Host Protection Capabilities and Overview
  • 14 Sep 2023


About this Article
This article introduces VSP Host Protection and outlines its workflow at a high level.
Throughout, the term executables covers processes, libraries and scripts.


The host security module is the foundation of VSP server workload protection: it ensures that only authorized, trusted and safe executables run on a server, so that an unknown binary, including one carrying a zero-day payload, is blocked before it ever executes. This stops most kill chains at the initial execution stage and leaves no room for post-exploitation tooling to run.

This feature protects the executables on an end point. The Probe (the VSP agent installed on the host) builds a profile of the executables present, either as a snapshot at a specific point in time or by observing the host over a period of time; executable information can also be imported from a template. Host monitoring runs in one of two modes: Detect, which reports violations, and Protect, which also blocks them.


Workflow

The workflow at a high level is provided below:

  1. Create a Host Profile (for VMs) or a Host Template (for containers)
  2. Configure an App Control Policy (optional): controls the dynamic execution of otherwise genuine binary applications
  3. Associate Hosts (VMs only): associate the required VM hosts with the profile if this was not done during Probe installation
  4. Monitor: incidents are reported on the CMS with details of the attack or threat; the Dashboard and Reports are the other ways to monitor VSP Host Protection


Protection Capabilities

Executable Allow Listing

Virsec’s Executable Allow Listing defines the complete set of executables permitted to run on a host.

  • Trustworthiness is established on two axes: pristineness, verified against trusted publishers (the file is the unmodified artifact its publisher shipped), and reputation, looked up in Virsec’s reputation database
  • A system-wide allow list for executables is established and enforced on the basis of that trustworthiness
  • Deviations are monitored at run-time, and any executable that has been added or modified since the profile was taken is mitigated


Application Control Policy

Executable Allow Listing ensures that only trusted, safe executables can run on a server workload. Application Control Policies (ACP) go one step further: they constrain how those allow-listed executables may be used, so that a malicious actor cannot turn a trusted binary into a defense-evasion tool and compromise the workload with it.

Typical threats that Application Control Policies are used to stop:

  • Script-based attacks
  • Living-off-the-land attacks (abuse of trusted, already-present binaries)
  • Defense evasion techniques
  • Collection of critical data
  • Lateral movement
  • Persistence
  • Remote code execution

Application Control Policies allow the user to:

  • Enforce dynamic execution control on allow-listed executables to stop living-off-the-land attacks
  • Block malicious activity performed through otherwise trusted operating-system executables
  • Enforce parent-child process controls to stop remote code execution and lateral movement
  • Add runtime controls that allow or disallow a binary application to spawn child processes, scoped to that application
  • Enforce per-user access controls on binaries through a process allow list or deny list, so that either only a specific set of users may run a defined set of applications, or a specific set of users are always denied running them
  • Control the command line of a defined set of binaries, so that:
    • only specified command-line arguments and flags are allowed
    • specified risky command-line arguments and flags are denied
  • Block a binary application from running under all circumstances, even when it is generally trusted
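The two layers described above (the allow list built from the host profile, and the Application Control Policy rules applied on top of it) can be modelled as a single decision function over process-launch events. The block below is an added illustration written for this article; it is not Virsec VSP's policy format or engine, and the executable paths, file contents, policy rules and launch events are all constructed. It checks, in order, that the executable is in the profile and unmodified (allow listing), then the unconditional deny, parent-child, per-user and command-line-argument rules (ACP), and shows how Detect mode reports what Protect mode would block.

```python
"""Toy allow-list plus application-control evaluator.

Added illustration only: this is not Virsec VSP's policy format or
engine, and the paths, file bytes, policy rules and events are constructed.
"""
import hashlib
from dataclasses import dataclass, field

# Constructed executables captured when the host profile was built (path -> bytes).
BASELINE_FILES = {
    "/usr/bin/bash": b"ELF bash 5.2",
    "/usr/bin/curl": b"ELF curl 8.4",
    "/usr/bin/python3": b"ELF python 3.11",
    "/usr/bin/telnet": b"ELF telnet",
    "/opt/app/server": b"ELF app server",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allow_list(files: dict) -> dict:
    """Host profile: every executable seen at profile time, keyed by path, with its hash."""
    return {path: sha256_hex(content) for path, content in files.items()}


@dataclass(frozen=True)
class ExecEvent:
    path: str          # executable being launched
    content: bytes     # file bytes as read at exec time (constructed)
    parent: str        # path of the parent process
    user: str          # account launching it
    args: tuple = ()   # command-line arguments


@dataclass
class AppControlPolicy:
    # Trusted binaries that must never run on this workload.
    always_deny: set = field(default_factory=set)
    # child path -> parent paths allowed to spawn it (absent child: any parent).
    allowed_parents: dict = field(default_factory=dict)
    # path -> users who may never run it.
    denied_users: dict = field(default_factory=dict)
    # path -> command-line flags that are refused (compared case-insensitively).
    denied_flags: dict = field(default_factory=dict)


def decide(event: ExecEvent, allow_list: dict, policy: AppControlPolicy, mode: str = "protect"):
    """Return (verdict, reason). Allow-list checks run first, then ACP rules.

    mode="protect" blocks violations; mode="detect" only reports them (ALERT).
    """
    deny = "BLOCK" if mode == "protect" else "ALERT"
    expected = allow_list.get(event.path)
    if expected is None:
        return deny, "not in allow list (added executable)"
    if sha256_hex(event.content) != expected:
        return deny, "hash differs from profile (modified executable)"
    if event.path in policy.always_deny:
        return deny, "binary denied unconditionally by policy"
    parents = policy.allowed_parents.get(event.path)
    if parents is not None and event.parent not in parents:
        return deny, f"{event.parent} may not spawn {event.path}"
    if event.user in policy.denied_users.get(event.path, set()):
        return deny, f"user {event.user} denied for {event.path}"
    refused = policy.denied_flags.get(event.path, set())
    hit = [a for a in event.args if a.lower() in refused]
    if hit:
        return deny, f"risky argument {hit[0]} refused for {event.path}"
    return "ALLOW", "trusted executable, policy satisfied"


# Constructed policy: the web server must not spawn a shell, www-data must not
# run python3, curl must not write downloads to disk, telnet never runs.
POLICY = AppControlPolicy(
    always_deny={"/usr/bin/telnet"},
    allowed_parents={"/usr/bin/bash": {"/usr/bin/sshd", "/usr/bin/login"}},
    denied_users={"/usr/bin/python3": {"www-data"}},
    denied_flags={"/usr/bin/curl": {"-o", "--output"}},
)

# Constructed launch events: one benign, then one violation per rule.
EVENTS = [
    ExecEvent("/usr/bin/bash", b"ELF bash 5.2", "/usr/bin/sshd", "admin"),
    ExecEvent("/usr/bin/bash", b"ELF bash 5.2", "/opt/app/server", "www-data", ("-c", "id")),
    ExecEvent("/tmp/.x/miner", b"ELF miner", "/usr/bin/bash", "www-data"),
    ExecEvent("/usr/bin/curl", b"ELF curl 8.4 (patched)", "/usr/bin/bash", "admin"),
    ExecEvent("/usr/bin/curl", b"ELF curl 8.4", "/usr/bin/bash", "admin", ("-O", "http://198.51.100.7/p")),
    ExecEvent("/usr/bin/python3", b"ELF python 3.11", "/usr/bin/bash", "www-data", ("-c", "print(1)")),
    ExecEvent("/usr/bin/telnet", b"ELF telnet", "/usr/bin/bash", "admin"),
]


def run_demo(mode: str = "protect") -> list:
    """Evaluate every constructed event; returns the list of verdicts in order."""
    allow_list = build_allow_list(BASELINE_FILES)
    return [decide(e, allow_list, POLICY, mode)[0] for e in EVENTS]


if __name__ == "__main__":
    allow_list = build_allow_list(BASELINE_FILES)
    for e in EVENTS:
        verdict, reason = decide(e, allow_list, POLICY)
        print(f"{verdict:5} {e.path:<18} {reason}")
```

The ordering matters: an executable that is absent from the profile or whose hash has changed is rejected before any policy rule is consulted, which is what makes a dropped or trojaned binary fail regardless of who launches it or how. Only executables that pass the allow list reach the parent-child, user and argument rules, matching the description above of ACP as control over otherwise trusted binaries.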
