This blog post was written by Teresa Wingfield.
In a previous blog, we talked about how McAfee Application Control uses local and global intelligence to simplify whitelist updates and briefly mentioned our Dynamic Trust Model. Now, let’s take a deeper look at the flexibility our Dynamic Trust Model offers to automatically update whitelists based on four trusted updaters as shown in the following diagram.
DYNAMIC TRUST MODEL
To better understand the value of McAfee Application Control’s Dynamic Trust Model, let’s begin with Trusted Processes. These include applications that frequently create or update other applications. Once a process is marked as an updater, all applications that it creates or modifies are automatically whitelisted. For example, provisioning tools such as Microsoft System Center Configuration Manager (SCCM) and Puppet Enterprise are obvious candidates for a Trusted Process.
Finding Trusted Processes is easy. McAfee Application Control prepackages common updaters and comes with a discovery tool known as Observation Mode to find uncommon updaters. We usually recommend that customers turn on Observation Mode and put their system through its regular workload so that McAfee Application Control can automatically suggest new updaters that are needed in your enterprise.
Trusted Certificates are the second way you can trust new applications. You can trust applications from a known vendor. Or, another popular use case is self-signing where you create your own internal certificates and sign your applications with them.
Trusted Directories are used to indicate trusted programs in remote file shares. McAfee Application Control offers the option to make files in Trusted Directories updaters.
For Trusted Users, our Dynamic Trust Model offers three ways for allowing users to update whitelists:
- IT administrators can be configured as a trusted administrator so that all of their changes are permitted. Active Directory integration makes it easy to find and import these users.
- Advanced users can be given the privilege to approve non-whitelisted applications. This is best suited for users/systems who make frequent changes. The administrator can audit these self-approvals and accept or reject them after review.
- End user notifications allow any end user to request approval for a blocked application through email which the administrator can accept or reject. If the administrators approves the request, the email has a direct link to the application to automate policy creation in McAfee ePolicy Orchestrator, a centralized console for managing McAfee solutions.
Using a Dynamic Trust Model, keeping whitelists up-to-date doesn’t have to be a time consuming and labor-intensive process. Click here to learn more about how McAfee Application Control puts whitelisting on autopilot. For all of our latest industry updates, follow us on Twitter at @McAfee.