Whitelisting: Is It Good Enough To Replace Anti-Virus?

Whitelisting is good for ATMs, not so good for humans

While it’s relatively easy for an administrator to build a whitelist for a locked-down server with popular apps, it is much more difficult for a typical corporate or home PC user, argued Carey Nachenberg, a Symantec Fellow with the company’s security technology and response team.

“Users install millions of legitimate applications every day from literally hundreds of thousands of software vendors,” he noted. “Thus, it’s all but impossible for the average company, or for that matter even most security vendors, to maintain a comprehensive, up-to-date whitelist.”

Fighting malware, he continued, takes a hybrid approach that uses blacklisting and whitelisting, a strategy Symantec is calling “reputation-based security.”

“Just as consumers use ratings on Amazon.com to glean information for their shopping choices, we believe that application and URL reputation – derived from the wisdom of our tens of millions of opt-in customers – will ultimately help us identify and rank these millions of “long-tail” applications, both good and bad, that would otherwise be missed by both whitelisting and blacklisting approaches,” he said.

McAfee meanwhile just acquired SolidCore Systems a few weeks ago, which specialised in whitelisting technology for POS devices. According to statements by the company at the time, the purchase was in part meant to combine SolidCore’s dynamic whitelisting and real-time file integrity monitoring with the security and compliance management capabilities of McAfee ePolicy Orchestrator.

It’s not either-or

In the end, it is not an either-or situation for organisations, Gartner analyst John Pescatore opined: “What it really comes down to is needing both – block known bad with the same engine that allows only known good,” he said. “That will still be reactive – there will always be a “graylist” of apps/executable/browser helper objects/applets/ActiveX/Javascript/etc that aren’t on either list. That’s where application control approaches… are needed to deal with the increasing problem of the greylist.”


Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved


  • A full blown solution such as from CoreTrace is very powerful. And this vendor has done much to make it easier for an enterprise than its competitors.

    My firm offers a solution for the enterprise that cannot afford to enumerate all of the allowed binaries. It's a mini-white list feature from either our AppGuard or EdgeGuard security software products. They prevent unauthorized writes into Program Files and Windows directories. And, they snuff out executable launches from user-space, unless they are "guarded". User-space is where the vast majority of the baddies are because executables can be written there whether the end-user is logged in with or without local admin rights.

    BTW, user-space is desktop, My Documents, extra hard drives, etc. 'Guarded' refers to an executable that is allowed to run but prevented from writing into the common target areas of malware attacks.

    So, snuffing out all unguarded executable launches amounts to having a mini-white list: 'what may run in user-space'. A legit example common in the enterprise is gotomeeting.exe. An illegitimate one is limewire.exe.

    A full-blown white list solution, using SHA1 hash checksums, represents extremely robust protection and control. It also requires some effort to deploy and maintain. AppGuard and EdgeGuard can be fully deployed in minutes, providing protection from the vast majority of what threatens an enterprise. Thus, if you prioritize, and focus on probabilities more so than possibilities, AppGuard or EdgeGuard represent practical, effective protection. There are solutions out there that stop a higher percentage of attack vector types. However, the reality of using those alternatives is that their complexity results in under-utilization, particularly with host intrusion prevention system (HIPS) products.

    That said, if I were going full white list, I'd go with CoreTrace. McAfee purchasing SolidCore fills me with grave doubts about McAfee's judgement.
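The three-way decision the article and the comment describe (known-good hash, known-bad hash, and a "graylist" judged by launch location) can be sketched as a small policy function. This is an added example, not code from eWEEK, Symantec, McAfee or the commenter's products; the protected directory roots, the sample hashes and the `guarded` name list are all constructed for the example.

```python
import hashlib
from pathlib import PureWindowsPath

def sha1_hex(data: bytes) -> str:
    """Hex SHA-1 of file contents, the identifier a full hash-based whitelist keys on."""
    return hashlib.sha1(data).hexdigest()

# Constructed sample lists: digests of stand-in byte strings, not of real binaries.
KNOWN_GOOD = {sha1_hex(b"constructed: approved meeting client build")}
KNOWN_BAD = {sha1_hex(b"constructed: known malware sample")}

# Protected program locations (assumed roots for this example); anything outside
# them is treated as user-space in the sense the comment above uses the term.
PROTECTED_ROOTS = (
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
    PureWindowsPath(r"C:\Windows"),
)

def in_protected_location(path: str) -> bool:
    """True when the executable sits under a protected root; Windows path comparison is case-insensitive."""
    return any(root in PureWindowsPath(path).parents for root in PROTECTED_ROOTS)

def decide(path: str, contents: bytes, guarded: frozenset[str] = frozenset()) -> str:
    """Return an allow/deny verdict together with the reason.

    Order matters: a known-bad hash is denied even from a protected location, a
    known-good hash is allowed from anywhere, and only the remaining graylist is
    judged by where it was launched from. `guarded` is a hypothetical set of
    executable names permitted to run from user-space; a name-based rule is coarse
    (a renamed file borrows the exception), so a real control should key on hash
    or code signer instead.
    """
    digest = sha1_hex(contents)
    if digest in KNOWN_BAD:
        return "deny:known-bad"
    if digest in KNOWN_GOOD:
        return "allow:known-good"
    # Graylist: neither list knows this file, so fall back to the location policy.
    if in_protected_location(path):
        return "allow:graylist-protected-location"
    if PureWindowsPath(path).name.lower() in guarded:
        return "allow:graylist-guarded"
    return "deny:graylist-userspace"

if __name__ == "__main__":
    print(decide(r"C:\Users\alice\Desktop\unknown.exe", b"never seen before"))
```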

