From WikiAnswers:
Q: What is a watershed moment?
A: A critical turning point.
Microsoft’s decision to include AppLocker, a technology for application whitelisting, in Windows 7 is no less than a critical turning point for the future of endpoint security. You might think it strange that the CEO of an application whitelisting company is saying such a thing about a free software offering that many might see as a competitor. Not so.
AppLocker is an incredibly important step forward toward the realization that application whitelisting is the future cornerstone of a sound endpoint security strategy. Today, Roger Grimes, product reviewer for InfoWorld, wrote reviews for the leaders in application whitelisting, including a comprehensive look at CoreTrace. The results are impressive. Roger writes:
Whitelisting security has always taken a backseat to blacklisting approaches. After all, when there is far more good software running on computers and networks than bad software, it’s just easier to block the bad than to approve all the good. But that was then, and this is now.
In 2009, the computer security defense world quietly marked a momentous threshold that should have us all looking anew at the value of whitelisting. Last year, the number of unique malicious programs and variants that were created outstripped all the legitimate software published in the world, straining the accuracy of anti-virus solutions like never before. It’s a disturbing fact that suggests whitelisting is now more suitable as a primary security defense than traditional anti-virus scanners, which are really nothing more than blacklisting programs.
Roger is spot on, and when people look back five years from now, they will see the introduction of AppLocker as a key moment that led to the adoption of enterprise-class application whitelisting, like that offered by my company CoreTrace and others. People have understood for some time now that it is time to start over on endpoint security. Gartner, I and others have written about this numerous times over the course of the last year. The reason AppLocker is so important is that it confirms to many that whitelisting is the future, and it will allow businesses to get experience with the technology for free before they move to an enterprise-class solution.
Now the fun begins. Yesterday, I congratulated Patrick Morley of Bit9 on their first-place finish in the review. While we aren’t satisfied with our second-place finish (you can bet we’re gunning for #1 in the next review), we are more than happy to stack our technology up against anyone head-to-head and look forward to the competition in the future.
What is important about this moment is that people should stop asking where the future of endpoint security lies. It is moving to application whitelisting. Now is the time to focus on how application whitelisting can succeed during the transition to a better approach to desktop security. At the core, we believe there are several critical areas that must be addressed for application whitelisting to be successful.
- Application whitelisting must manage change – Handling change well is what will separate good application whitelisting solutions from the bad. It is the difference between seamless adoption of whitelisting and IT and user revolt. Roger Grimes highlighted CoreTrace’s handling of change in his review.
One of the biggest challenges for any whitelisting product is handling complicated product updates. Here Bouncer shines. First, any update operating under a Trusted User, Trusted Application, or Trusted Network Share is allowed to run, and the new whitelisting rule is generated. Bouncer can even handle multiboot, chained installs and major service pack updates, automatically generating the necessary new rules.
Bouncer goes even further in one seemingly small step that, although not unique among the products in this review, means big things. Any trusted application is allowed to install other applications. For example, administrators could trust the Windows Update service, Microsoft’s Systems Management Server or Systems Center Configuration Manager, or their regular, controlled patching program. Any program installed using those predefined trusted pathways is automatically trusted and a new whitelist rule is generated. This allows companies to officially sanction their primary installer application without having to manually update the whitelist rules.
- Application whitelisting should handle memory-based attacks – I recently posted on the importance of preventing memory-based attacks. The essence of this is that a simple whitelist of approved applications isn’t enough to stop sophisticated attacks. A strong application whitelisting solution must be able to protect running applications from being used as a conduit for malware to bypass whitelisting.
- Application whitelisting must be cross-platform – While AppLocker is a good step forward in raising awareness for application whitelisting, its limitation to the Windows 7 Enterprise edition only won’t do it any favors. Ultimately, a good application whitelisting solution should be able to handle more than one limited version of the Windows OS. Additionally, support for other operating systems from the same central administrative interface will be essential to a solution’s success.
- Transition to whitelisting should be painless – There are two keys to making this happen. First, deployment of an application whitelisting solution should not require fresh, cleaned systems. Deployment of a new solution should first ensure that existing applications don’t break and that a massive IT re-imaging initiative isn’t required. Second, the solution should have a strong, enterprise-grade central management capability. No organization configures all systems alike, and a good solution must be able to manage these different endpoint environments as painlessly as possible.
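As an added example (not from the original post and not CoreTrace's code), here is how an administrator could use the AppLocker cmdlets that ship with Windows 7 Enterprise to gain the free experience described above without breaking existing software: rules are generated from a known-good reference machine and deployed in audit-only mode, so nothing is blocked yet and the event log records what would have been. The scanned directories, output path and the Everyone group are assumptions; the cmdlets, XML attribute and event ID are AppLocker's own.

```powershell
# Added example: build an AppLocker policy from a reference endpoint and
# deploy it in AuditOnly mode before enforcing anything.
# Assumes Windows 7 Enterprise (or later) with the AppLocker module,
# run from an elevated PowerShell session. Paths are placeholders.
Import-Module AppLocker

# 1. Inventory the executables already present on the reference machine.
#    These directories are an assumption; extend them to match your build.
$dirs  = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'
$files = $dirs | ForEach-Object {
    Get-AppLockerFileInformation -Directory $_ -Recurse `
        -FileType Exe, Dll, Script, WindowsInstaller
}

# 2. Prefer publisher (code-signature) rules, which survive vendor updates,
#    and fall back to hash rules for unsigned binaries. -Optimize merges
#    rules that share a publisher so the policy stays manageable.
$policyXml = $files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Force every rule collection into AuditOnly so existing applications
#    keep running while the policy is evaluated.
$xml = [xml]$policyXml
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
    $rc.EnforcementMode = 'AuditOnly'
}
$outDir = 'C:\AppLocker'                      # placeholder output location
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$policyPath = Join-Path $outDir 'audit-policy.xml'
$xml.Save($policyPath)

# 4. Apply the policy locally (add -Ldap to target a GPO instead).
Set-AppLockerPolicy -XmlPolicy $policyPath

# 5. After a trial period, list what the policy WOULD have denied.
#    Event 8003 = "allowed to run, but would have been blocked if enforced".
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message |
    Format-Table -Wrap -AutoSize

# 6. Vet a new package against the policy before sanctioning it;
#    PolicyDecision shows Allowed / Denied / DeniedByDefault.
Test-AppLockerPolicy -XmlPolicy $policyPath `
    -Path 'C:\Installers\new-app.exe' -User Everyone
```

Only after the 8003 events show nothing legitimate being flagged should EnforcementMode be switched to Enabled; rolling straight to enforcement on a machine that lacks rules for its own Windows binaries is the re-imaging scenario the transition is meant to avoid.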
The future of endpoint security has never been closer. We are excited to be a part of it.