<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CoreTrace WhiteSpace&#187; CoreTrace WhiteSpace</title>
	<atom:link href="http://www.coretraceblogs.com/tag/blacklisting-future/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.coretraceblogs.com</link>
	<description>The Application Whitelisting and Security Weblog</description>
	<lastBuildDate>Fri, 30 Jul 2010 14:33:34 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Application whitelisting and the importance of trusted change</title>
		<link>http://www.coretraceblogs.com/2009-10/application-whitelisting-and-the-importance-of-trusted-change/</link>
		<comments>http://www.coretraceblogs.com/2009-10/application-whitelisting-and-the-importance-of-trusted-change/#comments</comments>
		<pubDate>Wed, 21 Oct 2009 19:04:03 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[blacklisting future]]></category>
		<category><![CDATA[rational transition]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=745</guid>
		<description><![CDATA[Traditional endpoint security based on patching and after-the-fact antivirus blacklisting is reaching the end of its useful life. It&#8217;s a topic that has been in the news much of 2009 and has been the subject of many of my own posts. For a sampling of this topic check out any of the [...]]]></description>
			<content:encoded><![CDATA[<p>Traditional endpoint security based on patching and after-the-fact antivirus blacklisting is reaching the end of its useful life. It&#8217;s a topic that has been in the news much of 2009 and has been the subject of many of my own posts. For a sampling of this topic check out any of the following posts:</p>
<ul>
<li><a href="http://www.coretraceblogs.com/2009-09/52-of-it-professionals-surveyed-are-considering-discontinuing-anti-virus/" target="_blank">52% of IT professionals surveyed are considering discontinuing anti-virus</a></li>
<li><a href="http://www.coretraceblogs.com/2009-09/anti-virus-days-are-numbered/">Anti-virus&#8217; days are numbered</a></li>
<li><a href="http://www.coretraceblogs.com/2009-10/microsoft-prepares-for-biggest-patch-tuesday-ever-endpoint-security-has-never-been-worse/" target="_blank">Microsoft prepares for biggest patch Tuesday Ever – Endpoint security has never been worse</a></li>
</ul>
<p>That, however, is not the topic of today&#8217;s post. Today I want to talk about application whitelisting as a complement to, or alternative to, antivirus and the importance of managing additions and updates to legitimate applications – <em>with the least amount of operational friction.</em><span id="more-745"></span></p>
<p>For the purpose of this post, I will make the assumption that most IT professionals are dissatisfied with their current endpoint security, are looking for alternatives, and that application whitelisting is on the short list of possibilities. This is certainly the case at Gartner Group if you look at their recent postings like <a href="http://blogs.gartner.com/john_pescatore/2009/10/01/guest-blogger-peter-firstbrook-where-is-the-breakthrough-on-desktop-security/" target="_blank">this one</a>.</p>
<p>If application whitelisting is one of the possible approaches to addressing the current sorry state of endpoint security, what is holding it back? Typically, there are two primary objections to application whitelisting that we encounter. First, IT professionals are worried about baselining a whitelist off of an existing system for fear that malware will get whitelisted. Taking a step back and looking at this objection, it seems to be more evidence that companies should look to move to whitelisting as soon as possible. If you truly believe that your existing systems are overrun with malware, then you should move to stop the bleeding immediately and employ whitelisting to prevent any further infections that antivirus is simply incapable of preventing. Then existing infections can be identified and eliminated through the use of signature-based solutions like antivirus. Eventually you will reach a steady state of clean systems.</p>
<p>The second objection is that managing changing applications is simply too cumbersome and that relying on an uber cloud-based white list is essentially another form of signature based security and will be too operationally disruptive to be effective. That is where we believe a &#8220;<a href="http://www.coretrace.com/products/features/trusted_change.aspx" target="_blank">trusted change</a>&#8221; system becomes an essential element of all application whitelisting solutions.</p>
<p>Managing change shouldn&#8217;t rely only upon the master whitelist, but rather should be flexible enough to allow change from multiple points within the organization. For example, a good application whitelisting solution should be able to define a number of avenues from which change can take place. This could include defining your points of accepted change: for example, software vendors whose digitally signed applications and updates are accepted, a trusted software distribution application, a specified trusted user, or software in a specific trusted network share. Essentially, application whitelisting must encompass the way users work with their PCs today and ideally should result in minimal disruption to their productivity and routine.</p>
<p>Trusted change is the backbone of CoreTrace&#8217;s BOUNCER solution and we feel strongly that application whitelisting solutions must easily enable legitimate additions and changes. Those solutions that do not have this capability will languish on single-purpose servers and never see the light of day in the general enterprise where they are so sorely needed.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2009-10/application-whitelisting-and-the-importance-of-trusted-change/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Anti-virus&#8217; days are numbered</title>
		<link>http://www.coretraceblogs.com/2009-09/anti-virus-days-are-numbered/</link>
		<comments>http://www.coretraceblogs.com/2009-09/anti-virus-days-are-numbered/#comments</comments>
		<pubDate>Mon, 14 Sep 2009 17:56:21 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[blacklisting future]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[whitelisting]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=507</guid>
		<description><![CDATA[Anti-virus simply isn&#8217;t effective anymore at providing desktop security. We have posted on this topic quite a bit recently, but it seems to have an endless supply of new information and postings that support the growing trend away from reactive, signature dependent anti-virus.
Consider the recent post from long-time industry expert, Robin Bloor, titled The Beginning [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.coretraceblogs.com/wp-content/uploads/2009/09/iStock_grim_reaper-303x201.jpg" alt="Anti-virus is dying" title="Anti-virus is dying" width="303" height="201" class="alignright size-medium wp-image-514" />Anti-virus simply isn&#8217;t effective anymore at providing desktop security. We have posted on this topic quite a bit recently, but it seems to have an endless supply of new information and postings that support the growing trend away from reactive, signature dependent anti-virus.</p>
<p>Consider the recent post from long-time industry expert, Robin Bloor, titled <a href="http://havemacwillblog.com/2009/09/11/the-beginning-of-the-end-for-antivirus/" target="_blank">The Beginning of the End For AntiVirus</a>. Robin has been a long time advocate of moving away from a clearly broken anti-virus technology and moving toward a more proactive solution that can solve the problem of zero day threats and root kits. He had this to say about the growth of whitelisting and the fall of AV in his article:<span id="more-507"></span></p>
<blockquote>
<p>&#8220;Eventually, however, the whitelisting success stories began to emerge and in the meantime, AV products continued to fail. There were two particular areas of concern for security conscious organizations:</p>
<ol>
<li>Zero day threats</li>
<li>Root kits</li>
</ol>
<p>AV technology has a terrible record against zero day threats for the laughingly obvious reason that the bad guys buy the AV software and test their malware against it, before they let it loose on the unprepared. AV technology was always about slamming the stable door after the horse had bolted, and zero day threats proved it time and again. When we began to witness the emergence of root kits, then IT security folk who understood the nature of the threat started to become very nervous.&#8221;</p>
</blockquote>
<p>Next, let&#8217;s look at another recent article pointing to the potential for the first major worm affecting Windows Vista titled &#8220;<a href="http://lastwatchdog.com/stage-set-vista-worm-microsoft-scrambles-ready-smb2/" target="_blank">The stage is set for a Vista worm, as Microsoft scrambles to ready SMB2 patch</a>.&#8221; Microsoft has issued a <a href="http://www.microsoft.com/technet/security/advisory/975497.mspx" target="_blank">heightened security advisory</a> on this vulnerability, but what is happening today?</p>
<p>What is happening is what always happens on important security advisories. Sophisticated IT shops are trying to implement workaround fixes while they wait for a patch. Once the patch is out they will try to distribute it to all their systems to ensure they are protected. As for blacklist AV software, they need to wait for the exploit before they can be protected. Comforting, isn&#8217;t it? Is it any wonder that self-propagating threats like Conficker still make their impact felt?</p>
<p>Opinions vary on whether this latest exploit will lead to a Vista worm, but consensus is building toward endpoint security solutions, like whitelisting, that provide a viable alternative to anti-virus. Need more evidence of the trend away from blacklist anti-virus? Check out our latest research report that shows that <a href="http://www.coretraceblogs.com/2009-09/52-of-it-professionals-surveyed-are-considering-discontinuing-anti-virus/" target="_blank">52% of IT professionals are considering discontinuing anti-virus</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2009-09/anti-virus-days-are-numbered/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>52% of IT professionals surveyed are considering discontinuing anti-virus</title>
		<link>http://www.coretraceblogs.com/2009-09/52-of-it-professionals-surveyed-are-considering-discontinuing-anti-virus/</link>
		<comments>http://www.coretraceblogs.com/2009-09/52-of-it-professionals-surveyed-are-considering-discontinuing-anti-virus/#comments</comments>
		<pubDate>Thu, 10 Sep 2009 18:09:16 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[blacklisting future]]></category>
		<category><![CDATA[whitelisting]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=491</guid>
		<description><![CDATA[This week we published a research report conducted on our behalf by Dimensional Research titled &#8220;Anti-Virus and Anti-Malware: A survey of IT Professionals.&#8221; The results are illuminating. It is clear that dissatisfaction with existing desktop security is at an all time high, but that people feel locked into a solution without alternatives.
Last week, I highlighted [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.coretraceblogs.com/wp-content/uploads/2009/09/iStock_thumbs_down-303x200.jpg" alt="52% IT Professionals want to discontinue anti-virus" title="52% IT Professionals want to discontinue anti-virus" width="303" height="200" class="alignright size-medium wp-image-492" />This week we published a research report conducted on our behalf by <a href="http://www.dimensionalresearch.com/">Dimensional Research</a> titled <a href="http://www.coretrace.com/resources/webinars/Ziff_Davis_Webinar--Results_from_Anti-malware_Survey_of_IT_Professionals.aspx" target="_blank">&#8220;Anti-Virus and Anti-Malware: A survey of IT Professionals.&#8221;</a> The results are illuminating. It is clear that dissatisfaction with existing desktop security is at an all time high, but that people feel locked into a solution without alternatives.</p>
<p>Last week, I highlighted Gartner Group analyst John Pescatore&#8217;s call to <a href="http://www.coretraceblogs.com/2009-09/time-to-start-over-on-desktop-security/" target="_blank">start over again on desktop security</a> and it appears that the over 200 IT professionals that we surveyed agreed. 52% of the respondents to our survey indicated that they were considering discontinuing blacklist anti-virus altogether. Given their lack of faith in its effectiveness and their concern over the performance impact of an increasingly bloated application, it should be no surprise.</p>
<p>We will be talking about these and many other trends in a <a href="http://www.coretrace.com/resources/webinars/Ziff_Davis_Webinar--Anti-malware_Survey_of_IT_Professionals.aspx" target="_blank">webinar</a> next week presenting the details of the survey. I hope that you are able to join us and begin participating in the discussion of how to start over on desktop security.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2009-09/52-of-it-professionals-surveyed-are-considering-discontinuing-anti-virus/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Time to Start Over on Desktop Security</title>
		<link>http://www.coretraceblogs.com/2009-09/time-to-start-over-on-desktop-security/</link>
		<comments>http://www.coretraceblogs.com/2009-09/time-to-start-over-on-desktop-security/#comments</comments>
		<pubDate>Tue, 01 Sep 2009 20:30:16 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[rational transition to whitelisting]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[blacklisting future]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[rational transition]]></category>
		<category><![CDATA[whitelisting]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=434</guid>
		<description><![CDATA[I came across this post from John Pescatore today on his Gartner blog titled, &#8220;Twelve Word Tuesday: I&#8217;d Start Over Again on Desktop Security&#8221;, and I couldn&#8217;t agree more. The evidence of the failure of blacklisting anti-virus can be found everywhere.
John makes a reference to the Government&#8217;s Cash for Clunkers program and I think the [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.coretraceblogs.com/wp-content/uploads/2009/09/iStock_resetbutton-302x227.jpg" alt="Time to Start Over on Desktop Security" title="Time to Start Over on Desktop Security" width="302" height="227" class="alignright size-medium wp-image-439" />I came across this post from John Pescatore today on his Gartner blog titled, <a href="http://blogs.gartner.com/john_pescatore/2009/09/01/twelve-word-tuesday-id-start-over-again-on-desktop-security/" target="_blank">&#8220;Twelve Word Tuesday: I&#8217;d Start Over Again on Desktop Security&#8221;</a>, and I couldn&#8217;t agree more. The evidence of the failure of blacklisting anti-virus can be found everywhere.</p>
<p>John makes a reference to the Government&#8217;s Cash for Clunkers program and I think the analogy is an appropriate one. There are many desktop security companies that are heavily invested in the way things are today. Their recurring revenue model is based on subscriptions to a bloated blacklist. Their security solutions work on a find and clean model and not a preventative model. The likelihood that they will &#8220;start over&#8221; on security is slim to none and more likely they will keep trying to add a fresh coat of paint, change the tires and oil and patch things together with new additions. The problem is the engine is broken and won&#8217;t last much longer.<span id="more-434"></span></p>
<p>The problem was evident again this month when we witnessed the largest theft of credit cards in history. Over <a href="http://dealbook.blogs.nytimes.com/2009/08/18/3-indicted-in-theft-of-130-million-card-numbers/" target="_blank">130 million credit cards were stolen</a> by Albert Gonzalez and his accomplices using, in many cases, exploits that have been around for years. One of the primary exploits was a SQL injection attack against a vulnerability that has been fixed for some time and is definitely preventable.</p>
<p>This attack and the ongoing proliferation of botnets have led to a number of articles indicting everything from PCI DSS standards to overall security practices. An article last week in Forbes, <a href="http://www.forbes.com/2009/08/27/cybercrime-phishing-security-technology-cio-network-data-breach.html" target="_blank">&#8220;Safeguarding Against Data Breaches,&#8221;</a> looks to offer advice. It does a good job of describing the problem, but the solution falls short, oversimplifying a very difficult problem.</p>
<p>Sadly, advice is not enough. There are too many attacks that penetrate organizations that take security very seriously to think that it is a common sense and education issue as suggested in the Forbes article. Desktop security is broken, plain and simple. The problem lies in trying to create a known signature for every piece of malware and attack that might be out there. It&#8217;s simply not feasible anymore to identify an attack, create a signature, distribute it to customers and have the customers update their systems before the attack affects them.</p>
<p>This company was founded on the premise that desktop security needs to fundamentally change. It is far easier to define what is allowed to run on a computer and block everything else than it is to identify and prevent every known attack. Last month we outlined what we think needs to happen to transition organizations to a more rational approach to desktop security, application whitelisting.</p>
<ul>
<li><strong><a href="http://www.coretraceblogs.com/2009-07/endpoint-protection-a-case-for-a-rational-transition-to-whitelisting-step-1-protect/" target="_blank">Protect</a></strong> – First we must baseline our systems to prevent any new infections</li>
<li><strong><a href="http://www.coretraceblogs.com/2009-07/endpoint-protection-a-case-for-a-rational-transition-to-whitelisting-part-2-purify/" target="_blank">Purify</a></strong> – We then transition into a process that cleans our existing systems of any residual malware</li>
<li><strong><a href="http://www.coretraceblogs.com/2009-07/endpoint-protection-a-case-for-a-rational-transition-to-whitelisting-step-3-change-management/" target="_blank">Manage Change</a></strong> – A new approach to desktop security requires that people can still use their computer productively and allow for new and updated software</li>
</ul>
<p>Next week we will be publishing the <a href="http://coretrace.com/resources/webinars/Ziff_Davis_Webinar--Results_from_Anti-malware_Survey_of_IT_Professionals.aspx" target="_blank">results of our Anti-Malware Survey of IT Professionals</a> and it is eye opening to say the least.</p>
<p>In two weeks we are also hosting a <a href="http://coretrace.com/resources/webinars/Ziff_Davis_Webinar--Anti-malware_Survey_of_IT_Professionals.aspx" target="_blank">webinar on the results</a> with Aaron Goldberg, vice president and principal analyst for Ziff Davis Enterprise, and Diane Hagglund, founder and principal of Dimensional Research.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2009-09/time-to-start-over-on-desktop-security/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Evidence Abounds of the Failure of Blacklist Antivirus</title>
		<link>http://www.coretraceblogs.com/2009-07/evidence-abounds-of-the-failure-of-blacklist-antivirus/</link>
		<comments>http://www.coretraceblogs.com/2009-07/evidence-abounds-of-the-failure-of-blacklist-antivirus/#comments</comments>
		<pubDate>Thu, 30 Jul 2009 19:43:05 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[blacklisting future]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[rational transition]]></category>
		<category><![CDATA[whitelisting]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=313</guid>
		<description><![CDATA[The most recent piece of evidence comes courtesy of the 2009 Black Hat conference going on right now in Las Vegas. MX Logic reports from this year&#8217;s conference that a new trojan called &#8220;Clampi&#8221; is being used for highly sophisticated identity theft. The researcher cited from SecureWorks claims that hundreds of thousands of PCs have [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.coretraceblogs.com/wp-content/uploads/2009/07/iStock_PC_sparks-303x200.jpg" alt="Blacklist Antivirus is Simply Failing" title="Blacklist Antivirus is Simply Failing" width="303" height="200" class="alignright size-medium wp-image-315" />The most recent piece of evidence comes courtesy of the <a href="http://www.blackhat.com/" target="_blank">2009 Black Hat conference</a> going on right now in Las Vegas. MX Logic reports from this year&#8217;s conference that a <a href="http://www.mxlogic.com/securitynews/identity-theft/black-hat-report-clampi-trojan-a-perfect-tool-for-identity-theft322.cfm" target="_blank">new trojan called &#8220;Clampi&#8221; is being used for highly sophisticated identity theft</a>. The researcher cited from SecureWorks claims that hundreds of thousands of PCs have already been infected.<span id="more-313"></span></p>
<p>The trojan itself is highly dangerous, targeting both online banking credentials as well as personal identity information. It is funny that this trojan is so prevalent, because it was <a href="http://www.symantec.com/security_response/writeup.jsp?docid=2008-011616-5036-99" target="_blank">identified by security vendors like Symantec back in early 2008</a>. The problem with today&#8217;s malware is that it simply doesn&#8217;t stay static. Each trojan, virus or worm morphs into thousands of variations that avoid traditional blacklist antivirus.</p>
<p>The hard facts are that blacklist antivirus simply provides no protection at all. By the time you react and update your signatures, another version of the malware is on its way out the door. Identifying infection and cleaning up the mess is important, but it simply isn&#8217;t the type of protection that people need for their valuable IT assets. It is time for everyone to begin a process to move toward a system that can prevent infection in the first place. As we highlighted in our <a href="http://www.coretraceblogs.com/2009-07/endpoint-protection-a-case-for-a-rational-transition-to-whitelisting-step-1-protect/" target="_blank">Rational Transition to Whitelisting</a> series of posts, we think the answer to that problem is application whitelisting.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2009-07/evidence-abounds-of-the-failure-of-blacklist-antivirus/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
