This is the third post in a series addressing what we see as an inevitable, protection-focused transition to application whitelisting and how that transition should take place in practice. The posts already up on our blog are:
- Intro – Here we provide an overview of what is driving this transition.
- Part 1 Protect – This post highlights the need for companies to consider immediately adding application whitelisting to protect their endpoints.
We think that the transition will take place in three logical steps. First, adding protection to existing systems. Second, purifying those systems of any remnants of malware over time. Finally, providing a strong change management process that will allow users to be productive and deal with the inevitable changes to approved applications while still ensuring the protection that application whitelisting affords.
This blog entry deals with cleaning endpoints that have already gone through the protection step of the process. With a brand new, clean system that begins life under application whitelisting, this step is not necessary. In the shift toward application whitelisting on existing systems, however, it is quite possible that after you lock down and protect a system, malware that antivirus has not yet caught still resides on it.
This is actually one of the roles that antivirus may continue to play during the transition. While traditional antivirus' inability to prevent new, unknown and targeted attacks is well known, the solution's efficacy improves somewhat over time as new threats are discovered and added to its blacklists. Rather than being the primary anti-malware protection, antivirus products are being relegated to two roles: first, detecting infections once the blacklists have been updated to identify them, and second, cleaning those infections off the system. Antivirus will likely continue to play this role once whitelisting has locked down the system. The major difference on a whitelist-protected system is that the system can only become more pure over time, since no new, unapproved code will execute.
There are other technologies that may assist in the purification process. For example, cloudlist whitelists, application listings that reside at a central location rather than on the desktop, may be able to play a role if their lists can be updated with the latest versions of valid applications and if the lists themselves remain pure. Behavioral detection may also help identify any threat that was already present at the point of protection. The point here, though, is that by protecting your systems with minimal disruption you can let the cleaning software gradually bring you to a purified state without disrupting your IT group or your end users.
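To make the protect-then-purify sequence concrete, here is an added simulation (not CoreTrace code or any product's implementation) of a hash-based client whitelist: lock-down approves everything already on the endpoint, including a residual piece of malware; new code is blocked outright; a later blacklist update identifies the residual file so it can be removed from both disk and whitelist. File contents, paths and the blacklist entry are all constructed sample values.

```python
import hashlib

# Constructed sample endpoint contents at lock-down time (not real binaries).
# "dropper.exe" stands in for malware that antivirus has not yet caught.
ENDPOINT_FILES = {
    "C:/Windows/notepad.exe": b"MZ notepad (constructed)",
    "C:/Windows/calc.exe": b"MZ calc (constructed)",
    "C:/Users/Public/dropper.exe": b"MZ dropper (constructed)",
}


def file_hash(data: bytes) -> str:
    """Whitelist entries are keyed by content hash, not by path."""
    return hashlib.sha256(data).hexdigest()


def lock_down(files: dict) -> set:
    """Step 1, Protect: whitelist everything already present on the endpoint.
    Whatever resides there at this moment, malware included, is approved."""
    return {file_hash(data) for data in files.values()}


def try_execute(whitelist: set, data: bytes) -> bool:
    """Client-side enforcement: only code whose hash is whitelisted may run."""
    return file_hash(data) in whitelist


def purify(files: dict, whitelist: set, blacklist: set) -> list:
    """Step 2, Purify: an updated blacklist identifies residual malware;
    matching files are removed from disk and from the whitelist."""
    removed = [path for path, data in files.items() if file_hash(data) in blacklist]
    for path in removed:
        whitelist.discard(file_hash(files[path]))
        del files[path]
    return removed


def simulate() -> dict:
    files = dict(ENDPOINT_FILES)
    whitelist = lock_down(files)
    dropper = ENDPOINT_FILES["C:/Users/Public/dropper.exe"]
    # A new, unknown threat arriving after lock-down never runs.
    blocked = not try_execute(whitelist, b"MZ new threat (constructed)")
    # Residual malware still runs until the blacklist catches up...
    ran_before = try_execute(whitelist, dropper)
    # ...then a signature update arrives and the endpoint is purified.
    removed = purify(files, whitelist, {file_hash(dropper)})
    return {"new_threat_blocked": blocked, "residual_ran_before": ran_before,
            "removed": removed, "residual_runs_after": try_execute(whitelist, dropper),
            "whitelist_size": len(whitelist)}
```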
As we stated in the second post, we feel that client-based whitelisting is far superior as a first step toward whitelisting because of the seamless transition it provides. Trying to purify all systems right out of the gate using cloudlisting or crowdlisting (a whitelist submitted by users) will run into the same inevitable problem that blacklists have in this respect: the list lags behind what is actually on the endpoints. Having solved the biggest inhibitor to whitelisting adoption – being able to handle new applications without creating friction for users or IT; step three in the transition plan and the subject of the next part of this blog series – CoreTrace is committed to exploring and creating a variety of options that can assist in the cleaning process.
Eventually, your organization will reach a point where blacklist antivirus and other cleaning mechanisms serve only as after-the-fact analysis tools. If you are protecting your systems properly with application whitelisting, they will no longer be exposed to the ongoing malware threat, and managing your desktops from a security point of view will be limited to the change management process as you add and update applications on those devices.