
Texas Bank Dumps Antivirus for Whitelisting

Tired of AV and malware, First National Bank of Bosque County adopts application whitelisting instead

Brent Rickels, senior vice president at First National Bank of Bosque County, had grown tired of dealing with antivirus software. He was tired of regularly updating virus signatures, tired of hackers constantly tweaking malware, and tired of worrying about what users had downloaded onto their PCs. So Rickels dumped the bank’s AV software for a whitelisting product and, in the process, became one of its first commercial customers.

First National Bank of Bosque County, which serves the Waco, Texas, area and manages approximately $100 million in assets, had seen the volume of spam and spyware it had to beat back increase tenfold in four years. So when it was time for the bank to renew its Symantec AV license at the end of 2006, the timing was right to make a change.

“It seemed like the antivirus updates came out only after new malware had already been released,” Rickels says. Running a routine system scan with hundreds of thousands of signatures was taking half an hour or more. So the bank’s tiny IT department of only a handful of employees was spending more time maintaining its security software and less time on business applications.

The financial services firm decided to look for a different solution that was simpler to maintain and more effective. It considered GreenBorder, which quarantines any software downloaded via a user’s browser until someone moves it to the main system. But that option appeared to still require a fair amount of manual intervention.

FNB was intrigued by Lumension Security’s Sanctuary Device and Application Control systems, which offered theoretical rather than proven benefits at the time. The tools let users run only administratively approved programs and restrict any unknown and unauthorized executables from springing to life. “We liked the product’s basic design; it is easier to contain a known universe than an unknown one,” Rickels says.

The software had other appealing features. Because user software was restricted, there would be less administrative work, and Sanctuary actually ran better than AV software because it was a lighter program. And the final selling point was that the Lumension system cost about 30 percent less than the Symantec option.

Moving to Sanctuary requires scanning all of the EXE and DLL files for approved programs into a central database -- something that a small- or medium-sized business can do, but may prove cumbersome for a larger enterprise. Mirror images are then stored on individual systems, and the two communicate before providing users with access to different programs.

FNB started off running the software in non-blocking mode, basically letting users continue to use their PCs as normal. The security system includes a reporting function, so the IT department can examine what programs each user accessed. After walking users through an instance or two of what blocked applications would look like, the bank turned on the blocking mode.

But whitelisting has its tradeoffs. Currently, the bank has to install new versions of applications as well as items like Microsoft patches on both its central system and all of the user machines on an ongoing basis. Automating such tasks is something the bank would like to see in a future release. Overall, however, it sees its gamble of trading AV for whitelisting as a good decision.
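The workflow described above (scan approved EXE and DLL files into a central database, run in non-blocking mode with reporting, then turn on blocking, and re-approve patched files) sketched as an added example. It is not Lumension's code; matching files by SHA-256 digest, the function names and the constructed sample files are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

APPROVED_SUFFIXES = {".exe", ".dll"}

def sha256_file(path):
    # Assumption: files are identified by SHA-256 digest of their contents.
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_allowlist(approved_root):
    """Scan approved software into the central database: digest -> relative path."""
    root = Path(approved_root)
    return {sha256_file(p): str(p.relative_to(root))
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in APPROVED_SUFFIXES}

def check_launch(path, allowlist, blocking):
    """Return (allowed, report_entry) for one launch attempt."""
    known = sha256_file(path) in allowlist
    if known:
        verdict = "allowed"
    elif blocking:
        verdict = "blocked"
    else:
        verdict = "would-block"   # non-blocking mode: let it run, but report it
    return (known or not blocking), {"file": Path(path).name, "verdict": verdict}

def demo():
    """Constructed sample files stand in for real binaries."""
    with tempfile.TemporaryDirectory() as tmp:
        approved = Path(tmp, "approved"); approved.mkdir()
        pc = Path(tmp, "pc"); pc.mkdir()
        (approved / "teller.exe").write_bytes(b"MZ teller v1")
        (approved / "core.dll").write_bytes(b"MZ core v1")
        allowlist = build_allowlist(approved)
        (pc / "teller.exe").write_bytes(b"MZ teller v1")       # approved copy
        (pc / "toolbar.exe").write_bytes(b"MZ user download")  # never approved
        (pc / "core.dll").write_bytes(b"MZ core v2 patched")   # patched, not rescanned
        results = {blocking: [check_launch(p, allowlist, blocking)
                              for p in sorted(pc.iterdir())] for blocking in (False, True)}
        # Re-approve the patched DLL in the central database, the manual step the bank describes.
        allowlist[sha256_file(pc / "core.dll")] = "core.dll"
        results["after_update"] = check_launch(pc / "core.dll", allowlist, True)
        return results

if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

The non-blocking pass reports the patched DLL as "would-block" alongside the unapproved download, which is the report an administrator would review before turning blocking on.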

Because whitelisting is a relatively nascent technology, other companies may not be as willing to go there. “Whenever I talk to individuals about our experiences, they are skeptical that a whitelisting approach can work because the idea is so new,” Rickels says. But if they become frustrated enough with AV, they may be willing to try an alternative such as whitelisting.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
