Phase 3: Define Trusted Change Policies
Create policies that support Trusted Change on your endpoints. These policies automate whitelist maintenance and reduce the burden of managing software changes in your environment. Investing time into creating sufficient policies is key to successfully implementing Application Control.
In this phase you will:
-
Review the applications in your environment and develop strategies for how to support change in the applications
-
Refrain from placing endpoints into lockdown until after you have defined policies
-
Define Trusted Change policies including Trusted Updater, Trusted Publisher, and Trusted Path policies
-
Communicate with users so that you understand which applications they use and how to update them. See Appendix 2 for sample end user communications.
Develop a Change Management Strategy
You should develop a strategy for managing changes and updates to the applications in your environment, including determining which applications you will allow users to update themselves and which applications you will update centrally.
You can approach change management in two ways:
-
Use the Easy Auditor logs, which tell you when changes have occurred on your endpoints. Then you can determine how to manage the change with policies.
-
Identify applications that you know are going to change and put policies in place proactively.
In this phase we assume that you have already run the Easy Auditor scan, but you can also define policies prior to using Easy Auditor. Once the initial endpoints are scanned and you have created policies for them, you should apply these policies to additional endpoints before you scan them with Easy Auditor. Applying policies reduces the number of Easy Auditor log events that you need to review, since the Easy Auditor: Applications Blocked When Enforcement is Enabled log query only creates logs for executed files that are not on the whitelist or are not covered by a Trusted Change policy.
Don't Put Endpoints into Lockdown Just Yet
It's important that you create Trusted Change policies for your endpoints before putting your endpoints into lockdown. After creating your policies, spend at least one month monitoring the Application Event logs for any additional changes not already accounted for in the existing policies. This monitoring period should include at least one Patch Tuesday and, ideally, a major event like quarter-end. You need this time to validate that policies are working correctly because some applications may only make updates once per month or less frequently.
Bottom line: Resist putting endpoints into lockdown until you have policies in place to support changes in the endpoints' applications. Otherwise, when the applications update they will be blocked from executing, since the updated files are not on the endpoint whitelist.
Types of Trusted Change Policies
You can use the following Trusted Change policies to manage change in the applications in your environment. The following sections explain each policy in detail.
-
Trusted Updater: allows you to install and automatically authorize software patches or new applications without additional overhead.
-
Trusted Publisher: automatically authorizes software installers, updates, and new applications to execute when they have been signed by trusted certificates.
-
Trusted Path: authorizes applications to run based on their location instead of adding them to a whitelist.