On one hand, whitelisting stops all unauthorized applications from running, essentially blocking any malicious/unauthorized software from executing on all network endpoints–regardless of whether it was a previously known application/attack or a new, unknown one. But as Richard Stiennon observes, simple whitelisting can be too restrictive and potentially require too much administrative overhead to maintain. On the other hand, blacklisting stops known bad applications from exploiting a system, but lets programs execute on a system by default if they are not on the blacklist. This reactive approach means users can execute software, including malicious attachments, thereby leaving networks and data vulnerable until after a threat is identified. Blacklisting also forces a steady stream of patching requirements and fire-drill reactions that become a black hole of IT time and money (e.g., trouble shooting poorly functioning machines, reimaging and even purchasing new systems prematurely).

As the whitelisting versus blacklisting debate rages on, instead of focusing on the limitations or weak points of each technology, what we should really be discussing are the strengths that these two fraud detection super powers bring to the table — and when used together — can help organizations gain complete control over all applications across their enterprise. CoreTrace calls this Total Application Control (TAC). (Basically, we need to create the “Blue Ocean” strategy for endpoint security. If you are unfamiliar with the concept/book, check out: www.blueoceanstrategy.com.)

First, we need to clear some of the misconceptions that many still have, such as whitelisting being the same as “lockdown,” or that it doesn’t include cloud-based blacklists. The truth is, today’s leading application control solutions like CoreTrace Bouncer have evolved beyond straightforward whitelisting functionality. They’ve addressed the shortcomings around basic application whitelisting and blacklisting products by leveraging both technologies to provide the visibility organizations require to see all known good and bad applications in their environment. For a solution to achieve Total Application Control, it minimally needs to include three essential components:

1. Application Whitelisting: Whitelisting on all endpoints as the enforcement mechanism to ensure established policies are enforced and all unauthorized applications are prevented.

2. Change Management: The ability to seamlessly handle change (new authorized applications and upgrades) even in dynamic environments without impacting IT production or user productivity.

3. Cloud-based Whitelists… and Blacklists: Cloud-based reputation service to assign risk profiles to all applications, including identifying known-good applications and any known pieces of malware. “Cloud-based” is key phrase: use the information in a offline capacity, so as to not impact system performance with onerous scans.

I’ve often wondered if hackers are taking full advantage of the rhetoric that goes on between competitive security vendors, who despite having the same anti-malware objectives, continue to create a cloud of confusion throughout the industry that actually stalls innovation, and new proactive ways to defend networks against more dangerous modern malware. Maybe bringing longtime adversaries like whitelisting and blacklisting together to create Total Application Control is the last thing cyber criminals want to see. We certainly think so.

So stop debating and start controlling your systems with a blend of the top defense mechanisms. Move past confusion and into enlightenment and receive all the control and performance benefits of whitelisting with the reporting and compliance benefits of offline blacklisting.

But as cyber crime evolves and targets change, Mac users who once operated with the mindset that attackers are only focused on Windows systems, need to think again.

While the Mac OS X is touted as a highly secure operating system, the growing market share of Mac products and applications–especially by high-value targets like executives and generals–has caught the attention of cyber criminals. This has created a major shift in the systems hackers are targeting today. As they move away from Windows PCs and target other operating systems and platforms, Mac users are now facing many of the same types of security challenges that Microsoft users face.

In my research, I continue to find more and more signs of how Macs aren’t as immune to malware attacks as one may think they are, including:

• If Macs were perfectly secure, Apple would not be constantly releasing security updates for Mac OS and its applications.
• Mac kernel-level rootkits have already been discussed in Phrack magazine.
• “The Mac Hacker’s Handbook” examines how Mac OS X can be attacked, and how to best handle security weaknesses.
• Traditional antivirus vendors are selling Mac security products utilizing traditional blacklisting technology.

As we head into the second decade of the 21st Century, it’s important to understand that Mac OS is not inherently more secure than Windows or any other OS, and that the days of Mac users operating under the radar from malware, viruses and other worms, are over.

The bottom line is Mac malware does exist. It would be naive to think that Macs are invulnerable to attacks, and even worse not to run third-party security solutions like so many Mac users continue to do. The real question is what solution to use? As Toney Jennings recently blogged about here on WhiteSpace, CoreTrace believes that deploying 25-year-old reactive technology that has been proven ineffective in the Windows world is not the answer. For Mac users, this is an opportunity to start fresh by implementing proactive protection based on application whitelisting. In doing so, IT teams and users receive three key benefits:

• Advanced threat prevention
• Configuration control
• Application intelligence

1. Blended threats will become the norm; Stuxnet clones will be rampant, but the real threats will be far more dangerous and sophisticated: My concern is that Stuxnet was far too public and easily discovered. While Stuxnet clones will have a profound impact in the security industry, these threats may be the tip of the iceberg for real threats that are far more powerful and dangerous.
2. Previously safe platforms will be attacked: Information and users of iOS and mobile platforms, once considered safe because there were fewer to exploit, will be targeted by hackers. This will create a need to rapidly secure such devices that were previously believed to be safe.
3. Emergence of a new combination of endpoint security and control solutions: Worlds will collide as previously separate — even competitive — endpoint security and control solutions will increasingly overlap with PC lifecycle management offerings. Anti-malware solutions will include both blacklisting and application whitelisting, each playing a critical role to effectively protect network endpoints from more sophisticated cyber attacks.
4. Security for virtual environments will become increasingly competitive; performance impacts will be a primary differentiator: Virtual desktops and servers will require continued protection against targeted attacks in 2011. In addition to effectively detecting malware, a key differentiator for security solutions will be the ability to stop the execution of exploits without impacting performance.
5. The term “Advanced Persistent Threat” will expand beyond adversaries specifically targeting the federal government: The military term “Advanced Persistent Threat” (APT) has gone from describing sophisticated, foreign state-sponsored cyber attacks against the United States to inaccurately sell security products. While vendors will continue to misuse the term for marketing purposes, the term will expand to well-funded cyber attacks targeting organizations and individuals outside the federal government.

I would be very interested in your thoughts about these predictions, and what other areas you think might have a significant impact in the security market in 2011.

First, I couldn’t agree more with his general outlook:

• Mobile devices are the wave of the future
• Microsoft is not going to be the end-all, be-all dominant player in the corporate environment
• Whitelisting and blacklisting in combination is the way the security world is going
• Blacklisting is moving to the cloud rather than directly on every single device

This is again a great affirmation from a traditional antivirus leader of the shift that’s occurring towards a modern, antivirus approach that combines blacklisting and whitelisting, with application whitelisting as the primary mechanism for preventing the execution of malicious applications. These points are in line with what we are seeing, and I couldn’t agree more with his assessments. However, the one point I have to disagree with was the conclusion:

“Because Windows is so complex, a whitelisting list would almost be as big as the blacklisting list.”

I have a problem with the statement itself, and how it implies that there are too many applications on Windows to be able to know what to do with in terms of managing legitimate change. First, I guess if someone was trying to create the world’s largest repository for all known-good applications on the planet, then he’s correct. But we at CoreTrace have never believed in that theory. We’ve always believed that it’s a unique whitelist for every individual device that should be auto-generated from that device, which is not a monolithic exercise.

Second, to once again debunk the myth that whitelisting is too complicated for the Windows environment, I know this because every one of our customers has Windows, every one of the them uses it, it deploys rapidly, and it handles changes, updates and dynamic environments.

As a result, we are going to keep on eye an whether or not he continues to propagate the myth of saying that application whitelisting does not apply to Windows because it is too complex. I’d be very interested because I, for one, know this is simply not true.

This is why I’ve made it my personal crusade to make sure security and operations professionals everywhere have the most updated information about application whitelisting. Not only did I feel compelled, but I felt it was my obligation to publish the new security brief, “Top Seven Things You Need to Know about Application Whitelisting,” to dispel the myths and outdated perceptions that surround application whitelisting. The list provides up-to-date knowledge of the capabilities of today’s leading application whitelisting solutions such as CoreTrace’s BOUNCER, and includes:

• Application whitelisting’s malware protection is far better than that provided by blacklist-based antivirus products
• Blacklisting scans kill performance; application whitelisting scans are quick and imperceptible
• Application whitelisting is not the same as “lockdown”; leading solutions are built to address user-driven dynamic environments like desktops and laptops
• Leading solutions actually include cloud-based blacklists
• Leading solutions go beyond security to provide intelligence about all applications in a network — including usage and prevalence

I invite you to join me in my webinar of the same title on Thursday, November 18th at 2:00 p.m. EDT/ 11:00 a.m PDT, where I will share insights I’ve amassed from hundreds of discussions I’ve had with enterprise and government agencies. I look forward to talking with you soon.