Memory Protection is an Important Component of Application Whitelisting Solutions — CoreTrace WhiteSpace


The Application Whitelisting and Security Weblog

Memory Protection is an Important Component of Application Whitelisting Solutions

More companies than ever are looking at alternatives to blacklist antivirus. It isn’t hard to see why. Rampant botnets, endless patching, and signature distribution that simply can’t keep up with the threat are just a few of the reasons why IT and security professionals are looking for viable alternatives to protect their endpoints. Even Gartner Group has said it is time to start over on desktop security.

As people search for alternatives, application whitelisting has moved to the front as the most promising technology to address today’s endpoint security failures. That said, as with any new technology, there are challenges to be addressed. With whitelisting, these include how to properly baseline an existing system that may be infected, as well as how to manage updates and changes to applications. Another challenge is how to address memory-based attacks that target whitelisted applications.

Attacks that inject code into existing processes in memory can bypass most of today’s whitelisting solutions (not to mention almost all blacklist-based ones), and they are an important consideration for companies considering moving to application whitelisting. Ideally, a whitelisting solution should be able to look at all running processes and track the originating binary of the code each one runs, rather than associating that code with the application that loaded it. On our site, we provide a demonstration of how these attacks can work, for example by taking advantage of a browser application, and explain the approach we take to stop these attacks.
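
The idea of tracing executable memory back to its originating binary, as an added example that is not CoreTrace's code or product logic: it assumes a Linux host, parses the `/proc/<pid>/maps` format, and flags executable regions whose backing file is missing, unlinked or not on the allowlist. The allowlist paths, the sample map and the `audit_maps` helper are constructed for illustration.

```python
import re

# Constructed allowlist of approved binaries and libraries (assumption).
ALLOWLIST = {"/usr/bin/browser", "/usr/lib/libc.so.6", "/usr/lib/libssl.so.3"}

# Constructed sample in Linux /proc/<pid>/maps format:
# address-range perms offset dev inode [path]
SAMPLE_MAPS = """\
00400000-0045a000 r-xp 00000000 08:01 131090 /usr/bin/browser
0065a000-0065c000 rw-p 0005a000 08:01 131090 /usr/bin/browser
7f3a10000000-7f3a10021000 rwxp 00000000 00:00 0
7f3a1c000000-7f3a1c1b0000 r-xp 00000000 08:01 262201 /usr/lib/libc.so.6
7f3a1d000000-7f3a1d010000 r-xp 00000000 08:01 400123 /tmp/.cache/helper.so
7f3a1e000000-7f3a1e004000 r-xp 00000000 08:01 262300 /usr/lib/libssl.so.3 (deleted)
7ffd5a000000-7ffd5a021000 rw-p 00000000 00:00 0 [stack]
7ffd5a1fe000-7ffd5a200000 r-xp 00000000 00:00 0 [vdso]
"""

MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+([r-][w-][x-][ps])\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$")
KERNEL_REGIONS = {"[vdso]", "[vsyscall]"}  # kernel-provided executable pages

def audit_maps(maps_text, allowlist):
    """Return (start, size, perms, origin, reason) for each executable region
    whose originating file is not on the allowlist."""
    findings = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, end, perms, path = m.groups()
        if "x" not in perms or path in KERNEL_REGIONS:
            continue  # only executable, non-kernel regions are of interest
        size = int(end, 16) - int(start, 16)
        if not path or path.startswith("["):
            reason = "executable memory with no backing file"
        elif path.endswith(" (deleted)"):
            reason = "backing file unlinked since it was mapped"
        elif path not in allowlist:
            reason = "backing file not on allowlist"
        else:
            continue  # executable code that traces back to an approved binary
        findings.append((start, size, perms, path or "<anonymous>", reason))
    return findings

if __name__ == "__main__":
    for f in audit_maps(SAMPLE_MAPS, ALLOWLIST):
        print("%s size=%d perms=%s origin=%s -> %s" % f)
```

Anonymous executable regions also occur legitimately in processes that use JIT compilation, so findings from a check like this need triage rather than automatic blocking.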

Protection from these types of attacks is particularly important on servers, which tend to run continuously and are rarely restarted. Single-purpose machines, point-of-sale systems, SCADA systems and other servers are especially attractive targets for memory-based attacks.

The discussion has already begun. Companies are very seriously looking at how application whitelisting can be added to their endpoint security strategy. Be sure you don’t neglect protecting against attacks that target active processes in memory.
