Effectively securing desktops and servers requires two tenants: Block the bad and control the good. Achieving security against threats comes quickly with Bouncer, as it immediately begins blocking the execution of unauthorized code. More broadly, the ability to control the execution of otherwise good but still unapproved software is where Bouncer delivers real value. Through the centralized management of application control, Bouncer efficiently controls what software can and cannot execute. By making it simple to define and enforce policies, Bouncer provides IT staff with an entirely new approach to application control and device control for easily and effectively achieving the perfect combination: User-friendly Windows lockdown and Business-friendly whitelisting.
Application Control Policies
Bouncer’s application control policies classify software into three categories:
- Approved software that has been officially authorized by IT (whitelisted)
- Banned software that is categorically prevented from running (blacklisted)
- New software that has not yet been seen, for which IT needs more information (graylisted)
Application control policies are then defined with respect to these categories. For example, your call center organization may be locked down, meaning no new software is allowed to run unless specifically pre-approved. On the other hand, a field support group may have a monitor-only policy, which means they can install and run new software, but IT has the ability to ban anything unwanted.
Bouncer then uses three core capabilities to maintain and enforce these policies:
Monitor software activity on each PC
Bouncer application control and device control software on each desktop constantly monitors the PC to identify any new software. When a file is written to the system disk, Bouncer calculates a cryptographic hash of its contents. This unique fingerprint assigns a definitive identity to the file, preventing software from using a different name or directory to circumvent policy.
Bouncer’s abilities to detect software that does’t properly register with Windows and to handle large amounts of this information without affecting system performance are two of the key technological advances pioneered by CoreTrace.
Analyze each software module
Each software module is then analyzed to determine if it should be trusted. Bouncer application control consults various sources for this assessment, such as your software deployment systems, policy tools, and digital certificates, among others. So, for example, any software that is rolled out through a deployment or patch management system could be automatically approved to run on desktops with no intervention by IT.
In this fashion, the vast majority of new files on your desktops are automatically approved (whitelisted) or banned (blacklisted). Those that remain are truly unknown (graylisted) and deserving of further investigation by IT before a permanent policy is associated with them.
Block it or let it run
At this point, CoreTrace application control enforces one or more policies to block banned software and let approved software run. Any software that has been classified as unknown can be blocked from running, depending on the policy of the host PC. This unknown software is also immediately fed back to the Bouncer Control Center, where it shows up in the Bouncer.
Administrators can then use Bouncer to learn where the software is and how it is spreading. Through its constant connection with cloud-based CoreTrace Reputation Service, the Bouncer Control Center receives context about the software — facts such as who published it, what products it came with, if it poses any security risk, and more.
Bouncer Components and Architecture
The Bouncer architecture is comprised of the following components:
Bouncer Control Center (BCC): This is a virtual appliance that is installed on a suitable virtual server using VMWare. The BCC ships turn-key with all the components you need to run it and features a powerful web interface with drag and drop technology designed to manage the installed agent base.
Bouncer Agent: The Bouncer agent is initially deployed by the BCC (or other traditional software deployment systems). It scans the endpoint upon installation and creates a definitive whitelist unique to that endpoint. Once the scan is complete, the system is ready to learn and ultimately be secured. The Bouncer agent maintains constant contact with the BCC. But should the endpoint be detached from network, not to worry. It is still protected against its definitive whitelist. The Bouncer agent is invisible on the desktop; no tray icons, no banner advertising, no pop-ups. Unless they are told, users of protected endpoints never know Bouncer is at work.
CoreTrace Reputation Service (CRS): CRS is a dual function, cloud-based information system. It plugs into the BCC in real-time and is used as needed to report on known good and known bad residing on the endpoint. It contains an ever-expanding database of several billion hashes of known good software, which the BCC uses to make comparisons to what is installed in your endpoints. It also contains intelligence to scan against several dozen malware scanning engines, allowing your files to be evaluated for possible threats. Combined, the CRS delivers immeasurable provenance to the Bouncer administrator about what is installed in your environment.