TrustHub Introduction
  • 12 Nov 2024

About this Article
This article provides an introduction to Virsec TrustHub and its types.


Virsec TrustHub is the repository used to determine the Trust Score of executables discovered on workloads. The TrustHub components are part of the Trust Blade Engines (Blades 1c and 1d) associated with Provenance.

Through TrustHub, Virsec aims to cover all the packages that may exist in the workloads:

  1. First-party code that is developed by the customer, and any (third-party general or customized) code that the customer owns through their vendors (ensure that this code is provided to Virsec)
  2. Third-party code from the customer's vendors (ISV-provided code that exists on the workloads)
NOTE
  • Virsec does not store any code in our TrustHub repository. Only metadata related to the packages is stored, which makes it possible to determine which files are trusted
  • A third-party unpacker service is utilized to unpack packages with various file formats


Trust in Supply Chain

  1. ISV Repository - Virsec Global TrustHub is a common repository for third-party code that is expanded continuously using nightly processes to provide maximum coverage for common OS files. If a third-party package does not have a match in our Global TrustHub, an email with the package information is sent to the Hub Admin. The package is then added to the global repository.
  2. Customer Repository - Enterprise TrustHub is a customer-specific repository for the customer's own code. It can be expanded by providing the code repository information in CMS.
  3. Workload - Maintenance Mode is an intermediate mode for configured hosts. In this mode, the probe goes into an “observer” state, allowing the execution of new packages during the change control window. No incidents are reported and new executables are automatically added to the allowlist.
  4. Sandbox Analysis (Work in Progress) - Trust Scores for executables are determined based on the execution of the files in a Sandbox environment.
  5. Auto-Allowlist - When this option is enabled, files with a Trust Score equal to or above the Trust threshold value configured in the Host Profile are automatically allowlisted for the workload.


TrustHub in Action

This section walks through how TrustHub works, as a workflow:

  1. Whenever a package is discovered on a workload or repository, the Trust Score determined by the Trust Blades Engines decides whether the package is allowlisted
  2. In cases where the TrustHub determines that the package is safe, the reason in the allowlist is displayed as "Trusted by TrustHub". This can be viewed in Host Profile > Edit Allowlist
    1. Hover the mouse over the Trust Score indicator to view it
    2. Alternatively, click on the required allowlist entry
  3. In a scenario where the file is not trusted, a validation is performed on the package. If the file is not found to be safe:
    1. It is not allowed to execute if PROTECT mode is enabled
    2. A corresponding incident is reported
  4. If the validation is successful, depending on the executable and requirement, it can be added to either the Enterprise TrustHub (through Trusted Repositories) or the Global TrustHub (through the Virsec team). The added entries are scanned and updated once every 24 hours through an automated process
    1. Before this 24-hour period completes, the package is NOT added to the allowlist and the status is shown as "Pending"
  5. Once the entries are updated:
    1. The package is added to the allowlist
    2. It is allowed to execute and no incidents are reported
    3. Existing incidents related to the package are auto-acknowledged


