AppSense, the Ultimate Citrix BFF, Is Ready to Bring Your Partners’ Business and ROI to the Next Level

AppSense has long been a Citrix partner powerhouse, helping its channel step up its ROI on Citrix deals.

AppSense has brought more to its Citrix partnership since becoming part of the LANDESK family in April 2016 and was recognized by Citrix as an elite contributor in November with its Citrix Ready Partner of the Month award.

Citrix Summit 2017 is LANDESK’s first, and we’re excited to connect with Citrix partners to show how you can leverage AppSense and LANDESK solutions.

There are three ways to maximize your time with AppSense and LANDESK at Citrix Summit:

  1. Stop by booth #603 for a breakdown of what AppSense and LANDESK have to offer, get a deep-dive demo, and enter for a chance to win a drone!
  2. Book a channel briefing with Jon Rolls, VP of Product Management, and me to learn how to get the most out of a partnership with AppSense and LANDESK and get a product roadmap update, including:
    • Citrix Ready certifications for XA and XD 7.11 and NetScaler for AppSense products
    • AppSense DesktopNow v10.1 with Windows Server 2016 support
  3. Avoid the Citrix Summit partner reception lines and network with some of the top individuals within the Citrix partner environment by attending our cocktail party co-hosted with IGEL on Tuesday! Visit booth #603 to get the details.

Looking forward to seeing you at Citrix Summit!

Reza Parsia

Director of America’s Channel

LANDESK

P.S.  On Wednesday, February 8, Citrix Ready will host a webinar interview with a McKesson IT staff member with many years of Citrix implementation experience. Join us for a frank discussion about using AppSense and Citrix in a healthcare environment. Register here!

The Cybersecurity Skills Shortage: Threat AND Opportunity for IT?

To paraphrase iconic singer/songwriter Donovan Leitch, who borrowed the idea from a Buddhist saying, “First, there is a cybersecurity skills shortage, then there is no shortage, then there is.”

A recent Computerworld article highlighted a US Department of Homeland Security (DHS) blog post, in which a DHS official argued that the much-publicized cybersecurity skills shortage is a myth.

In that post, the DHS official offered as evidence the 14,000 applicants, including 2,000 walk-ins, who attended a DHS job fair last July. “[W]hile not all of them were qualified, we continue to this day to hire from the wealth of talent made available as a result of our hiring event. The amount of talent available to hire was so great, we stayed well into the night interviewing potential employees.”

Perhaps unsurprisingly, the Computerworld article contrasts DHS’s interpretation of its job fair experience with the findings of numerous others outside of government. “For instance, a report released one day before the government’s job fair in July, Intel Security, in partnership with the Center for Strategic and International Studies (CSIS), pointed to a ‘talent shortage crisis’ of cybersecurity skills.”

Of course, the question isn’t whether there is or is not a cybersecurity skills shortage. The real question is, how can your company avoid the negative effects of such a shortage, now or in the future?

If skills are the question, technology is the answer

The right combination of skills, technologies, and processes can maximize the business value of the skills already in place at your organization. That combination can also help your organization to deal with any difficulties in expanding your cybersecurity team, by instead expanding the reach of the people you already have and the knowledge and experience they possess.

These benefits are equally applicable beyond cybersecurity. Technologies and processes that automate mundane tasks effectively and enable well-managed collection, sharing, and application of knowledge can aid your organization’s IT asset management (ITAM), IT service management (ITSM), and other efforts as well.

However, given the highly publicized challenges and risks associated with ransomware and other cybersecurity threats, cybersecurity may be the starting point that delivers the most benefits soonest.

LANDESK, AppSense, and Shavlik solutions, together with the skills and experience of their developers, resellers, and partners, can help you to ensure that your business can do business safely and efficiently, no matter how the availability of skilled, experienced personnel may ebb and flow. Visit us online, or contact your representative, to begin implementing the solutions and processes that protect and enable your people and your business.

No More ‘Small, Mid-Sized’ Businesses: Size Is out—Maturity Is In

As we approach another new year, some may already be thinking about resolutions for 2017.

Here’s a suggestion: Stop talking about your company in monolithic, size-focused terms such as “SMB” (“small to mid-sized business”) or “large enterprise.”

In all but the smallest companies, there is rarely if ever a situation where one size fits all. Why? Because in most enterprises (regardless of size) multiple initiatives and efforts are underway simultaneously. And while your business may be deeply experienced in some areas, some of those initiatives likely involve areas of focus at which you and your colleagues are novices.

IT presents several immediate and obvious examples. Your company may be expert in its primary business or businesses. But unless one or more of those is, in fact, IT, it’s unlikely that your company is as good at IT as it is at whatever it does best.

With this in mind, it may be more valuable and relevant to think less about companies in terms of “small” and “large”, and more about companies in terms of “start-up” and “scale-up” of specific initiatives. Or about processes that are more mature and less mature. Or environments or situations that are more complex or less complex.

Why words matter

This may seem at first like a pointless exercise in rhetorical hair-splitting. However, it turns out that how you frame discussions can have important effects on how those discussions play out and the results they produce.

Or, to be a bit more succinct, word choice matters.

Especially when you’re considering or pursuing initiatives important to your business.

Depending on the words you use to describe it, an initiative to, say, improve IT security or asset management may come across as a daunting, boil-the-ocean exercise, or as a worthy enhancement to the processes that run the business. And since every significant initiative involves engaging the support of others, how you present the initiative can have a major effect on its probability of success.

The challenge of word choice is equally significant regardless of the size of your enterprise. There are lots of smaller companies that face IT and other challenges as complex as those faced by larger organizations. And not every challenge faced by a larger enterprise is necessarily more complex than those faced by their smaller counterparts.

Another challenge: making sure the words used to assess challenges and plan solutions are based on accurate, credible information wherever possible. This means that in many cases, a central, well-managed repository of relevant information, stored and organized with an agreed-upon taxonomy, is the best foundation for communications based on or related to that information.

LANDESK solutions

LANDESK has both the solutions and the thought leaders to help you use the right words to pursue your IT initiatives successfully, and to back those words up with the best available information about your environment.

  • ITAM

Are you considering or pursuing an IT asset management (ITAM) initiative? You can read about how different people view assets differently, as well as what should be in your ITAM database, in this excellent blog post by ITAM Evangelist Patricia Adams: What is IT Asset Management?

You might also want to check out Patricia’s on-demand webinar in which she introduces her ITAM Attainment Model. There is also the very useful Info-Tech ITAM Report in which LANDESK was named a “Champion” vendor.

  • Risk management

How about risk management? Read Effective Risk Management Without Boiling the Ocean, another great post by our CSO, Phil Richards. In it, Phil discusses why a risk register aids risk and security management initiatives, and suggests some of the words that can help avoid boiling the risk management ocean.

  • Service management

Service management, within and even beyond IT? Got you covered there, too. LANDESK Service Desk combines social, mobile, and self-service support with data connectors and multiple integrations with other tools and data. Its ability to deliver a federated view of your configuration management database (CMDB) and other features are why Gartner named LANDESK a “Visionary” in its 2015 IT Service Management and Support report.

Of course, we have other resources and solutions to help you succeed with initiatives in these and other areas as well. Check them out online, or contact your LANDESK, AppSense, Shavlik, or Wavelink representative to learn more.

Let LANDESK help you make 2017 the year in which your organization increases the maturity of its IT initiatives and processes, to the benefit of the entire business.

Windows 10 Security Mitigations When You Can’t Apply Cumulative Updates

The introduction of Windows 10 cumulative updates will force enterprises to make a difficult choice: security or availability. Security in the sense of eliminating the risk of known vulnerabilities through patching. Availability where an application or Windows 10 feature only works when an update isn’t applied. Enterprises will need to plan on Windows 10 security mitigations when applying cumulative updates isn’t an option.

Bad Patches

Bad patches are like any other software bugs: they happen. In speaking with many of our customers, we hear about them experiencing bad Windows patches a few times a year. When these patches are applied, they break functionality in Windows or 3rd party applications. Sometimes Microsoft needs to fix something – sometimes a 3rd party vendor (see Windows 10 Cumulative Updates Overview for an example with Citrix XenDesktop). In the past, the solution was fairly straightforward: don’t apply the bad patch, address the security risk of the vulnerabilities in that patch, wait for a fixed patch or 3rd party software to be released, apply the improved patch or software and move forward.

Windows 10 Security Mitigations

With the cumulative updates, selectively applying patches is over. Rather than fretting over the situation, there are a number of mitigations that might be applied in place of the update when issues arise. In April 2014, Gartner’s Neil MacDonald wrote a report on Best Practices for Secure Use of Windows XP After Support Ends to address the issues of not being able to patch vulnerabilities that would continue to be found. Many of these practices can be used with Windows 10 for these situations where a patch breaks functionality. These practices can also be used persistently, but are often seen as too restrictive. Consider these approaches as part of a flexible security strategy that goes along with your patch management program. I will highlight a few of the practices in that report that can be addressed with LANDESK solutions.

Restrict Network Connectivity to the Minimum Possible

This can be challenging for many client systems, but easier to achieve with fixed function devices like kiosks or POS systems. LANDESK Security Suite can limit network connectivity through Windows firewall management or the LANDESK firewall.

Whitelisting

Whitelisting is a very effective method of securing a system as it stops unauthorized applications from running. LANDESK Security Suite and our recently acquired AppSense Application Manager both provide industry leading whitelisting with plans to blend both capabilities in future product releases.

Remove Administrative Rights

Many Microsoft vulnerabilities can be mitigated if the user does not run with an administrator account. Removing administrative rights is easy, but the limitations from such an action often stop organizations from taking this step. Privilege management software, including AppSense Application Manager, can be used to grant privileges to applications that need them so users can use non-administrative accounts. Conversely, privilege management software can also be used to remove administrative rights from an application that is vulnerable and cannot be patched.

Address the Most Common Attack Vectors — Web Browsing and Email

There are a number of things that go into securing web browsing and email. Neil mentions the following controls:

  • Patch Management: As discussed in my previous article, 3rd party patch management is a strength of LANDESK Patch Manager.
  • Containerization: There are a number of solutions that use technology to isolate applications, including our partner Bufferzone. With these solutions, attacks are contained to that application and are unable to spread to the operating system or other applications.

Keep the Rest of the Software Stack Updated Where Possible, Including Office

Can I get one more amen for patch management? Enough said.

Use an IPS to Shield Systems from Attack

LANDESK Security Suite includes a Host Intrusion Prevention component to address behavior-based attacks and apply file protection rules. In addition, LANDESK Antivirus brings an industry leading antimalware engine.

Disable USB Ports and CD/DVD Drives

Often malware is introduced through removable media. LANDESK Security Suite provides device control to disable external media devices, make them read-only, and/or shadow copy files that move across those devices.

Key Takeaways

Here are some points to remember and share:

  • Expect Windows 10 cumulative updates to occasionally break features or 3rd party applications
  • Selective application of patches is no longer an option with Windows 10
  • Build out a strategy of security mitigations when applying the cumulative update isn’t feasible

This article marks a stopping point for this series. There will likely be updates and changes to this conversation as new branch upgrades are released, but this gives you a solid foundation. Hopefully this series has been helpful, and I wish you great success with Managing Windows 10 updates.

Infographic: Your Quick Guide to Simplifying Endpoint Security

The problems of protecting endpoints are pretty well understood. You have private data and intellectual property that others want.

On the other hand, you have employees who need to do their jobs and who require access to that private data and intellectual property.

Endpoints will always be under attack. Every line of code in an application presents an attack surface that cybercriminals can exploit. These hackers are constantly researching and exploiting defects in code.

The overarching problem is that software will always have defects, making it susceptible to attacks.

Similar issues exist for every user on your network. Employees also present an attack surface that can be exploited. As hackers become more sophisticated, they’re learning more about the targeted user than ever before. Users can easily be fooled into installing malware or providing sensitive information.

If you disrupt either the application or the user, you break the attack chain.

Effective endpoint security solutions must satisfy three different entities: user’s needs, security IT needs and desktop IT needs.

The top needs of the user are performance, flexibility and control, and consistency. The most important security IT needs are protection, compliance, and the ability to audit. Lastly, desktop IT needs are endpoint manageability, license control, and profile management.

Application control is the last line of defense. It blocks unknown malware that bypasses all other defenses. It doesn’t matter whether it came from a website or a USB. It doesn’t matter that it was an executable, a self-extracting file, a script, a registry key or a screen saver.

Using AppSense Application Manager, you can boost endpoint security in three steps:

  • Roll out AppSense in ‘passive mode’ for Application Control and Rights Discovery.
  • Review output; who really uses their admin privileges, specifically what privileges and how often?
  • Create configuration based on analysis and activate.
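
The passive-mode review in the three steps above, sketched as an added example (not AppSense code or output): the event layout, the trusted-root list and the `local_admins` input are constructed for illustration and do not reflect Application Manager's real audit format.

```python
"""Review audit-only ("passive mode") application events before enforcing.

The CSV layout is constructed for this example; it is NOT the audit format
of AppSense Application Manager or any other product.
"""
import csv
import io
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed sample: in passive mode nothing is blocked, launches are only logged.
SAMPLE_EVENTS = r"""user,path,elevated
alice,C:\Program Files\Office\winword.exe,no
bob,C:\Program Files\Office\winword.exe,no
bob,C:\Program Files\Vendor\updater.exe,yes
bob,C:\Program Files\Vendor\updater.exe,yes
carol,C:\Users\carol\Downloads\game.exe,no
dave,E:\tools\portable.exe,no
dave,C:\Windows\System32\mmc.exe,yes
erin,C:\Program Files Extra\tool.exe,no
"""

# Assumption: accounts that currently hold local administrator rights.
LOCAL_ADMINS = {"alice", "bob", "dave"}

# Assumption: locations that standard users cannot write to.
TRUSTED_ROOTS = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
)


def is_trusted_location(path):
    """True if path lies under a trusted root, compared component by component.

    A plain string-prefix test would accept 'C:\\Program Files Extra\\...' and
    '..' segments that climb back out of the root; both are rejected here.
    Windows path comparison is case-insensitive, which PureWindowsPath handles.
    """
    p = PureWindowsPath(path)
    if ".." in p.parts:
        return False
    return any(root in p.parents for root in TRUSTED_ROOTS)


def review(events_csv, local_admins):
    """Summarise passive-mode events into inputs for the enforcing configuration."""
    users_by_path = defaultdict(set)
    elevations = Counter()  # (user, path) -> number of elevated launches
    for row in csv.DictReader(io.StringIO(events_csv)):
        users_by_path[row["path"]].add(row["user"])
        if row["elevated"] == "yes":
            elevations[(row["user"], row["path"])] += 1

    # Executables in admin-controlled locations are allow-rule candidates;
    # anything from home folders or removable media needs a human decision.
    allow = sorted(p for p in users_by_path if is_trusted_location(p))
    needs_review = sorted(p for p in users_by_path if not is_trusted_location(p))

    # Which privileges are really used, by whom and how often: candidates for
    # per-application elevation instead of a blanket administrator account.
    elevate = defaultdict(dict)
    for (user, path), count in elevations.items():
        elevate[path][user] = count

    admins_in_use = {user for (user, _path) in elevations}
    return {
        "allow": allow,
        "needs_review": needs_review,
        "elevate": dict(elevate),
        "unused_admin_rights": sorted(set(local_admins) - admins_in_use),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_EVENTS, LOCAL_ADMINS).items():
        print(f"{key}: {value}")
```
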

That’s just the beginning. AppSense can also eliminate profile corruption, simplify user data management, increase user density, accelerate logon times, improve desktop responsiveness, and simplify image management.

Visit www.appsense.com to see how AppSense can help.

On March 14, 2016,  LANDESK acquired AppSense, the leading provider of secure user environment management solutions. Check the AppSense section of the blog for all of our AppSense-related content.

Why Securing Devices Is Not a ‘One Size Fits All’ Proposition

Given the breadth of ways computing devices are used in a typical enterprise, trying to use a generic set of security controls for every device wouldn’t make sense.

First, you have to spend time profiling the main use models of devices and defining standard ‘profiles’ for which you can then design appropriate defenses. There are plenty of attributes you can use to define use cases, but we see a few in most environments:

1. Operating system

You protect Windows devices differently than Macs, and both differently than Linux servers, because each has a different security model and different available controls. When deciding how to protect a device, operating system is a fundamental factor.

2. Usage model

Next look at how the device is used. Is it a desktop, kiosk, server, laptop, or mobile device? We protect personal desktops differently than kiosks, even if the hardware and operating systems are the same.

3. Application variability

Consider what kind of applications run on the device, as well as how often they change and are updated.

4. Geographic distribution

Where is the device located? Do you have dedicated IT and/or security staff there? What is the culture, and can you monitor and lock everything down? Some countries don’t allow device monitoring, and some security controls require permission from government organizations, so those must be considerations as well.

5. Access to sensitive data

Do the users of these devices have access to sensitive and/or protected data? Depending on the sensitivity of the data, you may need to lock down the device. By contrast, a public device in an open area, with no access to corporate networks, may be able to make do with much looser or simpler security controls.

Using these types of attributes, you should be able to define a handful of use cases or so, which you can use to determine the most appropriate means of protecting each device, trading off security against usability.


Texas School District Shares Nightmare Security Issue

Though it doesn’t get as much attention as hackers targeting the Department of Defense, large financial institutions, or the nation’s utility grid, cybercrime plagues the networks of educational institutions from coast to coast.

Just Google something like “students steal personal information from school networks” and you’ll get more than 29M results.

Greg Bartay, IT director for Pearland ISD, can vouch for the seriousness of this problem firsthand.

“We had a student who brought malicious tools into the district and executed them from a flash drive,” explains Bartay. “He downloaded Active Directory tools at home. He also downloaded UltraSurf, which creates a virtual tunnel through your firewall from the inside out. He was trying to break into student accounts.”

“He was posting the information he retrieved online,” Bartay continues. “We received anonymous emails from Internet share groups telling us what he was doing. With more time, he could have gotten access to things like students’ and parents’ Social Security numbers.”

To combat this threat and avoid future problems, Bartay began looking for a technology solution that the district could use to protect the personal information of students, teachers, and staff.

One week after the hack, Pearland was hit with a ransomware attack.

“The attack was due to a file generated from a flash drive used on a school computer,” said Jonathan Block, desktop support services manager for Pearland ISD. “There were 15-20 file shares affected. It took us five hours to recover the data from backup. And, because we had to take down those file shares to recover data, we were unable to back up a day’s worth of teachers’ and students’ classwork.”

“We thought we were protected against ransomware,” continued Block. “But we discovered that Microsoft System Center Endpoint Protection had no zero-day definitions for the variant that attacked us.”

The one-two punch of a hack closely followed by a ransomware attack created an enormous sense of urgency for the Pearland ISD IT team to find a solution.

The Solution: AppSense Application Manager

Other than locking down the network, which made day-to-day educational tasks nearly impossible, the district had few choices for protecting its sensitive information.

“We knew that trying to address the problem via Active Directory would take a lot of time and expertise,” recalls George Thornton, vice president of engineering for Pearland’s technology partner Logical Front. “Then a representative from AppSense explained what Application Manager could do. So we set up a proof of concept study.”

The POC ran for two months and Application Manager performed as promised, preventing any unauthorized executable from running within the network.

“It did everything we were told it would do,” notes Bartay. “It gives us control over what anyone can execute out of their home folders or off a USB drive. If someone wants to run a program that’s not on our list, they have to ask permission. It’s prevented kids and even many of our staff from using Pearland ISD endpoints for non-school-related activities.”

“It took just ten minutes to deploy a simple Application Manager configuration to 38 machines in one of our high school libraries as a test,” said Block. “The team spent several hours observing a succession of students try to play games on those library computers using flash drives they brought from home. Application Manager blocked every attempt.”

The Results

Since installing Application Manager, Bartay and his team have significantly reduced their risk. In addition, as the team observed in the school library, Application Manager has allowed the IT team to block students from executing online games without diving into granular Active Directory policies. This saved the IT team time and also put a stop to activities that were robbing students of instructional time.

“When they are losing instructional time, it means they are not doing what they are here to do,” Bartay points out.

In addition to saving time on AD policies, implementing Application Manager also saves the IT team hundreds of hours each school year that would otherwise go to resetting all the student passwords due to malware or ransomware issues.

Organizations used to stress perimeter security with strong firewalls and robust access policies. Today, that’s not enough.

“You can’t put a price on security. You’re talking about people’s lives. Just ask the people that shopped at Target. People will be cleaning that up for years to come,” concludes Bartay. “You have to have a zero trust policy, with virtual firewalls throughout your network and layered defenses. AppSense helps achieve that.”


Top 4 Complaints About Application Control

There is no way to skirt this subject. Many organizations have had less than stellar experiences with application control technologies in the decade the technology has been available.

The complaints tend to revolve around a few issues:

1. Employees can’t do their jobs

This one is obvious. Employees are highly motivated to get work done and have little interest in anything (security included) slowing them down.

Application control defines a set of applications they can run and blocks everything else, which can impede their ability to perform job functions. Some of the criticism is unwarranted — there may not be a business requirement to run iTunes or Gears of War on a corporate device.

But the inability of a knowledge worker to install a new application when they need it is a legitimate concern. With the integration of more plug-ins and code execution within browsers, application control can also break the user experience of web browsing if it blocks plug-ins.

2. It requires another agent

This is another legitimate gripe. In order to enforce application control policies on a device, you need a software agent of some sort to run on it. There is no way around this.

In the best case, the application control product can leverage another agent already on the device (for endpoint management, for instance).

3. It’s hard to manage

In any organization of scale, employees want to do things and install code on their devices, all day, every day. Someone needs to approve or disapprove all these programs and determine their appropriateness. That takes time, and it’s not like security folks have a ton of extra time for new responsibilities.

Don’t forget the need to authorize every patch or update for every application in use.

4. It doesn’t work

This criticism is squishy, but given the examples of Microsoft’s patching process being exploited, as well as malicious code running within authorized applications (such as browsers and Adobe Reader), it is possible to evade application control defenses. As with every other security control, nothing provides 100 percent security. Organizations need to understand the compromises involved in establishing their trust model for application control.

These criticisms are all reasonable. Application control does impact user experience — it needs to. It’s as simple as that. If employees can load arbitrary software onto their machines and execute code in their browsers and other applications, devices will be compromised. Every organization needs to weigh the trade-offs of security against usability to allow employees to do their jobs, balancing that risk against the productivity impact of locking down devices via security controls.

Approaches focusing on isolation or detection during (or after) compromise impact user experience less, but they depend on being right every time and catching every attack. They have historically proven unsuccessful. That doesn’t mean none of the new isolation or advanced heuristics approaches holds promise. But at this point, we do not know whether any new techniques can adequately address malware.

Take command of your application control with AppSense. Download your free copy below.


Why Application Control Is Essential for Your OS

When an operating system is at the end of its life and no longer receiving security updates, it is a sitting duck. Attackers have free rein to continue finding exploitable defects with no fear of patches to cramp their style.

In this post, we’ll look at how application control is one of the best defenses against security threats on XP and more.

Windows XP security updates officially ended in April 2014, at which point organizations still using XP were out of luck (as if luck has anything to do with it…).

We know you wonder why on Earth any organization serious about security — or even not so serious — would still use XP. That is a legitimate question with two very reasonable answers.

1. Legacy applications

For one, some legacy applications still only run on XP. It may not be worth the investment — or even possible, depending on legal/ownership issues — to migrate to a modern operating system.

2. Compliance requirements

A similar situation arises with compliance requirements to have applications qualified by a government agency.

We see this a lot in healthcare, where the OS cannot even be patched without going through a lengthy and painful qualification process. That doesn’t happen, so on XP it stays. Despite Microsoft’s best efforts, XP isn’t going away any time soon.

The solution: application control

Unfortunately, that means XP will still be a common target for attackers, and organizations will have little choice but to protect vulnerable devices somehow. Locking them down may be one of the few viable options. In this situation, using application control in default deny mode (allowing only authorized applications to run) works well.

  • Kiosks, ATMs, and other fixed-function devices

Another use case we see frequently is fixed function devices, such as kiosks running embedded operating systems. Think ATM or payment station, where you never see the underlying operating system. These devices only run a select few applications built specifically for them.

In this scenario, there is no reason for any software besides authorized applications to run. Customers shouldn’t be browsing the Internet on an ATM, so application control is appropriate on kiosks.

  • Computer labs, libraries, call centers, etc.

Similarly, some desktop computers in places like call centers and factory floors only run very stable and small sets of applications. Locking them down provides protection both from malware and employees loading unauthorized software or stealing data.

In both these use cases, you will get little to no pushback from employees about their inability to install and run arbitrary software. Nothing in their job description indicates they should be loading software or accessing anything but the applications they need to do their jobs.

So in these scenarios, application control is an excellent fit.

  • Server devices

Another clear use case for application control is server devices.

Servers tend to be dedicated to a handful of functions, so they can be locked down to those specific applications. Servers don’t call the Help Desk to request access to iTunes, and admins can be expected to understand and navigate the validation process when they have a legitimate need for new software. Locking down servers can work very well — especially since servers, as the repository of most sensitive data, are the ultimate target of most attacks.

  • General purpose devices

There has always been a desire to lock down general-purpose devices, which are among the most frequently compromised. Those employees keep clicking stuff and are notoriously hard to control.

Theoretically, if you could stop unauthorized code from running on these devices, you could protect employees from themselves. End users push back against this because sometimes they legitimately need to install additional software. People get grumpy if they can’t do their jobs.

Application control does have a role on general-purpose desktops — so long as there is sufficient flexibility for knowledge workers to load legitimate software. In most cases, the application control software allows a grace period of a few hours to a day or so to run a new application, before it needs to be explicitly authorized by a manager or IT person.

There are other situations where application control’s trust model needs to be more flexible to meet the realities of enterprise use — such as permitting authorized software distribution products, authorized publishers, and trusted users to install and run software.

Loosening application control’s trust model introduces a window of vulnerability for new malware to compromise devices. This enables employees to run new software to get their jobs done, but presents a tricky trade-off which requires careful balancing. Many organizations deploy application control successfully this way, but be sure you have other controls in place — such as network security monitoring and malware callback detection — to identify compromised devices when application control isn’t tight enough.
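The trust-model trade-off described above, as an added example (not AppSense or LANDESK code): a small Python model of default deny with the relaxations the article lists, showing which executions a looser policy lets through and should therefore be reviewed. Rule names, policy fields, and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class ExecRequest:
    sha256: str                 # hash of the file about to run
    publisher: Optional[str]    # verified signer, None if unsigned
    installed_by: str           # process that placed the file on disk
    user: str
    first_seen: datetime        # when this device first saw the file

@dataclass
class Policy:
    allowed_hashes: set = field(default_factory=set)
    trusted_publishers: set = field(default_factory=set)
    trusted_installers: set = field(default_factory=set)
    trusted_users: set = field(default_factory=set)
    grace: Optional[timedelta] = None   # None means strict default deny

def decide(req, policy, now):
    """Return (verdict, rule). First matching rule wins; no match means deny."""
    if req.sha256 in policy.allowed_hashes:
        return "allow", "authorized-hash"
    if req.publisher is not None and req.publisher in policy.trusted_publishers:
        return "allow", "authorized-publisher"
    if req.installed_by in policy.trusted_installers:
        return "allow", "software-distribution"
    if req.user in policy.trusted_users:
        return "allow", "trusted-user"
    if policy.grace is not None and now - req.first_seen <= policy.grace:
        return "allow-pending", "grace-period"   # needs sign-off before expiry
    return "deny", "default-deny"

def review_queue(requests, policy, now):
    """Executions permitted by anything looser than an explicit hash:
    the window that monitoring and callback detection must cover."""
    queue = []
    for req in requests:
        verdict, rule = decide(req, policy, now)
        if verdict != "deny" and rule != "authorized-hash":
            queue.append((req.sha256, rule))
    return queue

# Constructed sample data: a locked-down kiosk policy, a flexible desktop
# policy, and one unsigned binary first seen two hours ago.
NOW = datetime(2017, 1, 10, 12, 0)
KIOSK = Policy(allowed_hashes={"aa11"})
DESKTOP = Policy(allowed_hashes={"aa11"}, trusted_publishers={"Example Corp"},
                 trusted_installers={"deploy-agent.exe"},
                 trusted_users={"it-admin"}, grace=timedelta(hours=8))
UNKNOWN = ExecRequest("ff99", None, "browser.exe", "alice", NOW - timedelta(hours=2))
```

The same unknown binary is denied under `KIOSK` and runs under `DESKTOP` until the grace period lapses; `review_queue` lists exactly those looser approvals so they can be authorized or investigated.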
