This is the fourth and final post in a series introducing CoreTrace’s view of the inevitable transition that desktop security must make to a protection focused, application whitelisting solution and how that will happen practically. We believe that the recognition that traditional blacklist antivirus can no longer protect PCs has arrived and that it is time for IT and security professionals to discuss how a transition to a protective system can take place.
Of course this will not happen overnight. There have been significant investments made in existing blacklist antivirus technology as well as the operational processes to support this technology. These processes exist not only to update and manage blacklisting, but also support the necessary ongoing updating of operating systems and applications that are vulnerable to new malware attacks. We believe that application whitelisting is the logical next evolution of desktop security and that there are three critical steps that will take place for an organization to adopt this technology. We have addressed the first two in previous posts:
- Step 1 Protect – Organizations desperately need to implement a system that can protect their systems against zero-day attacks.
- Step 2 Purify – Once their systems are protected, there will be a purification process that eventually cleans all existing systems of any infections, unauthorized software, or malware.
The third step, change management, is addressed in this post and has been the single biggest obstacle to widespread adoption of application whitelisting. The ability to completely lock down a system has been around for years. IT professionals have long been able to define and restrict the applications allowed to run on a given system to an explicit approved list. Clearly, this would solve the problem of malware infections: by definition, malware couldn’t run because it wouldn’t be on the list. So why hasn’t it been adopted? Simply put, a security system that doesn’t allow for the inevitable change that must take place to the application environment on a PC is doomed to failure.
The answer to the question posed above, why don’t organizations just lock down their PCs, is that to date the cure has been worse than the disease. Given the significant costs of rampant malware infections and the costs of the measures being taken to protect against them, detect them and clean up after them, that is saying a lot. A simple lock down system may prevent new malware infections, but unfortunately it also causes so many problems for IT management and users who need the ability to support updated and new applications that its costs are prohibitive.
An intelligent change management process is the sine qua non for a successful application whitelisting solution. Once an organization has achieved a transition to protected systems and has purified those systems, it must have a process, with the least possible organizational friction for both IT and end users, for updating and adding applications on their PCs.
At CoreTrace, we have invested heavily in providing a system that can deal with the changes that must occur in a way that is transparent to end users and easier than the current desktop management overhead for IT managers. We have patents pending on our “Trusted Change” process, and let me outline some of its key principles:
- First, IT defines the change construct.
IT organizations have ultimate control to set policies around when an application change is allowed. These policies are driven by the needs of the users combined with the risk tolerance for those systems. Examples of these trust constructs are allowing updates or additions of applications that are signed by trusted vendors. This could also include allowing changes made through a trusted process or from a trusted share directory.
- Second, provide a secure infrastructure for change.
It is critical that the infrastructure supporting these changes is itself secure against being spoofed or circumvented. Online criminals have already shown their ingenuity at bypassing existing security systems. The application whitelisting solution should be highly resistant to attacks and bypass.
- Third, allow users to operate seamlessly within the construct.
User acceptance of new security technology is essential to its success. If there is too much disruption of user productivity, the application whitelisting solution will fail. Once a construct for approved change is defined by IT, users should be able to work within that construct without interacting with IT.
- Finally, the solution must accommodate a variety of applications.
Over time a good application whitelisting solution shouldn’t limit itself to .exe or DLL files, but should encompass all applications that could pose a risk to a PC, such as ActiveX and embedded applications.
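To make the four principles concrete, here is an added example (written for this post, not CoreTrace’s Trusted Change implementation or any of its code) of how an IT-defined change construct can be evaluated on an endpoint. It is a Python model: the `TrustPolicy`, `ChangeRequest`, `evaluate` and `ChangeGate` names, the "Contoso Ltd" publisher, the updater path and the `\\fileserver\software$` share are all constructed assumptions. The rules mirror the examples in the first principle (explicitly approved file hash, validly signed by a trusted publisher, written by a trusted updater process, installed from a trusted share); the second principle shows up as the checks that a publisher claim is backed by a verifying signature and that a share path cannot traverse out of the approved directory; the third as the fact that approved changes need no IT interaction, while anything unmatched is blocked and logged for IT review rather than pushed onto the user.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ChangeRequest:
    """One attempted addition or update of executable code on a protected PC (constructed model)."""
    target: str                   # path the new binary is being written to
    content: bytes                # the new file's bytes (hashed for the explicit-approval check)
    publisher: Optional[str]      # signer name the file presents, None if unsigned
    signature_valid: bool         # whether that signature actually verifies, not just who it claims
    writer_process: str           # path of the process performing the write
    source: Optional[str]         # origin of the payload (UNC share, download folder), if known


@dataclass(frozen=True)
class TrustPolicy:
    """The change construct IT defines: which kinds of change are pre-approved (hypothetical shape)."""
    approved_hashes: frozenset    # SHA-256 hex digests of individually approved files
    trusted_publishers: frozenset # signers whose validly signed files may be added or updated
    trusted_updaters: frozenset   # processes (e.g. a vendor updater) allowed to introduce change
    trusted_shares: tuple         # UNC prefixes from which installs are pre-approved


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _norm(path: str) -> str:
    # Windows paths are case-insensitive and accept either separator; compare in one canonical form.
    return path.replace("/", "\\").lower()


def _under_trusted_share(source: Optional[str], shares: tuple) -> bool:
    if source is None:
        return False
    src = _norm(source)
    # A '..' component could walk out of the approved share into an untrusted sibling; refuse it.
    if ".." in src.split("\\"):
        return False
    return any(src.startswith(_norm(s).rstrip("\\") + "\\") for s in shares)


def evaluate(req: ChangeRequest, policy: TrustPolicy) -> Tuple[bool, str]:
    """Decide one change request against the construct; returns (allowed, reason) for the audit trail."""
    digest = sha256_hex(req.content)
    if digest in policy.approved_hashes:
        return True, f"hash {digest[:16]} explicitly approved"
    if req.publisher in policy.trusted_publishers:
        if req.signature_valid:
            return True, f"validly signed by trusted publisher {req.publisher}"
        # A file that names a trusted publisher but fails verification looks like tampering:
        # refuse it outright instead of letting it fall through to weaker rules.
        return False, f"claims trusted publisher {req.publisher} but signature does not verify"
    if _norm(req.writer_process) in {_norm(p) for p in policy.trusted_updaters}:
        return True, f"written by trusted updater {req.writer_process}"
    if _under_trusted_share(req.source, policy.trusted_shares):
        return True, f"installed from trusted share {req.source}"
    # Nothing matched: block, and surface the anomaly to IT rather than to the user.
    return False, "no matching rule; blocked and queued for IT review"


class ChangeGate:
    """Applies the policy and records every decision, so IT can review anomalies after the fact."""

    def __init__(self, policy: TrustPolicy) -> None:
        self.policy = policy
        self.audit: List[Dict[str, object]] = []

    def admit(self, req: ChangeRequest) -> bool:
        allowed, reason = evaluate(req, self.policy)
        self.audit.append({"target": req.target, "allowed": allowed, "reason": reason})
        return allowed


# Constructed policy and sample requests; all names and paths are illustrative only.
POLICY = TrustPolicy(
    approved_hashes=frozenset({sha256_hex(b"constructed: approved build 1.0")}),
    trusted_publishers=frozenset({"Contoso Ltd"}),
    trusted_updaters=frozenset({r"C:\Program Files\Contoso\updater.exe"}),
    trusted_shares=(r"\\fileserver\software$",),
)

SAMPLES = {
    "signed_update": ChangeRequest(r"C:\Program Files\Contoso\app.exe", b"v2", "Contoso Ltd", True,
                                   r"C:\Windows\explorer.exe", r"C:\Users\alice\Downloads\app.exe"),
    "spoofed_signer": ChangeRequest(r"C:\Program Files\Contoso\app.exe", b"v2x", "Contoso Ltd", False,
                                    r"C:\Windows\explorer.exe", r"C:\Users\alice\Downloads\app.exe"),
    "updater_patch": ChangeRequest(r"C:\Program Files\Contoso\plugin.dll", b"p1", None, False,
                                   r"C:\Program Files\Contoso\updater.exe", None),
    "share_install": ChangeRequest(r"C:\Tools\util.exe", b"u1", None, False,
                                   r"C:\Windows\msiexec.exe", r"\\fileserver\software$\tools\util.msi"),
    "share_traversal": ChangeRequest(r"C:\Tools\other.exe", b"e1", None, False,
                                     r"C:\Windows\msiexec.exe", r"\\fileserver\software$\..\public\x.msi"),
    "hash_approved": ChangeRequest(r"C:\Tools\build.exe", b"constructed: approved build 1.0", None, False,
                                   r"C:\Windows\explorer.exe", r"C:\Users\alice\Downloads\build.exe"),
    "unknown": ChangeRequest(r"C:\Users\alice\AppData\Local\Temp\setup.exe", b"zz", None, False,
                             r"C:\Windows\explorer.exe", r"C:\Users\alice\Downloads\setup.exe"),
}


def run_demo() -> Dict[str, bool]:
    """Run every sample through one gate and return label -> decision."""
    gate = ChangeGate(POLICY)
    return {label: gate.admit(req) for label, req in SAMPLES.items()}


if __name__ == "__main__":
    gate = ChangeGate(POLICY)
    for req in SAMPLES.values():
        gate.admit(req)
    for entry in gate.audit:
        print("ALLOW" if entry["allowed"] else "DENY ", entry["target"], "-", entry["reason"])
```

Two design choices are worth noting. A file that claims a trusted publisher but whose signature does not verify is refused immediately rather than being re-evaluated under the updater or share rules, because a trusted name on an unverifiable signature is exactly the kind of spoofing the second principle warns about. And the final fallthrough denies by default and writes an audit entry, so the rare anomaly reaches IT as a reviewable record instead of as a support call from the user.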
If you are considering application whitelisting, you ought to spend a significant amount of your time addressing change management and what the operational impact of the solution will be for the systems you are protecting. Beware of solutions that simply rely upon another central list. Whether this is a centrally managed “cloudlist”, where a vendor approves all the whitelisted applications, or the more dangerous “crowdlist”, where individuals submit applications and those applications are scanned for infections, both come with security and operational risks. Centrally maintained whitelists can complement application whitelisting solutions, both for cleanup and for helping with change management, but they should not be the foundation for approving application changes, and they must not create any additional friction or latency for users. If a valid application is not yet on the list, it introduces unnecessary operational friction for IT and end users. On the other hand, it is also possible for some of these lists to get malware onto the list and give a false sense of security during a change approval. Most essential is the construct that defines approved changes, together with a way to deal with the rare anomalies that fall outside it, case by case.