What is Bit9 Parity and Application Whitelisting?

What is Bit9 Parity?

This product is the recognized leader in Application Whitelisting.

What is Application Whitelisting?

Whitelisting is the ability to control file execution based upon a list of approved file hashes. The file hashes used by Bit9 (MD5, SHA-1, SHA-256) are extremely accurate in identifying a specific version of a file, whereas simple name and path pattern matching is easily spoofed and circumvented, and leaves little ability to identify the version and other important characteristics of the file in question. Whitelisting takes the ‘Default Deny’ stance that we are all familiar with in the security realm. The vast majority of security systems, from firewalls to authentication mechanisms, take this position, while technology that tends to lag and is less effective, such as IDS and AV, takes the Default Allow approach. You would never protect your house by maintaining a list of all the known bad people in the world…

What is a Hash?

A hash is a one-way mathematical function that creates a single, unique, fixed-length output from a variable-length input. This means that if we hash a specific file such as Application.dll, which happens to be version 4.3.2.167 of this DLL, it will produce a fixed-length output whose length depends on the hash type, for example:

MD5: 1C7A843CF8FAE4FD8B043934522CD12F
SHA-1: 4F9B72D9751F534D10CD3C17D15B11373D12787E
SHA-256: F5072CA93D7D9C2A3C8596A84F323A260B8115344B03554AAAA85C6C2048F378

This means that if this file were changed in any way at all (even a single bit within the file), all three hashes above would differ from what we had previously computed. This allows us to guarantee with 100% certainty that it is not the same file, and that it is potentially suspect.
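The two points made so far, that a one-bit change alters every digest and that a hash-based list cannot be fooled by a file name the way a path-based list can, are easy to demonstrate. The following is an added example written for this page, not Bit9 code; the DLL contents are a constructed byte string (the hash values listed above belong to a real file we do not have, so they are not reused), and `PathWhitelist` is a deliberately naive stand-in for the name-and-path matching the text warns against.

```python
import hashlib

ALGORITHMS = ("md5", "sha1", "sha256")

# Constructed stand-in for Application.dll 4.3.2.167; not a real PE file,
# just enough bytes to hash and to tamper with.
SAMPLE_DLL = b"MZ\x90\x00" + b"Application.dll 4.3.2.167 " + bytes(range(256)) * 4


def hash_bytes(data: bytes) -> dict:
    """Hex digests of data under every algorithm, uppercase like the page lists them."""
    return {name: hashlib.new(name, data).hexdigest().upper() for name in ALGORITHMS}


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Copy of data with exactly one bit toggled (the smallest possible change)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def all_digests_differ(a: dict, b: dict) -> bool:
    """True when every algorithm's digest changed between the two hash sets."""
    return all(a[name] != b[name] for name in ALGORITHMS)


class PathWhitelist:
    """The weak approach: approve by file path, which says nothing about content."""

    def __init__(self, approved_paths):
        self.approved = set(approved_paths)

    def allows(self, path: str, data: bytes) -> bool:
        return path in self.approved  # content is never inspected


class HashWhitelist:
    """Default Deny: execution is allowed only if the content hash is on the list."""

    def __init__(self, approved_sha256):
        self.approved = {h.upper() for h in approved_sha256}

    def allows(self, path: str, data: bytes) -> bool:
        return hash_bytes(data)["sha256"] in self.approved  # path is irrelevant


def compare_whitelists() -> dict:
    """Run both approaches against a tampered copy at the approved path and an
    untouched copy at a different path. Returns (path_verdict, hash_verdict) pairs."""
    good_path = r"C:\Program Files\App\Application.dll"
    other_path = r"C:\Temp\renamed.dll"
    original = hash_bytes(SAMPLE_DLL)
    tampered = flip_bit(SAMPLE_DLL, 777)  # one bit in byte 97 toggled

    by_path = PathWhitelist([good_path])
    by_hash = HashWhitelist([original["sha256"]])
    return {
        # Overwriting the approved file in place fools the path list, not the hash list.
        "tampered_same_path": (by_path.allows(good_path, tampered),
                               by_hash.allows(good_path, tampered)),
        # The genuine file is still the genuine file wherever it sits.
        "original_renamed": (by_path.allows(other_path, SAMPLE_DLL),
                             by_hash.allows(other_path, SAMPLE_DLL)),
    }


if __name__ == "__main__":
    before, after = hash_bytes(SAMPLE_DLL), hash_bytes(flip_bit(SAMPLE_DLL, 777))
    for name in ALGORITHMS:
        print(f"{name:7} {before[name]}\n        {after[name]}  (after one bit flipped)")
    print(compare_whitelists())
```

Note that every digest keeps its fixed length (32, 40 and 64 hex characters) whether the input is empty or many megabytes, which is what lets an agent store and compare them cheaply.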

How can Whitelisting prevent Day Zero attacks?

Whether an attack is Day Zero or a known attack is not important to the Bit9 Parity agent. Whitelisting works by maintaining a list of known-good applications, as determined by the administrator of the enterprise with help from the Parity Knowledge service. Files marked as whitelisted are allowed to execute, and files marked as banned are explicitly denied. When an attack attempts to drop new files onto a protected system or overwrite existing ones, those files are simply prevented from executing, leaving the system unaffected by the attack. It does not matter how a file gets onto the system, only that it is not approved.

What about new files that are not explicitly banned or allowed?

From an attack perspective, this is exactly what we want to prevent, so these files, depending on the policy configuration, will be either monitored and allowed, outright denied, or presented to the user to make the decision. It is quite simply the administrator’s decision how to handle this scenario.

What about the ongoing management of this whitelist?

Bit9 has created a concept called ‘Trust’ which makes whitelisting a viable and manageable solution for companies today. Trust is the ability of the administrator of the solution to determine and pre-approve specific mechanisms in your organization that can install or approve software, based on definable characteristics. As examples, you can pre-approve installation packages from BigFix, SMS or Altiris; files signed with specific code-signing certificates, such as files signed by Microsoft; files installed by auto-updaters such as Adobe and Webex; and files installed by specific user and group accounts. The concept of trust allows your systems to function as expected on an ongoing basis while still maintaining control of the systems with your whitelisting solution.
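The last three answers describe one decision flow: a file is banned, approved or unknown; unknown files fall under the administrator's policy (monitor, deny or prompt); and trust rules pre-approve files at the moment they arrive based on who installed or signed them. The model below is an added example written for this page, not Parity's agent or console code. Its class and field names, the idea that trust is evaluated when a file is written rather than when it runs, and the representation of signers, installers and accounts as plain strings are all assumptions made to keep the example small; the hash values are constructed placeholders.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set


class FileState(Enum):
    APPROVED = "approved"
    BANNED = "banned"
    UNKNOWN = "unknown"   # neither explicitly approved nor banned


class UnknownPolicy(Enum):
    MONITOR = "monitor"   # allow the execution but record it
    DENY = "deny"         # block it outright
    PROMPT = "prompt"     # hand the decision to the logged-on user


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    PROMPT = "prompt"


@dataclass(frozen=True)
class FileInfo:
    sha256: str
    path: str
    signer: Optional[str] = None       # code-signing certificate subject, if signed
    installer: Optional[str] = None    # deployment tool or auto-updater that wrote the file
    written_by: Optional[str] = None   # account that wrote the file


@dataclass
class TrustRules:
    """Pre-approved mechanisms; each set holds names the administrator chose to trust."""
    installers: Set[str] = field(default_factory=set)   # e.g. BigFix, SMS, Altiris, updaters
    signers: Set[str] = field(default_factory=set)      # e.g. a Microsoft signing certificate
    accounts: Set[str] = field(default_factory=set)     # user or group accounts allowed to install

    def match(self, f: FileInfo) -> Optional[str]:
        """Name of the trust rule that approves f, or None if no rule applies."""
        if f.installer in self.installers:
            return f"installer:{f.installer}"
        if f.signer in self.signers:
            return f"signer:{f.signer}"
        if f.written_by in self.accounts:
            return f"account:{f.written_by}"
        return None


@dataclass
class Agent:
    unknown_policy: UnknownPolicy
    trust: TrustRules = field(default_factory=TrustRules)
    approved: Set[str] = field(default_factory=set)   # whitelisted hashes
    banned: Set[str] = field(default_factory=set)     # explicitly banned hashes
    events: List[str] = field(default_factory=list)   # audit trail for the console

    def state_of(self, f: FileInfo) -> FileState:
        if f.sha256 in self.banned:        # an explicit ban always wins
            return FileState.BANNED
        if f.sha256 in self.approved:
            return FileState.APPROVED
        return FileState.UNKNOWN

    def on_file_written(self, f: FileInfo) -> FileState:
        """Trust is applied when the file arrives; it never overrides a ban."""
        state = self.state_of(f)
        rule = self.trust.match(f)
        if state is FileState.UNKNOWN and rule:
            self.approved.add(f.sha256)
            self.events.append(f"approved {f.path} via trust rule {rule}")
            return FileState.APPROVED
        self.events.append(f"new file {f.path} is {state.value}")
        return state

    def on_execute(self, f: FileInfo) -> Verdict:
        state = self.state_of(f)
        if state is FileState.BANNED:
            self.events.append(f"blocked banned file {f.path}")
            return Verdict.BLOCK
        if state is FileState.APPROVED:
            return Verdict.ALLOW
        # Unknown file: how it got here is irrelevant, the configured policy decides.
        if self.unknown_policy is UnknownPolicy.DENY:
            self.events.append(f"blocked unapproved file {f.path}")
            return Verdict.BLOCK
        if self.unknown_policy is UnknownPolicy.PROMPT:
            self.events.append(f"prompted user for {f.path}")
            return Verdict.PROMPT
        self.events.append(f"monitored execution of unapproved file {f.path}")
        return Verdict.ALLOW


def build_demo_agent(policy: UnknownPolicy) -> Agent:
    """Agent with constructed trust rules and one constructed banned hash."""
    trust = TrustRules(installers={"BigFix"},
                       signers={"CN=Microsoft Corporation"},
                       accounts={"CORP\\SoftwareDeployers"})
    return Agent(unknown_policy=policy, trust=trust, banned={"B" * 64})


if __name__ == "__main__":
    agent = build_demo_agent(UnknownPolicy.DENY)
    pushed = FileInfo("A" * 64, r"C:\Program Files\App\app.exe", installer="BigFix")
    dropped = FileInfo("C" * 64, r"C:\Users\Public\dropper.exe")
    for f in (pushed, dropped):
        agent.on_file_written(f)
        print(f.path, "->", agent.on_execute(f).value)
    print("\n".join(agent.events))
```

Two properties of the flow are worth checking in the tests: a file that a trusted installer delivered is approved by hash, so copying it elsewhere later does not change its verdict, and a banned hash stays blocked even when it carries a trusted signature, because the ban is the more explicit decision.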