Deepening Endpoint Defense: Implementing Application Control and FIM (Activity 2.3.3)
We’re progressing through the Zero Trust Device pillar, establishing device inventory and health assessment (2.1.1), forging strong identities for devices and NPEs with PKI (2.1.2), integrating those NPEs with our IdP (2.1.3), and enforcing compliance-based network access via C2C (2.2.1). Now, we dive deeper into the security of the endpoints and service applications themselves by focusing on controlling execution and monitoring critical files. This brings us to Zero Trust Activity 2.3.3: Implement Application Control & File Integrity Monitoring (FIM) Tools.
This activity mandates that organizations procure and implement File Integrity Monitoring (FIM) and Application control (e.g., execution deny/allow listing, containment, isolation) solutions. These are critical preventative and detective controls that operate directly on the systems hosting data and running applications.
FIM’s role is to ensure any data altered is authorized, and unauthorized changes are detected, providing a layer of defense against tampering and data breaches.
Application control focuses on isolating any suspicious behavior or permissions to prevent any malicious lateral movement, expanding traditional execution containment to a more sophisticated level.
The activity explicitly links these capabilities to Comply to Connect (C2C) orchestration, demonstrating how device compliance can influence these controls, and emphasizes expanding the capabilities and response of traditional executable containment while highlighting the continued development of the Device, Data, and Application & Workload pillars.
The outcomes for Activity 2.3.3 highlight the successful deployment and integration of these tools:
- Application control and FIM tooling is implemented on all service applications and endpoint devices with C2C orchestration.
- Endpoint Detection and Response (EDR) tooling covers the maximum amount of service applications and endpoint devices.
The ultimate end state envisions a tightly integrated security ecosystem: Organizations deploy FIM and application control tooling in alignment with EDR, SOAR, and UEM. C2C orchestration and regular control audits and alerts are in place. This allows for automated defense and response driven by the combined intelligence of these security layers.
Solutions for Achieving Activity 2.3.3 Implement Application Control & File Integrity Monitoring (FIM) Tools
Implementing effective FIM and Application Control in alignment with Activity 2.3.3 increasingly points towards leveraging a comprehensive EDR solution that already provides both capabilities. This approach simplifies deployment, integration, and ongoing management compared to procuring disparate tools.
- File Integrity Monitoring (FIM) Tools:
  - What It Is: FIM tools monitor specific files and directories for changes (creations, deletions, modifications to content or permissions). They compare the current state of files against a known baseline and generate alerts on unauthorized alterations.
  - Solutions: Modern Endpoint Detection and Response (EDR) platforms have evolved significantly and now commonly include integrated FIM capabilities as part of their core offering. Dedicated FIM solutions also exist, but the most mature FIM solutions are part of a broader EDR platform. By selecting an EDR solution that provides these features, you can implement FIM using the same agent and management console as your endpoint detection and response.
- Application Control Solutions:
  - What It Is: Application control solutions regulate which applications are allowed to execute on a system. This can be based on allow lists (only trusted applications can run) or deny lists (block known malicious applications). More advanced capabilities include containment and isolation of suspicious processes or applications to limit their potential impact and prevent lateral movement.
  - Solutions: As with FIM, modern Endpoint Detection and Response (EDR) platforms have evolved significantly and now commonly include integrated Application Control capabilities as part of their core offering. Dedicated Application Control solutions also exist, but the most mature solutions are part of a broader EDR platform. By selecting an EDR solution that provides these features, you can implement Application Control using the same agent and management console as your endpoint detection and response.
- Integration and Orchestration:
  - Integrated EDR Capabilities: By using an EDR with built-in FIM and Application Control, the integration between these functions is inherent. The EDR’s threat intelligence and behavioral analysis can directly inform FIM alerts or trigger Application Control containment.
  - Use UEM to Deploy to Endpoints: Leverage your Unified Endpoint Management (UEM) solution to deploy the single EDR agent (which includes FIM and Application Control) to all your service applications and endpoint devices.
  - Ensure Your C2C Policy Checks for FIM and Application Control: Make sure your C2C policy includes the appropriate check that the endpoint is running the expected FIM and Application Control. For example, a non-compliant device (flagged by C2C) might automatically have stricter application control policies applied, have enhanced FIM monitoring enabled, or be denied connection.
  - Integration with SOAR: Connect FIM and Application Control alerts (in practice, all your EDR alerts when FIM and Application Control capabilities are part of your EDR solution) to your SIEM and Security Orchestration, Automation, and Response (SOAR) platform. This enables automated response actions based on detected unauthorized file changes or attempts to run unauthorized applications (e.g., isolate the device, trigger an investigation workflow).
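As an added illustration of the baseline-and-compare approach described under FIM above (example code written for this page, not from the original post or any vendor product): a minimal FIM pass that snapshots a constructed directory tree, simulates tampering, and reports created, deleted, modified, and permission-changed files. All file names and contents are constructed; a production agent would persist the baseline and feed these events to the EDR/SIEM.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def snapshot(root):
    """Record sha256 and permission bits for every regular file under root (the baseline)."""
    state = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and not path.is_symlink():
            mode = stat.S_IMODE(path.lstat().st_mode)
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = {"sha256": digest, "mode": mode}
    return state

def diff(baseline, current):
    """Compare a baseline snapshot with a fresh one; return sorted (relpath, change) events."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            events.append((rel, "created"))
        elif new is None:
            events.append((rel, "deleted"))
        else:
            if old["sha256"] != new["sha256"]:
                events.append((rel, "modified"))
            if old["mode"] != new["mode"]:
                events.append((rel, "permissions_changed"))
    return events

def demo():
    """Constructed sample tree: take a baseline, simulate tampering, then diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for sub in ("etc", "bin"):
            (root / sub).mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "tool").write_bytes(b"\x7fELF-constructed")
        os.chmod(root / "bin" / "tool", 0o755)
        baseline = snapshot(root)
        # Simulated unauthorized changes that an FIM agent should surface:
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # content modified
        os.chmod(root / "bin" / "tool", 0o777)                                # permissions changed
        (root / "etc" / "hosts").unlink()                                     # deleted
        (root / "etc" / "dropped.sh").write_text("#!/bin/sh\n")              # created
        return diff(baseline, snapshot(root))
```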
Key Items to Consider:
- Selecting a Capable EDR: Prioritize EDR solutions that have mature and comprehensive FIM and Application Control features that meet your specific security requirements.
- Defining Granular Policies: Establishing effective FIM policies requires carefully identifying critical files and directories to monitor. For application control, creating and maintaining accurate allow lists or deny lists is crucial, especially in dynamic environments.
- False Positives: Poorly configured FIM or Application Control can generate excessive alerts (false positives), overwhelming security teams. Careful tuning and baselining are essential.
- Integration with Existing Stack: Ensure the chosen EDR platform integrates effectively with your existing UEM, C2C/NAC, and SOAR solutions to enable the necessary orchestration and automated response.
- Managing Exceptions: A process for managing exceptions to application control policies (e.g., allowing a specific legitimate but untrusted application for a limited time) is necessary.
- Deployment and Management Scale: Deploying and managing FIM and Application Control across a large number of endpoints and service applications requires robust management tools (like UEM) and automation.
The Technical Buyer’s Deep Defense Mandate:
Activity 2.3.3 is about strengthening your endpoint and service application defenses with critical controls that prevent unauthorized execution and detect data tampering. For technical buyers, the most efficient and effective path to achieving this activity’s outcomes is often by selecting a comprehensive EDR solution that includes integrated FIM and Application Control capabilities, such as those offered by Trellix and other leading vendors. This integrated approach simplifies deployment and management. Successfully implementing this activity means leveraging your EDR platform to enforce granular application control and FIM policies, orchestrating these controls with your C2C solution, and integrating alerts with your SOAR platform for automated response. This moves you towards a more mature and proactive Zero Trust security posture, where your endpoints are actively defended against unauthorized changes and malicious code execution.
Pillar: Device
Capability: 2.3 Device Authorization with Real Time Inspection
Activity: 2.3.3 Implement Application Control and FIM Tools
Phase: Target Level
Predecessor(s): None
Successor(s): None