Trust Lockdown System Overview
How It Works
White Cloud Security Trust Lockdown employs a Cyber-Metric Handprint Technology utilizing 6-Factor Authentication (SHA-1, SHA-256, SHA-512, MD5, CRC32, and file length) to uniquely identify each file, ensuring only files on a pre-approved Trust-List can run. Combined with its Default-Deny methodology, this approach effectively blocks all malware and unauthorized software by only allowing explicitly pre-approved software to execute.
The Trust Lockdown Security Groups Inheritance Tree manages administrator access and software policies hierarchically, with child groups inheriting policies from parent groups to ensure consistency across an organization. This structure simplifies and scales the management of both administrator access and software policies.
Trust Lockdown System Components
- Endpoint Security Agent
- Centrally Managed Service
General Flow of App Security Policy operations
- The end user or a process initiates the loading of software.
- The Trust Lockdown Security Endpoint Agent applies a local policy if one exists.
- Otherwise, the Agent requests approval from the Trust Lockdown Service.
- The Service returns any applicable policy; otherwise approval is always denied.
- For endpoints using Monitor Mode, unknown software is logged but allowed to run.
System Components Interaction Diagram

```mermaid
graph BT
    user[End User Runs Software] --> execve
    subgraph Protected Computer
        execve[Operating System\nKernel Executive]
        whack[Kernel\nSecurity Module\nApplies App Policies]
        execve --> whack
        whack --> kmcache[Kernel\nMemory Cache]
        kmcache --> whack
        whack -- req --> whacker[Security\nAgent]
        whacker --> diskcache[Local\nPersistent Cache]
        diskcache --> whacker
        whacker -- ack --> whack
        whack --> execve
    end
    whacker -. Verify\nApp .-> dca
    dca -. App\nPolicy .-> whacker
    subgraph Trust Lockdown Service
        nfs[NFS\nFilesystem]
        mysqld[MySQL\nDatabase]
        dca[Data Center Appliance]
        nfs <-- File\nAccess --> dca
        mysqld <-- DB\nAccess --> dca
    end
```
Key Features:
Default-Deny Execution Control: Trust Lockdown implements a Default-Deny Security Model that blocks the execution of all unauthorized and unknown software, allowing only those applications, libraries, and scripts that are explicitly approved for the endpoint to run.
Zero-Trust App Security Enforcement: Each time software tries to load, its 6-Factor Authentication Identity is re-computed to verify it is on the approved software list.
Zero-Trust Admin Access Enforcement: Each time any account owner tries to access information or admin controls, their role-based access rights are applied to that request, even if they are already logged in.
Zero-Trust Folder Protection: Instead of whitelisting folders used by tools to run dynamically generated scripts, Trust Lockdown only allows scripts run by the parent process. This prevents the misuse of whitelisted folders to run unauthorized and malicious software.
Efficient Trust Verification: By leveraging memory-based caching for approval lookups and caching the policy responses in kernel memory, Trust Lockdown minimizes the performance overhead associated with approval verification.
Comprehensive Coverage: Trust Lockdown hooks into critical points of the operating system's kernel file operations API, using established security hooks for executable programs and memory-mapped files, and monitors software file write operations to invalidate memory cache records, ensuring comprehensive execution control.
Flexible Operation Modes: Trust Lockdown supports three operating modes (Blocking, Monitoring and Learning), providing flexibility in how execution control policies are enforced, monitored and created.
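The following is an added example, written for this page and not code from White Cloud Security or the Trust Lockdown product, that models the pieces described above: the 6-factor handprint (SHA-1, SHA-256, SHA-512, MD5, CRC32 and file length) from the overview, the approval flow (kernel memory cache, local persistent cache, then the Service, with Default-Deny when no policy comes back), cache invalidation on file writes, and the three operation modes. The `TrustService` and `Agent` classes, their method names, the decision to cache "no policy" results in kernel memory, and the assumption that Learning mode adds unknown software to the trust list are all hypothetical simplifications; a real deployment keeps the kernel-side logic in a kernel module, not in Python.

```python
import hashlib
import os
import tempfile
import zlib
from enum import Enum


def handprint_from_chunks(chunks):
    """Six-factor identity of a file, computed in a single pass over its bytes:
    (SHA-1, SHA-256, SHA-512, MD5, CRC32 as 8 hex digits, length in bytes)."""
    digests = [hashlib.sha1(), hashlib.sha256(), hashlib.sha512(), hashlib.md5()]
    crc, length = 0, 0
    for chunk in chunks:
        for d in digests:
            d.update(chunk)
        crc = zlib.crc32(chunk, crc)   # CRC32 is chained across chunks
        length += len(chunk)
    return tuple(d.hexdigest() for d in digests) + ("%08x" % (crc & 0xFFFFFFFF), length)


def handprint(path):
    """Stream a file from disk so large binaries are read only once."""
    with open(path, "rb") as fh:
        return handprint_from_chunks(iter(lambda: fh.read(65536), b""))


class Mode(Enum):
    BLOCKING = "blocking"       # unknown software is denied
    MONITORING = "monitoring"   # unknown software is logged but allowed to run
    LEARNING = "learning"       # assumption: logged, allowed, and added to the trust list


class TrustService:
    """Hypothetical stand-in for the central Service: returns a policy or None."""

    def __init__(self, trusted_handprints):
        self.trust_list = set(trusted_handprints)
        self.requests = 0

    def lookup(self, hp):
        self.requests += 1
        return "allow" if hp in self.trust_list else None   # None => caller must deny


class Agent:
    """Endpoint agent and kernel module modelled as one object (hypothetical)."""

    def __init__(self, service, mode=Mode.BLOCKING):
        self.service = service
        self.mode = mode
        self.kernel_cache = {}   # path -> (handprint, policy); dropped when the file is written
        self.local_cache = {}    # handprint -> policy; the agent's persistent cache
        self.log = []            # unknown software seen in Monitoring/Learning mode

    def on_file_write(self, path):
        # A write to a software file invalidates its kernel memory cache record,
        # so the next load attempt re-computes the six-factor identity.
        self.kernel_cache.pop(path, None)

    def decide(self, path):
        """Return (verdict, source) for an attempt to load `path`."""
        entry = self.kernel_cache.get(path)
        if entry is not None:
            hp, policy, source = entry[0], entry[1], "kernel-cache"
        else:
            hp = handprint(path)                      # identity recomputed on every uncached load
            policy, source = self.local_cache.get(hp), "local-cache"
            if policy is None:
                policy, source = self.service.lookup(hp), "service"
                if policy is not None:
                    self.local_cache[hp] = policy
            self.kernel_cache[path] = (hp, policy)    # assumption: "no policy" is cached too
        if policy == "allow":
            return "ALLOW", source
        if self.mode is Mode.BLOCKING:
            return "DENY", source                     # Default-Deny: no policy, no execution
        self.log.append((path, hp[1]))                # record unknown software by its SHA-256
        if self.mode is Mode.LEARNING:
            self.service.trust_list.add(hp)
        return "ALLOW", source


def run_scenario():
    """Constructed walkthrough of the approval flow; returns observations for checking."""
    with tempfile.TemporaryDirectory() as tmp:
        approved = os.path.join(tmp, "approved.bin")
        unknown = os.path.join(tmp, "unknown.bin")
        with open(approved, "wb") as fh:
            fh.write(b"hello")                        # constructed "approved" binary
        with open(unknown, "wb") as fh:
            fh.write(b"not on the trust list")        # constructed unknown binary
        service = TrustService([handprint(approved)])
        out = {}
        agent = Agent(service)                        # Blocking mode
        out["first"] = agent.decide(approved)         # ('ALLOW', 'service')
        out["second"] = agent.decide(approved)        # ('ALLOW', 'kernel-cache')
        out["unknown"] = agent.decide(unknown)        # ('DENY', 'service')
        out["requests"] = service.requests            # 2: the cache served the repeat
        with open(approved, "ab") as fh:
            fh.write(b"!")                            # tamper with the approved file
        agent.on_file_write(approved)
        out["tampered"] = agent.decide(approved)      # ('DENY', 'service'): identity changed
        monitor = Agent(service, Mode.MONITORING)
        out["monitor"] = monitor.decide(unknown)      # ('ALLOW', 'service'), but logged
        out["monitor_log"] = len(monitor.log)         # 1
        Agent(service, Mode.LEARNING).decide(unknown) # allowed and added to the trust list
        out["after_learning"] = Agent(service).decide(unknown)   # ('ALLOW', 'service')
        return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)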