Carbon Black Protection uses automated software execution controls to make servers more secure. This is done by strict enforcement of organizational software execution policies. For this to be effective, sysadmins need to pay close attention to how they install software on their servers, and use the following methods to automate the approval of new software.
Deliver software through a trusted installer
It is very effective to package and deploy new required software with BigFix or SCCM. If new software deployments are packaged for delivery by an installation mechanism Cb Protection recognizes as trusted, then approvals are automatic. This approach scales well across large numbers of systems. You may first need to create a custom rule for your trusted installer, and add it to your organization’s enforcement policy.
Pre-approve by first deploying in a Development environment
Software deployments can be manually pre-approved by using a test environment. Model your production environment in a development environment, but without any High Risk Data. With Cb Protection in Visibility mode, all file system activity is logged, but not blocked. Deploy your software, then use the admin console to find the event logs for New Unapproved File Traffic, and approve the activity.
Approval using Local Approval Mode
With this approval mechanism, the primary sysadmin has management privileges in the Cb Protection console, and creates custom rules to control dynamically generated content. Application admins have sufficient admin console rights to move their development machines into Local Approval Mode during maintenance windows. After installations, the admin console is used to identify the file activity events associated with the upgrades, and to create file rules to control this content across the organization’s policies. This method allows production machines hosting High Risk Data to remain in High enforcement mode.
Approval by hash for large manual install packages
Large software installer packages can be manually approved by hash as Trusted Installers. When moved to systems and executed, these installers will be permitted to run, and the files these installers create will be automatically approved. Any sub-installers Cb Protection identifies will inherit approval as Trusted Installers. This approach is less desirable, because Cb Protection does not reliably identify sub-installers as Trusted Installers.