<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CoreTrace WhiteSpace&#187; CoreTrace WhiteSpace</title>
	<atom:link href="http://www.coretraceblogs.com/tag/application-whitelisting/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.coretraceblogs.com</link>
	<description>The Application Whitelisting and Security Weblog</description>
	<lastBuildDate>Fri, 27 Jan 2012 17:47:15 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Security Earthquake That Nobody Felt: McAfee Endorses Application Whitelisting</title>
		<link>http://www.coretraceblogs.com/2012-01/security-earthquake-that-nobody-felt-mcafee-endorses-application-whitelisting/</link>
		<comments>http://www.coretraceblogs.com/2012-01/security-earthquake-that-nobody-felt-mcafee-endorses-application-whitelisting/#comments</comments>
		<pubDate>Fri, 27 Jan 2012 17:03:15 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[application control]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[McAfee]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3461</guid>
		<description><![CDATA[Folks in California are so used to earthquakes that sometimes they barely notice when one happens.  Folks in the security business are so busy and swamped with the noise of the market that we often miss tectonic shifts in our own world. Let me help you with that last one:
BREAKING NEWS: “Endpoint Security Earthquake [...]]]></description>
			<content:encoded><![CDATA[<p>Folks in California are so used to earthquakes that sometimes they barely notice when one happens.  Folks in the security business are so busy and swamped with the noise of the market that we often miss tectonic shifts in our own world. Let me help you with that last one:</p>
<p><b>BREAKING NEWS</b>: <i>“Endpoint Security Earthquake Hits:  McAfee Actively Endorses Application Whitelisting. Magnitude &#038; Ramifications Are Significant.”</i></p>
<p>This week, McAfee, one of the two dominant forces in reactive, blacklist-based endpoint security, <b>actively and unequivocally endorsed Application Whitelisting</b>.  Ironically, in coverage of Symantec’s recent problems with pcAnywhere, the industry is actively recommending application whitelisting too. </p>
<p>First, let’s cover the major quake:  McAfee’s active endorsement of application whitelisting—<i>for corporate desktops and laptops</i>.<span id="more-3461"></span>  In a series of YouTube videos, McAfee joins CoreTrace in educating the market about the shortcomings of traditional blacklist-based solutions, the advantages of application whitelisting, and the purported advantages of McAfee Application Control (most of which, such as trusted change and memory protection, set it apart from other whitelisting solutions but not from CoreTrace).  You can view the initial video <a href="http://www.youtube.com/watch?v=8Az9yg9KcVs&#038;feature=relmfu" target="_blank">here</a>.  While you are at YouTube, make sure to check out <a href="http://www.youtube.com/CoreTraceCorporation" target="_blank">CoreTrace’s video channel</a> too. </p>
<p>While CoreTrace has successfully competed with our friends from McAfee on application whitelisting projects for fixed-function systems (e.g., critical infrastructure, POS terminals, servers), the antivirus giant had never publicly stated that whitelisting can and should be used on corporate desktops and laptops—until now. In the introductory video, McAfee senior product manager Swaroop Sayeram states directly: <i>“Simplistic whitelisting might fit just fixed function systems… Dynamic whitelisting is a great fit for servers… and it is now a good fit for corporate desktops as well. These days, most of the deals we are seeing are to secure servers and corporate desktops.”</i></p>
<p>Second, let’s cover the related tremors:  the industry’s recommendations to use application whitelisting to contain problems like those created by the theft of Symantec’s pcAnywhere source code.  While Symantec’s own <a href="http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&#038;pvid=security_advisory&#038;suid=20120124_00" target="_blank">advisory</a> to pcAnywhere users includes only its boilerplate old-school recommendations, experts throughout the industry are recommending whitelisting as one of the main mitigations. As an example, as part of his recommendations in a <a href="http://scitech.foxnews.mobi/quickPage.html?page=23952&#038;content=65142874&#038;pageNum=-1" target="_blank">FoxNews.com interview</a>, Anup Ghosh, founder and CEO of Virginia security firm Invincea, said <i>“Businesses should deploy application ‘whitelisting.’ This will prevent unauthorized malware from running on computers.”</i></p>
<p>So, McAfee has dramatically shifted the endpoint anti-malware landscape. Now the question is, with the ground shifting beneath its feet, what will Symantec do?  Stay tuned for future coverage of this developing story…</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2012-01/security-earthquake-that-nobody-felt-mcafee-endorses-application-whitelisting/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Defeating Defacement: File Integrity Protection via Application Whitelisting</title>
		<link>http://www.coretraceblogs.com/2012-01/defeating-defacement-file-integrity-protection-via-application-whitelisting/</link>
		<comments>http://www.coretraceblogs.com/2012-01/defeating-defacement-file-integrity-protection-via-application-whitelisting/#comments</comments>
		<pubDate>Thu, 19 Jan 2012 16:47:24 +0000</pubDate>
		<dc:creator>Greg Valentine</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[defacement]]></category>
		<category><![CDATA[file integrity protection]]></category>
		<category><![CDATA[FIPs]]></category>
		<category><![CDATA[server hardening]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3442</guid>
		<description><![CDATA[It is a PR disaster.  A group of ‘hacktivists’ have somehow managed to attack your company website and changed your content (which is actively being displayed to the entire world).  Your phone won’t stop ringing, and your mailbox just melted down.  So many questions running through your mind:  ‘What just happened?’, [...]]]></description>
			<content:encoded><![CDATA[<p>It is a PR disaster.  A group of ‘hacktivists’ has somehow managed to attack your company website and change your content, which is now being displayed to the entire world.  Your phone won’t stop ringing, and your mailbox just melted down.  So many questions are running through your mind:  ‘What just happened?’, ‘Who did this?’, ‘How did they do this?’, and most importantly ‘How can I prevent this from happening again?’.  It certainly doesn’t help that this has the highest level of visibility within your organization.  It’s going to be a very long day.</p>
<p>Sadly, this scenario is now playing out more often than ever, especially at the hands of a loosely organized group of hacktivists that calls itself ‘Anonymous’.  The list of companies hit by Anonymous is large enough to draw national media attention, which is not exactly where your company wants its name mentioned.<span id="more-3442"></span></p>
<p><b>The Problem:</b><br />
Despite significant improvements in web server security, major companies continue to be victimized by this type of vandalism.  The motivation behind such attacks ranges from citizen protest (“hacktivism”) to good old-fashioned revenge.  Regardless of the motivation, you now have a very embarrassing problem on your hands.  </p>
<p>Following the best practice of ‘locking down’ your website data files to prevent changes does no good if someone is able to gain root-level access to the server; the attacker can simply loosen the permissions on the data files with a single command. You need to be able to lock down these files at a lower level than standard operating system permissions provide.</p>
<p><b>A Solution:</b><br />
What can be done to prevent these defacements?  The fundamental problem boils down to unauthorized changes being made to the website files.  The affected files could be plain HTML, CGI or PHP, but even a small change to an .htaccess file can ruin your day.  Regardless of how someone gains access to these files (there are many, many techniques, such as SQL injection and JavaScript vulnerabilities), wouldn’t it be nice to know that they could not modify or delete these files in any way? If you can tell your management team that the website is protected from defacement, everyone will rest a lot easier at night.</p>
<p>As readers of our blog know, CoreTrace Bouncer is an application whitelisting product.   The main benefit of this technology is that only programs explicitly defined on the whitelist are allowed to execute.  Any program not on the whitelist is considered ‘unauthorized’, and Bouncer prevents it from executing. Bouncer takes the firewall paradigm of ‘default deny’ for network ports and applies it to program execution within the operating system. </p>
<p>Not only must Bouncer enforce the whitelist, it must also protect the integrity of the whitelisted applications.  How effective would a whitelisting product be if someone could simply delete an authorized application such as notepad.exe and replace it with a tainted program renamed to notepad.exe?  By default, Bouncer blocks, from the kernel, all modifications to program files that are on the whitelist.  Bouncer administrators can define vectors of authorized change that allow transparent changes to these files, so that upgrades and patches can be applied without difficulty.</p>
<p>CoreTrace has extended this kernel-level ‘file integrity protection’ capability to any file you wish to protect.   Although HTML files never execute, you can rest much easier knowing that any file you add to the list gets this low-level extra measure of protection.  The same protection can be applied to any file you choose, such as c:\boot.ini or the hosts file.</p>
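<p>The post describes a kernel-enforced control that <i>prevents</i> writes to protected files. The complementary control most teams can stand up today is integrity <i>detection</i>: hash every file under the web root, keep that baseline somewhere the web server cannot reach, and diff the live tree against it. The script below is an added example written for this page; it is not CoreTrace or Bouncer code, and the three-file site and the defacement it simulates are constructed so the example runs offline. It reports modified, added and deleted files and, separately, files whose bytes are intact but whose permissions were changed (the “open up the privileges with a single command” case above).</p>

```python
"""Detect unauthorized changes to a web root against a stored baseline.

Added example, not CoreTrace code. It detects tampering after the fact;
the kernel-level blocking the post describes is a different control.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large uploads and media do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(webroot):
    """Map each file under webroot (relative, '/'-separated) to its hash and mode bits."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": sha256_file(full),
                "mode": os.stat(full).st_mode & 0o777,
            }
    return baseline


def verify(webroot, baseline):
    """Compare the live tree to the baseline and report every deviation.

    A file whose content changed is reported as modified even if its
    permissions also changed; mode_changed lists files whose bytes are
    intact but whose permission bits differ from the baseline.
    """
    current = build_baseline(webroot)
    report = {"modified": [], "added": [], "deleted": [], "mode_changed": []}
    for rel, expected in baseline.items():
        if rel not in current:
            report["deleted"].append(rel)
        elif current[rel]["sha256"] != expected["sha256"]:
            report["modified"].append(rel)
        elif current[rel]["mode"] != expected["mode"]:
            report["mode_changed"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed scenario: baseline a three-file site, then deface it."""
    root = tempfile.mkdtemp()
    site = {
        "index.html": b"<h1>Welcome</h1>\n",
        "about.html": b"<h1>About us</h1>\n",
        "private/.htaccess": b"Require all denied\n",
    }
    for rel, data in site.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(data)

    # Serialise the baseline; in practice keep this copy off the web server,
    # since an attacker with root can rewrite a baseline stored next to the site.
    snapshot = json.dumps(build_baseline(root), sort_keys=True)

    # Simulated defacement: rewrite the front page, drop a new script,
    # delete a page and loosen the permissions on .htaccess.
    with open(os.path.join(root, "index.html"), "wb") as handle:
        handle.write(b"<h1>Defaced</h1>\n")
    with open(os.path.join(root, "backdoor.php"), "wb") as handle:
        handle.write(b"<?php echo 'dropped'; ?>\n")
    os.remove(os.path.join(root, "about.html"))
    os.chmod(os.path.join(root, "private", ".htaccess"), 0o777)

    return verify(root, json.loads(snapshot))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

<p>Running it reports <code>index.html</code> as modified, <code>backdoor.php</code> as added and <code>about.html</code> as deleted; on a POSIX host the loosened <code>private/.htaccess</code> also appears under <code>mode_changed</code>. The usual caveats apply: schedule the check from a host the web server cannot write to, alert on any non-empty category, and remember that detection tells you a defacement happened while the post’s kernel-level blocking is what stops it.</p>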
<p>By the way, here are some examples that clearly show what you <i>don&#8217;t</i> want to deal with:</p>

<a href='http://www.coretraceblogs.com/2012-01/defeating-defacement-file-integrity-protection-via-application-whitelisting/fip4/' title='FIP4'><img width="150" height="113" src="http://www.coretraceblogs.com/wp-content/uploads/2012/01/FIP4-150x113.png" class="attachment-thumbnail" alt="" title="FIP4" /></a>
<a href='http://www.coretraceblogs.com/2012-01/defeating-defacement-file-integrity-protection-via-application-whitelisting/fip3/' title='FIP3'><img width="150" height="113" src="http://www.coretraceblogs.com/wp-content/uploads/2012/01/FIP3-150x113.png" class="attachment-thumbnail" alt="" title="FIP3" /></a>
<a href='http://www.coretraceblogs.com/2012-01/defeating-defacement-file-integrity-protection-via-application-whitelisting/fip2/' title='FIP2'><img width="150" height="113" src="http://www.coretraceblogs.com/wp-content/uploads/2012/01/FIP2-150x113.png" class="attachment-thumbnail" alt="" title="FIP2" /></a>
<a href='http://www.coretraceblogs.com/2012-01/defeating-defacement-file-integrity-protection-via-application-whitelisting/fip1/' title='FIP1'><img width="150" height="113" src="http://www.coretraceblogs.com/wp-content/uploads/2012/01/FIP1-150x113.png" class="attachment-thumbnail" alt="" title="FIP1" /></a>

]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2012-01/defeating-defacement-file-integrity-protection-via-application-whitelisting/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>10 Things You Don&#8217;t Know about Virtualization Security&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-07/10-things-you-dont-know-about-virtualization-security/</link>
		<comments>http://www.coretraceblogs.com/2011-07/10-things-you-dont-know-about-virtualization-security/#comments</comments>
		<pubDate>Fri, 22 Jul 2011 14:30:35 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[application control]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[BOUNCER]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[total application control]]></category>
		<category><![CDATA[virtualization security]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3365</guid>
		<description><![CDATA[When it comes to virtualization security, there are many things that people don’t even know are problems, or don’t even know they need to address. In our recent webinar,  “10 Things You Don’t Know about Virtualization Security&#8221;, IANS faculty member and Voodoo Security founder, Dave Shackleford, and CoreTrace’s CTO and founder, Dan Teal, provided [...]]]></description>
			<content:encoded><![CDATA[<p>When it comes to virtualization security, there are many things that people don’t even know are problems, or don’t even know they need to address. In our recent webinar,  <a href="http://www.coretrace.com/resources/webinars/IANS_Webinar_10_Things_You_Dont_Know_About_Virtualization_Security.aspx">“10 Things You Don’t Know about Virtualization Security&#8221;</a>, IANS faculty member and Voodoo Security founder, Dave Shackleford, and CoreTrace’s CTO and founder, Dan Teal, provided their unique perspectives on things that often get left out of the picture when securing a virtual environment, and examples of how the scale of virtualization can blindside an organization before they even know what hit them.</p>
<p>Some of the issues they explored include:</p>
<blockquote>
<ol>
<li><strong>You have more virtual systems than you know:</strong> Virtual sprawl is the by-product of being able to provision systems rapidly. It also multiplies exposure: unknown systems that are not patched or kept current from a configuration or security standpoint. Knowing everything in your environment is a major problem in the virtual world. It is really all about inventory, keeping up with systems, and making sure change management is in place.<span id="more-3365"></span></li>
<li><strong>You aren’t leveraging virtualization for security:</strong> Virtualization is a double-edged sword from a security and operational-efficiency perspective. On one side, it gives an organization the ability to tighten and standardize everything in an environment and make sure it is all kept up to date. On the flip side, if the foundations are not in place from the start, things like change management can go completely off track.</li>
<li><strong>You need more visibility:</strong> In the virtual world you have to keep tabs on everything in both your physical and virtual environments. Monitoring virtual network traffic, particularly between VMs on the same host, can be difficult. To understand everything that is running in a virtualized environment, organizations need to step back and look at their security posture as a whole. Visibility is critical to knowing the condition of all your systems and servers, and whether they are being fully utilized.</li>
<li><strong>All eggs are in one basket:</strong> Dumping responsibility for running and maintaining virtualized platforms onto one group is a frightening picture, not to mention a step backwards for separation of duties. Nobody wants one group to have that much control over the infrastructure, yet that is exactly what is happening with most virtualized platforms. What you want are specific roles within the organization so that each group maintains its own area.</li>
<li><strong>You’re back to 1997 for network security:</strong> The reality of virtual environments is that you do not get in-depth security capabilities out of the box with any virtualization solution. Often you find yourself relying on VLANs for security because that is all you have, which is like stepping back to 1997 for network security, and that is no place you want to be. To meet your security and policy requirements, look at your existing physical infrastructure and try to match those controls inside your virtual environment.</li>
<li><strong>Your existing security programs are probably not adapted for virtualization:</strong> Most security programs need to adapt to accommodate virtualization. Evaluating where virtualization affects security operations, and creating policies that address virtual systems or folding virtualization into existing policies, is a good place to start. The specifics vary from organization to organization, but infrastructures are changing, so it is worth moving ahead and adapting now.</li>
<li><strong>Your auditors probably don’t know what’s going on:</strong> Most auditors are not comfortable with virtualization technology. They generally do not understand its fundamental concepts or how it affects different data classification levels and compliance data versus non-compliance data. Part of the education process is making sure internal audit teams understand the controls that are inherently available within the platforms and tools already in place.</li>
<li><strong>Storage is a huge security hole:</strong> Storage is fundamental to a virtualization deployment, yet security and storage teams rarely mingle in the same circles. Most storage deployments have no strong access control mechanisms in place, and a weakness there undermines the virtualization platform built on top of it. It is now critical that organizations apply a defense-in-depth strategy to the storage infrastructure that underpins their virtual environments.</li>
<li><strong>Virtualization software <em>DOES</em> have vulnerabilities:</strong> No system is perfect. Proof-of-concept exploit code and malware attack toolkits targeting virtualization software are available to attackers looking to penetrate a virtual environment. The key is to keep up with the virtualization vulnerability landscape, which is constantly evolving and becoming more sophisticated.</li>
<li><strong>Availability is the new No. 1:</strong> While most security folks focus on confidentiality and integrity, virtualization architectures make availability a top priority for business and operational teams. With a shared pool of resources on which many systems depend, a different approach is needed. Organizations need to change the way they use traditional antivirus and anti-malware agents, which are increasingly ineffective and consume resources that affect day-to-day operations.</li>
</ol>
</blockquote>
<p>In order to succeed in the virtual world, there are lots of things to think about when it comes to security. The first step is to re-evaluate what you are doing today and figure out how your existing security processes can be re-worked to accommodate virtualization. This requires working with the virtualization and other IT teams to make sure you’ve carefully delineated the roles to better match what you’ve had in place to begin with. Also, making sure the storage infrastructure is secure should not get left out. </p>
<p>All in all, adopting tools that are more “virtualization conscious” and that keep resource consumption top of mind is critical to relieving the load of security tools that eat up resources. This is part of the reason people are turning to application whitelisting and application control for virtual environments. With solutions like CoreTrace’s <a href="http://www.coretrace.com/products/BOUNCER_by_CoreTrace/default.aspx">Bouncer application whitelisting</a>, you are not running virus scans that consume valuable resources on every virtual machine, with the poor performance and denial-of-service incidents that result. You have a definitive list of what is and is not allowed to run.</p>
<p>While blacklisting is still useful for identifying known malware already on your endpoints, the fact is organizations are getting hit more than ever despite running the latest security sweeps from all the major vendors. Blacklists simply cannot keep up anymore. Having total control of what runs on your box prevents the malware from executing. As your infrastructure changes with virtualization, you have to adapt for the long haul. This is why we believe application whitelisting and application control is the approach needed to protect today’s rapidly changing virtual environments.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-07/10-things-you-dont-know-about-virtualization-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top Endpoint Security Stories for June 2011: Malware developers show just how efficient they’ve become</title>
		<link>http://www.coretraceblogs.com/2011-07/top-endpoint-security-stories-for-june-2011-malware-developers-show-just-how-efficient-they%e2%80%99ve-become/</link>
		<comments>http://www.coretraceblogs.com/2011-07/top-endpoint-security-stories-for-june-2011-malware-developers-show-just-how-efficient-they%e2%80%99ve-become/#comments</comments>
		<pubDate>Tue, 05 Jul 2011 16:07:02 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cyber criminals]]></category>
		<category><![CDATA[malware attacks]]></category>
		<category><![CDATA[modern malware]]></category>
		<category><![CDATA[targeted cyberattacks]]></category>
		<category><![CDATA[whitelists]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3305</guid>
		<description><![CDATA[We’ve always known how tenacious hackers are, working around the clock to infiltrate corporate networks. In June, we found out just how efficient they are. Mutating malware that bypasses security updates within hours and unconventional cyber attacks on seemingly secure networks have prompted the need for stronger endpoint defenses. For many, whitelisting is the answer. [...]]]></description>
			<content:encoded><![CDATA[<p>We’ve always known how tenacious hackers are, working around the clock to infiltrate corporate networks. In June, we found out just how efficient they are. Mutating malware that bypasses security updates within hours and unconventional cyber attacks on seemingly secure networks have prompted the need for stronger endpoint defenses. For many, whitelisting is the answer. Here are some of the top endpoint security stories for June 2011.<span id="more-3305"></span></p>
<h3>Hackers move quickly to evade the latest security updates</h3>
<p>In June, we saw two examples of how quickly cyber criminals adapt to change. Security updates to both Macs and Windows held attackers back only briefly: within hours they had new variants that slipped past Apple’s detection update, and within days they were exploiting a just-patched Internet Explorer vulnerability on machines that had not yet applied the fix. </p>
<p>According to the article, <a href="http://reviews.cnet.com/8301-13727_7-20067942-263.html">“Apple’s malware detection update circumvented in 8 hours,”</a> malware developers were able to rewrite code overnight to evade the latest Mac updates. In another incident, <a href="http://www.infoworld.com/d/security/hackers-move-fast-exploit-just-patched-ie-bug-586">“Hackers move fast to exploit just-patched IE bug,”</a> just three days after Microsoft patched 11 bugs in Internet Explorer, cyber criminals were exploiting one of the patched vulnerabilities.</p>
<p>With hackers working non-stop to develop new malware and malware variants that can bypass even the most recent updates and signatures, organizations need a solution that doesn’t place a band-aid on known vulnerabilities that criminals can peel off hours later. Security tools like application whitelisting do this by simply preventing the execution of all unauthorized applications.   </p>
<h3>Poor user updating practices creating unclosed security holes</h3>
<p>While security patches have their own challenges keeping cyber criminals from returning to exploit known vulnerabilities (see above), a recent study by G Data SecurityLabs found that users certainly aren’t helping (which is not a surprise to any InfoSec pro).</p>
<p>In the article, <a href="http://www.prlog.org/11533824-malware-authors-relying-on-poor-user-updating-practices.html">“Malware Authors Relying on Poor User Updating Practices,”</a> cyber criminals are taking advantage of users’ negligence around installing the latest security updates. As a result, hackers are targeting both current and older unclosed security holes, said Ralf Benzmüller, head of G Data SecurityLabs.</p>
<blockquote><p>
<em>“Even though an enormous number of program updates are being provided, users should not be fooled into deactivating automatic update functions. Not only does this apply to Java, but it should also apply in general to all browser plug-ins used and all applications installed on the PC.”</em></p></blockquote>
<h3>Whitelisting a top strategy for combating modern malware attacks</h3>
<p>As cyber criminals exploit any vulnerability they can to infect corporate networks, implementing security strategies that stop targeted attacks that quietly steal sensitive data is critical for combating modern cyber threats.</p>
<p>The article, <a href="http://computersecurity.info-nex.com/top-five-strategies-for-combating-modern-computer-security-threats/">“Top five strategies for combating modern computer security threats,”</a> outlines techniques for keeping unauthorized and malicious software from exploiting a user’s laptop or desktop. One of the recommended solutions is application whitelisting. </p>
<p>While there are valid concerns around preventing attacks like memory exploits and handling dynamic environments without impacting user and IT productivity, advancements in leading whitelisting solutions have resolved these issues to provide Total Application Control (TAC) that allows organizations to proactively defend their network endpoints from modern malware attacks.   </p>
<h3>A key goal of today&#8217;s cyber attacks: Establishing a &#8220;persistent point of presence&#8221;</h3>
<p>Today’s cyber criminal is not your stereotypical crook who breaks in, steals the loot, and gets out as fast as he can. According to Gartner analyst John Pescatore, the goal behind many of today’s attacks is to surreptitiously establish a persistent point of presence inside a network and use that to snoop on and steal information.</p>
<blockquote><p>
<em>&#8220;A common thread through many damaging incidents is targeted executables getting installed on critical servers or high value employee PCs.&#8221;</em></p></blockquote>
<p>In the article, <a href="http://www.infoworld.com/d/security/attacks-imf-lockheed-others-highlight-need-defenses-against-targeted-attacks-087">“Attacks on IMF, Lockheed and others highlight need for defenses against targeted attacks,”</a> a recent rash of successful cyber attacks against supposedly secure organizations has prompted the need for enterprises to deploy stronger defenses to protect their networks against highly targeted and persistent threats. Using whitelisting products alongside other AV tools to automatically block any unapproved applications from running on a system is one way to defend endpoints against custom Trojans that have been seen in many recent attacks.</p>
<p>Thanks for reading this month’s recap on some of the security industry’s biggest stories. I encourage you to regularly stop by to read our blog. Your thoughts on these important stories are always welcome.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-07/top-endpoint-security-stories-for-june-2011-malware-developers-show-just-how-efficient-they%e2%80%99ve-become/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Total Application Control (TAC): The best of whitelisting AND blacklisting&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-06/total-application-control-tac-the-best-of-whitelisting-and-blacklisting/</link>
		<comments>http://www.coretraceblogs.com/2011-06/total-application-control-tac-the-best-of-whitelisting-and-blacklisting/#comments</comments>
		<pubDate>Wed, 29 Jun 2011 13:24:02 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[application control]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[BOUNCER]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[financial fraud]]></category>
		<category><![CDATA[fraud detection]]></category>
		<category><![CDATA[malware attacks]]></category>
		<category><![CDATA[TAC]]></category>
		<category><![CDATA[total application control]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3257</guid>
		<description><![CDATA[As hackers get better at breaking into networks and compromising data, IT security experts continue to debate the best ways to defend their systems against highly targeted malware attacks. In the PCWorld article, “How to Stop Hack Attacks In One Easy Step: Whitelisting,” InfoSec pro Tony Bradley highlights some of the key differences between application [...]]]></description>
			<content:encoded><![CDATA[<p>As hackers get better at breaking into networks and compromising data, IT security experts continue to debate the best ways to defend their systems against highly targeted malware attacks. In the <em>PCWorld</em> article, <a href="http://www.pcworld.com/businesscenter/article/230980/how_to_stop_hack_attacks_in_one_easy_step_whitelisting.html">“How to Stop Hack Attacks In One Easy Step: Whitelisting,”</a> InfoSec pro Tony Bradley highlights some of the key differences between application whitelisting and traditional blacklist-based defenses. Let&#8217;s review those difference, but then I want to make the case for Total Application Control (TAC)&#8211;a blending of the best of <b>both</b> approaches.<span id="more-3257"></span></p>
<p>On one hand, whitelisting stops all unauthorized applications from running, essentially blocking any malicious/unauthorized software from executing on all network endpoints&#8211;regardless of whether it was a previously known application/attack or a new, unknown one. But as Richard Stiennon observes, simple whitelisting can be too restrictive and potentially require too much administrative overhead to maintain. On the other hand, blacklisting stops known bad applications from exploiting a system, but lets programs execute on a system by default if they are not on the blacklist. This reactive approach means users can execute software, including malicious attachments, thereby leaving networks and data vulnerable until after a threat is identified. Blacklisting also forces a steady stream of patching requirements and fire-drill reactions that become a black hole of IT time and money (e.g., trouble shooting poorly functioning machines, reimaging and even purchasing new systems prematurely).</p>
<p>As the whitelisting versus blacklisting debate rages on, instead of focusing on the limitations or weak points of each technology, what we should really be discussing are the strengths each of these two defenses brings to the table, and how, used together, they can help organizations gain complete control over all applications across their enterprise. CoreTrace calls this <b><i>Total Application Control (TAC)</i></b>. (Basically, we need to create the &#8220;Blue Ocean&#8221; strategy for endpoint security. If you are unfamiliar with the concept/book, check out: <a href="http://www.blueoceanstrategy.com/">www.blueoceanstrategy.com</a>.)</p>
<p>First, we need to clear some of the misconceptions that many still have, such as whitelisting being the same as “lockdown,” or that it doesn’t include cloud-based blacklists. The truth is, today’s leading <b>application control</b> solutions like <a href="http://www.coretrace.com/products/BOUNCER_by_CoreTrace/default.aspx">CoreTrace Bouncer</a> have evolved beyond straightforward whitelisting functionality. They’ve addressed the shortcomings around basic application whitelisting and blacklisting products by leveraging both technologies to provide the visibility organizations require to see all known good and bad applications in their environment. For a solution to achieve Total Application Control, it minimally needs to include three essential components:</p>
<ul>
<li><strong>1. Application Whitelisting:</strong> Whitelisting on all endpoints as the enforcement mechanism, ensuring established policies are enforced and all unauthorized applications are prevented from running.</li>
<li><strong>2. Change Management:</strong> The ability to seamlessly handle change (new authorized applications and upgrades), even in dynamic environments, without impacting IT production or user productivity.</li>
<li><strong>3. Cloud-based Whitelists&#8230; and <u>Blacklists</u>:</strong> A cloud-based reputation service that assigns risk profiles to all applications, identifying known-good applications and any known pieces of malware. &#8220;Cloud-based&#8221; is the key phrase: the reputation data is used in an offline capacity on the endpoint, so system performance is not impacted by onerous scans.</li>
</ul>
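<p>To make the three components concrete, here is an added example (not CoreTrace code, and not how Bouncer is implemented) that evaluates the same set of executables under a default-allow blacklist, a default-deny whitelist, and the blended policy described above. Executables are identified by the SHA-256 of their bytes; the reputation dictionary stands in for cloud feed results that were fetched earlier and cached locally so the execution decision never waits on a network call or a disk scan. The file names, contents and reputation labels are all constructed for illustration, and the mode names (<code>blacklist</code>, <code>whitelist</code>, <code>tac</code>) are this example&#8217;s own.</p>

```python
"""Added example, not CoreTrace's code: hash-based policy evaluation showing
how default-allow blacklisting, default-deny whitelisting, and the blended
policy the post calls Total Application Control treat the same executables.
File names, contents and reputation labels below are constructed."""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    """Identify an executable by the SHA-256 of its bytes, never by its name."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables (a real engine hashes the file on disk).
SAMPLES = {
    "notepad.exe":     b"MZ constructed known-good editor, build 1",
    "notepad_v2.exe":  b"MZ constructed upgrade of the editor, not yet approved",
    "invoice.pdf.exe": b"MZ constructed sample already seen by the cloud feed",
    "dropper.exe":     b"MZ constructed sample nobody has seen before",
}

# 1. Allowlist: hashes an administrator has explicitly authorized (enforcement).
ALLOWLIST = frozenset({sha256_hex(SAMPLES["notepad.exe"])})

# 3. Reputation: cloud feed verdicts cached locally, so deciding means a dict
#    lookup rather than a network round trip or a scan of the file.
REPUTATION = {
    sha256_hex(SAMPLES["notepad.exe"]):     "known-good",
    sha256_hex(SAMPLES["invoice.pdf.exe"]): "known-bad",
    # notepad_v2.exe and dropper.exe are absent: the feed has no verdict yet.
}


@dataclass(frozen=True)
class Verdict:
    name: str
    allowed: bool
    reputation: str  # known-good, known-bad or unknown
    reason: str


def decide(name, data, mode, allowlist=ALLOWLIST, reputation=REPUTATION):
    h = sha256_hex(data)
    rep = reputation.get(h, "unknown")
    if mode == "blacklist":
        # Default-allow: anything not known-bad runs, including a brand-new sample.
        allowed = rep != "known-bad"
        reason = "on blacklist" if not allowed else "not on blacklist"
    elif mode == "whitelist":
        # Default-deny: only authorized hashes run, known and unknown alike.
        allowed = h in allowlist
        reason = "on allowlist" if allowed else "not on allowlist"
    elif mode == "tac":
        # Blended: the allowlist decides; reputation is attached for reporting.
        allowed = h in allowlist
        reason = ("on allowlist" if allowed else "not on allowlist") + f", reputation={rep}"
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return Verdict(name, allowed, rep, reason)


def evaluate(mode, allowlist=ALLOWLIST, reputation=REPUTATION):
    """Run every sample through one policy mode; returns {name: Verdict}."""
    return {n: decide(n, d, mode, allowlist, reputation) for n, d in SAMPLES.items()}


def authorize(allowlist, data):
    """2. Change management: an approved upgrade is added by hash; nothing else changes."""
    return allowlist | {sha256_hex(data)}


def flagged(verdicts):
    """Reporting view: names whose cached reputation is anything but known-good."""
    return sorted(v.name for v in verdicts.values() if v.reputation != "known-good")


if __name__ == "__main__":
    for mode in ("blacklist", "whitelist", "tac"):
        print(f"== {mode} ==")
        for v in evaluate(mode).values():
            print(f"  {v.name:16} {'RUN  ' if v.allowed else 'BLOCK'} {v.reason}")
    upgraded = authorize(ALLOWLIST, SAMPLES["notepad_v2.exe"])
    print("== tac after approving notepad_v2.exe ==")
    for v in evaluate("tac", allowlist=upgraded).values():
        print(f"  {v.name:16} {'RUN  ' if v.allowed else 'BLOCK'} {v.reason}")
```

<p>Running it shows the gap the post describes: under <code>blacklist</code> the never-seen <code>dropper.exe</code> runs because nothing has flagged it yet, while under <code>whitelist</code> and <code>tac</code> it is blocked without any prior knowledge of it. The blended mode additionally reports that <code>invoice.pdf.exe</code> is known-bad and that <code>dropper.exe</code> and <code>notepad_v2.exe</code> are unknown, which is the visibility a plain allowlist cannot give. Approving the upgrade is a single hash added to the allowlist, leaving every other verdict unchanged.</p>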
<p>I’ve often wondered if hackers are taking full advantage of the rhetoric that goes on between competitive security vendors who, despite having the same anti-malware objectives, continue to create a cloud of confusion throughout the industry that stalls innovation and new proactive ways to defend networks against more dangerous modern malware. Maybe bringing longtime adversaries like whitelisting and blacklisting together to create Total Application Control is the last thing cyber criminals want to see. We certainly think so.</p>
<p>So stop debating and start controlling your systems with a blend of the top defense mechanisms. Move past confusion and into enlightenment and receive all the control and performance benefits of whitelisting with the reporting and compliance benefits of offline blacklisting.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-06/total-application-control-tac-the-best-of-whitelisting-and-blacklisting/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

