Hi,
By leveraging the technology used to detect software that is installed on the endpoints, it is possible to raise security alerts based on the detection of changes in the file system.
The next version of BigFix Inventory can provide data which can be used for that purpose.
Our next step is to use this data with White List and Black List mechanisms to provide the information which can be used to detect security exposures.
Let’s assume that a White List is a list of file names, sizes and file hashes calculated on some set of files.
All entries represent files that can legitimately exist in the infrastructure.
A Black List is a list of file names, sizes and file hashes calculated on some set of files, which represents files that are not allowed to exist in the infrastructure for any reason.
My understanding of how the White List concept can be used in BigFix Inventory is to collect file hashes (MD5 or SHA256 or both) in a stable environment which can be treated as a baseline, and save this collection as the initial White List.
Having that list, each subsequent scan will provide new hashes, which can be compared with the White List.
All deltas should be analysed and a decision should be made whether a delta should be used to modify or extend the White List, or used for construction or extension of a Black List. The Black List can also be obtained from external indicator of compromise (IoC) databases.
I would like to initiate a discussion on White and Black Lists - what is your experience in construction of such lists?
Should they be collected from external resources or created in the way I described above?
Do you know IoC databases that you would like to use to create the Black List?
Bogdan
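The baseline-and-delta procedure described in the post, as an added example that is not part of the original post and not BigFix Inventory code: a scan record is modelled as a (file name, size, SHA-256) triple, the first scan of a stable environment becomes the White List, and a later scan is split into known entries, Black List hits and deltas for review. The file names, contents and the Black List hash are constructed sample data.

```python
# Added example (not BigFix Inventory code): baseline White List, later
# scan, and delta classification as described in the post.
import hashlib
from typing import Dict, Iterable, List, Set, Tuple

Record = Tuple[str, int, str]  # (file name, size in bytes, SHA-256 hex)


def record(name: str, content: bytes) -> Record:
    """Build a scan record the way a file scanner would: size plus content hash."""
    return (name, len(content), hashlib.sha256(content).hexdigest())


def build_white_list(baseline_scan: Iterable[Record]) -> Set[Record]:
    """Initial White List: every record from the trusted baseline scan."""
    return set(baseline_scan)


def classify_scan(scan: Iterable[Record], white_list: Set[Record],
                  black_list: Set[str]) -> Dict[str, List[Record]]:
    """Split a later scan into known-good, known-bad and review-needed records.
    Black List matching is by hash only, so a renamed copy of a bad file is
    still caught; White List matching uses the full (name, size, hash) triple,
    so a legitimate file name whose content changed shows up as a delta.
    """
    result: Dict[str, List[Record]] = {"known": [], "blacklisted": [], "unknown": []}
    for rec in scan:
        if rec[2] in black_list:
            result["blacklisted"].append(rec)
        elif rec in white_list:
            result["known"].append(rec)
        else:
            result["unknown"].append(rec)
    return result


# Constructed sample data: a baseline scan, then a later scan in which one
# library changed, a new file appeared and a known-bad file was renamed.
BASELINE = [record("sshd", b"legit sshd build 1"), record("libc.so", b"libc 2.31")]
BAD_TOOL = b"constructed known-bad sample"
BLACK_LIST = {hashlib.sha256(BAD_TOOL).hexdigest()}  # e.g. hashes from an IoC feed
LATER_SCAN = [
    record("sshd", b"legit sshd build 1"),      # unchanged -> known
    record("libc.so", b"libc 2.31 patched"),    # content changed -> unknown delta
    record("report.txt", b"quarterly report"),  # new file -> unknown delta
    record("update.exe", BAD_TOOL),             # Black List hash -> alert
]

if __name__ == "__main__":
    verdict = classify_scan(LATER_SCAN, build_white_list(BASELINE), BLACK_LIST)
    for bucket, recs in verdict.items():
        print(bucket, [name for name, _, _ in recs])
```

The "unknown" bucket is the delta the post talks about: each entry is either promoted to the White List or, after investigation, its hash is added to the Black List.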