Well, I find myself in the position today of being the doting parent. Only in this case, the “child” is a major overhaul of our flagship product, BOUNCER V6.0. With this new release the “child” has grown into an adult. You’ll have to pardon my metaphor here, but I believe building a product is, in many ways, like watching your kid grow up. With V6, we’re realizing the vision we developed for the product when I joined CoreTrace more than 3 years ago.

Why is this release so special? As I’ve said many times before, the historical “knock” against whitelisting (largely propagated by blacklist-based antivirus companies with a revenue stream to protect) was the notion that the management overhead outweighed the significant security benefits. At CoreTrace we’ve focused like a religion on “operationalizing” application whitelisting. By this I mean being able to realize the security advantages of whitelisting while at the same time becoming increasingly transparent to the end users and actually easing the burden on the IT shop. The best of both worlds, if you will.

With whitelisting, that means making it very easy and simple to add and subtract applications from the “whitelist”. With V6, we do this by adding “self-approval queues” to our already best-in-class “Trusted Change” mechanisms (even the names of these new user privilege options are cool–”AllowQ” and “BlockQ”–with the “Q” meaning “queue”). In addition, we’re adding “Application Intelligence” to our product so that the BOUNCER admin can quickly determine if they want to ban or allow applications that are requested through these queues. Not only does our new CoreTrace Software Intelligence (CSI) service include millions of “known good” applications, it also even includes millions of “known bad” pieces of malware. That is right; it provides intelligence based on blacklisting! We have always felt that whitelisting and blacklisting would coexist–we fundamentally believe that the primary enforcement mechanism will be based on whitelisting (for efficacy and performance reasons) and blacklists will be used in a supporting capacity (like ensuring that any *known* malware is identified, stopped and removed from all systems).

Add in a slick new web-based interface and enterprise-class scalability improvements (including a software-only solution, with the management servers shipping as virtual appliances) and it’s recipe for me whipping out my wallet and showing some pictures. In fact, you can go here for more detailed info on BOUNCER V6.

We’ve been able to preview this release with a great many customers, partners, and analysts. In all cases, I asked for brutal honesty and feedback. The reactions have been overwhelmingly positive. Can’t wait to get this into production environments.

You know, it’s pretty cool when your baby really ISN’T ugly…

Congratulations to you and your entire team on being named the top provider in InfoWorld’s inaugural application whitelisting product review, just edging out second place finisher, CoreTrace. Roger Grimes did an excellent job of assessing each of the solutions. While we honestly believe that our BOUNCER solution is the better product (as you would expect), we wanted to congratulate you on your win this round.

We are very excited that the application whitelisting market is coming of age, and that all of the benefits are becoming well known and documented. Reviews like this one, combined with increasing customer adoption and Microsoft’s big push of AppLocker, are all clear evidence of this sea change.

Roger’s review reflects what we both know and are experiencing in competitive deals everyday: it is quickly becoming a two horse race between our two companies. This review is further evidence that any company considering Bit9 should look at CoreTrace, and vice versa.

We are looking forward to jointly growing the application whitelisting market with Bit9, and to competing aggressively with you going forward.

Congratulations again and good luck in the future,

Toney

In our opinion there are only two things holding back application whitelisting.

1. An easy adoption process that implements protection and does no harm.
   The first goal of an application whitelisting solution should be to stop new threats without disrupting any existing applications.
2. A process for managing change.
   Change management is critical to a successful application whitelisting application. Ultimately a new protective technology should be minimally visible by the end user and should be a net reduction to overall IT desktop management efforts.

At CoreTrace we are taking steps to address both of these issues and are advocating a rational approach to whitelisting that gradually and painlessly moves our customers to a more secure and easier to manage environment.

A second indication of momentum this week was McAfee’s continued promotion of application whitelisting and their recent acquisition of Solidcore. George Kurtz, a Senior VP at McAfee and personal colleague had this to say about his impression of the reception of application whitelisting:

“I have been traveling around the world the last two months, and the reception to this technology has been overwhelming. One bank I met with was keenly interested in protecting their ATMs and could not have DAT files pushed to each ATM because they had a whopping 8K of bandwidth. Yes – you read that correctly – 8K! Our Solidcore technology was a perfect fit for this application as well as many others – especially in a fixed function and constrained environment.”

We agree George, the reception to application whitelisting is tremendous, but think it goes way beyond fixed and constrained environments. Fundamentally, blacklist antivirus is no longer capable of providing the protection our desktops need against malicious code. Ultimately all important desktop assets need to look to a new model of security and application control that can prevent unauthorized applications from running.

The timing is right for anyone responsible for configuration management and security on PCs to look at application whitelisting as an evolution of desktop security and one with an important future.

Of course this will not happen overnight. There have been significant investments made in existing blacklist antivirus technology as well as the operational processes to support this technology. These processes exist not only to update and manage blacklisting, but also support the necessary ongoing updating of operating systems and applications that are vulnerable to new malware attacks. We believe that application whitelisting is the logical next evolution of desktop security and that there are three critical steps that will take place for an organization to adopt this technology. We have addressed the first two in previous posts:

• Step 1 Protect – Organizations desperately need to implement a system that can protect their systems against zero day attacks.
• Step 2 Purify – Once their systems are protected, there will be a purification process that eventually cleans all existing systems of any infections, unauthorized software, or malware.

The third step, change management, is addressed in this post and has been the single biggest obstacle to widespread adoption of application whitelisting. The ability to completely lock down a system has been around for years. IT professionals have long been able to define and restrict applications that are allowed to run on a given system to an explicit approved list. Clearly, this would solve the problem of malware infections, since by definition malware couldn’t run since it wouldn’t be on the list. So why hasn’t it been adopted? Simply put, a security system that doesn’t allow for the inevitable change that must take place to the application environment on a PC is doomed to failure.

The answer to the question posed above, why don’t organizations just lock down their PCs, is that to date the cure has been worse than the disease. Given the significant costs of rampant malware infections and the costs of the measures being taken to protect against them, detect them and clean up after them, that is saying a lot. A simple lock down system may prevent new malware infections, but unfortunately it also causes so many problems for IT management and users who need the ability to support updated and new applications that its costs are prohibitive.

An intelligent change management process is the sine qua non for a successful application whitelisting solution. Once an organization has achieved a transition to protected systems and have purified those systems, they must have a process with the least amount of organizational friction for both IT and end users to update and add applications to their PCs.

At CoreTrace, we have invested heavily in providing a system that can deal with the changes that must occur in a way that is transparent to end users and easier than the current desktop management overhead for IT managers. We have patents pending on our “Trusted Change” process and let me outline some of the key principals:

• First, IT defines change construct.
  IT organizations have ultimate control to set policies around when an application change is allowed. These policies are driven by the needs of the users combined with risk tolerance for those systems. Examples of these trust constructs are allowing updates or additions of applications that are signed by trusted vendors. This could also include allowing changes through a trusted process or from a trusted share directory.
• Second, provide a secure infrastructure for change.
  It is critical that the infrastructure to support these changes is secure itself from being spoofed or circumvented. Online criminals have already shown their ingenuity at bypassing existing security systems. The application whitelisting solution should be highly resistant to attacks and bypass.
• Third, allow users to operate seamlessly within the construct.
  User acceptance of new security technology is essential to its success. If there is too much disruption of user productivity the application whitelisting solution will fail. Once a construct for approved change is defined by IT, users should be able to work within that construct without interacting with IT.
• Finally, the solution must accommodate a variety of applications.
  Over time a good application whitelisting solution shouldn’t limit itself to .exe or DLL files, but should encompass all applications that could pose a risk to a PC such as ActiveX and embedded applicaitons.

If you are considering application whitelisting you ought to spend a significant amount of your time addressing change management and what the operational impact of the solution will be for the systems you are protecting. Beware of solutions that simply rely upon another central list. Whether this is a centrally managed “cloudlist” where a vendor approves all the whitelist applications, or the more dangerous “crowdlist” where individuals submit applications and those applications are scanned for infections they both come with security and operational risks. Centrally maintained whitelists can compliment application whitelisting solutions for both cleanup as well as helping with change management, but they should not be the foundation for approving application changes and they must not create any additional friction or latency for the users. If a valid application is not yet on the list, it can introduce unnecessary operational friction with IT and end users. On the other hand, it is also possible for some of these lists to get malware on the list and give a false sense of security during a change approval. Most essential is the construct to define approved changes and to deal with anomalies that rarely come up individually.

• May 15th – McAfee Acquires Solidcore
• June 20th – Microsoft announced the debut of its free antivirus public beta, Microsoft Security Essentials
• June 23th – CoreTrace redefines endpoint protection with the Bouncer 5.0 announcement and two key advances.
  • First, it extended protection to prevent critical memory attacks.
  • Second, it continued is mission to overcome the biggest challenge for whitelisting solutions, the ability to dynamically add new applications or upgrades, by extending it’s patent pending “Trusted Change” feature—including the industry’s first ability to allow users to safely install trusted applications in a browser.
• June 26th – Brian Prince of eWeek poses the question, “Will the Antivirus Market Be Challenged or Complemented by Whitelisting”

Much of the discussion has centered around whether or not blacklist-based antivirus will be replaced or complimented by whitelisting, but there is relatively no discussion of whether or not whitelisting is important to the future of desktop security. Starting next week we are going to put forth a series of blogs that describe our vision for a rational transition to whitelisting. This series will address the major questions about the stages of the transition and an approach to solving the key challenges for application whitelisting.