In my previous post, I talked about my personal crusade to bring security and operations professionals up to date on application whitelisting. Part of that mission is to dispel some of the misconceptions about application whitelisting that people are spreading across the Internet, and to shed some light on how application whitelisting is now a widely accepted security and operational solution that secures thousands of systems across all major vertical markets and organizational sizes.
The recent article “Taking Cybersecurity Lessons To The Bank” articulates outdated perceptions of application whitelisting, the limitations of blacklisting, and how user education is virtually helpless against the growing magnitude of today’s targeted cyber threats. I agree with most of the article’s assertions about blacklisting and education, but its view of application whitelisting is the quick, trite and completely outdated one that incumbent antivirus companies want people to believe. If security professionals read articles like this one and keep believing those outdated notions, our computers and data will remain easy targets for hackers, and they really don’t have to be.
In the article, James Lyne, a senior technologist at Sophos, says that current cyber attacks on banks show how blacklisting cannot keep up with changing threats, especially targeted and zero-day attacks. He is completely correct, and the fact is well documented. But he then reinforces the old notion that whitelists are too hard to maintain in general-use computing environments. That is simply no longer the case. Application whitelisting is not the same as “lockdown”: lockdown products freeze a system to a known image and treat every change as a violation, whereas a whitelisting solution can accept legitimate change, for example by trusting software delivered by an approved updater or signed by an approved publisher, instead of requiring every new file to be approved by hand. Unlike lockdown-only products, application whitelisting solutions are not just for fixed-function systems and servers; leading solutions such as CoreTrace’s BOUNCER can easily handle dynamic, rapidly changing desktop and laptop environments.
And here is another fact about today’s application whitelisting solutions that traditional antivirus companies do not want you to know: leading application whitelisting solutions actually include cloud-based blacklists. They use whitelisting as the primary mechanism to prevent unknown and malicious applications from executing, and consult a cloud-based blacklist outside the execution path, for reporting and compliance purposes, so that a blocked file can be identified as known malware rather than merely as unapproved. A prime example is the CoreTrace Software Intelligence (CSI) service, which includes a cloud-based blacklist.
When it comes to application whitelisting, remaining under the cloud of misconception only limits the ability of banks and other financial institutions to implement effective solutions capable of defending their networks against sophisticated modern cyber attacks.

What about malware that doesn’t touch the disk and is strictly in memory?
Excellent question! Hope you don’t mind, but this is directly from my recent “Top 7 Things You Need to Know About Application Whitelisting” brief (after all, why recreate the wheel each time!):
All good Application Whitelisting solutions stop vulnerability-leveraging payloads that are deposited to disk from executing, but leading solutions like BOUNCER are designed to help stop attacks inside legitimate, whitelisted applications by controlling the code running in memory. By preventing the execution of any process that is not launched by an approved application, BOUNCER stops attempts like DLL injections or attempts to write to kernel memory.
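As an added illustration of the design described in the post above (the whitelist as the sole execution gate, with a cloud blacklist used only to annotate reports) and of the parentage rule in the reply above (a process launched by something other than an approved application is refused), here is a small Python policy model written for this page. It is not CoreTrace's or BOUNCER's code. The file paths, file contents, the resulting hashes and the "Trojan.Generic" label are all constructed for the example, and the exact lookup and reporting rules are my assumptions about how such a policy would be expressed.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-ins for executables on disk (byte strings so the example
# runs offline). Paths and contents are invented for this illustration.
SAMPLE_FILES: Dict[str, bytes] = {
    r"C:\Windows\explorer.exe": b"MZ explorer (approved baseline)",
    r"C:\Program Files\Office\winword.exe": b"MZ winword (approved baseline)",
    r"C:\Users\alice\Downloads\invoice.exe": b"MZ unknown dropper",
    r"C:\Users\alice\AppData\Local\Temp\update.exe": b"MZ known bad",
}


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of an executable."""
    return hashlib.sha256(data).hexdigest()


# The allowlist is the only thing that grants execution. Here it is seeded
# from two baseline binaries; a real product builds it from an inventory
# (assumed step, not described on the page).
ALLOWLIST = {
    sha256_hex(SAMPLE_FILES[r"C:\Windows\explorer.exe"]),
    sha256_hex(SAMPLE_FILES[r"C:\Program Files\Office\winword.exe"]),
}

# Hypothetical cloud blacklist feed: hash -> detection name. It is consulted
# only to label reports; it is deliberately not an input to the decision.
BLACKLIST: Dict[str, str] = {
    sha256_hex(SAMPLE_FILES[r"C:\Users\alice\AppData\Local\Temp\update.exe"]): "Trojan.Generic",
}


@dataclass
class Decision:
    path: str
    allowed: bool
    reason: str
    blacklist_label: Optional[str]  # report metadata only, never a gate


def evaluate_exec(path: str, parent_path: str,
                  files: Dict[str, bytes] = SAMPLE_FILES) -> Decision:
    """Decide whether `path` may run when launched by `parent_path`."""
    digest = sha256_hex(files[path])
    label = BLACKLIST.get(digest)  # looked up for reporting, not for gating
    parent_digest = sha256_hex(files[parent_path]) if parent_path in files else None
    # Parentage rule: a process launched by something not on the allowlist is
    # refused, even if the child binary itself is allowlisted.
    if parent_digest not in ALLOWLIST:
        return Decision(path, False, "parent process not approved", label)
    if digest not in ALLOWLIST:
        return Decision(path, False, "hash not on allowlist", label)
    return Decision(path, True, "allowlisted", label)


def compliance_report(decisions: List[Decision]) -> Dict[str, int]:
    """Bucket outcomes the way a compliance report would present them."""
    counts = {
        "allowed": 0,
        "allowed_with_blacklist_hit": 0,  # worth a review, but not blocked
        "blocked_unknown": 0,
        "blocked_known_malware": 0,
    }
    for d in decisions:
        if d.allowed:
            key = "allowed_with_blacklist_hit" if d.blacklist_label else "allowed"
        else:
            key = "blocked_known_malware" if d.blacklist_label else "blocked_unknown"
        counts[key] += 1
    return counts


if __name__ == "__main__":
    explorer = r"C:\Windows\explorer.exe"
    results = [
        evaluate_exec(r"C:\Program Files\Office\winword.exe", explorer),
        evaluate_exec(r"C:\Users\alice\Downloads\invoice.exe", explorer),
        evaluate_exec(r"C:\Users\alice\AppData\Local\Temp\update.exe", explorer),
        # winword is allowlisted, but the process trying to launch it is not
        evaluate_exec(r"C:\Program Files\Office\winword.exe",
                      r"C:\Users\alice\Downloads\invoice.exe"),
    ]
    for r in results:
        print(r)
    print(compliance_report(results))
```

The point of the split is that `evaluate_exec` never reads `BLACKLIST` to decide anything: an unknown dropper with no blacklist entry is still blocked, and a known-bad file is blocked for the same reason, with the blacklist only supplying the name that turns "unapproved file" into "known malware" on the report. An allowlisted file that later shows up on the blacklist is the edge case the report's `allowed_with_blacklist_hit` bucket exists for: it keeps running under this model, which is exactly the kind of item a compliance review should surface.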
Pingback: Top Endpoint Security Stories for November 2010 — If malware is a top security concern, then why does it take so long to fix known vulnerabilities?