Dark Reading is part of the Informa Tech Division of Informa PLC


Texas Bank Dumps Antivirus for Whitelisting

Tired of AV and malware, First National Bank of Bosque County adopts application whitelisting instead

Brent Rickels, senior vice president at First National Bank of Bosque County, had grown tired of dealing with antivirus software. He was tired of regularly updating virus signatures, tired of hackers constantly tweaking malware, and tired of worrying about what users had downloaded onto their PCs. So Rickels dumped the bank’s AV software for a whitelisting product and, in the process, became one of its first commercial customers.

First National Bank of Bosque County, which serves the Waco, Texas, area and manages approximately $100 million in assets, had seen the volume of spam and spyware it had to beat back increase tenfold in four years. So when it was time for the bank to renew its Symantec AV license at the end of 2006, the timing was right to make a change.

“It seemed like the antivirus updates came out only after new malware had already been released,” Rickels says. Running a routine system scan with hundreds of thousands of signatures was taking half an hour or more. So the bank’s tiny IT department of only a handful of employees was spending more time maintaining its security software and less time on business applications.

The financial services firm decided to look for a different solution that was simpler to maintain and more effective. It considered GreenBorder, which quarantines any software downloaded via a user’s browser until someone moves it to the main system. But that option appeared to still require a fair amount of manual intervention.

FNB was intrigued by Lumension Security’s Sanctuary Device and Application Control systems, which offered theoretical rather than proven benefits at the time. The tools let users run only administratively approved programs and restrict any unknown or unauthorized executables from launching. “We liked the product’s basic design; it is easier to contain a known universe than an unknown one,” Rickels says.

The software had other appealing features. Because user software was restricted, there would be less administrative work, and Sanctuary actually ran better than AV software because it was a lighter program. And the final selling point was that the Lumension system cost about 30 percent less than the Symantec option.

Moving to Sanctuary requires scanning all of the EXE and DLL files for approved programs into a central database -- something that a small or medium-sized business can do, but that may prove cumbersome for a larger enterprise. Mirror images are then stored on individual systems, and the two communicate before providing users with access to different programs.

FNB started off running the software in non-blocking mode, basically letting users continue to use their PCs as normal. The security system includes a reporting function, so the IT department can examine what programs each user accessed. After walking users through an instance or two of what blocked applications would look like, the bank turned on the blocking mode.

But whitelisting has its tradeoffs. Currently, the bank has to install new versions of applications, as well as items like Microsoft patches, on both its central system and all of the user machines on an ongoing basis. Automating such tasks is something the bank would like to see in a future release. Overall, however, it sees its gamble of trading AV for whitelisting as a good decision.
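The workflow described above (scan approved EXE and DLL files into a central list, run in non-blocking mode with reporting, switch to blocking, then re-scan after every patch) can be sketched as follows. This is an added example, not Lumension's code or anything from the original article; identifying files by SHA-256 hash, the function names, and the file contents are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

EXEC_SUFFIXES = {".exe", ".dll"}  # the file types the article says are scanned

def sha256_file(path):
    # Assumption: a file's identity is the SHA-256 of its bytes.
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_allowlist(approved_root):
    """Scan approved EXE/DLL files into a hash set (the 'central database')."""
    return {sha256_file(p) for p in Path(approved_root).rglob("*")
            if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES}

def check_launch(path, allowlist, enforce, report):
    """Return True if the launch proceeds. Unknown files are always reported,
    but denied only when enforce is True (blocking mode)."""
    digest = sha256_file(path)
    if digest in allowlist:
        return True
    report.append((str(path), digest, "blocked" if enforce else "audit-only"))
    return not enforce

def demo():
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        approved = root / "approved"
        approved.mkdir()
        # Constructed sample files standing in for real binaries.
        (approved / "teller.exe").write_bytes(b"constructed v1 binary")
        (approved / "core.dll").write_bytes(b"constructed library")
        (approved / "readme.txt").write_bytes(b"not an executable, not scanned")
        allowlist = build_allowlist(approved)
        unknown = root / "download.exe"
        unknown.write_bytes(b"constructed unapproved binary")
        report, app = [], approved / "teller.exe"
        results = {
            "approved": check_launch(app, allowlist, True, report),
            "unknown_audit": check_launch(unknown, allowlist, False, report),
            "unknown_enforce": check_launch(unknown, allowlist, True, report),
        }
        # A patch changes the bytes, so the old hash no longer matches.
        app.write_bytes(b"constructed v2 binary")
        results["patched_before_rescan"] = check_launch(app, allowlist, True, report)
        allowlist = build_allowlist(approved)  # re-scan after patching
        results["patched_after_rescan"] = check_launch(app, allowlist, True, report)
        return len(allowlist), results, [entry[2] for entry in report]

if __name__ == "__main__":
    print(demo())
```

The `patched_before_rescan` result shows why the maintenance burden exists: under this model a legitimately patched binary is blocked until the approved list is rebuilt.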

Because whitelisting is a relatively nascent technology, other companies may not be as willing to go there. “Whenever I talk to individuals about our experiences, they are skeptical that a whitelisting approach can work because the idea is so new,” Rickels says. But if they become frustrated enough with AV, they may be willing to try an alternative such as whitelisting.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...