Application whitelisting and the importance of trusted change — CoreTrace WhiteSpace

The Application Whitelisting and Security Weblog

Traditional endpoint security based on patching and after-the-fact antivirus blacklisting is reaching the end of its useful life. It’s a topic that has been in the news for much of 2009 and has been the subject of many of my own posts. For a sampling of this topic, check out any of the following posts:

That, however, is not the topic of today’s post. Today I want to talk about application whitelisting as a complement to, or alternative for, antivirus, and about the importance of managing additions and updates to legitimate applications with the least amount of operational friction.

For the purpose of this post, I will make the assumption that most IT professionals are dissatisfied with their current endpoint security, are looking for alternatives, and that application whitelisting is on the short list of possibilities. This is certainly the case at Gartner Group if you look at their recent postings like this one.

If application whitelisting is one of the possible approaches to addressing the current sorry state of endpoint security, what is holding it back? Typically, there are two primary objections to application whitelisting that we encounter. First, IT professionals are worried about baselining a whitelist off an existing system for fear that malware will get whitelisted. Taking a step back and looking at this objection, it seems to be more evidence that companies should move to whitelisting as soon as possible. If you truly believe that your existing systems are overrun with malware, then you should stop the bleeding immediately and employ whitelisting to prevent any further infections, which antivirus is simply incapable of preventing. Existing infections can then be identified and eliminated through the use of signature-based solutions like antivirus. Eventually you will reach a steady state of clean systems.

The second objection is that managing changing applications is simply too cumbersome, and that relying on a single master cloud-based whitelist is essentially another form of signature-based security that will be too operationally disruptive to be effective. That is where we believe a “trusted change” system becomes an essential element of any application whitelisting solution.

Managing change shouldn’t rely only upon the master whitelist; it should be flexible enough to allow change from multiple points within the organization. A good application whitelisting solution should be able to define a number of avenues through which change can take place. This means defining your points of accepted change, for example: software vendors whose digitally signed applications and updates are accepted, a trusted software distribution application, a specified trusted user, or software located in a specific trusted network share. Essentially, application whitelisting must encompass the way users work with their PCs today and should result in minimal disruption to their productivity and routine.
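As an added illustration (not CoreTrace code and not how BOUNCER is implemented), the following Python policy engine applies the trust avenues listed above: an executable may run if its hash is already on the baseline whitelist or if it arrived through an accepted avenue, and each accepted change extends the whitelist so the baseline grows with legitimate software. Every signer name, process name, user and path below is constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class TrustPolicy:
    """Accepted avenues of change. All values are constructed for this example."""
    known_hashes: set = field(default_factory=set)      # baseline whitelist (SHA-256 hex)
    trusted_signers: set = field(default_factory=set)   # vendors whose signed binaries are accepted
    trusted_updaters: set = field(default_factory=set)  # software distribution processes
    trusted_users: set = field(default_factory=set)     # users allowed to introduce software
    trusted_shares: tuple = ()                           # path prefixes of trusted network shares


def sha256_of(data: bytes) -> str:
    """Hex digest used as the whitelist identity of a file's contents."""
    return hashlib.sha256(data).hexdigest()


def evaluate(event: dict, policy: TrustPolicy) -> tuple:
    """Decide whether a new executable may run and say why.

    `event` is a hypothetical file-introduction record with the keys
    sha256, signer, writer, user and path (signer/writer may be None).
    Default is deny: if no trusted avenue matches, the file does not run.
    """
    digest = event["sha256"]
    if digest in policy.known_hashes:
        return True, "baseline"
    avenues = (
        ("signed by trusted vendor", event.get("signer") in policy.trusted_signers),
        ("written by trusted updater", event.get("writer") in policy.trusted_updaters),
        ("introduced by trusted user", event.get("user") in policy.trusted_users),
        ("from trusted share", event["path"].startswith(policy.trusted_shares)),
    )
    for reason, matched in avenues:
        if matched:
            policy.known_hashes.add(digest)  # trusted change extends the whitelist
            return True, reason
    return False, "no trusted avenue"


def example_policy() -> TrustPolicy:
    """Constructed policy with one entry per avenue of trusted change."""
    return TrustPolicy(
        trusted_signers={"Example Vendor Co"},
        trusted_updaters={"sccm-agent.exe"},
        trusted_users={"svc-deploy"},
        trusted_shares=("\\\\fileserver\\approved\\",),
    )
```

A denied event is the interesting output in practice: logging the path, writer process and user of each "no trusted avenue" decision gives the operations team the list of change points they still need to define.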

Trusted change is the backbone of CoreTrace’s BOUNCER solution, and we feel strongly that application whitelisting solutions must easily enable legitimate additions and changes. Solutions that lack this capability will languish on single-purpose servers and never see the light of day in the general enterprise, where they are so sorely needed.
