The Real Dirt on Whitelisting

The choice between blacklisting and whitelisting isn't really black and white

It’s déjà vu all over again. Whitelisting technology has enjoyed a resurgence of interest lately, with antivirus companies such as Symantec, McAfee, and Microsoft planning to add it to their blacklisting-based malware detection tools and some enterprises even dropping AV altogether in favor of whitelisting alone. That's all thanks to the proliferation of botnets, stealthier malware, and the near-epidemic in data breaches, which have led vendors and enterprises to search for something other than the standard approach of blacklisting known threats. (See AV Gets a Facelift and Texas Bank Dumps Antivirus for Whitelisting.)

Whitelisting, the concept of which dates back to the mainframe days of locked-down and controlled applications, lets only approved and authorized applications run on user machines. Today whitelisting is becoming a first layer of defense in some organizations, says Tom Murphy, chief strategist for Bit9, which sells a whitelisting solution. “Over time, what we see is an erosion of value for blacklisting because more machines will be using whitelisting,” he says.

Murphy predicts that within two years, most every machine will have some element of whitelisting security, whether it runs blacklisting-based antivirus software or not. And AV vendors are starting to jump on board: Bit9 recently announced that Kaspersky Lab, for instance, is now using its Global Software Registry database of clean, whitelisted applications to build out some of its technology.

Symantec made waves in April at the RSA Conference when CEO John Thompson mentioned it as a promising technology in his keynote address. But that doesn’t mean Symantec is dropping blacklisting for whitelisting: “What John was talking about was that the shift to whitelisting makes sense, but it’s not going to happen overnight. Symantec believes you have to combine the two approaches, whitelisting and blacklisting, for effective protection,” says Kevin Murray, senior director of product marketing for Symantec’s endpoint security group. (See Symantec Chairman Calls for Information-Centric Approach to Security.)

Murray says combating the malware threat requires a “gradual tweaking” of the two technology approaches. “We are looking at both application control and the behavioral approach” to fighting malware proliferation, he says.

Other experts argue that whitelisting is a wash. “It will work as long as your machine is never connected to the Internet, and if you have a gold CD installed on it,” says Greg Hoglund, CEO for HBGary, which offers an alternative to blacklisting and whitelisting. It’s the attachments and desktop browser exploits that infect machines, notes Hoglund, and malware aimed at browser plug-ins, for instance, isn’t always easily detectable, and often hides its processes in memory. “If a bad guy wants to attack a computer, he can pick a process that’s been whitelisted... and inject a thread or DLL. Now the malware is living inside the process that matches the name on the [list], so it’s considered trusted,” Hoglund says.

But most experts don’t expect whitelisting to replace blacklisting, and even Bit9, one of the hottest whitelisting firms, today uses blacklisting to vet the applications in its whitelist database. “When they build their whitelist, they run the executables through 20 different AV products,” says John Pescatore of Gartner. “So they can’t have whitelisting without blacklisting.”

The only way whitelisting could truly stand alone, Pescatore says, is if an enterprise or user were to return to the old-fashioned whitelisting lockdown mode, where users can only run specific, approved apps and nothing else -- no browser add-ins, gadgets, etc. But that’s obviously unrealistic for most organizations: “Most companies today have got to let their users install some [other] things,” he says.

A better fit is what Pescatore calls “uber-whitelisting,” similar to Bit9’s approach. “This helps fill in where AV falls apart,” he says. “And there’s always going to be a greylist, something that’s not on the blacklist or whitelist.”

And just how safe are those whitelisted apps from getting infected? Bit9’s Murphy notes that his company uses three cryptographic hashes to maintain trust, and application vendors’ digital signatures also help ensure their integrity. “As long as those trusted methods are there, then the whitelist by itself will be secure and protected,” he says.
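The difference between trusting a name on the list and trusting file contents, with the greylist as a third verdict, can be shown in a short Python sketch. This is an added example, not Bit9's or any vendor's code; the three algorithms, the function names, and the sample contents are assumptions, since the article does not say which hashes are used.

```python
import hashlib

# Assumption: the article does not name the three hashes; these are stand-ins.
ALGORITHMS = ("md5", "sha1", "sha256")

def fingerprint(data: bytes) -> tuple:
    """Digest the file contents under every algorithm in ALGORITHMS."""
    return tuple(hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS)

def name_verdict(name: str, allowed_names: set) -> str:
    """Name-only trust: anything carrying an approved name is allowed."""
    return "allow" if name.lower() in allowed_names else "grey"

def hash_verdict(fp: tuple, allowlist: set, blocklist: set) -> str:
    """Verdict for one fingerprint: 'allow', 'block' or 'grey'."""
    if fp in blocklist:
        return "block"
    if fp in allowlist:
        return "allow"
    # Some digests match an approved entry but not all of them: a collision
    # in one algorithm or a corrupted list. Never treat that as trusted.
    for entry in allowlist:
        if any(a == b for a, b in zip(fp, entry)):
            return "block"
    return "grey"  # on neither list: hold for review or apply policy

# Constructed sample contents (not real binaries).
APPROVED = b"constructed approved application v1"
TAMPERED = APPROVED + b" plus appended code"
KNOWN_BAD = b"constructed known-bad sample"
NEW_PLUGIN = b"constructed unreviewed browser plug-in"

ALLOWLIST = {fingerprint(APPROVED)}
BLOCKLIST = {fingerprint(KNOWN_BAD)}
ALLOWED_NAMES = {"approved.exe"}

def demo() -> dict:
    """Hash-based verdict for each constructed sample."""
    samples = {"approved": APPROVED, "tampered": TAMPERED,
               "known_bad": KNOWN_BAD, "new_plugin": NEW_PLUGIN}
    return {k: hash_verdict(fingerprint(v), ALLOWLIST, BLOCKLIST)
            for k, v in samples.items()}

if __name__ == "__main__":
    # A tampered file that keeps the approved name passes a name-only check.
    print("name-only:", name_verdict("approved.exe", ALLOWED_NAMES))
    print("hash-based:", demo())
```

These checks cover the file on disk at launch; they say nothing about code loaded into an approved process after it starts, which is the gap Hoglund describes.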
