- 14 Sep 2023
- 2 Minutes to read
Host Protection Capabilities and Overview
- Updated on 14 Sep 2023
- 2 Minutes to read
The term executables is used to indicate processes, libraries and scripts.
The host security module of VSP forms the foundational aspect of the server workload protection by ensuring that only authorized, trusted and safe executables are running on a server, thereby ensuring that even zero-day threats are blocked immediately from execution. This stops a large majority of kill chains at the initial stage of the typical attack kill chain itself, not leaving any room for post-exploitation execution.
This feature of VSP protects end-point executables. It collects the profile of a Probe at a specific point in time or over a period of time. It also provides an option to import executable information from a template. VSP provides two modes of host monitoring – Detect and Protect.
The workflow at a high level is provided below:
- Create a Host Profile (for VM) or Host Template (for Containers)
- Configure App Control Policy (Optional) - To allow control over the dynamic execution of otherwise genuine binary applications
- Associate Hosts (VM only) - Associate the required VM hosts if not done during Probe installation
- Monitor - Incidents are reported on the CMS with relevant information about the attack/threat. Dashboard and Reports are the other ways to monitor VSP Host Protection
Executable Allow Listing
Virsec’s Executable Allow Listing defines all the executables allowed to execute.
- Trustworthiness is established by verifying the pristineness based on trusted publishers and reputation based on our reputation database
- Establish and enforce system-wide allow-listing for executables based on trustworthiness
- Monitor deviations during run-time and mitigate any instances of executables that have been added or modified
Application Control Policy
Executable Allow Listing capability of VSP ensures that only the executables that are trusted and safe can execute on the server workloads. Application Control Policies (ACP) ensure that malicious actors cannot leverage advanced defense evasion techniques to compromise a workload.
Typical use cases for Application Control Policies are:
- Script-based attack prevention
- Living-off-the-land attack prevention
- Protection against defense evasion techniques
- Critical data collection
- Lateral movement prevention
- Protection against persistence
- Remote-code execution
Application Control Policies allow the user to:
- Enforce dynamic execution control on allow-listed executables to stop living-off-the-land attacks
- Block malicious activities from the otherwise trusted operating system-related executables
- Enforce parent-child process controls to stop RCE and lateral movement
- Add additional runtime controls to allow/disallow binary applications to spawn child processes within the scope of the binary application
- Enforce additional access controls on binaries via allow or deny list for processes so that either a specific set of users are allowed to run a defined set of applications or a specific set of users are always denied running a defined set of applications
- During the execution of a defined set of binaries:
- Enforce specific command-line arguments and flags are allowed
- Some risky command-line arguments and flags are denied
- Block binary applications from running under all circumstances, even if they are generally trusted