CoreTrace’s latest release of its BOUNCER solution is one of the industry’s first enterprise-ready application whitelisting solution that is engineered for all the major versions of Windows and Solaris rolled into one solution.

While AppLocker provides adequate protection for one or two Windows 7 clients, it has its limitations. One of the key shortcomings is the inability to ensure users always have the latest updates. For example, AppLocker still requires ongoing manual tuning of whitelists, a time-intensive procedure that can set back enterprises’ security. Along with stopping the most sophisticated malware attacks out there, BOUNCER is the only application whitelisting solution that creates customized whitelists for each computer, automatically updates the whitelists for new applications and upgrades, and provides centralized management and reporting. This is a cut above AppLocker and other application whitelisting solutions currently available.

Depending on the level of protection needed to secure an enterprise, AppLocker provides the right ingredients to make IT organizations more secure. However, there remains limitations inherent within AppLocker that other tools such as BOUNCER can help fill. To understand more about BOUNCER and how it takes application whitelisting to the next level, download our complimentary whitepaper, “Application Whitelisting: Microsoft AppLocker and Beyond.”

First, let’s look at what changes.

• Define good applications, don’t focus on finding bad ones. Application whitelisting completely changes the paradigm for endpoint security. The new requirement for desktop security is putting in a place a process to define what applications are allowed to run on your systems. The blacklisting antivirus approach will likely remain in a transition to find and clean up any residual infections.
• Focus is on prevention not detection. The days of rushing out a new signature for antivirus or operating system patch are over. Application whitelisting will protect your systems agains new threats, even zero day and custom targeted threats. What this means is that your whole operational process for updating endpoints can evolve to a saner scheduled update process that includes patch testing to ensure that the patch doesn’t break anything.
• Establish a process for application updates and additions. System changes will now conform to the policies you set. You will establish rules for when change is appropriate and who is authorized to make changes. What this results in is more control of the endpoint environment as a whole.

Now that you know the changes that are coming, what is going to be important to your success in implementing application whitelisting?

• Prevent user revolt – first do no harm – Application whitelisting can not rely upon a master approved list and arbitrarily shut off unknown applications. A good solution must start from the premise of first preventing any new malware from getting on the system and not disabling unknown applications. Doing otherwise will result in users with applications that crash because of their new whitelisting implementation.
• Transition AV to a clean up role – Traditional blacklist antivirus won’t just disappear, but it’s role will. It will no longer be seen as a preventative solution but rather as a clean up tool. This will play an important role in identifying the remnants of malware that may have been on a system when you loaded whitelisting and will assist in removing unwanted malicious applications.
• Managing change makes all the difference – This is where good enterprise class application whitelisting systems will distinguish themselves. Adding and updating software will never go away on endpoints. It is a natural part of the productivity process. Application whitelisting must support this goal and be able to make this process as painless as possible. This means defining under what circumstances change can occur on an endpoint without IT interaction. For example, you may want to allow users to update digitally signed software from a major software vendor. Managing change effectively is at the heart of a strong application whitelisting solution.

Application whitelisting will certainly be coming to your systems in the near future. Take the time to think about how this will change your endpoint security and operations strategies and you will be well prepared to get the most benefits from it.

Q: What is a watershed moment?
A: A critical turning point.

Microsoft’s decision to include AppLocker, a technology for application whitelisting, in Windows 7 is no less than a critical turning point for the future of endpoint security. You might think it strange that the CEO of an application whitelisting company is saying such a thing about a free software offering that many might see as a competitor. Not so.

AppLocker is an incredibly important step forward toward the realization that application whitelisting is the future cornerstone of a sound endpoint security strategy. Today, Roger Grimes, product reviewer for InfoWorld, wrote reviews for the leaders in application whitelisting, including a comprehensive look at CoreTrace. The results are impressive. Roger writes:

Whitelisting security has always taken a backseat to blacklisting approaches. After all, when there is far more good software running on computers and networks than bad software, it’s just easier to block the bad than to approve all the good. But that was then, and this is now.

In 2009, the computer security defense world quietly marked a momentous threshold that should have us all looking anew at the value of whitelisting. Last year, the number of unique malicious programs and variants that were created outstripped all the legitimate software published in the world, straining the accuracy of anti-virus solutions like never before. It’s a disturbing fact that suggests whitelisting is now more suitable as a primary security defense than traditional anti-virus scanners, which are really nothing more than blacklisting programs.

Roger is spot on and when people look back five years from now, they will see the introduction of AppLocker as a key moment that led to the adoption of enterprise class application whitelisting, like that offered by my company CoreTrace and others. People have understood for some time now that it is time to start over on endpoint security. Gartner, I and others have written about this numerous times over the course of the last year. The reason AppLocker is so important is that it is a confirmation to many that whitelisting is the future and it will allow businesses to get experience with the technology for free before they move to an enterprise class solution.

Now the fun begins. Yesterday, I congratulated Patrick Morley of Bit9 on their first place finish in the review. While we aren’t satisfied with our second place finish (you can bet we’re gunning for #1 in the next review), we are more than happy to stack our technology up against anyone head to head and look forward to the competition in the future.

What is important about this moment is that people should move past looking for where the future of endpoint security is moving. It’s moving to application whitelisting. Now is the time to focus on how application whitelisting will be successful during a transition to a better approach to desktop security. At the core, we believe there are several critical areas that must be addressed for application whitelisting to be successful.

• Application whitelisting must manage change – Handling change well is what will separate good application whitelisting solutions from the bad. It is the difference between seamless adoption of whitelisting and IT and user revolt. Roger Grimes highlighted CoreTrace’s handling of change in his review.

  One of the biggest challenges for any whitelisting product is handling complicated product updates. Here Bouncer shines. First, any update operating under a Trusted User, Trusted Application, or Trusted Network Share is allowed to run, and the new whitelisting rule is generated. Bouncer can even handle multiboot, chained installs and major service pack updates, automatically generating the necessary new rules.

  Bouncer goes even further in one seemingly small step that, although not unique among the products in this review, means big things. Any trusted application is allowed to install other applications. For example, administrators could trust the Windows Update service, Microsoft’s Systems Management Server or Systems Center Configuration Manager, or their regular, controlled patching program. Any program installed using those predefined trusted pathways is automatically trusted and a new whitelist rule is generated. This allows companies to officially sanction their primary installer application without having to manually update the whitelist rules.

• Application whitelisting should handle memory based attacks – I recently posted on the importance of preventing memory based attacks. The essence of this is that a simple whitelist of approved applications isn’t enough to stop sophisticated attacks. A strong application whitelisting solution must be able to protect running applications from being used as a conduit for malware to bypass whitelisting.

• Application whitelisting must be cross platform – While AppLocker is a good step forward in raising awareness for application whitelisting, its limitation to Windows 7 Enterprise edition only won’t do it any favors. Ultimately, a good application whitelisting solution should be able to handle more than one limited version of the Windows OS. Additionally developments in support of other operating systems with the same central administrative interface will be essential to a solution’s success.

• Transition to whitelisting should be painless – There are two keys to making this happen. First, deployment of an application whitelisting solution should not require fresh, cleaned systems. Deployment of a new solution should first ensure that existing applications don’t break and that there isn’t a massive IT re-imaging initiative required. Second, the solution should have a strong central management capability that is enterprise grade. No organization configures all systems alike and a good solution must be able to manage these different endpoint environments as painlessly as possible.

The future of endpoint security has never been closer. We are excited to be a part of it.

Congratulations to you and your entire team on being named the top provider in InfoWorld’s inaugural application whitelisting product review, just edging out second place finisher, CoreTrace. Roger Grimes did an excellent job of assessing each of the solutions. While we honestly believe that our BOUNCER solution is the better product (as you would expect), we wanted to congratulate you on your win this round.

We are very excited that the application whitelisting market is coming of age, and that all of the benefits are becoming well known and documented. Reviews like this one, combined with increasing customer adoption and Microsoft’s big push of AppLocker, are all clear evidence of this sea change.

Roger’s review reflects what we both know and are experiencing in competitive deals everyday: it is quickly becoming a two horse race between our two companies. This review is further evidence that any company considering Bit9 should look at CoreTrace, and vice versa.

We are looking forward to jointly growing the application whitelisting market with Bit9, and to competing aggressively with you going forward.

Congratulations again and good luck in the future,

Toney

• Windows 7 Security is Front and Center – On October 22nd Microsoft Windows 7 officially went on sale and much of the news is concerning it’s improved security. eWeek highlighted the new Windows 7 security features in a recent article. Among the changes highlighted is the new AppLocker capability. I will be writing much more about this feature in the coming weeks, but for this post suffice it to say that they have the right idea with extremely poor execution. AppLocker brings application whitelisting to Windows 7 with some glaring omissions. The first problem, of course, is it only works on Windows 7, and even then only on enterprise editions. Another key problem is the lack of central administration which is the key to successful migration to application whitelisting. As I said, I will be spending much more on this topic in the coming weeks.
• Windows 7 still vulnerable to 80% of viruses – Despite touting Microsoft’s new OS as being much more secure, IT Pro is reporting that Windows 7 is vulnerable to 8 out of 10 viruses that it was exposed to right out of the box without anti-virus. This test was conducted by AV vendor Sophos and included tests of the new User Account Control (UAC) feature and found that it only prevented 2 of the 10 new threats they tested. More than anything this showed Microsoft’s continued reliance on AV vendors to provide security and that is just more of the same problem we have today.
• Microsoft breaks record with largest patch Tuesday ever – Microsoft was cleaning up its zero day threats from September with a record breaking patch Tuesday. Microsoft issued 13 updates, with 8 of them deemed critical in October to fix the recently revealed vulnerabilities that impacted both legacy systems and the new Windows 7 OS.
• The result of the patching? Cleaning up bugs of course – Following it’s large month of patching Microsoft is now cleaning up the bugs with new updates. This is the classic problem with the current patching and signature reliant security paradigm. Patches come out too slow to prevent infections, malware is sophisticated enough to avoid blacklist antivirus solutions, and the patches that are released introduce bugs and potentially disrupt operations.
• President Obama declares October “National Cybersecurity Awareness Month” – Amidst all the security news, U.S. President Obama declared October National Cybersecurity Awareness Month and highlighted the problems created by rampant malware and scammer attacks. His campaign is primarily recognizing our IT infrastructure as a critical national resource and focusing on raising awareness on how individuals and businesses can combat this threat.
• Fake antivirus attacks demand ransom – As if ineffective antivirus weren’t bad enough, PC World is reporting that fake antivirus solutions are out there that will lock up computer files and demand payment to un-quarantine your personal files.

There were many other stories regarding new threats and exploitation of botnets, but the main news from our standpoint is that despite continued efforts to improve a broken system, the fundamental approach toward endpoint security remains flawed and urgently needs to be changed. Microsoft and others are recognizing that application whitelisting will play an increasingly central role in addressing security weaknesses and now the discussion can shift to how that role will most effectively be accomplished.