click "Assign Account" to confirm the assignment as a member of the Organization
Click "THEIR TREE VIEW" to open a Graph View of their Organizations
Click "Show Members" to see who the members of the organizations are
The Graph View shows that @JIT's Account is now a member of the "White Cloud Security Support" organization
Remove Member from Org
Remove a member from Organization.
Click "MY ORGANIZATIONS"
Click "WHITE CLOUD SECURITY, INC. Support Team Org Admin"
Click "Remove from this Org"
Click "Remove Member"
Ended: Org Management
Trust Lockdown ↵
Data Center Appliance ↵
DCA Prerequisites
Deploying a Data Center based WCS Service using VMware
Basic steps to set up the MySQL, NFS and Data Center Appliance servers
- Prerequisites for setting up the Data Center Appliance (DCA)
- MySQL Server running either MySQL Version 8 or 5.7
- Network File Server (NFS) Volume to store files for:
- Login Account, Main Account, and Security Group Avatars
- Organization and Subgroup files for
- reports (monthly, weekly, daily and report templates)
- files uploaded for analysis
- notes, instruction, etc
- File Analysis results (store as JSON files) collected from analysis sites
- VMware to create the Virtual Machines for one or more DCA Appliances
- An SSL Certificate to validate the URL for the HTTPS communications from the WCS endpoint agents
- Set up the Resources needed for the DCA: Mysql, NFS and Load Balancer with SSL CERT
- Set up your MySQL Server
- This can be any MySQL hosted on a VM, bare metal or a cloud MySQL service
- We recommend using MySQL 8 for performance reasons, though you can use MySQL 5.7
- You'll need to create a Database with a related DB User Account for the DCA to use for storage
- To configure the DCA's connectivity to MySQL you'll need:
- MySQL Database Service Hostname/IP Address
- MySQL Database Port Number for the MySQL Service
- Database Name
- Database User Name
- Database User Password
- Set up your NFS Server for avatar storage
  - Set the folder and its permissions for avatar storage to 48:48
    # mkdir -p /mnt/shared/wcsdcas/avatars
    # chown 48:48 /mnt/shared/wcsdcas/avatars
  - Share the NFS volume for the avatars
  - View the NFS volume mounts
    $ showmount -e localhost
    Export list for localhost:
    /mnt/data/dcas/wcs1/avatars 172.31.20.1/24
- Set up your VMs to install the WCS software Appliance
- Download the DCA OVA image from the main WCS Dashboard here.
- Create a Virtual Machine using the OVA (see detailed instructions here)
- Set up the Virtual Machine with a MySQL Instance and NFS Mount
- A MySQL database instance and NFS Volume should have already been created
- See the detailed instructions here for configuring the DCA
DCA Setup & Configuration Instructions
Setup - Start by visiting /setup-ip
Set up the DCA to use a Static IP Address
- /setup-ip
- Enter the Configuration Settings for the Static IP Address
- Click "Review Static IP Address Settings"
- Click "Change to these Static IP Address Settings"
Set the Service and Site Domain Name
- /setup
- Set a Service Instance Name
- Set the Domain name for the Service
- "Next" ⇒ /setup-db
Set the Mysql DB Access Credential
- /setup-db
- If /data has a Volume Attached, checkbox to use either
- Remote MySQL DB
- Local MySQL on /data
- "Next"
Add the Master Admin
- Click on the "Add Master Admin" button
- Enter the Master Admins information
- "Next"
Master Admin Dashboard Opens.
Set DCA Options
Admin > Set DCA Options
- Set Recaptcha API Key (optional)
- Set VirusTotal API Key (optional)
- Set email connection credentials
- Set syslog forwarding (if used)
- "Apply Changes"
Start DCA Setup Process
You need to ensure that the DCA Virtual Machine is using a static IP address.
Navigate to the /setup-ip page on your DHCP IP Address
If the DCA VM is using a DHCP IP address of 192.168.1.1, then navigate to:
//192.168.1.1/setup-ip
In our example our DHCP IP Address was 172.31.20.205 so we navigated to:
//172.31.20.205/setup-ip
to configure a static IP address for the Data Center Appliance.
We set the Example DCA to use Network Address/Mask of
172.31.20.40/24
Example Setup
Set up a Static IP Address
Click the "New IP Address/Netmask: *" field.
Click the "New Gateway IP Address: *" field.
Click the "New DNS Server IP Address or Domain Name *" field.
Click the "New DNS Server IP Address or Domain Name *" field.
Click the "Review Static IP Address Settings" button to continue ...
Click the "Change to these Static IP Address Settings" button to apply the Static IP Address Settings and re-configure the network interface.
Set the Service and Site Domain Name
Click the "Appliance Site Domain Name:" field.
Enter the Domain Name used for the Apache SSL Certificate
Click the "Appliance Service Name:" field.
Set an "Appliance Service Name" which represents a name for your Database Instance, then Click the "Next" button.
Click "Apply Settings" to confirm
Verify that the Domain Name is correct, then click "Setup DB Access" to connect to the MySQL Database
Set the Mysql DB Access Credentials
Click the "Hostname:" field and enter the domain name or IP address for the MySQL server or service
Click the "Port Number:" field and change the MySQL "Port Number" if necessary
Click the "Database Name:" field and enter the MySQL Database Name
Click the "DB User Name:" field and enter the MySQL DB User Name
Enter the Password for the MySQL DB User Name, and Click the "Next" button.
Click "Apply Settings" to confirm
Verify that "All specified MySQL settings are correctly set. Setup DB Access, WCS Data Center Appliance, ver: 1.0.4 DCA Service Name: 'CyberGuy' at 'dca.wcse..."
Click the "Add Master Admin" button to give a Master Admin Access to the DCA
Add the Master Admin
Click the "I Accept the Terms and Conditions" field.
Enter the login credentials for the Master Admin, and Click the "Next" button to create the Master Admin Account
The Master Admin should enter their credentials, and Click the "Login" button.
The first step is to Add an Organization for the Master Admin's Account. Click "Add an Org"
Enter the "Org Name"
Enter the "Org Label" or a Description
Enter the Domain Name controlled by this Organization.
Enter the "Email Address to send Alerts to"
Click "Add This Org"
Click "Show Users" to show that the Master Admin's Account is now a Member of the Organization
Click "Manage DCA Options"
Click "Admin"
Click "Manage DCA Options"
Set the NFS Server URI and Email Relay Service Configuration Settings, and Click the "Next" button.
Confirm that these Configuration Settings were properly saved
Click "Resend My AuthCode" to test the Email Relay Service configuration setting
Click "Resend" to confirm
Click "EXIT" to return to the Master Admin Account
Upgrading DCAs
Introduction
This guide will walk you through the process of upgrading your White Cloud Security (WCS) Data Center Appliance (DCA). The upgrade involves downloading the new version of the DCA image, validating its integrity, implementing it into your cloud environment, and decommissioning the old version once the new node is verified to be functioning correctly.
Step 1: Obtaining the New DCA Image
1.1 Accessing the Image
New version DCA images are made available via Google Drive. To receive the link to the Google Drive folder containing the latest DCA image, you must first initiate a request for the latest version and confirm that you are a valid license holder. Upon verification, White Cloud Security will provide you with the link.
1.2 Downloading the Image
- Navigate to the provided Google Drive link.
- Locate the latest DCA image file.
- Download the image to your local system.
1.3 Verifying the Image Integrity
Each DCA image is provided with handprint identifying factors. These factors are used to ensure that the image you downloaded is authentic and has not been tampered with. The verification process involves using five hashes (SHA-1, SHA-256, SHA-512, MD5, and CRC32) and the file length, which is the same technology used to validate approved app runs in the product itself.
1.3.1 Handprint Verification Process
- Obtain the handprint identifying factors from White Cloud Security. This information typically includes checksums or hashes.
- Generate the checksums/hashes of the downloaded image using tools for each algorithm:
- For SHA-1:
sha1sum <path-to-downloaded-image>
- For SHA-256:
sha256sum <path-to-downloaded-image>
- For SHA-512:
sha512sum <path-to-downloaded-image>
- For MD5:
md5sum <path-to-downloaded-image>
- For CRC32:
crc32 <path-to-downloaded-image>
- Compare the generated checksums/hashes and file length with those provided by White Cloud Security.
- If all values match, the image is verified. If not, do not proceed with the installation and contact White Cloud Security support.
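The six-factor check above, as an added example that is not part of the original guide or of White Cloud Security's tooling: it computes all five digests plus the file length in one streaming pass and reports which published factors disagree, treating a missing factor as a failure so that a partial match never counts as verification. The JSON layout for the published factors is an assumption; the vendor's actual delivery format may differ.

```python
import hashlib
import io
import sys
import zlib

# The six factors of a Trust Lockdown handprint: five digests plus the file length.
HANDPRINT_FACTORS = ("sha1", "sha256", "sha512", "md5", "crc32", "length")


def handprint_from_stream(stream, chunk_size=1024 * 1024):
    """Compute all six handprint factors in a single streaming pass.

    Large OVA images are read in chunks so the whole file never sits in memory.
    Digests are returned as lowercase hex strings, crc32 as 8 hex digits (the
    format the sha*sum/md5sum/crc32 tools print), length as an int.
    """
    digests = {
        "sha1": hashlib.sha1(),
        "sha256": hashlib.sha256(),
        "sha512": hashlib.sha512(),
        "md5": hashlib.md5(),
    }
    crc = 0
    length = 0
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for digest in digests.values():
            digest.update(chunk)
        crc = zlib.crc32(chunk, crc)
        length += len(chunk)
    result = {name: digest.hexdigest() for name, digest in digests.items()}
    result["crc32"] = "%08x" % (crc & 0xFFFFFFFF)
    result["length"] = length
    return result


def compute_handprint(path):
    """Handprint of a file on disk, e.g. the downloaded DCA image."""
    with open(path, "rb") as stream:
        return handprint_from_stream(stream)


def compute_handprint_bytes(data):
    """Handprint of an in-memory byte string (used for constructed test input)."""
    return handprint_from_stream(io.BytesIO(data))


def handprint_mismatches(actual, published):
    """Compare a computed handprint with the factors published by the vendor.

    Returns the list of factor names that do not match. An empty list means the
    image is verified. A factor missing from the published set is reported as a
    mismatch: all six factors must agree, a partial match is not a verification.
    """
    mismatches = []
    for name in HANDPRINT_FACTORS:
        expected = published.get(name)
        if expected is None:
            mismatches.append(name)
        elif name == "length":
            if int(expected) != actual[name]:
                mismatches.append(name)
        elif str(expected).strip().lower() != actual[name]:
            mismatches.append(name)
    return mismatches


if __name__ == "__main__":
    # Usage: python verify_handprint.py <path-to-downloaded-image> <published.json>
    # where published.json holds {"sha1": "...", ..., "crc32": "...", "length": 123}
    # (an assumed layout for the factors received from White Cloud Security).
    import json

    image_path, published_path = sys.argv[1], sys.argv[2]
    with open(published_path) as fh:
        published = json.load(fh)
    bad = handprint_mismatches(compute_handprint(image_path), published)
    if bad:
        print("DO NOT INSTALL: mismatched factors: %s" % ", ".join(bad))
        sys.exit(1)
    print("image verified: all six handprint factors match")
```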
Step 2: Implementing the New DCA Node
2.1 Preparing for Installation
Before proceeding, ensure that you have the necessary access and permissions to add a new node to your cloud environment and connect it to your existing MySQL database.
2.2 Standard Install Method
Follow the standard installation method provided by White Cloud Security to set up the new DCA node. The general steps are as follows:
2.2.1 Deploying the New DCA Image
- Upload the verified DCA image to your cloud environment.
- Launch a new virtual machine or container instance using the uploaded DCA image.
- Once the DCA appliance is running, refer to the Quick Start Guide for setup.
2.2.2 Connecting to MySQL Database
- During the setup, configure the new DCA node to connect to your existing MySQL database.
- Ensure that the new node has the necessary permissions and can successfully communicate with the database.
2.3 Adding to Load Balancer
If you are using a load balancing reverse proxy cluster, you need to add the new DCA node to the load balancer configuration.
2.3.1 Updating Load Balancer Configuration
- Access your load balancer management console.
- Add the new DCA node’s IP address or hostname to the load balancer’s configuration.
- Ensure that the load balancer can route traffic to the new node.
- Apply the changes and verify that the new node is receiving traffic.
Step 3: Validating the New Node
3.1 Testing and Verification
After the new DCA node is part of your current cluster, perform the following tests to ensure it is working properly:
- Check the DCA node’s status via the WCS dashboard.
- Verify that the new node can successfully collect and process security events.
- Ensure that the node is correctly integrated into the MySQL database.
- Test the node’s functionality within the load balancer cluster.
3.2 Monitoring and Validation Period
Allow the new DCA node to run for a validation period to ensure stability and reliability. Monitor the node’s performance and logs during this period.
Step 4: Decommissioning the Old DCA Node
4.1 Preparation for Decommissioning
Before decommissioning the old DCA nodes, ensure that the new nodes are fully functional and stable.
4.2 Removing Old Nodes from Load Balancer
- Access your load balancer management console.
- Remove the old DCA nodes from the load balancer’s configuration.
- Apply the changes to stop routing traffic to the old nodes.
4.3 Shutting Down Old Nodes
- Access your cloud environment management console.
- Locate the old DCA nodes.
- Shut down the old nodes and remove them from your cloud environment.
4.4 Clean-Up
Remove any associated resources of the old DCA nodes, such as disks and network interfaces, to free up resources in your cloud environment.
Deploying the VMware-based WCS Service using VMware
Basic steps to set up the MySQL, NFS and Appliance servers
- Set up your MySQL Server
- Set up your NFS Server for avatar storage
  - Set the folder and its permissions for avatar storage to 48:48
    # mkdir -p /mnt/shared/wcsdcas/avatars
    # chown 48:48 /mnt/shared/wcsdcas/avatars
  - Share the NFS volume for the avatars
  - View the NFS volume mounts
    $ showmount -e localhost
    Export list for localhost:
    /mnt/data/dcas/wcs1/avatars 172.31.20.1/24
- Set up your VMs to install the WCS software Appliance
Securing the MySQL / NFS Server
Purpose
The DCA cluster needs to have access to a MySQL and an NFS Shared Volume to support the storage of policies, events, avatars and data files.
A Firewall is Required
The MySQL / NFS Server should employ a firewall that prevents unauthorized access to services on the server while still allowing the DCA cluster to access the server.
Required Services
Services to open for the MySQL / NFS support server
The Required Services are:
- ssh (Port 22)
- http (Port 80)
- https (Port 443)
- mysql (Port 3306)
- nfs (Ports 111,2049,32803)
The Uncomplicated Firewall (UFW) provides a simple solution for easily securing the Linux firewall on either Fedora or Debian based Linux systems.
Using UFW
Using UFW to open the required ports for White Cloud Security
# Allow all outbound traffic from the server
sudo ufw default allow outgoing
# Management and web access
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
# MySQL only from the DCA cluster subnet, never from arbitrary sources
sudo ufw allow from 172.31.20.1/24 to any port 3306
# Block everything else inbound (the NFS ports listed above need their own
# rules, likewise restricted to the DCA subnet)
sudo ufw default deny incoming
# Show the resulting rule set (run "sudo ufw enable" first if the firewall is not yet active)
sudo ufw status
Ended: Data Center Appliance
Ended: Trust Lockdown
Endpoint Admin ↵
Endpoint Deployment ↵
Deploying White Cloud Security to Endpoints
There are multiple ways to deploy the WCS software to Windows Endpoints:
- Use the WCS RMM Deployment PowerShell scripts to:
- Install the Agent
- Update the Agent
- Uninstall the Agent
- Download and run the EXE based installer manually
- Download and run the MSI based installer manually
- Download and use Windows GPO to install the MSI Installer
The RMM Scripts can be deployed using any RMM tool that can remotely run PowerShell Scripts.
Using RMM Scripts
Install Endpoint Agent using RMM PowerShell Script
Click on the Graph View shortcut icon
Click on the Security Group in the Graph View which has the Policies you want the Endpoint to use. (e.g. "Test Lab")
Click "Click to Download and Install"
Click "Download RMM Deployment Scripts"
Click "Install Endpoint Agent"
Click "Download" to download the PowerShell Installation Script
Run the PowerShell Script on all the endpoints associated with this Security Group.
WCS Installer Packages
Installer Packages
There are two types of installer packages that can be downloaded from the dashboard using the Download Protection button in the Subgroup Profile:
- Universal EXE Installer (via Install Now button)
- Platform specific 64-bit and 32-bit MSI Installer Packages (via Download MSI Packages button)
EXE based installer package
- Supports both 32-bit and 64-bit platforms
- Installs the Visual C++ 2008 redistributable pre-requisite package
- Includes updater that can be used to find, download, and install a WCS update
- Supports silent installs using /quiet (no end user interaction) and/or /qn (no end user interface) flags
MSI based installer packages
- Separate installers for 32-bit and 64-bit
- DOES NOT install the Visual C++ 2008 redistributable pre-requisite package; this must already be installed on the target for WCS installation to succeed
- DOES NOT include updater package; updates are generally pushed out via the same method used for the original installation
- No arguments required for normal installation; supports silent installs using /quiet (no end user interaction) and/or /qn (no end user interface) flags
NOTE: Do not modify the name of the installer package that is downloaded from the dashboard (see notes below for exceptions). The filename is in a very specific format that provides important information to the installer, specifically:
- The subgroup authorization code, and
- The server name used to access the account
The filename includes the following components separated by a dash (-):
- The string WCSSetup
- The version number (e.g., 1.3.7)
- The platform (e.g., Windows, Windows_x86, Windows_x64)
- The AuthCode (e.g., 1234567890abababababababababab1234567890)
- The Server URL (e.g., sigs.whitecloudsecurity.com)
Examples:
WCSSetup-1.3.7-Windows-1234567890abababababababababab1234567890-sigs.whitecloudsecurity.com.exe
WCSSetup-1.3.7-Windows_x86-1234567890abababababababababab1234567890-sigs.whitecloudsecurity.com.msi
WCSSetup-1.3.7-Windows_x64-1234567890abababababababababab1234567890-sigs.whitecloudsecurity.com.msi
Notes Regarding Updates
The filename restrictions described above only apply to the first installation on a system. If you are updating to the most recent version, the installer package recognizes that it is installing an update and it uses the information that is already in the registry for that system. The subgroup authorization code and server name embedded in the filename are ignored when updating to the most recent version.
Examples for Updates:
WCSSetup-1.3.7-Windows.exe
WCSSetup-1.3.7-Windows_x86.msi
WCSSetup-1.3.7-Windows_x64.msi
External Configuration File
There is a second option for specifying the subgroup authorization code and server name by using an external configuration file. The external configuration file is a JSON formatted text file that contains the subgroup authorization code and server name rather than having them embedded in the installer filename.
The external configuration file is named WCSSetup-Config.json and must be in the same directory as the installer when it is launched. The contents of the WCSSetup-Config.json file is a single line of JSON formatted text:
{"auth":"1234567890abababababababababab1234567890","sigsURL":"sigs.whitecloudsecurity.com"}
HTTPS Proxy Settings
An HTTPS Proxy can be set in this external configuration file using the "proxy" keyword. The proxy settings are usually in the format "IPADDR:PORT" or "HOSTNAME:PORT".
This example would set the name of the proxy server to 'myproxy' and the port for the proxy server to '8080'.
{"auth":"1234567890abababababababababab1234567890","sigsURL":"sigs.whitecloudsecurity.com","proxy":"myproxy:8080"}
Command Line Public Properties
There is a third option for specifying the subgroup authorization code and server name by using public properties on the installer command line. The name of the public property contains only uppercase letters and is specified on the command line like this: PROPERTY=value. You must specify the subgroup authorization code (property name AUTHCODE). If you do not specify a server name (property name SIGSURL), it will default to sigs.whitecloudsecurity.com.
Example MSI command line:
msiexec.exe /i WCSSetup-1.3.7-Windows_x64.msi AUTHCODE=1234567890abababababababababab1234567890 SIGSURL=sigs.whitecloudsecurity.com
Example EXE command line:
WCSSetup-1.3.7-Windows.exe AUTHCODE=1234567890abababababababababab1234567890 SIGSURL=sigs.whitecloudsecurity.com
Configuration Settings Priority Order
If there are multiple sources of information available, the installer/updater uses the following priority order when configuring the subgroup authorization code and server name:
1. Settings already in the Registry (should only apply to updates)
2. Settings embedded in the installer filename
3. Settings specified via command line public properties
4. Settings contained in the external configuration file
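The three configuration sources described above (the installer filename format, the WCSSetup-Config.json file and the AUTHCODE/SIGSURL public properties) and the priority order, worked through as an added example; this is not the installer's own code. It assumes each setting is taken from the highest-priority source that provides it, that the registry is represented by a plain dict, and that the documented default server name applies whenever no source supplies one.

```python
import json
import re

DEFAULT_SIGSURL = "sigs.whitecloudsecurity.com"
CONFIG_FILENAME = "WCSSetup-Config.json"


def parse_installer_filename(filename):
    """Parse WCSSetup-<version>-<platform>[-<AuthCode>-<ServerURL>].<exe|msi>.

    The short three-part form is the update package, which carries no AuthCode
    or server name. The remainder after the fourth dash is kept whole as the
    server URL so that a hostname containing dashes would still parse (an
    assumption; the documented examples contain none).
    """
    base = re.split(r"[\\/]", filename)[-1]          # accept Windows or POSIX paths
    stem, dot, ext = base.rpartition(".")
    if not dot or ext.lower() not in ("exe", "msi"):
        raise ValueError("not a WCS installer package: %s" % base)
    parts = stem.split("-", 4)
    if parts[0] != "WCSSetup" or len(parts) not in (3, 5):
        raise ValueError("filename does not follow the WCSSetup format: %s" % base)
    info = {"type": ext.lower(), "version": parts[1], "platform": parts[2],
            "auth": None, "sigsURL": None}
    if len(parts) == 5:
        info["auth"], info["sigsURL"] = parts[3], parts[4]
    return info


def parse_public_properties(argv):
    """Collect PROPERTY=value public properties from a command line.

    Property names are uppercase letters only, so msiexec switches such as /i
    and the package path are ignored.
    """
    props = {}
    for arg in argv:
        match = re.fullmatch(r"([A-Z]+)=(.*)", arg)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def load_external_config(text):
    """Parse the single-line JSON contents of WCSSetup-Config.json."""
    data = json.loads(text)
    return {key: data[key] for key in ("auth", "sigsURL", "proxy") if data.get(key)}


def resolve_settings(registry=None, filename=None, argv=(), config_text=None):
    """Resolve the AuthCode and server name using the documented priority order:
    registry, installer filename, command-line public properties, external
    configuration file.

    `registry` is a dict standing in for the values an update reads from the
    Windows registry (a constructed stand-in). A missing AuthCode is an error;
    a missing server name falls back to the documented default.
    """
    sources = []
    if registry:
        sources.append(("registry", registry.get("auth"), registry.get("sigsURL")))
    if filename:
        info = parse_installer_filename(filename)
        sources.append(("filename", info["auth"], info["sigsURL"]))
    props = parse_public_properties(argv)
    sources.append(("command line", props.get("AUTHCODE"), props.get("SIGSURL")))
    if config_text:
        cfg = load_external_config(config_text)
        sources.append(("config file", cfg.get("auth"), cfg.get("sigsURL")))

    result = {"auth": None, "auth_source": None, "sigsURL": None, "sigsURL_source": None}
    for source, auth, sigs in sources:          # highest priority first
        if result["auth"] is None and auth:
            result["auth"], result["auth_source"] = auth, source
        if result["sigsURL"] is None and sigs:
            result["sigsURL"], result["sigsURL_source"] = sigs, source
    if result["auth"] is None:
        raise ValueError("no subgroup authorization code found in any source")
    if result["sigsURL"] is None:
        result["sigsURL"], result["sigsURL_source"] = DEFAULT_SIGSURL, "default"
    return result


if __name__ == "__main__":
    # Constructed example: a first install driven entirely by the full filename.
    print(resolve_settings(filename="WCSSetup-1.3.7-Windows_x64-"
                           "1234567890abababababababababab1234567890-"
                           "sigs.whitecloudsecurity.com.msi"))
```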
References
- Advanced Installer User Guide - Silent installation package: https://www.advancedinstaller.com/user-guide/qa-silent-install.html
- Advanced Installer User Guide - Msiexec.exe Command Line: https://www.advancedinstaller.com/user-guide/msiexec.html
- Windows Dev Center - Msiexec (command-line options): https://msdn.microsoft.com/en-us/library/windows/desktop/aa367988(v=vs.85).aspx
If you don't have a Remote Monitoring and Management (RMM) tool, you can use these instructions as an example of replacing Version 1.3.13 of the White Cloud Security Driver with Version 1.4.1 using GPO from a server named "srcdc2016".
Note: See important for setting "Package can upgrade over the existing package" in Step 10 when driver upgrades are needed.
- First copy the WCS Installer MSI Package file to a shared drive (e.g., the "\\srcdc2016\Downloads\WCS" directory on server srcdc2016).
- Make sure that the network computers have read access to the share, e.g. "\\srcdc2016\Downloads\WCS".
- On the server, e.g. srcdc2016, right click the Start button, select Run, then type 'gpmc.msc' in the box to launch Group Policy Management.
- Find and expand the domain you are using, right click on "App Deployment" and click Edit to bring up the Group Policy Management Editor.
- Expand "Computer Configuration", expand "Policies", expand "Software Settings", then click on "Software installation" (you should see something similar to the image below).
- Right click on "Software installation", click New, click Package.
- Select the WCS Installer MSI Package file from the \\srcdc2016\Downloads\WCS directory.
- Select Assigned as the Deployment method.
- Right click the new application and select the Properties, rename it to something like "White Cloud Security 1.3.13" to differentiate it from the 1.4.1 package, click on the Deployment tab, click on "Assigned" and you should then be able to select "Install this application at logon". You should not need to make any other changes.
- Then right click on the 1.4 version, select Properties. Rename it to something like "White Cloud Security 1.4.1", click on the Deployment tab, click on "Assigned" then select "Install this application at logon". Click on the Upgrades tab, click Add, select "Current Group Policy Object", then select "White Cloud Security 1.3.13". Make sure to select "Package can upgrade over the existing package" to make sure it does an upgrade and not an uninstall and new install. You may need to click the "Browse" button and dig down until you find the 1.3.13 package.
Here's a tutorial on using GPO for MSI Package Deployment.
Resource Management ↵
Load Balancing Guide for WCS DCAs
Introduction to Load Balancing
Load balancing is a technique used to distribute network or application traffic across multiple servers. This ensures no single server becomes overwhelmed, leading to improved performance, increased reliability, and high availability of services. Implementing a minimum of two load balancers in your network architecture is always best practice, so that the load balancer itself does not become a single point of failure. Load balancers can be implemented in hardware, software, or a combination of both.
flowchart TD
nt["Load Balancer / Reverse Proxy"] --> G["WCS DCA"] & A["WCS DCA"] & no["WCS DCA"]
ne["Load Balancer / Reverse Proxy"] --> G & A & no
Note: The graph above illustrates proxying in front of your DCAs. Similar implementations can and should be carried out behind your DCAs in large deployments. Illustrations on these implementations can be found in the NFS and MySQL Management sections of the documentation.
Types of Load Balancers
1. Hardware Load Balancers
Hardware load balancers are physical devices dedicated to distributing traffic among servers. They are often used in large-scale environments due to their high performance and advanced features but can be costly.
2. Software Load Balancers
Software load balancers run on standard servers or virtual machines. They are more flexible and cost-effective than hardware load balancers and can be deployed in various environments, including on-premises and cloud.
3. Cloud Load Balancers
Cloud providers offer load balancing services as part of their infrastructure, providing seamless integration with other cloud services. Examples include AWS Elastic Load Balancer (ELB), Google Cloud Load Balancing, and Azure Load Balancer.
Load Balancing Algorithms
1. Round Robin
Distributes requests sequentially across all servers. Simple and effective for evenly distributed traffic.
2. Least Connections
Routes traffic to the server with the fewest active connections. Ideal for environments where connections vary significantly in duration.
3. Least Response Time
Directs traffic to the server with the lowest response time, ensuring the quickest handling of requests.
4. IP Hash
Uses the client’s IP address to determine which server will handle the request, ensuring consistent routing for clients.
5. Weighted Round Robin
Assigns weights to servers based on their capacity. Servers with higher weights receive more traffic.
6. Least Bandwidth
Routes traffic to the server currently serving the least amount of traffic measured in Mbps.
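The six strategies above, implemented against three DCA backends behind a health-check gate so that a server failing its check never receives a request. This is an added example, not load-balancer or DCA code; the backend names, weights and metrics are constructed.

```python
"""Reference implementations of the balancing algorithms described above,
with a health-check gate so an unhealthy DCA never receives a request.
Added example; backend names, weights and metrics are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass
class Backend:
    name: str                 # e.g. "dca1.example.com" (constructed)
    weight: int = 1           # relative capacity, used by weighted round robin
    healthy: bool = True      # result of the last health check
    active: int = 0           # open connections, used by least connections
    rtt_ms: float = 0.0       # last measured response time
    mbps: float = 0.0         # current traffic served, used by least bandwidth


class Balancer:
    def __init__(self, backends):
        self.backends = list(backends)
        self._rr_pos = 0
        self._wrr_pos = 0

    def _up(self):
        """Health-check gate: only backends that passed their last check are eligible."""
        up = [b for b in self.backends if b.healthy]
        if not up:
            raise RuntimeError("no healthy DCA backend available")
        return up

    def round_robin(self):
        up = self._up()
        choice = up[self._rr_pos % len(up)]
        self._rr_pos += 1
        return choice

    def weighted_round_robin(self):
        # A backend of weight 3 appears three times per cycle, so it gets 3x the requests.
        up = self._up()
        ring = [b for b in up for _ in range(max(1, b.weight))]
        choice = ring[self._wrr_pos % len(ring)]
        self._wrr_pos += 1
        return choice

    def least_connections(self):
        return min(self._up(), key=lambda b: b.active)

    def least_response_time(self):
        return min(self._up(), key=lambda b: b.rtt_ms)

    def least_bandwidth(self):
        return min(self._up(), key=lambda b: b.mbps)

    def ip_hash(self, client_ip):
        # Same client -> same backend while the healthy set is unchanged. A failed
        # health check shrinks that set and re-maps some clients; that is expected.
        up = self._up()
        digest = hashlib.sha256(client_ip.encode("ascii")).digest()
        return up[int.from_bytes(digest[:4], "big") % len(up)]


def sample_backends():
    """Three constructed DCA backends with differing capacity and load."""
    return [
        Backend("dca1.example.com", weight=3, active=5, rtt_ms=12.0, mbps=40.0),
        Backend("dca2.example.com", weight=1, active=2, rtt_ms=30.0, mbps=10.0),
        Backend("dca3.example.com", weight=1, active=9, rtt_ms=8.0, mbps=25.0),
    ]


def distribution(picker, n):
    """Count how many of n picks land on each backend."""
    counts = {}
    for _ in range(n):
        name = picker().name
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    lb = Balancer(sample_backends())
    print("round robin      ", distribution(lb.round_robin, 6))
    print("weighted rr      ", distribution(lb.weighted_round_robin, 10))
    print("least connections", lb.least_connections().name)
    print("ip hash 10.0.0.7 ", lb.ip_hash("10.0.0.7").name)
    lb.backends[0].healthy = False          # dca1 fails its health check
    print("after dca1 down  ", distribution(lb.round_robin, 4))
```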
Setting Up Load Balancing
Step 1: Identify Your Requirements
- Traffic Volume: Estimate the amount of traffic your application will receive.
- Redundancy: Determine the level of redundancy and failover required.
- Performance: Define performance metrics and goals.
Step 2: Choose a Load Balancer
- Hardware vs. Software: Choose based on budget, scalability, and flexibility.
- Cloud Integration: Consider cloud-based load balancers for cloud-native applications.
Step 3: Configure Your Load Balancer
- Define Backend Servers: List the servers that will handle the traffic.
- Select Load Balancing Algorithm: Choose the appropriate algorithm based on your traffic patterns.
- Health Checks: Configure health checks to ensure only healthy servers receive traffic.
Step 4: Deploy and Test
- Deployment: Implement the load balancer in your environment.
- Testing: Conduct thorough testing to ensure proper distribution of traffic and failover functionality.
Step 5: Monitor and Optimize
- Monitoring Tools: Use monitoring tools to track performance metrics and server health.
- Optimization: Adjust configurations and algorithms based on performance data.
Best Practices
- Regularly Update and Patch: Ensure your load balancer software is up-to-date to protect against vulnerabilities.
- Implement Health Checks: Regular health checks can prevent routing traffic to unhealthy servers.
- Use Redundancy: Deploy multiple load balancers to avoid a single point of failure.
- Monitor Performance: Continuous monitoring helps identify and resolve bottlenecks.
- Optimize Configuration: Periodically review and optimize load balancing rules and algorithms.
Applying Load Balancing to WCS DCA
Overview
The White Cloud Security Dynamic Content Architecture (WCS DCA) benefits significantly from load balancing due to its need for high availability and performance. Load balancing can distribute traffic among multiple DCA servers, ensuring consistent access to security services and data.
Example Setup with Nginx
Step 1: Install Nginx
- Install Nginx on your load balancer server:
sudo apt update
sudo apt install nginx
Step 2: Configure Nginx
- Edit the Nginx configuration file, typically found at /etc/nginx/nginx.conf:
http {
    upstream wcs_dca {
        server dca1.example.com;
        server dca2.example.com;
        server dca3.example.com;
    }
    server {
        listen 80;
        listen 443 ssl;
        # "listen 443 ssl" fails to start without a certificate; the paths
        # below are placeholders, replace them with your own
        ssl_certificate     /etc/nginx/certs/wcs-dca.crt;
        ssl_certificate_key /etc/nginx/certs/wcs-dca.key;
        location / {
            proxy_pass http://wcs_dca;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
stream {
    # Passes SSH straight through to the DCAs; listening on 22 here means
    # the load balancer's own sshd must use a different port.
    upstream ssh_backend {
        server dca1.example.com:22;
        server dca2.example.com:22;
        server dca3.example.com:22;
    }
    server {
        listen 22;
        proxy_pass ssh_backend;
    }
}
Step 3: Enable and Start Nginx
- Enable and start Nginx:
sudo systemctl enable nginx
sudo systemctl start nginx
Example Setup with HAProxy
Step 1: Install HAProxy
- Install HAProxy on your load balancer server:
sudo apt update
sudo apt install haproxy
Step 2: Configure HAProxy
- Edit the HAProxy configuration file, typically found at /etc/haproxy/haproxy.cfg:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000

frontend http_front
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/
    default_backend http_back

backend http_back
    balance roundrobin
    server dca1 dca1.example.com:80 check
    server dca2 dca2.example.com:80 check
    server dca3 dca3.example.com:80 check

# SSH is not HTTP: override the "mode http" inherited from defaults,
# otherwise HAProxy tries to parse the SSH stream as HTTP and drops it
frontend ssh_front
    mode tcp
    bind *:22
    default_backend ssh_back

backend ssh_back
    mode tcp
    balance roundrobin
    server dca1 dca1.example.com:22 check
    server dca2 dca2.example.com:22 check
    server dca3 dca3.example.com:22 check
Step 3: Enable and Start HAProxy
- Enable and start HAProxy:
sudo systemctl enable haproxy
sudo systemctl start haproxy
Example Setup with Caddy
Step 1: Install Caddy
- Install Caddy on your load balancer server:
sudo apt update
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo tee /etc/apt/trusted.gpg.d/caddy-stable.asc
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy
Step 2: Configure Caddy
- Edit the Caddy configuration file, typically found at /etc/caddy/Caddyfile:
http:// {
    reverse_proxy * {
        to dca1.example.com:80 dca2.example.com:80 dca3.example.com:80
    }
}
https:// {
    reverse_proxy * {
        to dca1.example.com:443 dca2.example.com:443 dca3.example.com:443
        # the upstreams listen on 443, so the proxy must speak TLS to them
        transport http {
            tls
        }
    }
}
# Note: reverse_proxy handles HTTP only. Forwarding SSH on port 22 requires a
# layer-4 (TCP) proxy such as the caddy-l4 plugin; this block alone will not carry SSH.
:22 {
    reverse_proxy * {
        to dca1.example.com:22 dca2.example.com:22 dca3.example.com:22
    }
}
Step 3: Enable and Start Caddy
- Enable and start Caddy:
sudo systemctl enable caddy
sudo systemctl start caddy
Setting Up Health Checks
Each load balancer configuration above includes basic health checks. Ensure that your WCS DCA servers return appropriate health check responses (e.g., HTTP 200 OK).
Monitoring and Optimization
- Use Monitoring Tools: Implement monitoring tools like NetData and/or Prometheus and Grafana to track the performance of your load balancers and WCS DCA servers. WCS DCAs currently support NetData for exporting not only health metrics but also security events.
- Adjust Load Balancer Configuration: Based on the monitoring data, adjust the load balancing algorithm, weights, and other configurations to optimize performance.
MySQL Management
Introduction to MySQL
MySQL is a widely-used open-source relational database management system (RDBMS). It enables the efficient management of large amounts of data using structured query language (SQL). MySQL operates on a client-server model, where the database server stores data and responds to client requests. It is known for its speed, reliability, and ease of use, making it a popular choice for web applications and data-driven services.
MySQL Installation
A MySQL instance is required for the WCS-DCA. Below are the typical steps for installation in Linux environments.
1. Install MySQL Server
- Linux: Use the package manager for your distribution (e.g., dnf for Oracle Linux, apt for Debian/Ubuntu, or yum for CentOS/RHEL). For example, on Ubuntu:
sudo apt update
sudo apt install mysql-server
2. Secure the MySQL Installation
Run the security script to set a root password, remove anonymous users, disallow root login remotely, remove the test database, and reload privilege tables:
sudo mysql_secure_installation
3. Start the MySQL Service
Ensure the MySQL service is running. On most systems, you can use systemd to manage the MySQL service:
sudo systemctl start mysql
sudo systemctl enable mysql
4. Log into MySQL
Use the MySQL client to log in as the root user:
mysql -u root -p
5. Create a Database
Once logged in, create a WCS database. Make your database name unique to your organization:
CREATE DATABASE wcs_myuniqorg_db;
6. Create a Database User
Create a new and unique user and grant them permissions on the new database. Note this user and password as they will be required to complete the WCS-DCA setup:
-- 'localhost' only permits connections from the MySQL host itself. If the
-- WCS-DCA runs on another machine (see step 8), name that host or subnet
-- instead, e.g. 'my_uniq_user'@'172.31.20.%' (placeholder network).
CREATE USER 'my_uniq_user'@'localhost' IDENTIFIED BY 'my_password';
GRANT ALL PRIVILEGES ON wcs_myuniqorg_db.* TO 'my_uniq_user'@'localhost';
FLUSH PRIVILEGES;
7. Test the Setup
Log out from the root user and log in with the new user to ensure everything is set up correctly:
mysql -u my_uniq_user -p wcs_myuniqorg_db
8. Connect to the Database
Once your database is set up, you will connect to it remotely via the WCS-DCA instance. Refer to the user and password you created earlier as they will be needed to complete the WCS-DCA installation process.
MySQL WCS Configuration
1. Edit your MySQL Config File
Typically named my.cnf for Linux MySQL instances, this file can be located in different directories depending on your Linux flavor or MySQL installation. Common locations include /etc/, /etc/mysql, or /etc/my.cnf.d/. In the latter case, the file may be named differently, such as mysql-server.conf vs. my.cnf. Note: You can eliminate the ANSIBLE BLOCKS or leave them commented out.
[mysqld]
datadir=/data/mysql
socket=/data/mysql/mysql.sock
log-error=/var/log/mysql/mysqld.log
pid-file=/run/mysqld/mysqld.pid
# BEGIN ANSIBLE MANAGED BLOCK
explicit_defaults_for_timestamp=1
sql_mode=NO_ENGINE_SUBSTITUTION
character_set_server=latin1
collation_server=latin1_swedish_ci
log_bin_trust_function_creators=1
slow_query_log=1
slow_query_log_file=/data/mysql/slow_query.log
# END ANSIBLE MANAGED BLOCK
2. Restart MySQL
Once the configuration is updated, a restart is required for the changes to become active.
sudo systemctl restart mysqld
MySQL Backup
Backing up a MySQL server in a Linux environment involves using the mysqldump utility, which is a built-in tool for creating logical backups of MySQL databases. Here's a high-level overview of the steps involved:
1. Prepare the Environment
- Ensure you have sufficient disk space on the server where the backup will be stored.
- Verify that you have access to the MySQL server with a user that has appropriate privileges (e.g., a user with SELECT, LOCK TABLES, and SHOW VIEW privileges).
2. Perform the Backup Using mysqldump
Use the mysqldump command to create a backup of a single database or all databases. The command generates a SQL script that can recreate the database(s).
- For a single database:
mysqldump -u [username] -p[password] [database_name] > [backup_file.sql]
- For all databases:
mysqldump -u [username] -p[password] --all-databases > [backup_file.sql]
3. Schedule Regular Backups
Use cron jobs to automate the backup process. Edit the crontab file with crontab -e and add an entry to schedule the backup. For example, to run a backup every day at 2 AM:
0 2 * * * mysqldump -u [username] -p[password] [database_name] > /path/to/backup/backup_file_$(date +\%F).sql
4. Compress the Backup File
To save disk space, you can compress the backup file using tools like gzip or bzip2. For example:
gzip [backup_file.sql]
5. Verify the Backup
Periodically verify that the backup files are not corrupted and can be restored. You can do this by restoring the backup to a test server:
mysql -u [username] -p[password] [database_name] < [backup_file.sql]
6. Secure the Backup
Ensure the backup files are stored in a secure location with restricted access. Consider encrypting the backups for added security.
Example Backup Script
Here's an example of a shell script to back up a MySQL database and compress the backup file:
#!/bin/bash
set -euo pipefail
# Variables
USER="backup_user"
PASSWORD="your_password"
DATABASE="your_database"
BACKUP_DIR="/path/to/backup"
DATE=$(date +%F)
BACKUP_FILE="$BACKUP_DIR/${DATABASE}_backup_$DATE.sql"
COMPRESSED_FILE="$BACKUP_FILE.gz"
# Backup files are readable by the owner only
umask 077
mkdir -p "$BACKUP_DIR"
# Pass the credentials through a private temporary file: a -p$PASSWORD
# argument is visible to every local user in the process list
CNF=$(mktemp)
trap 'rm -f "$CNF"' EXIT
printf '[client]\nuser=%s\npassword=%s\n' "$USER" "$PASSWORD" > "$CNF"
# Perform the backup (--single-transaction gives a consistent InnoDB snapshot)
mysqldump --defaults-extra-file="$CNF" --single-transaction "$DATABASE" > "$BACKUP_FILE"
# Compress the backup file
gzip "$BACKUP_FILE"
# Log the backup
echo "Backup completed: $COMPRESSED_FILE"
Backup Strategies
- Logical Backups: Use mysqldump for logical backups.
mysqldump -u root -p wcs_myuniqorg_db > backup.sql
- Physical Backups: Use Percona XtraBackup for physical backups without downtime.
xtrabackup --backup --target-dir=/path/to/backup
Recovery Processes
Restoring from Logical Backup
To restore a database from a mysqldump backup:
mysql -u root -p wcs_myuniqorg_db < backup.sql
Restoring from Physical Backup
- Prepare the backup:
xtrabackup --prepare --target-dir=/path/to/backup
- Restore the backup:
xtrabackup --copy-back --target-dir=/path/to/backup
Point-in-Time Recovery
For point-in-time recovery, ensure binary logging is enabled in MySQL. To restore up to a specific point:
1. Restore the most recent full backup.
2. Apply the binary logs up to the desired point in time (without --stop-datetime, mysqlbinlog replays the whole log; the timestamp is a placeholder):
mysqlbinlog --stop-datetime="YYYY-MM-DD HH:MM:SS" /var/lib/mysql/binlog.000001 | mysql -u root -p wcs_myuniqorg_db
Additional Considerations
- Security: Regularly update MySQL to the latest version and apply security patches. Ensure your MySQL server is configured to be accessible only from trusted networks.
- Monitoring: Use monitoring systems like NetData or Prometheus to keep an eye on database performance and health. The latest WCS-DCA supports these two platforms as well, enabling you to monitor not just system health, but also security events within your entire environment where agent endpoints are installed.
- Incremental Backups: For large databases, consider using incremental backups with binary logs.
- Remote Backups: Store backups on a remote server or cloud storage to prevent data loss in case of hardware failure.
- Backup Retention: Implement a retention policy to manage the storage of backup files, deleting older backups as necessary.
- Performance Tuning: Adjust MySQL configuration (my.cnf) for better performance based on your workload.
- Scalability and High Availability: To ensure your MySQL database is scalable and highly available, consider the following:
- Replication: Use MySQL Replication to create multiple copies of your database for read scalability and high availability. Learn more about MySQL Replication.
- Clustering: Implement MySQL InnoDB Cluster or Galera Cluster for high availability and automatic failover. More information on MySQL InnoDB Cluster and Galera Cluster.
- Load Balancing: Use a load balancer like ProxySQL to distribute database traffic and ensure continuous availability. Check out ProxySQL.
- Backup Solutions: Use backup solutions like Percona XtraBackup for hot backups without downtime. Details available at Percona XtraBackup.
- Cloud Services: Consider using cloud database services such as Amazon RDS or Google Cloud SQL, which provide built-in high availability and scalability options. See Amazon RDS for MySQL and Google Cloud SQL for MySQL.
Common highly available and scalable MySQL database architectures.
Master-Master Replication
flowchart TD
A["WCS DCA"] -- Round Robin Request --> E["Load Balancer / Reverse Proxy"] & H["Load Balancer / Reverse Proxy"]
G["WCS DCA"] -- Round Robin Request --> E & H
E -- Read/Write --> I["MySQL"] & J["MySQL"]
H -- Read/Write --> I & J
I --> nv["Backup"]
I <--> n7["Bi-Directional Replication"]
J --> nu["Backup"]
J <--> n7
Master-Slave Replication
flowchart TD
A["WCS DCA"] -- Round Robin Request --> E["Load Balancer / Reverse Proxy"] & H["Load Balancer / Reverse Proxy"]
G["WCS DCA"] -- Round Robin Request --> E & H
E -- Read/Write --> I["MySQL Primary / Master"]
E -. Read/Write .-> J["MySQL Secondary / Slave"]
H -- Read/Write --> I
H -. Read/Write .-> J
I --> nv["Backup"]
I --- n7["Failover Master / Slave Replication"]
J --> nu["Backup"]
J --- n7
NFS Management
Introduction to NFS
Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems in 1984. It allows a computer to access files over a network in the same way it accesses local storage. NFS enables users and programs to access files on remote systems as if they were local files, providing a seamless integration of resources across a network.
NFS Volume for the WCS DCA Servers
Overview for DCA Shared Filesystem
The White Cloud Security Data Center Appliance (DCA) uses avatar icons to represent login accounts and Security Groups. These avatar images are uploaded by login accounts and admins and stored in a Linux volume via the DCA server.
To ensure these avatar images are shared and displayed on the WCS Dashboard for any DCA server showing the Dashboard, they must be stored on a shared Linux volume that all DCAs can access.
Likewise, the cluster of DCA servers stores reports and third-party app reports on this shared volume, which can either be a shared NFS volume or an attached volume on AWS Elastic File Storage (EFS).
NFS On AWS: Elastic File Storage
NFS nomenclature on AWS is EFS. The AWS EFS volume should be mounted on the /data folder on the DCA server. If the DCA detects that the /data volume is mounted, it then shows the /data volume as a pre-attached volume and doesn't give the user an option to provide an NFS URI.
NFS: Use of Shared NFS Volume
If the DCA detects that no volume is attached to the /data folder, it requests the NFS URI for the NFS Shared Volume to store its files. This NFS URI should point to an NFS volume on a Linux NFS server.
When the DCA /set-dca-options page is opened, its form allows the admin to specify a DCA NFS File Storage Volume URI, such as:
172.31.20.2:/mnt/data/dcas/wcs1
172.31.20.11:/srv/nfs/share/wcs1
where "wcs1" would represent an NFS shared volume for a single WCS service instance. This service instance can include one or more DCAs which are all:
- Using the same MySQL databases
- Servicing the same groups of endpoints
- Sharing the file storage for avatars, reports, and other data files
NFS On RHEL/CentOS
Install NFS on RHEL and CentOS
Use yum or dnf to install the NFS Server package:
sudo dnf update
sudo dnf install nfs-utils
sudo systemctl enable --now nfs-server
sudo systemctl enable --now nfs-lock
sudo systemctl enable --now nfs-idmap
sudo firewall-cmd --permanent --add-service=nfs
sudo firewall-cmd --reload
Set up NFS Shared Volume on RHEL and CentOS
In the first URI example, the IT admin has created an NFS storage volume on the Linux server at IP address 172.31.20.2, which is sharing the directory on its filesystem at /mnt/data/dcas/wcs1.
To create the first example's shared volume, follow these steps:
- Create a directory to hold the shared avatar images:
sudo mkdir -p /mnt/data/dcas/wcs1
- Edit /etc/exports to specify the shared volume and which DCAs can access it:
sudo vi /etc/exports
Add the line:
/mnt/data/dcas/wcs1 172.31.20.1/24(rw,sync,no_subtree_check,no_root_squash)
In this case, the entire class C subnet for 172.31.20.1 is allowed to mount this file storage volume.
- Export the share info and restart the NFS server:
sudo exportfs -arv
sudo systemctl restart nfs-server.service
- On the DCA /set-dca-options page, include the shared volume's URI (servername:/pathname): 172.31.20.2:/mnt/data/dcas/wcs1/avatars
- When you click on the "Setup DCA" button, the DCA will verify that the DCA WCS File Storage Volume is accessible and will make the mount point persistent on the DCA.
NFS On Debian/Ubuntu
Install NFS on Debian and Ubuntu
Use apt or apt-get to install the NFS Server package:
sudo apt update
sudo apt install nfs-kernel-server
sudo systemctl restart nfs-kernel-server
sudo systemctl status nfs-server # Check the status of the NFS server
sudo systemctl start nfs-server # Start the NFS server if not already running
sudo systemctl enable nfs-server
# Check nfs-lock and nfs-idmapd
sudo systemctl status nfs-server # Should also show nfs-lock status
ps aux | grep nfs-idmapd # Check if nfs-idmapd is running
# Allow NFS ports
sudo ufw allow from 172.31.20.1/24 to any port 111 # RPC portmapper
sudo ufw allow from 172.31.20.1/24 to any port 2049 # NFS
sudo ufw allow from 172.31.20.1/24 to any port 32803 # rpcbind
# Enable UFW if not already enabled
sudo ufw enable
Set up NFS Shared Volume on Debian and Ubuntu
In the second URI example, the IT admin has created an NFS storage volume on the Linux server at IP address 172.31.20.11, which is sharing the directory on its filesystem at /srv/nfs/share/wcs1.
- Create a directory to hold the shared files and set its user permissions:
sudo mkdir -p /srv/nfs/share/wcs1
sudo chown 48:48 /srv/nfs/share/wcs1
sudo chmod 0770 /srv/nfs/share/wcs1
- Edit /etc/exports to specify the shared volume and which DCAs can access it:
sudo vi /etc/exports
Add the line:
/srv/nfs/share/wcs1 172.31.20.1/24(rw,sync,no_subtree_check,no_root_squash)
In this case, the entire class C subnet for 172.31.20.1 is allowed to mount this file storage volume.
- Restart the NFS server:
sudo exportfs -ra
- On the DCA /set-dca-options page, include the shared volume's URI (servername:/pathname): 172.31.20.2:/mnt/data/dcas/wcs1/avatars
- When you click on the "Setup DCA" button, the DCA will verify that the DCA Avatar Storage Volume is accessible and will make the mount point persistent on the DCA.
When running /set-dca-options, the DCA will copy the default avatars to the shared NFS volume and create a file structure similar to this:
wcsFiles/
├── avatars
└── virustotal
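Both /etc/exports lines in the RHEL and Debian sections above grant the whole 172.31.20.1/24 range with no_root_squash. The following added example (not DCA code; the exports text is constructed from those lines, with the second entry varied to a single host and an extra read-only network) parses such a file and reports which DCA addresses can mount a share and which entries are broader or more permissive than the deployment needs:

```python
"""Audit an /etc/exports file for the WCS share: which DCA addresses can mount
it, and which entries are wider or more permissive than the deployment needs.
Added example, not part of the DCA; SAMPLE_EXPORTS is constructed."""
import ipaddress
import re
from dataclasses import dataclass

# Options that widen what a mounting client can do. The lines above use
# no_root_squash on purpose (the DCA writes as root), so it is reported, not rejected.
RISKY_OPTIONS = {
    "no_root_squash": "client root keeps root on the share",
    "insecure": "mounts accepted from unprivileged source ports",
    "no_auth_nlm": "lock requests are not authenticated",
}

# Constructed sample: first line as shown above, second varied to one host plus a read-only network.
SAMPLE_EXPORTS = """\
# WCS DCA shares (constructed sample)
/mnt/data/dcas/wcs1 172.31.20.1/24(rw,sync,no_subtree_check,no_root_squash)
/srv/nfs/share/wcs1 172.31.20.11(rw,sync,no_subtree_check) 10.0.0.0/8(ro)
"""

# One client entry: "client" optionally followed by "(opt,opt,...)", ended by whitespace or end of line.
CLIENT_RE = re.compile(r"(\S+?)(?:\(([^)]*)\))?(?=\s|$)")


@dataclass(frozen=True)
class Export:
    path: str
    client: str        # IP, CIDR, hostname or wildcard, exactly as written
    options: tuple


def parse_exports(text):
    """Parse exports(5) lines into one Export per (path, client) pair."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        clients = parts[1] if len(parts) > 1 else ""
        for m in CLIENT_RE.finditer(clients.strip()):
            opts = tuple(o.strip() for o in (m.group(2) or "").split(",") if o.strip())
            exports.append(Export(path, m.group(1), opts))
    return exports


def can_mount(exports, path, client_ip):
    """Return the first export entry that lets client_ip mount path, else None."""
    ip = ipaddress.ip_address(client_ip)
    for e in exports:
        if e.path != path:
            continue
        if e.client == "*":
            return e
        try:
            # strict=False: "172.31.20.1/24" as written above means 172.31.20.0/24
            net = ipaddress.ip_network(e.client, strict=False)
        except ValueError:
            continue  # hostname or name wildcard; not resolved in this offline check
        if ip in net:
            return e
    return None


def review(exports, path, dca_ips):
    """Findings for one share: DCAs that cannot mount it, and over-broad or risky entries."""
    findings = []
    for ip in dca_ips:
        if can_mount(exports, path, ip) is None:
            findings.append(f"{ip} cannot mount {path}")
    for e in (x for x in exports if x.path == path):
        if e.client == "*":
            findings.append(f"{path} is exported to every host")
        else:
            try:
                net = ipaddress.ip_network(e.client, strict=False)
                if net.num_addresses > len(dca_ips):
                    findings.append(f"{path}: {e.client} covers {net.num_addresses} addresses for {len(dca_ips)} DCAs")
            except ValueError:
                pass
        for opt in e.options:
            if opt in RISKY_OPTIONS:
                findings.append(f"{path}: {e.client} has {opt} ({RISKY_OPTIONS[opt]})")
    return findings


if __name__ == "__main__":
    exports = parse_exports(SAMPLE_EXPORTS)
    for finding in review(exports, "/mnt/data/dcas/wcs1", ["172.31.20.5", "172.31.20.6"]):
        print(finding)
```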
To ensure that the NFS setup is scalable and highly available, consider the following:
Scaling and Highly Available NFS Architectures
- Automounting: Utilize automounting features to manage mounting of NFS volumes dynamically based on usage. This can help balance the load across multiple NFS servers. Reference: NFS Automount Configuration
- Load Balancing: Implement load balancing to distribute the traffic evenly across multiple NFS servers. Tools like HAProxy can be used. Reference: Load Balancing NFS with HAProxy
- Horizontal Scaling: Increase the number of NFS servers as needed. This might involve setting up a distributed file system like GlusterFS or CephFS, which can scale out by adding more servers and data centers. Reference: GlusterFS Documentation, CephFS Documentation
- Redundant NFS Servers: Set up multiple NFS servers with redundancy. If one server fails, another can take over. Reference: High Availability NFS using DRBD and Heartbeat
- Shared Storage: Use shared storage solutions like AWS EFS, which inherently provides high availability and durability. Reference: AWS EFS High Availability
- Backup and Recovery: Regularly backup NFS data and have a recovery plan in place. Tools like rsync can be used for incremental backups. Reference: Using rsync for Backups
flowchart TD
A["WCS DCA"] -- Round Robin Request --> E["Load Balancer"] & H["Load Balancer"]
G["WCS DCA"] -- Round Robin Request --> E & H
E -- Read/Write --> I["NFS Server"] & J["NFS Server"]
H -- Read/Write --> I & J
I -- Round Robin --> K["Shared Storage"] & L["Shared Storage"]
J -- Round Robin --> K & L
K -- Backup --> M["Backup Server"]
L -- Backup --> N["Backup Server"]
GlusterFS and Ceph are both distributed storage systems that meet the NFS requirements of WCS DCA appliances, but they have different architectures and use cases:
GlusterFS
- Architecture: Gluster uses a scale-out architecture where storage is provided by multiple servers (or nodes) that pool their storage resources into a single namespace. It uses a stackable user-space design, meaning it's implemented mostly in user space.
- Use Cases: Gluster is primarily used for scale-out NAS (Network-Attached Storage) and is well-suited for file-based workloads. It's designed to be simple to deploy and manage, often used for storing large volumes of unstructured data like logs, media files, and backups.
- Data Access: Gluster provides file-level access to data, typically using protocols like NFS and SMB.
- Ease of Use: Gluster is generally considered easier to set up and manage compared to Ceph, with a simpler configuration and fewer dependencies.
CephFS
- Architecture: Ceph uses a more complex, distributed object storage architecture that provides interfaces for object, block, and file-level storage. It uses a combination of RADOS (Reliable Autonomic Distributed Object Store) for storing data and CRUSH (Controlled Replication Under Scalable Hashing) for data placement and replication.
- Use Cases: Ceph is designed to provide unified storage, supporting object storage (via S3 and Swift APIs), block storage (via RBD), and file storage (via CephFS). It's often used in cloud environments and for OpenStack storage backends.
- Data Access: Ceph provides object, block, and file-level access, making it a versatile solution for various storage needs. It's known for its high scalability and performance, particularly in environments that require high availability and redundancy.
- Complexity: Ceph is more complex to deploy and manage compared to Gluster, requiring more expertise and a more extensive setup process. It also has a higher learning curve but offers more flexibility and robustness.
Air Gapped Backups
- Backup and Recovery: We highly recommend performing periodic air-gapped backups as part of a disaster/recovery plan.
Monitoring and Alerts
- Implement monitoring and alerting systems to proactively manage NFS server health and performance. NetData or Prometheus can be used for this purpose.
- Reference: Monitoring NFS Servers with Netdata. Note: NFS metrics are fully integrated.
- Reference: Monitoring NFS Servers with Prometheus. Note: The node exporter supports a multitude of NFS metrics.
Best Practices ↵
Best Practices should be followed in these areas:
- Ensure Account Owners have enabled 2-Factor Authentication on their WCS account
- Use Monitor Mode to on-board new Endpoints without disrupting end users' software use
- Keep Learn Mode sessions short and for specific App Learning
Specific Guidelines
Learn Mode vs Monitor Mode
The Best Practice for on-boarding new Endpoints/Customers is to use Monitor Mode.
Learn Mode has a very narrow use case.
Our Learn Mode is meant to learn CERTs and/or Unsigned Apps when an endpoint is in Blocking Mode and you are just adding a single App.
Learn Mode Groups all learned CERTs & Apps in a Learn Mode Session into a single App named
A Learn Mode Session has a Timeout setting to prevent accidentally leaving a protected Host in Learn Mode beyond what was anticipated. You also need to review the Learn Mode session's Element to ensure they are what is necessary before trusting it.
Monitor Mode, by contrast, doesn't have a timeout and allows you to organize the Monitor Mode Policy Exceptions into one or more Apps. With Monitor Mode you can incrementally add Trust for Apps, CERTs, and Trusted Children, as well as Block Policies.
Managing Apps in White Cloud Security
A brief guide to managing applications on a day-to-day basis.
Blocked Apps
We see that we have four alerts in one of our subgroups. Click the "Blocked Apps" button.
Now, you are presented with alerts related to programs that were blocked in one of your systems at the subgroup "ziggy test". You can also access the Blocked Apps menu by clicking the red lock at the top of the menu.
A brief note about Blocked Apps Exceptions: When a program is blocked, it usually means that you are in Blocking Mode and this program has not been added to your Trust-List.
Monitor Mode Exceptions
Click "MONITOR MODE EXCEPTIONS" to navigate to the exceptions menu.
You are now at the Monitor Mode Exceptions menu, in this case this computer does not display any alerts right now.
A brief note about Monitor Mode Exceptions: Monitor Mode Exceptions are alerts generated by programs which are not approved in your Trust-List nor inherited by your Security Group, but the distinction from Blocked Apps, is that the blocked apps are blocked instantly and you have to unblock them for them to run. A Monitor Exception is not blocked; it is just a policy alert for an active program.
Monitor Mode Exceptions are examples of what an Intrusion Detection System (IDS) would do, i.e. alerting the administrator but not taking any action.
Blocking Mode Exceptions are examples of what an Intrusion Prevention System (IPS) would do: taking action and blocking malicious activity proactively.
Trusted Apps Run History
This is the "Trusted Apps Run History" button, that will show you in real time what programs are being executed in your system or systems. It is very useful if you trust a CERT and you want to know what program is connected to that cert by filtering by CERT Thumbprint or CERT Name.
Trusting an App
We want to trust Spotify.exe, but we do not want to trust the certificate. Click on the app alert.
Click "App", to trust this file through its handprint. By trusting a program as an app, we are trusting that individual file only, unlike trusting a certificate, which includes trusting all the apps that are signed with that same certificate.
Click "Show More Edit Options" to introduce more details.
Click the "Enter a Description" field to enter a "Description" and a "Home Page URL".
Click "Trust This App" to add this program to your Trust-List.
Click "Show Trust-Lists" to access your Trust-List.
Click "Apps" to expand the trusted apps items in your Trust-List.
Here is the program just trusted as an "App", including the description added by the administrator. Click on it to see more details.
Scroll down and click the name of the program to see more information and options for research, analysis and more.
Here is the new menu that now contains more information such as the file length, name, and the file directory. You can also navigate to VirusTotal for further analysis.
Distrusting an App from your Trust-List
Click "Distrust" if you decide that you do not want this app trusted in your Trust-List anymore. This means that if you are in Blocking Mode, your users in this group will not be able to use this app.
Removing an App from your Trust-List
Click "Disable App" if you want to remove this app from your Trust-List completely.
Click "Disable It"
Trusting Installers
Click "Installer" if you are going to install a program. If you trust an installer only as an App, the installer may be limited and may fail (not always) when one of its components is blocked during setup; the Installer option allows you to add depth to trust its children.
Click the "Depth" field to adjust the depth. Usually, 6 levels of depth works well.
Click "Trust as Installer" after you have selected the source of your trust from the dropdown menu.
Trusting Children
Programs tend to use many components to operate well on a system, and if those files are blocked it usually prevents the "Parent" program from running well, or at all. In this case, we have a .dll file that depends on the program "PhoneExperienceHost.exe" from Microsoft to run. Another example is Adobe software, which uses a lot of JS files as child processes. Click "As Trusted Child" to see more information.
We can see more information about the Parent App. You can click it to find out whether it has been trusted in the past by someone else in your Trust-List, where its trust comes from, and more.
Note that by trusting the Parent App you automatically trust all of the components that came with it and were blocked.
Click "Auto-Trust Children" if you want to move forward and add this Parent App to your Trust-List.
Click "Trust its Children"
Click "Show Trust-Lists" and then click "Apps" to expand your Trust-List.
You just added a new app to your Trust-List. Click to see more information.
Notice that you will only see the Parent App and its CERT instead of all the components that came with it.
Monitored Children
What is a Monitored Child? Simply stated, Monitored Children are programs that will run in Monitor Mode even if the system is protected.
Monitored Children operate with only one level of depth and all Monitored Children apps are reported to the service by the WCS Agent. They are recorded as Monitored Children and allowed to run, even in Blocking Mode.
One major difference between Monitored Children and Trusted Children is that once an endpoint picks up the Trust Policy for the Handprint for a Parent App, the WCS Agent will not report Trusted Children to the service until they exceed the depth level setting for that Parent.
Click "As Monitored Child" to enter more information.
Click "Monitor Children"
Click "Show More Edit Options"
You can scroll and see where this app is located.
Click the "Enter a Description" field.
Click "Monitor Children" if you want to add this program as a "Monitored Child".
Creating Reports
If you want to have a report of your blocked apps, you can click the "Download" button to download a report of your blocked items in that subgroup.
Export Fingerprints
Click "Export" if you want to download the fingerprints of your blocked list. This can be useful if you want to import those fingerprints into another group.
Trust Apps Menu
Click "Trust Apps" to see all of your apps in your list right now. You can trust signed and unsigned apps in this section.
I want to trust everything that comes from Google Chrome, so I select Google.
I also want to trust the ChromeSetup.exe program down below.
After filling in the information, I choose whether I want it trusted immediately after it is uploaded to the Trust-List, or one of the other options in the dropdown.
Click "Upload" after you have chosen where to upload the trust.
If you go to your Trust-List, you will see that Google Chrome was added together with all of the files you selected to this new Trust-List item.
Types of Blocks
Now, let's say that you want to block an app permanently or temporarily. Click the red lock in the app options menu.
Stop for Host and Stop for Group (Soft Block): This kind of block is not permanent; it lasts only a certain amount of time, but while it lasts it has the same impact as a hard block. You can block an app on one computer only or in the entire group.
Malware, Denied, and Distrusted (Hard Block): This kind of block is permanent and it will block a program even if you are in Monitor Mode (No Protection). The difference between a Soft Block and a Hard Block is that the Hard Block propagates to all of the groups below the one you add it to. For example, if you add it at the top of your inheritance tree, it applies to all groups within that tree, which is something the Soft Block does not do.
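The block semantics above, together with the Installer depth and Monitored Children rules from the earlier sections, as an added example (not White Cloud Security's code) of how an endpoint could resolve them against the group inheritance tree; the group names, hosts, handprints and policy record layout are constructed for illustration:

```python
"""Added example, not White Cloud Security's own code: a small model of how the
policies described in this guide resolve for one file on one endpoint, given the
group inheritance tree. It covers inherited Trust, Hard Blocks, timed Soft Blocks,
Installer depth (trusted children) and Monitored Children. Group names, host
names, handprints and the policy record layout are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

HARD_BLOCKS = ("Malware", "Denied", "Distrusted")   # permanent; propagate down the tree
SOFT_BLOCKS = ("StopHost", "StopGroup")               # timed; this host or this group only


@dataclass
class Policy:
    handprint: str                       # stands in for the file's 6-factor handprint
    kind: str                            # "Trust", "Installer", "MonitorChildren", hard or soft block
    group: str                           # group the administrator added the policy to
    host: Optional[str] = None           # StopHost only
    expires: Optional[datetime] = None   # soft blocks only
    depth: int = 0                       # Installer only: how many levels of children to trust


class PolicyResolver:
    def __init__(self, parent_of: Dict[str, Optional[str]]):
        self.parent_of = parent_of       # group -> parent group (None at the root)
        self.policies: List[Policy] = []

    def lineage(self, group: str) -> List[str]:
        """The group itself, then each ancestor up to the root."""
        chain: List[str] = []
        while group is not None:
            chain.append(group)
            group = self.parent_of[group]
        return chain

    def _for(self, handprint: str) -> List[Policy]:
        return [p for p in self.policies if p.handprint == handprint]

    def decide(self, handprint: str, host: str, group: str, now: datetime,
               ancestry: Optional[List[str]] = None, monitor_mode: bool = False) -> str:
        """ancestry: handprints of the parent process chain, nearest parent first."""
        chain = self.lineage(group)
        # 1. Hard blocks win: they propagate to every group below the one they were
        #    added to and apply even when the endpoint is in Monitor Mode.
        for p in self._for(handprint):
            if p.kind in HARD_BLOCKS and p.group in chain:
                return f"blocked: {p.kind} (inherited from {p.group})"
        # 2. Soft blocks: same effect while they last, but scoped to the host or group
        #    they were set on, with no propagation to subgroups.
        for p in self._for(handprint):
            if p.kind in SOFT_BLOCKS and p.group == group and p.expires and now < p.expires:
                if p.kind == "StopGroup" or p.host == host:
                    return f"blocked: soft {p.kind} until {p.expires:%H:%M}"
        # 3. Trust is inherited from ancestor groups, like hard blocks.
        for p in self._for(handprint):
            if p.kind == "Trust" and p.group in chain:
                return f"allowed: trusted in {p.group}"
        # 4. Children: a trusted Installer covers descendants up to its depth; a
        #    Monitored Children parent covers one level, and those runs are reported.
        for level, parent in enumerate(ancestry or [], start=1):
            for p in self._for(parent):
                if p.group not in chain:
                    continue
                if p.kind == "Installer" and level <= p.depth:
                    return f"allowed: trusted child of {parent} at depth {level}"
                if p.kind == "MonitorChildren" and level == 1:
                    return f"allowed: monitored child of {parent} (reported)"
        # 5. No policy: Default-Deny, except that Monitor Mode logs the run and lets it go.
        if monitor_mode:
            return "allowed: unknown, logged (Monitor Mode)"
        return "denied: no policy (Default-Deny)"


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 9, 0)
    r = PolicyResolver({"root": None, "sales": "root", "sales-east": "sales"})
    r.policies += [
        Policy("hp-chrome", "Trust", "root"),
        Policy("hp-evil", "Malware", "root"),
        Policy("hp-chrome", "StopGroup", "sales-east", expires=now + timedelta(hours=1)),
        Policy("hp-setup", "Installer", "root", depth=2),
    ]
    print(r.decide("hp-chrome", "DESKTOP-1", "sales-east", now))
    print(r.decide("hp-evil", "DESKTOP-1", "sales-east", now, monitor_mode=True))
    print(r.decide("hp-child", "DESKTOP-1", "sales", now, ancestry=["hp-setup"]))
```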
Archiving Apps
If you want to clear your list of alerts, you can do it in two ways. You can clear alerts individually by clicking the button that shows up when you hover over the zone selected by the blue arrow in the image down below.
Right-clicking the "Archive" button shows different archive options to choose from:
Archive This App's Events: It will archive events for only that specific app.
This app and All Older Events: It will archive all the alerts in the list.
Archive This App's Events for Host: It will archive app events for that computer specifically.
This App and Older Events for Host: It will archive all the apps and older events for that specific computer.
Click "Archived" if you want to see all the alerts you archived.
Click the "Live" radio button or dropdown, depending on your preference, to see your live events that have not been archived.
App List Date Range
If you need to go back in time and see which apps you archived, or which apps appeared in the Blocked Apps or Monitor Mode events, you can use the calendar to set specific dates.
The second element is the button "Open Pivot Table" which we will cover next.
Pivot Table
The Pivot Table is incredibly useful when you have to deal with hundreds or even thousands of events at a very fast pace (ideal for Incident Responders who want to map a potential threat). When time is critical and limited, the Pivot Table allows you to organize and filter large varieties of information. To your left (Blue Zone) you have tags that you can drag and drop into the white zone to display the information contained in each tag.
Note: The Pivot Table uses all of your alert list, which can include your Blocked Apps or your Monitor Mode Exceptions list.
You can get extremely detailed about every single piece of information you want to filter, making the Pivot Table a very valuable and very powerful tool. You can also filter through every tag with the help of their individual arrows. In the next section we will show you what that looks like.
In this case we are filtering by CERT Name allowing us to see all of the CERTs present. I want to see only the Google apps signed by Google, so I uncheck the "Google LLC" checkbox.
Then I click "Invert and Apply" to uncheck everything and only check "Google LLC".
Using filters, we now see only the apps signed by Google LLC; in this example we are looking at "Blocked" events from the subgroup "ziggy test". Using tags, we can see a lot of information about this Google app and where it has been used. These Google apps were seen on DESKTOP-D1F5EE5 in the subgroup ziggy test; their Parent App is updater.exe; we see the pathnames where this happened, which end user ran them, whether any of those files have hits in VirusTotal (vtPositives), where the Parent App is located, and more. You can also use the "Refresh Table" button to refresh your table so it reflects what you have in your Monitor Mode or Blocked Apps list.
Click "Reload It!". If you were checking 200 alerts and suddenly noticed that 300 more alerts had arrived in your alert list, you can click "Refresh Table" and then "Reload it!". Those 300 new alerts are immediately fed into your existing Pivot Table. (This process is not automatic.)
Recently Viewed Subgroups
If you need to go quickly to one of the groups that you recently checked, we record your recently viewed subgroups, allowing you to quickly navigate through your subgroups. This list does not persist if you close your session.
Guide to Managing Certificates in Trust Lists
A comprehensive guide to learn how to manage code-signing certificates and how to trust apps based on certificate trust.
Trusting a CERT
Trusting apps based on their certificate is very easy and fast. Let's take this program as an example: HXTSR.exe, signed by Microsoft Corporation.
After you click the program, you will see the "Trust CERT" section with a button displaying the name of the signer. Click the name of the code-signing certificate; a new window will appear.
You can write a name to identify this certificate in your Trust-List, or leave it as is, so the placeholder name will be used.
You can alternatively click "HxTsr.exe" to use that name, without needing to write a name or use the default name.
In the "Upload to:" dropdown, you can choose where you want to upload this certificate: your "Inheritance Tree", "Groups I Manage", or "Groups I Manage & their subgroups".
Next, when you select "Inheritance Tree" for example, the next dropdown presents the subgroups in your inheritance tree; if you select "ziggy test", this Microsoft Corporation certificate will be uploaded to the subgroup called ziggy test.
Click "Show More Edit Options" to expand the options and enter more information about this certificate.
You can now enter a description and also add a home page URL for the certificate.
This is an example of how it would look.
Whenever you are ready to trust and add this cert to the subgroup of your choice, you can click "Trust This CERT".
Verifying CERT Trust
Click "Show Trust-Lists" to access your Trust-List in that specific subgroup.
Click on "Apps"
You now have added this Microsoft Corporation certificate to your Trust-List and all the apps that are signed with this certificate will be allowed to run. Click on the Trust-List item to see more information.
After you click the Trust-List item, you will see more information about it, including when it was added and by whom.
Scroll down to see more information about the certificate itself.
Disabling and removing a CERT
If for some reason you do not want this certificate in your Trust-List anymore, you can remove it quickly by clicking "Distrust" first.
And then clicking "Disable App". You will be shown a pop-up window confirming your actions.
Click "Disable It" to remove this certificate from your Trust-List.
Trust CERTs Menu
There is another way to trust certificates: click "Trust CERTs".
You will be taken to a different page. To your right you will see all of the CERTs you had on your app menu; you can choose them all (if you really know where they all come from), or select them one by one as you prefer. To your left is the menu for adding more information about this certificate or certificates.
This dropdown list allows you to decide how to add those certificates: add them and trust them immediately, add them without trusting them yet (so you can decide later), or add them with a Hard Block (Malware, Denied, or Distrusted policy), which means that all apps signed by those certificates will be blocked instantly.
We select the certificates we want to add to our Trust-List.
We also select Spotify AB because we want to hear some music while working.
After you select the certificates of your choice and fill in all the information, you can select where (to which subgroup) you want to upload those certificates.
Click this dropdown to select in which subgroup in your inheritance tree you want to upload the trust.
Click "Upload" when you are ready to add trust.
Click "Show Trust-Lists"
Click "Apps".
Click the Trust-List item you just added to see more information.
As you can see, all the certs you selected, including the Spotify cert, were added together in one single item on your Trust-List.
Editing Trust-List App or CERT
Click "Edit App" if you want to edit any information contained within this Trust-List item.
For example, we want to add the word "CERTs" into the name of the Trust-List item. Click "Apply" when you finish editing.
Click "Apply"
Copy App(s) or CERT(s)
Click "Copy" IF you want to edit the apps or CERTs contained within this Trust-List item. You will be transported to a different page.
We have decided that we want only Microsoft CERTs in this item, and we want to create another trusted item from this one. Assuming we want all the Microsoft CERTs, click "All" to select everything.
Then, we uncheck "Spotify AB".
We fill in the information.
We choose how to proceed: Trusted, Not Trusted Yet, or one of the other options available.
Warning: Selecting Malware, Denied, or Distrusted will apply a "Hard Block" to a certificate.
In this case, we want to create a new Trust-List item, BUT, we do not want it trusted yet, so we select "Add But Don't Trust Yet" option.
We select where we want to upload our new Trust-List item. We want to upload it somewhere in our inheritance tree.
Click the second dropdown to select the subgroup of your preference located in your inheritance tree to upload the trust.
When you are ready to upload, click "Upload".
Only the Spotify AB cert remains here, which means that a new item was created in the Trust-List with the other certs only.
Open your Trust-List, select "Only Mine" and look at what we have: we added a new item called "MICROSOFT CERTS ONLY". It was added successfully and it is not trusted yet, as we chose in the previous step. Click the item for more information.
After you click to see more information, you will notice that the Spotify AB certificate was not added; we only have the four certs that we selected.
Enabling a Distrusted App or CERT
If you have made the decision to trust these four certificates within this Trust-List item, you can click "Trust" to enable this item in the Trust-List.
Disabling a Distrusted App or CERT
If you decide that you are no longer going to use those four certificates within this Trust-List item, you can click "Disable" to remove it together with those four certificates.
Note that we covered distrusting and disabling a Trust-List item earlier in this guide. The purpose of covering it again is to show that a Trust-List item can contain more than one element. In the first example there was only one certificate, and distrusting that one certificate deactivates the trust for that certificate; in this example, disabling a Trust-List item that contains four certificates is the same as disabling the trust for those four certificates at once.
If you are sure about this action, click "Disable it".
This is a quicker way to trust a cert that was already added to your Trust-List but has not been trusted yet. If you do not want to open and expand the details, just click the "Trust" button and it will be trusted automatically.
Click "Distrust" to distrust the item quickly.
Click "Trust" to trust the item quickly.
Export Fingerprint File
Use this option if you want to export this item as a "Fingerprint File" so that you can move it to another subgroup through the top menu option called "Add fingerprints" (next to the "Show Trust-List" button).
Conducting Investigations
A brief guide to making decisions on a daily basis for teams in charge of app reviews, app research, and adding app trust in computer systems.
Initial Information Gathering About an Event
Let's say that you are a Security Administrator tasked with adding and removing apps from your organization's Trust List. One day, you see that one of your users is trying to use a program to check their email messages.
By clicking on the selected app, you can now see more information, such as whether the program in question is signed by a code-signing certificate or not, along with many other details.
We want to know more about this program, so we click the "i" button to expand the app menu.
Next, you are presented with information about the code signing certificate of the program, the name of the signing organization, and who issued this certificate, in this case, "Microsoft Marketplace CA G 024."
App's Policy History
Now, we are presented with three buttons: "Show Policy History," "Show CERT History," and "Show Policy History for CERT."
The "Show Policy History" button will take you to another page.
In this case, we do not have information available. This feature essentially tells you whether you already have a policy related to this program in your Trust List.
The "Show CERT History" button will help you know if a certain app or program has been historically signed or if at some point the app that was signed is no longer signed, which can sometimes be suspicious.
We are presented with only one result, which means that the program in question has always been seen as signed. If you see the same program with the columns "CERT ID," "CERT Name," and "CERT Issuer" empty, it means that the program seen in one of your subgroups is no longer signed.
The "Show Policy History for CERT" button will help you know what policies related to this program have been added throughout your organization or organizations, depending on your access level.
In this case, we do not have information available. This feature will show you, for example, if John, one of your administrators, added a block policy for this specific app, or if Mary, another of your administrators, added trust for one of your departments. Note that you can also search for the CERT Thumbprints of other apps by entering them in the first textbox.
App History for an Event
This section, "Show this App's History for," can help you gather more information about its history on its current computer, within the entire subgroup, or across all the groups you manage.
We have only one instance of HXTSR.exe on this computer.
Click "This Group" to find out if someone else in the group is running the same program.
In this case, we see that only this computer in the group is running this app. If more than one computer is running this program, you will be able to see the different computers and the users using this program.
Click the app to see several options.
After you click the app, you will be presented with a variety of options to choose from, including archiving the app without taking any action, stopping the app on its current computer, or stopping it on all systems within the subgroup (this is known as a "Soft Block," and it won't stop the program forever; after a certain amount of time, the program will work as normal).
If you want a program to not run at all, you can also add a "Hard Block," found in each app menu shown with the red lock.
By clicking "All Groups I Manage," you will be presented with all the instances of this program according to your access level.
Using Google Search Menu
Now, let's see if we can find information about this app using its fingerprints! Click the Google icon, and you will see search options such as SHA-1, SHA-256, Filename, CERT, CERT Name, and Issuer (Note: if the program is not signed, you will not see CERT, CERT Name, and Issuer).
Click "SHA-1"
There are websites that study malware indicators of compromise (IOC) and publish reports including their SHA-1 and SHA256 fingerprints, so other people can compare a file hash they found in their network with the hashes published on the web.
This kind of information can help you a lot in addition to all the information you already have and will help you make a decision.
We see that there are no results for this SHA-1 fingerprint published anywhere on the internet.
Click "SHA-256"
We see that we have results. This means that one website has studied this program based on its SHA-256 fingerprint. We can gather more information about the file we are investigating, what it does in an isolated environment, and also see if there are any indicators of compromise (IOC) detected.
Click "Filename"
After clicking "Filename," we will perform a search to see if the name of the file is found anywhere. If there are people who have used the app or experienced any issues with it, you might be able to see it.
Click "CERT" to see if the CERT thumbprint has been posted anywhere.
We did not find the thumbprint posted anywhere.
Looking for a CERT thumbprint can be very useful because sometimes certificates get stolen and can be used to sign malicious software to evade detection.
Thanks to the research done and published by other security professionals and researchers, Certificate Authorities can find and revoke those certificates. They may disclose the thumbprints so security vendors can implement a global block to prevent a certain certificate from being used.
Click "CERT Name" if you want to know more about the company that signed this program.
The company that signed this program is called "Microsoft Corporation," which is a well-known enterprise. You can discover a lot of things based on the CERT name.
Click "Issuer" if you want to see more information about who the issuer of this code-signing certificate is.
We see that the issuer of this certificate is the Microsoft Marketplace. This is important because you want to ensure that a well-known Certification Authority is issuing the certificate. It is not good practice for a company to issue their own self-signed certificates unless it is used for testing purposes only and not for production environments. A third party has to certify the process.
Coming back to the dashboard, you can check where the program is located using the scroll navigation. You can see the Username, the File Name, the Group where it is located, and the Parent app, which is the program that initiated the program you are reviewing. In this case, HXTSR.exe was initiated by svchost.exe.
Using VirusTotal for Our Research
Now, let's check what VirusTotal has to say about this app. Click this button to be transported to a different page.
We are now in VirusTotal, and we see that out of 74 security vendors, none detected suspicious behavior in this app.
Now, let's check the "Details" tab. After you click, scroll down to see more.
The "History" section will tell you when the program or file in question was created, when it was first submitted to VirusTotal, when the last submission was made, and when the last analysis was done.
The "Names" section serves as a resource to know the different names this program has had in the past throughout submissions from other members of the security community.
This section, "Signature Info," will give you details about its code-signing certificate, if there is one. If you see an app with an expired certificate, it is still acceptable if it expired recently, like two or three years ago. However, if the certificate is older than five years, you should consider updating to a newer version of the software being used. Remember that stolen certificates can be used to evade detection in certain scenarios.
Click on the "Relations" tab to see which files are related to the file being studied.
The "Relations" tab represents the files stored in the program or file being studied.
The Graph Summary is a brief representation of the program's relations and communications with other files and domain names. To see more information, you can click the "More" button and "Explore in Threat Graph" at the top menu near the "Reanalyze" button. (Note: You might need a VirusTotal account to access the Graph.)
Click the "Behavior" tab to see how the program being studied behaves inside a sandbox.
Click on "Community" to see if other people have posted anything about this specific program.
This is how an app looks when it has not been checked in VirusTotal through our menu. You can see the question mark "?" in the image below.
If you hover over the question mark, you will see the VirusTotal logo appear. You can analyze the apps in your blocked apps or monitor mode list individually, one by one, or you can scan all of them at once with the VirusTotal button at the top of the menu (more on how to do that in the next step).
This is the VirusTotal button that will allow you to launch a scan of your entire list.
After you click the VirusTotal button at the top of the menu, your apps on the list will be checked. If any apps have an issue, you will see a number such as the one in the image below. This number represents the number of security vendors that flagged this specific file.
If you hover over the number one, you will see a brief description of when it was last checked, including the date and time.
Note: Sometimes you will encounter false positives from security vendors when the number is one or sometimes two. However, do not ignore a program with a "1" or a "2"; it may very well be malware that has not yet been detected by other vendors. The solution, or at least what I like to do, is to check if the sandbox study shows unusual actions, if it is related to a lot of known malware, or if it is making unusual communications to IP addresses in other countries or domains.
To deal with false positives, back up the results with information on how the program behaves. Is the program doing something it should not? Is it accessing places that a normal program would not? It all depends on the context of what the program is used for.
When you see that this number increases drastically, say from 2 to 9 in a matter of hours, or from 2 to 20 in a matter of days, this usually means that something bad is happening, and you should investigate further.
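An added example (not part of the original guide) that automates two of the signals read off by hand above: the "Show CERT History" check for a program that was signed before and now appears unsigned or signed by a different CERT, and the VirusTotal detection-count spike rule of thumb. The row layouts, sample values and spike thresholds are constructed for illustration:

```python
"""Added example, not part of the Trust Lockdown product: two checks that automate
signals this guide reads by hand. Record layouts, sample values and the spike
thresholds are constructed; adjust them to your own data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class CertHistoryRow:
    """One row of a CERT History view; cert fields are None when the file was unsigned."""
    filename: str
    sha256: str
    seen: datetime
    cert_id: Optional[str]
    cert_name: Optional[str]
    cert_issuer: Optional[str]


def cert_history_findings(rows: Sequence[CertHistoryRow]) -> List[str]:
    """Walk each filename's history in time order and flag the two patterns the guide
    calls suspicious: a signed program later seen unsigned, and a change of signer."""
    findings: List[str] = []
    by_name = {}
    for r in sorted(rows, key=lambda r: r.seen):
        by_name.setdefault(r.filename, []).append(r)
    for name, hist in by_name.items():
        for prev, cur in zip(hist, hist[1:]):
            if prev.cert_id and not cur.cert_id:
                findings.append(f"{name}: signed by {prev.cert_name} on {prev.seen:%Y-%m-%d}, "
                                f"unsigned on {cur.seen:%Y-%m-%d} (sha256 {cur.sha256})")
            elif prev.cert_id and cur.cert_id and prev.cert_id != cur.cert_id:
                findings.append(f"{name}: signer changed from {prev.cert_name} to "
                                f"{cur.cert_name} on {cur.seen:%Y-%m-%d}")
    return findings


# Spike rules derived from the guide's rule of thumb ("2 to 9 in a matter of hours,
# 2 to 20 in a matter of days"), expressed as (window, minimum rise). Constructed values.
SPIKE_RULES: Tuple[Tuple[timedelta, int], ...] = (
    (timedelta(hours=12), 5),
    (timedelta(days=3), 15),
)


def vt_spike(samples: Sequence[Tuple[datetime, int]], rules=SPIKE_RULES) -> Optional[str]:
    """samples: (checked_at, number of vendors flagging the file), any order.
    Returns a description of the first rule tripped, or None if the count is stable."""
    pts = sorted(samples)
    for window, rise in rules:
        for i, (t0, c0) in enumerate(pts):
            for t1, c1 in pts[i + 1:]:
                if t1 - t0 > window:
                    break          # later samples are outside this window too
                if c1 - c0 >= rise:
                    return f"{c0} -> {c1} vendors within {t1 - t0}: investigate"
    return None


def vt_triage(samples: Sequence[Tuple[datetime, int]]) -> str:
    """Combine the spike rule with the guide's advice not to dismiss a '1' or '2'."""
    spike = vt_spike(samples)
    if spike:
        return "spike: " + spike
    latest = max(samples)[1]
    if latest == 0:
        return "clean: no vendor flags; still review behaviour if the context is odd"
    if latest <= 2:
        return (f"review: {latest} vendor(s) flag it; check sandbox behaviour and "
                "relations before treating it as a false positive")
    return f"suspicious: {latest} vendors flag it"


if __name__ == "__main__":
    t = datetime(2024, 5, 1, 0, 0)
    print(vt_triage([(t, 2), (t + timedelta(hours=6), 9)]))
    print(vt_triage([(t, 1), (t + timedelta(days=1), 2)]))
```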
Right-click the red number button to access the VirusTotal Options menu, which will allow you to check this file again.
Click "Recheck on VirusTotal"
Using JoeSandbox for Our Research
Let's check the JoeSandbox website to see if this app has any record of sandbox activity and indicators of compromise.
We do not have results available, which means that the app has not been studied in a sandbox. If the app is submitted for analysis, you and the entire security community will be able to see and read a report about it.
This is how it looks when the file you want to study on JoeSandbox exists and was submitted in the past by members of the security community. Click on "Full Report" to see the complete analysis.
This graph records the activity of the file during analysis. In this case, we are looking at ransomware being analyzed. If the arrows stay in the green area, it usually means that there is no suspicious activity. However, when the arrows pass through the orange circle (Suspicious Activity) and reach the red circle (Malicious Activity), you should consider taking a closer look and investigating further.
This shows the detection meter and indicates if the malware or ransomware sample is identified. In this case, it was identified as "Wannacry."
General information about the file.
The "Signatures" section tells you about which rules were triggered during analysis. In this case, we see Snort, communication being done through HTTP, and detections through Yara.
In this section, "Process Tree," we can see the processes that were created by the program that started execution, in this case: loaddll32.exe.
In this section, thanks to the MITRE ATT&CK Matrix, we can see more about what a file does at the time of execution based on the Matrix. For example, we can see if the program is trying to use encrypted channels or attempting to scan for antivirus software installed in the system.
In this section, we are provided with a map revealing the communication being done by this malicious file.
Using Hybrid Analysis (Falcon Sandbox) for Our Research
Let's check Hybrid Analysis to see if there are any records of sandbox activity.
We are transported to a different page and presented with no results. If the program had been uploaded in the past, you would be able to see in-depth details about its activity.
This is how Hybrid Analysis looks when you find results of a file being studied. In this situation, we are faced with Wannacry Ransomware.
We are given more information about the tags and a threat score. Additionally, you have the option to refresh the analysis and re-run it to see if anything has changed by clicking the "Click to Refresh" button.
We see antivirus results from the sandbox study that identified the file as "Malicious."
If you want to see more about the behavior of the sample, you can click the little red square with a number. It represents the number of malicious patterns that were registered during analysis.
You will be transported to a different page where you can take a more in-depth look at the patterns of malicious activity that were observed.
Malicious indicators are being detected.
Suspicious indicators are being detected.
Dealing with Legitimate Remote Control Programs
Communication is key. As people work from home, you often cannot compare the security in their homes to the security mechanisms they have at their office. Remote control programs are widely used and might be in your network too. As the security administrator managing trusted apps and CERTs, if you suddenly see a remote control program, it is a good idea to verify if the person connecting is who they say they are. For example, you can send an email asking if they were using that remote software. If they were not, you can block it. If they confirm that they need that software for their support team, you can add it to their Trust List. If you see suspicious activity, let them know.
Final Conclusion
After being provided with all of this information, you now have more data to make an informed decision. You can add trust, apply a block, or archive a program based on the information available.
Monitoring Options ↵
NetData
Overview of NetData
NetData is a highly efficient, real-time performance monitoring tool designed to provide insights into the various aspects of a system’s health and performance. It offers a comprehensive view of system metrics, applications, containers, and even custom metrics. NetData is known for its:
- Real-Time Monitoring: It collects data with per-second granularity, enabling administrators to observe system performance in real time.
- Low Overhead: Designed to have minimal impact on system performance, making it suitable for use in production environments.
- Rich Visualizations: Provides extensive visualizations through an interactive web interface, facilitating easy analysis and troubleshooting.
- Wide Range of Metrics: Supports monitoring a plethora of metrics out-of-the-box, including CPU, memory, disk, network, and various application-specific metrics.
- Extensibility: Allows for the addition of custom metrics and integration with other monitoring tools.
NetData in a White Cloud Security Deployment
In the context of a White Cloud Security (WCS) deployment, NetData can be utilized to monitor security events, administrative actions, and the health of essential services such as MySQL, NFS, and Firewalls. Here’s how NetData can be effectively employed in this scenario:
Monitoring Security Events and Administrative Actions
- Log Collection and Analysis:
  - Custom Plugins: Develop custom NetData plugins or use existing ones to parse and monitor logs from WCS for security events and administrative actions.
  - Alerts: Configure alerts for specific security events or unusual administrative activities. For example, alert on failed login attempts, changes in account privileges, or unauthorized access attempts.
- Real-Time Dashboards:
  - Custom Dashboards: Create custom dashboards to visualize security events and administrative actions. These dashboards can display metrics like the number of successful/failed login attempts, privilege changes, and more.
  - Drill-Down Capabilities: Enable detailed drill-down into specific security events, allowing for in-depth analysis and rapid response.
- Integration with Other Monitoring Tools:
  - SIEM Integration: Integrate NetData with Security Information and Event Management (SIEM) systems to correlate security events with other data sources.
  - Alerting Systems: Use existing alerting systems in conjunction with NetData to ensure critical events are not missed.
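An added example (not NetData's or White Cloud Security's code) of the custom plugin and alert counters described above: a minimal NetData external plugin in Python that tails a WCS-style log and exposes failed logins, privilege changes and policy changes as chart dimensions that alerts can be attached to. The log line format and the log path are assumptions, not the real WCS layout.

```python
#!/usr/bin/env python3
"""Added example, not NetData's or White Cloud Security's own code: a minimal NetData
external plugin that tails a WCS-style log and reports security and admin event
counts using the plugin protocol (CHART/DIMENSION once, then BEGIN/SET/END frames).
The log line format and default log path below are constructed assumptions."""
import re
import sys
import time
from collections import Counter
from typing import Dict, Iterable

# Constructed log format: ISO timestamp, then space-separated key=value pairs, e.g.
#   2024-05-01T12:00:01Z event=login_failed user=alice src=10.0.0.5
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

# Event names that get their own chart dimension; anything else is counted as "other".
EVENTS = ("login_ok", "login_failed", "privilege_change", "policy_change", "block_added")
DIMENSIONS = EVENTS + ("other",)


def parse_line(line: str) -> Dict[str, str]:
    """Return the fields of one log line, or an empty dict if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {}
    fields: Dict[str, str] = {"ts": m.group("ts")}
    for tok in m.group("kv").split():
        key, sep, value = tok.partition("=")
        if sep:
            fields[key] = value
    return fields


def count_events(lines: Iterable[str]) -> Counter:
    """Count known events in a batch of lines; lines without an event field are skipped."""
    counts = Counter({d: 0 for d in DIMENSIONS})
    for line in lines:
        event = parse_line(line).get("event")
        if event is None:
            continue
        counts[event if event in EVENTS else "other"] += 1
    return counts


def chart_definitions(update_every: int) -> str:
    """CHART and DIMENSION lines, sent once at startup."""
    out = [f"CHART wcs.events '' 'WCS security and admin events' 'events/s' "
           f"wcs wcs.events stacked 1000 {update_every}"]
    for d in DIMENSIONS:
        # 'incremental': we send running totals and NetData derives the per-second rate
        out.append(f"DIMENSION {d} {d} incremental 1 1")
    return "\n".join(out) + "\n"


def chart_update(totals: Counter) -> str:
    """One BEGIN/SET/END frame carrying the running totals."""
    out = ["BEGIN wcs.events"]
    for d in DIMENSIONS:
        out.append(f"SET {d} = {totals[d]}")
    out.append("END")
    return "\n".join(out) + "\n"


def main() -> None:
    # NetData passes the update interval (seconds) as the first argument.
    update_every = int(sys.argv[1]) if len(sys.argv) > 1 else 1
    path = sys.argv[2] if len(sys.argv) > 2 else "/var/log/wcs/admin.log"   # assumed path
    totals: Counter = Counter()
    sys.stdout.write(chart_definitions(update_every))
    sys.stdout.flush()
    with open(path, "r", errors="replace") as fh:
        fh.seek(0, 2)   # start at the end: only events written from now on are counted
        while True:
            totals.update(count_events(fh.readlines()))
            sys.stdout.write(chart_update(totals))
            sys.stdout.flush()
            time.sleep(update_every)


if __name__ == "__main__":
    main()
```

NetData invokes external plugins with the update interval as the first argument and reads the protocol lines from the plugin's stdout, so health alerts (for example on a rising login_failed rate) can then be defined against the wcs.events chart.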
Monitoring Essential Services
- MySQL Monitoring:
  - Database Performance: Track key performance indicators (KPIs) such as query execution times, slow queries, and connections.
  - Health Metrics: Monitor metrics like CPU usage, memory usage, disk I/O, and network activity specific to MySQL servers.
  - Alert Configuration: Set up alerts for critical metrics to detect issues such as high query latency, replication lag, or resource exhaustion.
- NFS Monitoring:
  - Storage Performance: Monitor performance metrics related to NFS volumes, including read/write latency, throughput, and error rates.
  - Capacity Planning: Keep track of storage utilization to aid in capacity planning and ensure adequate resources are available.
  - Service Health: Set up alerts for issues such as high latency, excessive errors, or service unavailability, ensuring prompt response to potential problems.
- Firewall Monitoring:
  - Network Traffic: Track network traffic metrics, including inbound and outbound traffic, packet drops, and errors.
  - Security Events: Monitor firewall logs for security-related events such as blocked connections, port scans, and unauthorized access attempts.
  - Alert Configuration: Configure alerts for suspicious activities or anomalies in network traffic patterns, helping to detect potential security breaches early.
Implementation Steps
- Install NetData:
  - Follow the NetData installation guide to install NetData on the WCS deployment servers.
- Configure NetData:
  - Customize the NetData configuration to monitor the specific services and security events of interest, including collectors for MySQL, NFS, and firewall logs.
  - Use the NetData documentation to find the relevant collectors and configure them accordingly.
- Develop Custom Plugins:
  - Create custom NetData plugins to parse WCS-specific logs for security events and administrative actions. This may involve scripting in Python or another language supported by NetData.
- Set Up Dashboards and Alerts:
  - Design custom dashboards to visualize key metrics and security events.
  - Configure alerts for critical events and anomalies, using NetData's alerting or an external alerting tool.
- Integration with Other Tools:
  - Integrate NetData with the other monitoring and security tools used in the WCS environment, such as SIEM systems, to enhance visibility and response.
By leveraging NetData in a WCS deployment, administrators can gain real-time insights into the system’s health, performance, and security posture, enabling proactive monitoring and rapid response to potential issues.
Prometheus
Overview of Prometheus
Prometheus is an open-source monitoring and alerting toolkit designed for reliability and scalability. It excels at collecting and querying time-series data, making it suitable for monitoring various metrics across distributed systems. Prometheus is characterized by:
- Time-Series Data: It stores metrics with a timestamp and key-value pairs (labels), allowing for efficient querying and alerting.
- Multi-Dimensional Data Model: Uses labels to distinguish different dimensions of a metric, enabling powerful and flexible querying.
- Powerful Query Language (PromQL): Allows for complex metric queries and aggregation, supporting advanced analysis and alerting.
- Pull-Based Model: Prometheus scrapes metrics from configured endpoints, ensuring that data collection is centralized and controlled.
- Alerting: Alerting rules are evaluated by the Prometheus server; firing alerts are sent to the separate Alertmanager component, which deduplicates, groups, and routes them to notification channels.
- Extensibility: Supports numerous exporters for different services and can be extended with custom exporters.
Prometheus in a White Cloud Security Deployment
In the context of a White Cloud Security (WCS) deployment, Prometheus can be used to monitor security events, administrative actions, and essential services like MySQL, NFS, and Firewalls. Here’s how Prometheus can be effectively utilized in this scenario:
Monitoring Security Events and Administrative Actions
- Metric Collection and Exporters:
  - Custom Exporters: Develop custom Prometheus exporters, or use existing ones, to expose WCS-specific metrics for security events and administrative actions.
  - Log Scraping: Use a log-to-metrics exporter to turn specific security events and administrative actions found in logs into Prometheus counters and gauges.
- PromQL Queries:
  - Custom Queries: Write PromQL queries to extract meaningful insights from the collected metrics, for instance the rate of failed login attempts, changes in account roles, or unauthorized access attempts.
  - Dashboards: Build dashboards in Grafana (commonly used with Prometheus) to visualize these metrics and provide real-time insight into security events and administrative actions.
- Alerting:
  - Alert Rules: Define alert rules on specific conditions, such as multiple failed login attempts within a short period or unexpected changes in administrative roles.
  - Alertmanager: Use Prometheus Alertmanager to route alerts to the appropriate channels (email, Slack, etc.) and to manage silencing, inhibition, and grouping.
Monitoring MySQL, NFS, and Firewalls
- MySQL Monitoring:
  - MySQL Exporter: Use the Prometheus MySQL exporter (mysqld_exporter) to collect metrics such as query performance, connections, query latency, and resource utilization.
  - Custom Metrics: Expose custom MySQL metrics relevant to the deployment, such as failed queries or unauthorized access attempts.
- NFS Monitoring:
  - Node Exporter: Use the Prometheus Node Exporter to gather system-level metrics, including its NFS client and server collectors for throughput, latency, and read/write operation counts.
  - Alert Configuration: Define alerting rules for high latency, excessive errors, or NFS service unavailability.
- Firewall Monitoring:
  - Firewall Logs Exporter: Use or develop an exporter that converts firewall logs into Prometheus metrics, tracking blocked connections, port scans, and unauthorized access attempts.
  - Network Traffic Monitoring: Use existing exporters or custom scripts to monitor network traffic metrics, including packet drops and errors.
Implementation Steps
- Install Prometheus:
  - Follow the Prometheus installation guide to set up Prometheus on the WCS deployment servers.
- Configure Exporters:
  - Install and configure the relevant exporters (e.g., MySQL Exporter, Node Exporter, custom WCS exporters) and add them as scrape targets in prometheus.yml.
  - Use the Prometheus documentation to find and configure exporters.
- Develop Custom Exporters:
  - Create custom exporters that expose WCS-specific metrics for security events and administrative actions; Go and Python have official client libraries, and any language can emit the text exposition format.
- Set Up Dashboards and Alerts:
  - Connect Grafana to Prometheus to build dashboards that visualize key metrics and security events.
  - Define alerting rules in Prometheus and use Alertmanager to manage alerts and notifications.
- Integration with Other Tools:
  - Integrate Prometheus with the other monitoring and security tools used in the WCS environment to enhance visibility and response.
By leveraging Prometheus in a WCS deployment, administrators can achieve comprehensive monitoring of system health, performance, and security. This enables proactive detection and response to potential issues, ensuring a robust and secure environment.
Zabbix
Overview of Zabbix
Zabbix is an open-source enterprise-level monitoring solution designed for real-time monitoring of various IT components, including networks, servers, virtual machines, and cloud services. It is known for its flexibility, scalability, and robust alerting capabilities. Key features of Zabbix include:
- Unified Monitoring: Provides a single platform for monitoring diverse IT infrastructure, including hardware, software, and applications.
- Scalability: Capable of handling large-scale environments with distributed monitoring capabilities.
- Data Collection: Supports various methods for data collection, including agent-based, agentless, and SNMP.
- Flexible Alerting: Advanced alerting system with multiple notification channels and escalation options.
- Custom Dashboards: Offers customizable dashboards and rich visualizations for easy monitoring and analysis.
- Extensibility: Supports custom scripts and templates for extending monitoring capabilities.
Zabbix in a White Cloud Security Deployment
In the context of a White Cloud Security (WCS) deployment, Zabbix can be used to monitor security events, administrative actions, and essential services like MySQL, NFS, and Firewalls. Here’s how Zabbix can be effectively utilized in this scenario:
Monitoring Security Events and Administrative Actions
- Data Collection:
  - Custom Scripts: Use Zabbix's ability to run custom scripts to collect security event and administrative action logs from WCS.
  - Log Monitoring: Configure Zabbix log items to watch log files for specific security events, such as failed login attempts, changes in account roles, and unauthorized access attempts.
- Dashboards and Visualizations:
  - Custom Dashboards: Create dashboards to visualize security events and administrative actions, displaying metrics such as successful/failed logins, account activity, and policy changes.
  - Event Correlation: Use Zabbix's event correlation to identify patterns and trends in security events and administrative actions.
- Alerting:
  - Trigger Configuration: Define triggers for specific security events or anomalies in administrative actions, such as multiple failed login attempts or unauthorized access attempts.
  - Notifications: Send notifications for critical security events and administrative actions by email, SMS, or other channels supported by Zabbix.
Monitoring MySQL, NFS, and Firewalls
- MySQL Monitoring:
  - MySQL Template: Use the Zabbix MySQL template to collect metrics such as query performance, connections, query latency, and resource utilization.
  - Custom Metrics: Implement custom items and triggers for additional MySQL metrics relevant to the deployment, such as failed queries or unauthorized access attempts.
- NFS Monitoring:
  - NFS Metrics Collection: Configure Zabbix agents to collect NFS performance metrics, including network throughput, latency, read/write operations, and errors.
  - Alerts and Notifications: Define triggers and notifications for high latency, excessive errors, or NFS service unavailability.
- Firewall Monitoring:
  - Firewall Logs: Monitor firewall logs for security-related events such as blocked connections, port scans, and unauthorized access attempts.
  - Network Traffic Monitoring: Collect network traffic metrics with Zabbix agents or SNMP, tracking inbound and outbound traffic, packet drops, and errors.
Implementation Steps
- Install Zabbix:
  - Follow the Zabbix installation guide to set up the Zabbix server, frontend, and agents on the WCS deployment servers.
- Configure Zabbix Agents:
  - Install and configure Zabbix agents on the servers running MySQL, NFS, and firewall services to collect the relevant metrics.
  - Use Zabbix templates and custom items to monitor service-specific metrics.
- Develop Custom Scripts:
  - Create custom scripts to collect and parse WCS-specific logs for security events and administrative actions; run them from Zabbix agents (user parameters) or as external scripts.
- Set Up Dashboards and Alerts:
  - Design custom dashboards in Zabbix to visualize key metrics and security events.
  - Configure triggers and actions to generate alerts and notifications for critical events and anomalies.
- Integration with Other Tools:
  - Integrate Zabbix with the other monitoring and security tools used in the WCS environment to enhance overall visibility and response.
By leveraging Zabbix in a WCS deployment, administrators can gain comprehensive insights into the system’s health, performance, and security. This allows for proactive monitoring, efficient troubleshooting, and rapid response to potential issues, ensuring a secure and well-maintained environment.
SysLog Event Generation
When syslog event generation is enabled on the WCS service, it emits syslog events that can be fed to SIEMs and other cybersecurity analysis tools. Every message carries the syslog identifier (program name) 'wcsec', followed by an event tag and a JSON payload.
SysLog Tags
System Status Events
Syslog Tag | Event | Description |
---|---|---|
livehosts | Live Hosts Count | Update Number of Live Hosts |
Host Status Events
Syslog Tag | Event | Description |
---|---|---|
blockmode | Blocking Mode Change | The endpoint's blocking mode changed |
version | Agent Version Change | The endpoint's agent version changed |
certsonly | CERTs Only Learn Mode | The endpoint was set to only learn CERTs |
certhands | CERTs and Unsigned Learn Mode | The endpoint was set to learn CERTs and unsigned apps |
handsonly | Handprints Only Learn Mode | The endpoint was set to only learn handprints |
learnall | Learn All Mode | The endpoint was set to learn all CERTs and handprints |
exit | Exit Learn Mode | The endpoint's learn mode was stopped |
timeout | Learn Mode Timeout | The endpoint's learn mode session timed out |
App Events
The panel type indicates which panel the event should be displayed in. Some events can be displayed in either the Blocked Apps or Monitor Mode Exceptions panel, depending upon the value of the event's "blocking" JSON attribute: 1 = Blocked, 0 = Exception.
Syslog Tag | Event | Panel Type | Description |
---|---|---|---|
trusted | Trusted App | Allowed | App was trusted by a handprint or CERT policy |
hand | Unsigned App | Allowed | App was allowed in unsigned learn mode |
cert | Signed App | Allowed | App was allowed in CERT learn mode |
allowed | Known Allowed | Allowed | App known to an advisor was allowed to run |
mme | Monitor Mode Exception | Exception | Unknown app was allowed in monitor mode |
untrusted | Known Blocked | "blocking" flag | App known to an advisor was blocked |
soft | Soft Block | "blocking" flag | Unknown app was soft blocked and stopped reporting |
blocked | Blocked Unknown | Blocked | Unknown app was blocked |
ignored | Blocked Unknown, Unreported | Blocked | Unknown app was blocked and stopped reporting |
policy | Block Policy | Blocked | App was blocked by an unknown policy |
denied | Deny Policy | Blocked | App was blocked by a specific deny policy |
distrusted | Distrust App | Blocked | App was blocked by a specific distrusted app policy |
malware | Marked as Malware | Blocked | App was blocked by a specific malware policy |
Example Golang Structs
Common Fields
- GID: the subgroup ID (SGID) of the Security Group that generated the syslog.
- Sub: the subgroup's name/nickname.
- TID: the SGID of the group at the top of the inheritance tree.
- TreeName: the name of the top of the tree.
- OID: the Account ID of the account that this tree belongs to.
- OwnerName: the account owner's name/nickname.
- ORGID: the organization ID.
- OrgName: the organization's name.
Live Host Count event
type LiveHostCount struct {
MetricName string `json:"metricName"`
Count int `json:"count"`
}
Agent Version Change Events
type VersionData struct {
MetricName string `json:"metricName"`
GID int `json:"gid"`
Sub string `json:"sub"`
TID int `json:"tid"`
TreeName string `json:"tname"`
OID int `json:"oid"`
OwnerName string `json:"oname"`
ORGID int `json:"orgid"`
OrgName string `json:"org"`
HID int `json:"hid"`
Host string `json:"host"`
Nick string `json:"nick"`
Ver string `json:"ver"`
}
Block Mode Change Events
type BlockModeData struct {
MetricName string `json:"metricName"`
GID int `json:"gid"`
Sub string `json:"sub"`
TID int `json:"tid"`
TreeName string `json:"tname"`
OID int `json:"oid"`
OwnerName string `json:"oname"`
ORGID int `json:"orgid"`
OrgName string `json:"org"`
HID int `json:"hid"`
Host string `json:"host"`
Nick string `json:"nick"`
Mode int `json:"mode"`
}
App Events
type EventData struct {
MetricName string `json:"metricName"`
GID int `json:"gid"`
Sub string `json:"sub"`
TID int `json:"tid"`
TreeName string `json:"tname"`
OID int `json:"oid"`
OwnerName string `json:"oname"`
ORGID int `json:"orgid"`
OrgName string `json:"org"`
HID int `json:"hid"`
Host string `json:"host"`
Nick string `json:"nick"`
User string `json:"user"`
Path string `json:"path"`
File string `json:"file"`
Blocking int `json:"blocking"`
}
For example, a "Trusted App" event would generate a syslog with a "wcsec" identifier and a "trusted" tag.
May 15 13:37:09 wcs wcsec[96038]: trusted {"gid":"1000001","sub":"domain-1000001\\user-1000001","hid":"2","host":"hostname-1000001","nick":"","metricName":"trusted","user":"domain-1000001\\user-1000001","path":"C:\\Windows\\SoftwareDistribution\\Download\\ab4d06812d580d4fc85d3fddd97a74bb\\Metadata","file":"UAOneSettings.dll","blocking":1}
The syslog consists of the following fields:
- Date (Month DD HH:MM:SS; a standard BSD syslog timestamp, which carries no year or time zone)
- Hostname of the WCS service (wcs in the example)
- Syslog identifier and process ID (wcsec[process_id]:)
- syslog_tag
- Event JSON string
Note that in this example gid and hid are quoted JSON strings although the structs above declare them as int, so a consumer that decodes into those structs should accept both encodings.
Here is a simple Golang example to parse these syslog records:
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"time"
)

// Handlers for individual syslog tags
func handleTrusted(syslogTag string, event map[string]interface{}) {
	fmt.Printf("Handling %s event: %v\n", syslogTag, event)
}

func handleBlocked(syslogTag string, event map[string]interface{}) {
	fmt.Printf("Handling %s event: %v\n", syslogTag, event)
}

// Dispatcher: call the handler that matches the syslog_tag
func dispatchSyslogTag(syslogTag string, event map[string]interface{}) {
	switch syslogTag {
	case "trusted":
		handleTrusted(syslogTag, event)
	case "blocked":
		handleBlocked(syslogTag, event)
	default:
		fmt.Println("Unknown syslog tag:", syslogTag)
	}
}

// Matches "Mon dd HH:MM:SS host identifier[pid]: tag {json}". Days 1-9 are
// space-padded in syslog timestamps ("May  5"), hence [ \d]\d rather than \d{2}.
var syslogPattern = regexp.MustCompile(`^([A-Za-z]{3} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) (\w+)\[(\d+)\]: (\w+) (.+)$`)

// Parse one syslog record and call the appropriate handler
func parseAndHandleSyslogRecord(record string) error {
	matches := syslogPattern.FindStringSubmatch(record)
	if len(matches) != 7 {
		return fmt.Errorf("record does not match expected format")
	}

	// Extract the fields of the syslog record
	dateStr := matches[1]
	serverName := matches[2] // syslog hostname, "wcs" in the example
	identifier := matches[3] // syslog identifier, always "wcsec"
	processID := matches[4]
	syslogTag := matches[5]
	eventStr := matches[6]

	if identifier != "wcsec" {
		return fmt.Errorf("unexpected syslog identifier %q", identifier)
	}

	// A BSD syslog timestamp carries neither year nor time zone, so the parsed
	// value has year 0 in UTC; supply both from context in a real consumer.
	date, err := time.Parse("Jan _2 15:04:05", dateStr)
	if err != nil {
		return fmt.Errorf("failed to parse date: %v", err)
	}

	// Decode the event JSON string
	var event map[string]interface{}
	if err := json.Unmarshal([]byte(eventStr), &event); err != nil {
		return fmt.Errorf("failed to parse event JSON: %v", err)
	}

	// Print the parsed information
	fmt.Println("Date:", date)
	fmt.Println("Server:", serverName)
	fmt.Println("Process ID:", processID)
	fmt.Println("Syslog Tag:", syslogTag)
	fmt.Println("Event:", event)

	// Dispatch to the handler for this syslog tag
	dispatchSyslogTag(syslogTag, event)
	return nil
}

func main() {
	// The "Trusted App" record shown above
	record := `May 15 13:37:09 wcs wcsec[96038]: trusted {"gid":"1000001","sub":"domain-1000001\\user-1000001","hid":"2","host":"hostname-1000001","nick":"","metricName":"trusted","user":"domain-1000001\\user-1000001","path":"C:\\Windows\\SoftwareDistribution\\Download\\ab4d06812d580d4fc85d3fddd97a74bb\\Metadata","file":"UAOneSettings.dll","blocking":1}`
	if err := parseAndHandleSyslogRecord(record); err != nil {
		fmt.Println("Error:", err)
	}
}
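The custom-exporter step in the Prometheus section (Metric Collection and Exporters) and the record format documented above can be demonstrated together. The following Go program is an added example written for this page; it is not White Cloud Security code, and the same parsing would serve the custom plugins and scripts the NetData and Zabbix sections call for. It parses wcsec records with the header layout shown above (tolerating the space-padded day of syslog timestamps, and gid/hid values that arrive either quoted, as in the page's example, or bare, as the structs declare), aggregates them into counters keyed by syslog tag and "blocking" flag, and renders them in the Prometheus text exposition format an exporter serves on /metrics. The first sample record is the Trusted App example above; the remaining records are constructed here and are not real WCS output. The metric names wcsec_events_total, wcsec_live_hosts and wcsec_parse_errors_total are this example's own choices.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample: line 1 is the "Trusted App" record from this page; the rest were
// made up for this example (not real WCS output) to cover blocked/exception events, the
// livehosts gauge, a space-padded day and a non-wcsec line.
const sampleSyslog = `May 15 13:37:09 wcs wcsec[96038]: trusted {"gid":"1000001","sub":"domain-1000001\\user-1000001","hid":"2","host":"hostname-1000001","nick":"","metricName":"trusted","user":"domain-1000001\\user-1000001","path":"C:\\Windows\\SoftwareDistribution\\Download\\ab4d06812d580d4fc85d3fddd97a74bb\\Metadata","file":"UAOneSettings.dll","blocking":1}
May  5 08:01:12 wcs wcsec[96038]: blocked {"gid":1000001,"sub":"lab","hid":7,"host":"ws-07","nick":"","metricName":"blocked","user":"lab\\alice","path":"C:\\Users\\alice\\Downloads","file":"setup.exe","blocking":1}
May  5 08:01:13 wcs wcsec[96038]: untrusted {"gid":1000001,"sub":"lab","hid":7,"host":"ws-07","nick":"","metricName":"untrusted","user":"lab\\alice","path":"C:\\Users\\alice\\Downloads","file":"tool.exe","blocking":0}
May  5 08:02:00 wcs wcsec[96038]: livehosts {"metricName":"livehosts","count":42}
May  5 08:02:01 wcs wcsec[96038]: blocked {"gid":1000001,"sub":"lab","hid":9,"host":"ws-09","nick":"","metricName":"blocked","user":"lab\\bob","path":"D:\\tmp","file":"a.dll","blocking":1}
May  5 08:02:02 wcs sshd[411]: Accepted publickey for ops`

// FlexInt accepts a JSON number written bare (1000001) or quoted ("1000001"): the example
// record quotes gid and hid, while the documented Go structs declare them as int.
type FlexInt int

func (f *FlexInt) UnmarshalJSON(b []byte) error {
	s := strings.Trim(string(b), `"`)
	if s == "null" {
		return nil // keep the zero value, as encoding/json does for int
	}
	n, err := strconv.Atoi(s)
	if err != nil {
		return fmt.Errorf("flexint %q: %w", s, err)
	}
	*f = FlexInt(n)
	return nil
}

// Event holds the payload fields this exporter uses (a subset of EventData above).
type Event struct {
	GID      FlexInt `json:"gid"`
	Blocking FlexInt `json:"blocking"`
	Count    FlexInt `json:"count"` // livehosts only
}

// BSD syslog header "Mon  d HH:MM:SS host wcsec[pid]: tag {json}"; days 1-9 are space-padded, so [ \d]\d, not \d{2}.
var lineRE = regexp.MustCompile(`^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \S+ wcsec\[\d+\]: (\w+) (\{.*\})$`)

// ParseLine returns the syslog tag and decoded JSON payload of one wcsec record.
func ParseLine(line string) (tag string, ev Event, err error) {
	m := lineRE.FindStringSubmatch(line)
	if m == nil {
		return "", ev, fmt.Errorf("not a wcsec record: %q", line)
	}
	if err := json.Unmarshal([]byte(m[2]), &ev); err != nil {
		return "", ev, fmt.Errorf("bad event JSON: %w", err)
	}
	return m[1], ev, nil
}

// Exporter aggregates records into Prometheus-style series: a counter per (tag, blocking) pair, a live-host gauge and a parse-error counter.
type Exporter struct {
	Events    map[[2]string]int // key: {tag, blocking}
	LiveHosts int
	ParseErrs int
}

func NewExporter() *Exporter { return &Exporter{Events: map[[2]string]int{}} }

// Ingest feeds each line of a syslog dump; non-wcsec or malformed lines are counted, not dropped silently, so a broken feed is visible.
func (e *Exporter) Ingest(dump string) {
	for _, line := range strings.Split(strings.TrimSpace(dump), "\n") {
		tag, ev, err := ParseLine(line)
		switch {
		case err != nil:
			e.ParseErrs++
		case tag == "livehosts":
			e.LiveHosts = int(ev.Count) // gauge: latest value wins
		default:
			e.Events[[2]string{tag, strconv.Itoa(int(ev.Blocking))}]++
		}
	}
}

// Render writes the text exposition format that Prometheus scrapes from /metrics.
func (e *Exporter) Render() string {
	var b strings.Builder
	b.WriteString("# TYPE wcsec_events_total counter\n")
	for k, n := range e.Events {
		fmt.Fprintf(&b, "wcsec_events_total{tag=%q,blocking=%q} %d\n", k[0], k[1], n)
	}
	fmt.Fprintf(&b, "# TYPE wcsec_live_hosts gauge\nwcsec_live_hosts %d\n", e.LiveHosts)
	fmt.Fprintf(&b, "# TYPE wcsec_parse_errors_total counter\nwcsec_parse_errors_total %d\n", e.ParseErrs)
	return b.String()
}

func main() {
	e := NewExporter()
	e.Ingest(sampleSyslog)
	fmt.Print(e.Render())
}
```

Serving Render() from an HTTP handler with net/http turns this into a scrape target; a PromQL expression such as rate(wcsec_events_total{blocking="1"}[5m]) then gives the block rate that the alert-rule step asks for. Keeping "blocking" as a label rather than in the metric name matters for the untrusted and soft tags, whose panel depends on that flag.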
Ended: Monitoring Options
Glossary
ACL - Access Control List: A list of permissions attached to an object specifying which users or system processes can access objects and what operations they can perform.
API - Application Programming Interface: A set of tools and protocols for building software and applications.
ASR - Attack Surface Reduction: A set of features in Windows Defender that can reduce the attack surfaces on your organization.
BAT - Batch file: A text file containing a series of commands intended to be executed by the command interpreter.
CA - Certification Authority: An entity that issues digital certificates.
CERT - Certificate: A digital certificate that binds a public key to an identity and is signed by a Certification Authority; in Trust Lockdown, the code-signing certificate of a signed application.
CERTs - Certificates: Plural of Certificate, digital documents providing authentication.
CFG - Configuration: Files that contain settings and preferences for configuring software applications.
CIS - Center for Internet Security: A nonprofit organization focused on enhancing cybersecurity readiness and response.
CLI - Command Line Interface: A way of interacting with a computer program by typing commands to perform specific tasks.
CRC32 - Cyclic Redundancy Check 32: A 32-bit checksum designed to detect accidental corruption of data; it is not a cryptographic hash and does not resist deliberate tampering.
CPU - Central Processing Unit: The primary component of a computer that performs most of the processing inside a computer.
DCA - Data Center Administration: Managing and operating data centers.
DAM - Database Activity Monitoring: Tools and processes used to monitor and analyze database activities.
DBMS - Database Management System: Software that uses a standard method to store and organize data.
DDoS - Distributed Denial of Service: An attack where multiple compromised systems are used to target a single system causing a Denial of Service (DoS) attack.
DLL - Dynamic Link Library: A file that contains code and data that can be used by multiple programs simultaneously.
DLP - Data Loss Prevention: Strategies to ensure that sensitive data is not lost, misused, or accessed by unauthorized users.
DIPS - Data Intrusion Prevention System: A system that prevents unauthorized access to or modification of data.
DNS - Domain Name System: The phonebook of the Internet, translating human-friendly domain names to IP addresses.
EDR - Endpoint Detection and Response: Tools and solutions that detect, investigate, and respond to endpoint threats.
EXE - Executable file: A file that contains a program capable of being executed or run as a program in the computer.
FQDN - Fully Qualified Domain Name: The complete domain name for a specific computer, or host, on the Internet.
FTP - File Transfer Protocol: A standard network protocol used to transfer computer files between a client and server on a computer network.
GID - Group Identifier: A unique identifier assigned to a group. In WCS syslog events the gid field is the Security Group (subgroup) ID that generated the event, not a Unix group ID.
GPU - Graphics Processing Unit: A specialized processor designed to accelerate graphics rendering.
HDD - Hard Disk Drive: Data storage device used for storing and retrieving digital information using one or more rigid rapidly rotating disks.
HIDS - Host-based Intrusion Detection System: An intrusion detection system that monitors and analyzes the internals of a computing system rather than the network packets on its external interfaces.
HTTPS - HyperText Transfer Protocol Secure: An extension of HTTP that provides secure communication over a computer network.
HXTSR - HxTsr.exe: The Microsoft Outlook Communications background process that ships with the Windows Mail and Calendar apps; it commonly appears in application-control logs.
ICMP - Internet Control Message Protocol: A network layer protocol used by network devices to diagnose network communication issues.
IDS - Intrusion Detection System: A device or software application that monitors a network for malicious activity or policy violations.
IaaS - Infrastructure as a Service: Cloud computing services that provide essential compute, storage, and networking resources on demand, on a pay-as-you-go basis.
IOCs - Indicators of Compromise: Pieces of information that can be used to identify a potential security breach.
IPS - Intrusion Prevention System: A system that monitors network or system activities for malicious activities and can prevent those activities.
ISO - International Organization for Standardization: An international standard-setting body composed of representatives from various national standards organizations.
JSON - JavaScript Object Notation: A lightweight data-interchange format that's easy for humans to read and write and easy for machines to parse and generate.
KPI - Key Performance Indicator: A measurable value that demonstrates how effectively a company is achieving key business objectives.
LDAP - Lightweight Directory Access Protocol: An open, vendor-neutral application protocol for accessing and maintaining distributed directory information services.
LSM - Linux Security Module: A framework that allows the Linux kernel to support a variety of computer security models.
MD5 - Message Digest Algorithm 5: A hash function producing a 128-bit hash value. Practical collision attacks exist, so it should not be relied on alone to identify a file; Trust Lockdown uses it only as one of six factors.
MDR - Managed Detection and Response: A service that provides outsourced monitoring and management of security threats to an organization.
MFA - Multi-Factor Authentication: A method of confirming a user's identity by utilizing two or more authentication factors.
MITM - Man-in-the-Middle: An attack where the attacker secretly intercepts and possibly alters the communication between two parties who believe they are directly communicating with each other.
MITRE ATT&CK - MITRE Adversarial Tactics, Techniques, and Common Knowledge: A knowledge base for cyber adversary behavior.
NFS - Network File System: A protocol that allows a user on a client computer to access files over a network.
NGAV - Next-Generation Antivirus: Advanced antivirus software using a combination of traditional signature-based detection and modern techniques like machine learning.
NIDS - Network-based Intrusion Detection System: An intrusion detection system that monitors network traffic for suspicious activity.
Org(s) - An "Organization" represents a distinct operational unit or entity within the platform, responsible for managing security policies, users, and resources specific to that entity.
OS - Operating System: System software that manages computer hardware and software resources and provides common services for computer programs.
PaaS - Platform as a Service: A category of cloud computing services that provides a platform allowing customers to develop, run, and manage applications.
RAR - Roshal Archive: A proprietary archive file format that supports data compression, error recovery, and file spanning.
RAID - Redundant Array of Independent Disks: A data storage virtualization technology that combines multiple physical disk drive components into one or more logical units.
RAM - Random Access Memory: A type of computer memory that can be accessed randomly.
RDP - Remote Desktop Protocol: A proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection.
SaaS - Software as a Service: A software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network.
SHA-1 - Secure Hash Algorithm 1: A cryptographic hash function designed by the NSA, producing a 160-bit hash value. Collisions have been demonstrated in practice (2017), so it is deprecated for signatures and should not be relied on alone.
SHA256 - Secure Hash Algorithm 256: A cryptographic hash function that produces a 256-bit hash value.
SHA512 - Secure Hash Algorithm 512: A cryptographic hash function producing a 512-bit hash value.
SIEM - Security Information and Event Management: A system that collects, analyzes, and reports on security-related events and data from across an IT infrastructure.
SI - System Integrator: An individual or business that builds computing systems for clients by combining hardware, software, networking, and storage products from multiple vendors.
SLA - Service Level Agreement: A commitment between a service provider and a client regarding the expected level of service.
SMTP - Simple Mail Transfer Protocol: An Internet standard for email transmission.
SNMP - Simple Network Management Protocol: An Internet-standard protocol for managing devices on IP networks.
SOC - Security Operations Center: A centralized unit that deals with security issues on an organizational and technical level.
SQL - Structured Query Language: A standardized programming language used to manage relational databases and perform various operations on the data in them.
SSH - Secure Shell: A cryptographic network protocol for operating network services securely over an unsecured network.
SSD - Solid State Drive: A type of mass storage device similar to a hard disk drive but uses flash memory instead of magnetic platters.
TFTP - Trivial File Transfer Protocol: A simple lockstep file transfer protocol which allows a client to get a file from or put a file onto a remote host.
TMP - Temporary file: Files created to temporarily contain information while a new file is being made.
TTL - Trust Time-to-Live: A time limit for the validity of a trust relationship.
UAC - User Account Control: A security feature in Windows that helps prevent unauthorized changes to the operating system.
UID - User Identifier: A unique identifier assigned to each user on a system.
URL - Uniform Resource Locator: The address of a web page on the internet.
USB - Universal Serial Bus: An industry standard for short-distance digital data communications.
VAR - Value Added Reseller: A company that adds features or services to an existing product, then resells it as an integrated product or complete "turn-key" solution.
VPN - Virtual Private Network: An encrypted tunnel that carries private network traffic over a public network, extending the private network to remote users or sites.
VTI - VirusTotal Intelligence: A feature from VirusTotal offering advanced search and threat hunting capabilities.
WAF - Web Application Firewall: A firewall that monitors, filters, and blocks HTTP traffic to and from a web application.
WCS - White Cloud Security: The name of the security product.
WHACK - WhiteHeron App Control Kernel: A specific kernel module or feature in White Cloud Security.
WHACKER - WHACK Kernel Extension Response: An extension or response mechanism related to WHACK.
XDR - Extended Detection and Response: An integrated suite of security tools and data sources for a more comprehensive threat detection and response.
Agent Release Notes ↵
Windows ↵
Release Notes: Version 1.4.3083 (2024-03-17)
Go to the Start Menu > All Programs > White Cloud Security > Update White Cloud Security
-or-
Right click the Tray App, then select Check for Updates
Features:
- n/a
Enhancements:
- [#679] updated root CAs for Digicert Global Root CA
- [#681] updated certificates to the certificate bundle for new SSL certs
Bug Fixes:
- [#677] enhancements to the PSPolicy file verification
Known Issues:
- [#196] uninstall does not register with server for systems running Windows XP, Windows 2000, Server 2003
- [#272] standalone MSI installer package right-click "Repair" may fail and rollback
- [#388] clicking cancel during the install may result in indeterminate state
Release Notes: Version 1.4.2980 (2020-04-03)
Go to the Start Menu > All Programs > White Cloud Security > Update White Cloud Security
-or-
Right click the Tray App, then select Check for Updates
Features:
- [#664] Support for Multi-level depth Trusted Children
- [#665] Ability to enable the Vault from the web portal dashboard
Enhancements:
- [#650] Handle the PowerShell __PSScriptPolicyTest files on Windows 10 systems (updated)
- [#657] change version to include a build number based on git checkin count
- [#658] include the directory path and base filename in the Splunk/SIEM/CSV logs
- [#660] modify CSV logging to use empty values rather than undefined
Bug Fixes:
- [#661] clear the CSV cache even if we don't rotate the log files
Known Issues:
- [#196] uninstall does not register with server for systems running Windows XP, Windows 2000, Server 2003
- [#272] standalone MSI installer package right-click "Repair" may fail and rollback
- [#388] clicking cancel during the install may result in indeterminate state
Release Notes: Version 1.4.1 (2019-02-07)
Go to the Start Menu > All Programs > White Cloud Security > Update White Cloud Security
-or-
Right click the Tray App, then select Check for Updates
Features:
- [#650] handle the __PSScriptPolicyTest PowerShell files on Windows 10 systems
- [#649] support for allowing the remote dashboard to control new settings options
- [#645] update settings dialog to support Splunk logging option
- [#643] option to write Unknown and Trusted information to CSV format for Splunk ingestion
- [#648] added Harvester option to write data as CSV format for Splunk ingestion
- [#651] update settings dialog to support PowerShell Admin Mode option
- [#392] enable SystemModeImage option to check system driver files
Enhancements:
- [#652] Windows Application logs now include the code signing cert SHA1 hash
- [#644] expanded the size of the settings dialog to support more options
- [#654] include Windows version information in account info query
Bug Fixes:
- [#633] resolved issue where installer was creating URLs as ALL CAPS
Known Issues:
- [#196] uninstall does not register with server for systems running Windows XP, Windows 2000, Server 2003
- [#272] standalone MSI installer package right-click "Repair" may fail and rollback
- [#388] clicking cancel during the install may result in indeterminate state
Release Notes: Version 1.3.13 (2018-02-14)
Go to the Start Menu > All Programs > White Cloud Security > Update White Cloud Security
-or-
Right click the Tray App, then select Check for Updates
Features:
- [#623] added php-cgi.exe to W3 Trusted Scripts
- [#624] added option for Enhanced Trusted Scripts to be configured from the dashboard
Enhancements:
- [#625] settings dialog will display the hidden check box if the flag is enabled
- [#627] include signature algorithm with code signing certificate data
- [#342] added COMODO certificates to the certificate bundle for new SSL certs
Bug Fixes:
- n/a
Known Issues:
- [#196] uninstall does not register with server for systems running Windows XP, Windows 2000, Server 2003
- [#272] standalone MSI installer package right-click "Repair" may fail and rollback
- [#388] clicking cancel during the install may result in indeterminate state
Release Notes: Version 1.3.12 (2017-08-21)
Go to the Start Menu > All Programs > White Cloud Security > Update White Cloud Security
-or-
Right click the Tray App, then select Check for Updates
Features:
- [#612] option to force the driver offline and always use the persistent cache
- [#614] option for remote configuration of the updater scheduled task
- [#617] configuration item to enable W3 Trusted Scripts for ASP.NET
Enhancements:
- [#604] added extra logging to investigate fingerprint errors from the kernel
- [#606] verify the binary SHA-256 fingerprint when reading certificate in the service
- [#610] added Java as Trusted Scripts for JAR, CLASS and ZIP extensions
- [#613] added persistCache flag to determine whether or not to save an app to the persistent cache
Bug Fixes:
- [#609] modified Trusted Scripts to account for files without an extension
- [#611] fingerprint lookup errors always result in Network Error handling
Known Issues:
- [#196] uninstall does not register with server for systems running Windows XP, Windows 2000, Server 2003
- [#272] standalone MSI installer package right-click "Repair" may fail and rollback
- [#388] clicking cancel during the install may result in indeterminate state
Release Notes: Version 1.3.11 (2017-03-21)
Go to the Start Menu > All Programs > White Cloud Security > Update White Cloud Security
-or-
Right click the Tray App, then select Check for Updates
Features:
- [#601] full Windows Lab Kit testing to enable support for Windows 10 and Server 2016
Enhancements:
- [#603] include proxy settings in the installation configuration file
Bug Fixes:
- [#274] better error handling in the kernel to manage and log errors
Known Issues:
- [#196] uninstall does not register with server for systems running Windows XP, Windows 2000, Server 2003
- [#272] standalone MSI installer package right-click "Repair" may fail and rollback
- [#388] clicking cancel during the install may result in indeterminate state
Release Notes: Version 1.3.10 (2017-01-11)
Go to the Start Menu > All Programs > White Cloud Security > Update White Cloud Security
-or-
Right click the Tray App, then select Check for Updates
Features:
- [#586] support driver signing changes in Windows 10, version 1607
Enhancements:
- [#588] option to create a scheduled task to run the updater tool every day
Bug Fixes:
- [#589] the Tray App validate button will clear the cache when directed by the dashboard
Known Issues:
- [#196] uninstall does not register with server for systems running Windows XP, Windows 2000, Server 2003
- [#272] standalone MSI installer package right-click "Repair" may fail and rollback
- [#388] clicking cancel during the install may result in indeterminate state
Our Blog
White Cloud Security Blogs
2024
July
How and why the CrowdStrike global BSOD occurred
The Blue Screen of Death (BSOD)
FRIDAY JULY 19, 2024, THE WORLD SAW the global impact of a widespread BSOD event caused by an update error from an antivirus company resulting in the crash of approximately 8.5 million computers used in various industries around the world.
What is a BSOD?
WHEN MICROSOFT WINDOWS encounters a serious inconsistency error in its internal memory management system, it has no choice but to halt the running of the Windows Operating System in order to prevent more serious problems that might occur, e.g. data loss or a security breach.
While programmers are supposed to guard against this kind of fatal error by checking the consistency of their memory operations, a programming oversight can lead to either corruption of data or unauthorized data exposure. This could result in losing all data in memory or on a disk or potentially giving a user or process unauthorized privileged access.
This condition is so serious that Microsoft halts all software on the affected computer and displays a fatal error message on a blue screen.
A BSOD indicates that Windows is dead!
This is why we commonly call it the Blue Screen of Death.
Why didn't rebooting work?
IN THE PAST WHEN YOU ENCOUNTERED A BSOD you merely rebooted Windows to fix it. That usually worked because the problem was a result of a combination of events that created the internal inconsistency error that led to the BSOD.
July 19th was different because CrowdStrike’s software update error caused the same internal memory inconsistency error each time that their antivirus software driver was loaded as the Windows operating system was starting up.
Here's what happened …
CrowdStrike and other antivirus software need to frequently update their software to ensure that it can detect and mitigate new strains of computer viruses and hacking threats.
CrowdStrike CEO George Kurtz noted that keeping up with hackers requires frequent updates to security tools ... This is true for all antivirus software, not just CrowdStrike.
CrowdStrike’s automated updater installed an antivirus update that caused the BSOD error. Each reboot resulted in the same system failure.
Unfortunately, this BSOD prevented Windows from booting to the point where the CrowdStrike updater could repair their broken software.
Windows was “Locked Up” at Boot Time, requiring a manual boot into Safe Mode
Malware Detection and Operational Considerations
Is the problem fixed now?
WHILE THIS FAULTY UPDATE has been fixed, the risk of future BSODs from frequent antivirus updates remains. There is no silver bullet that completely eliminates the risk of BSODs, but careful engineering of the software design can significantly reduce it.
The Danger of a Zero-Day Attack
THE BIGGEST CYBERSECURITY THREAT is from the exploitation of Zero-Day Vulnerabilities.
A Zero-Day attack exploits an undisclosed computer-software vulnerability to gain control of a computer or network. It is known as a "zero-day" because the vulnerability isn’t publicly known before hackers use it, leaving the software authors with “zero” days to create patches to mitigate it.
Traditional and next-generation antivirus products can't detect and stop new threats and Zero-Day attacks without prior knowledge of their behavior, so they require antivirus updates whenever new threats are discovered in order to identify them.
“Updates to Channel Files are a normal part of the sensor’s operation and occur several times a day in response to novel tactics, techniques, and procedures discovered by CrowdStrike.”
These frequent CrowdStrike updates significantly increased the risk of a BSOD occurring. It took only a single update error to cause the global outage affecting millions of computers. 2024 was not CrowdStrike’s first BSOD incident, with other incidents allegedly in 2013, 2017, 2019, and 2023.
Malware Detection Complexity
No matter how many attack attributes an antivirus technology uses to categorize an attack vector or its behavior, hackers will continue to develop new hacking techniques. This makes malware detection an unbounded problem; one that’s characterized by unknown or poorly defined information requirements, a great number of variables and unpredictable behavior on a large-scale. Just adding more features or using newer learning algorithms cannot solve this kind of problem.
To avoid BSODs, simplify the design
To provide a predictable solution, we transformed the complex task of detecting malware into a straightforward, bounded task: determining which software is allowed to run. Instead of searching for the “needle in the haystack”, we only have to determine which software is authorized to run. Our App Firewall blocks all Zero-Day malware and all other unauthorized and unknown software.
Because our kernel software design is so simple, we haven’t needed to update it since April 2020.
This eliminates downtime risks caused by:
- a breach due to a missed Zero-Day attack, and
- errors during frequent software updates
So, now you can choose:
- a simple, stable Zero-Day prevention solution,
- or being stuck with a BSOD brick.
VMware Admin flaw gives hackers privileged access
Ransomware Threat Exploiting VMware ESXi Vulnerability
Summary:
- Vulnerability Details: The vulnerability, identified as CVE-2024-37085, affects VMware ESXi hypervisors. It allows attackers to add a new user to the "ESX Admins" group, which grants full administrative privileges. This flaw was fixed in the ESXi 8.0 U3 update released on June 25, 2024.
- Exploitation in the Wild: Several ransomware gangs, including those known as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest, have been exploiting this vulnerability to deploy ransomware like Akira and Black Basta. The exploitation allows attackers to steal sensitive data, move laterally across networks, and encrypt the ESXi hypervisor's file system, causing major disruptions.
- Ransomware Impact: These attacks have led to significant outages and disruptions, particularly targeting critical applications and data hosted on ESXi virtual machines. The ransomware groups are focusing on ESXi VMs due to their critical importance to business operations.
- Federal Response: The Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive for Federal Civilian Executive Branch (FCEB) agencies to secure their systems against this vulnerability by August 20, 2024. CISA has also urged all organizations to prioritize fixing this flaw to prevent potential ransomware attacks.
- The Play ransomware group has started using an ESXi Linux locker for attacks, indicating a broader trend of ransomware operations targeting ESXi environments.
How we prevent this
How White Cloud Security Trust Lockdown prevents such attacks.
White Cloud Security's Trust Lockdown solution is uniquely positioned to prevent such ransomware attacks, even if they involve privilege escalation vulnerabilities like CVE-2024-37085. Trust Lockdown implements a Zero-Trust App Security Model that uses 6-Factor Authentication to uniquely identify and allow only pre-approved software to run. This includes:
What we do differently
- Default-Deny Approach: All applications are denied by default unless explicitly trusted and approved by administrators.
- 6-Factor Authentication: Uses SHA-1, SHA-256, SHA-512, MD5, CRC32, and the file's length to verify software integrity and authenticity.
- Strict Administrative Controls: Even users with administrative privileges cannot run unauthorized applications, including ransomware or other malicious software.
Only Authorised Apps Run
By leveraging these security measures, Trust Lockdown ensures that only authorized and vetted software can execute, thereby preventing ransomware gangs from exploiting vulnerabilities to gain administrative access and deploy malware.
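To make the default-deny decision concrete, here is an added Python model of the approach described above (and in the BSOD post's "determining which software is allowed to run"). It is example code written for this page, not code from White Cloud Security or the Trust Lockdown product; the function names, the in-memory trust list and the two sample "executables" are all constructed for illustration. It computes the six factors named in the list (SHA-1, SHA-256, SHA-512, MD5, CRC32 and file length) for a file's bytes and allows execution only when the complete six-factor handprint is already on the trust list; anything else, including a file that differs by a single byte from a trusted one, is denied.

```python
import hashlib
import zlib

# Constructed sample file contents standing in for real executables on disk.
# TAMPERED_APP differs from TRUSTED_APP by exactly one byte (v1 -> v2).
TRUSTED_APP = b"MZ\x90\x00trusted-app-v1"
TAMPERED_APP = b"MZ\x90\x00trusted-app-v2"

FACTOR_NAMES = ("sha1", "sha256", "sha512", "md5", "crc32", "length")


def handprint(data: bytes) -> tuple:
    """Return the six identifying factors of a file: four digests, CRC32 and length."""
    return (
        hashlib.sha1(data).hexdigest(),
        hashlib.sha256(data).hexdigest(),
        hashlib.sha512(data).hexdigest(),
        hashlib.md5(data).hexdigest(),
        f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",  # mask keeps CRC unsigned on all Python versions
        len(data),
    )


def build_trust_list(approved: dict) -> dict:
    """Map the handprint of each explicitly approved file to its label.

    Nothing is added implicitly: a file is on the list only because an
    administrator placed its content here (hypothetical approval workflow).
    """
    return {handprint(content): name for name, content in approved.items()}


def decide(data: bytes, trust_list: dict) -> tuple:
    """Default-deny policy decision for a file about to execute.

    The lookup is on the whole six-factor tuple, so a mismatch in any single
    factor is enough to miss the trust list and fall through to DENY.  Who is
    running the file (admin or not) plays no role in this decision.
    """
    hp = handprint(data)
    name = trust_list.get(hp)
    if name is None:
        return ("DENY", "unknown: handprint not on trust list")
    return ("ALLOW", name)


def differing_factors(a: bytes, b: bytes) -> set:
    """Names of the factors that differ between two files (for log/triage output)."""
    return {
        name for name, x, y in zip(FACTOR_NAMES, handprint(a), handprint(b)) if x != y
    }


if __name__ == "__main__":
    trust_list = build_trust_list({"trusted-app": TRUSTED_APP})
    print("trusted file  :", decide(TRUSTED_APP, trust_list))
    print("tampered file :", decide(TAMPERED_APP, trust_list))
    print("factors differing between them:", sorted(differing_factors(TRUSTED_APP, TAMPERED_APP)))
```

Running the block shows the trusted content allowed, the one-byte variant denied, and `differing_factors` reporting that every digest and the CRC changed while the length stayed the same; that last point is why length alone would be a weak identifier and why the decision keys on all six factors together. A real agent would read file contents from disk and hold the trust list in a persistent cache rather than a dict, but the decision logic is the same.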
References
For further reading, you can check the original reports here and here.
August
GRC Information Protection Basics
01 August 2024
We suggest a concise and structured approach to information protection. It emphasizes the key principles of Governance, Risk Management, and Compliance (GRC) with a focus on simplicity, scalability, and security.
Setting Boundaries
Setting Boundaries for Data Access starts with "the six Ws of information gathering".
What, Where, Who, Why, How and When.
These questions provide context for risk evaluation for our information assets and provide guidance for proper Data Privacy and Data Security governance.
Starting with the What (What our Assets are), each of these essential questions helps us to evaluate risk for that context and leads us to the next essential question.
- What – An inventory of the information assets
- Where – Where these assets are located (domains, computers, volumes)
- Who – Who has (or will need) access to these assets
- Why – Why these entities need access
- How – What methods will be used for access
- When – During what periods these entities require access
Determining Risk
- What – What is the Risk Category for each asset
- Where – What are the data location exposure risks
- Who – What are the entity access exposure risks
- Why – Does this entity require access
- How – How should this entity access it
- When – What are the appropriate periods of access
Key Highlights:
- Data Access Boundaries: This approach outlines a clear framework for setting boundaries for data access by considering what information assets are involved, where they are located, who needs access, why they need access, how they will access it, and when the access is needed. This holistic approach ensures comprehensive coverage of all aspects of data access control.
- Risk Assessment: This approach also emphasizes the importance of determining risk categories for each asset, understanding data location and access exposure risks, and evaluating the necessity and timing of access. This risk-based approach helps in prioritizing and mitigating potential exposure and other threats.
- Prevention Focus: Our recommendation strongly advocates a preventive approach.
Awareness is Security
You can't secure what you aren't aware of, don't know where it's located, who can access it, whether they need to, how they access it, or when access is required.
It is founded on our belief that "Prevention Beats Remediation Every Single Time." This aligns with White Cloud Security's philosophy of using Default-Deny and Zero-Trust Protection to minimize risks before they materialize.
Overall, this approach provides a solid foundation for organizations looking to implement or enhance their GRC strategies, particularly in terms of data protection and access management. The focus on clear, actionable steps and preventive measures makes it a practical resource for stakeholders involved in information security and compliance.