- 28 Oct 2024
Trust Blade Engines
- Updated on 28 Oct 2024
Introduction
In a workload server environment, there are different types of executables (processes, libraries and scripts), which can be first-party code (developed by customers), third-party code or Operating System drivers. When VSP is installed, it first scans all these executables and determines a Trust Score for each of them. This is achieved through a series of Trust Blade Engines described in this article. Based on these Trust Scores, VSP determines whether each executable is allowed to execute or must be blocked.
Trust Score
An Application Trust Score is a metric used to measure the credibility and trustworthiness of application packages, executables (processes, libraries and scripts), OS drivers and locally compiled files present in a workload server environment.
At Virsec, we measure the Trust of the above packaged and non-packaged code on workloads as a multiplier of Provenance, Integrity and Authorization, on a scale of 1 to 100.
Trust Blades
Trust Blade Engines consist of the components below, with the highest fidelity given to the Provenance blades and the lowest to the Integrity blade. They are described in detail in this section.
The Trust Blade Engines are based on the three major factors below:
- Provenance: This refers to the origin of the file. This is the first Blade and carries the highest Trust Scores.
  - Trusted Publisher Certificate: The trusted certificates issued by publishers are used to determine the Trust Score.
  - Windows SFC Signature: SFC certificates of the Windows OS files and drivers are used to determine the Trust Score.
  - ISV Provenance: Virsec Global TrustHub is a common repository for third-party code that is expanded continuously using nightly processes to provide maximum coverage for common OS files. If any third-party package does not have a match in our Global TrustHub, it triggers an email to the Hub Admin with the package information. This package is then added to the global repository.
    NOTE: RHEL packages are fully available as part of the Global TrustHub. The packages for other Operating Systems are being added.
  - Customer Repo Provenance: Virsec Enterprise TrustHub is generated from a customer's repository as a list of executables with their checksum values that are inherently trusted. This is specific to each customer.
- Authorization: This is the second Blade and carries high Trust Scores.
  - Deemed Safe by Customer: The customer authorizes the packages that can execute on the workloads in CMS by adding them to the allowlist.
- Integrity: This is the last Blade and carries the lowest Trust Scores.
  - Reputation Analysis: This is performed using Virsec Threat Intelligence Service or VirusTotal, whichever is configured on CMS. The reputation received from them is used to allowlist the packages or block them from execution.
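The blade ordering above can be sketched as a checksum lookup that falls through from the highest-trust source to the lowest. This is an added example, not Virsec code. Assumptions: SHA-256 is used as the checksum, the allowlist and reputation feed are keyed by digest, files unknown to every blade are blocked, and all function names and sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream the file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(repo: Path) -> set[str]:
    """Checksums of every file in the customer's repository (trusted by origin)."""
    return {sha256_of(p) for p in repo.rglob("*") if p.is_file()}

def evaluate(path, manifest, allowlist, reputation):
    """Return (blade, decision); blades are tried from highest to lowest trust."""
    digest = sha256_of(path)
    if digest in manifest:                 # Provenance: matches customer repo
        return ("provenance", "allow")
    if digest in allowlist:                # Authorization: deemed safe by customer
        return ("authorization", "allow")
    verdict = reputation.get(digest)       # Integrity: None if the feed has no record
    if verdict == "clean":
        return ("integrity", "allow")
    return ("integrity" if verdict else "none", "block")  # assumed default: block

def demo():
    """Constructed sample files; returns {file name: (blade, decision)}."""
    with tempfile.TemporaryDirectory() as tmp:
        repo, host = Path(tmp) / "repo", Path(tmp) / "host"
        repo.mkdir()
        host.mkdir()
        (repo / "app.bin").write_bytes(b"build-1.0")
        (host / "app.bin").write_bytes(b"build-1.0")        # identical to repo copy
        (host / "tampered.bin").write_bytes(b"build-1.0!")  # one byte appended
        (host / "tool.sh").write_bytes(b"#!/bin/sh\necho hi\n")
        (host / "dropper.bin").write_bytes(b"unknown")
        manifest = build_manifest(repo)
        allowlist = {sha256_of(host / "tool.sh")}
        reputation = {sha256_of(host / "tampered.bin"): "malicious"}
        return {p.name: evaluate(p, manifest, allowlist, reputation)
                for p in sorted(host.iterdir())}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Because matching is on content rather than file name, the modified copy of the repository binary no longer matches the manifest and falls through to the lower blades.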