A-Listing Your Apps

Whitelisting is getting a second look by some enterprises worried that unknown threats might get past antivirus and other blacklisting systems.

Whitelisting, the process of spelling out exactly which applications can run on a client machine, traces its roots to the mainframe and is typically considered overkill in today's networks, as well as a potential management headache. But the rise in zero-day attacks and paranoia about users running whatever they want on their machines (think peer-to-peer apps), or introducing malware via USB sticks, has led some organizations to think retro.

"It's back to the future with some of this," says Andrew Jaquith, program manager for security research at the Yankee Group.

Jaquith says the current approach of identifying and blocking the bad is starting to fail, with malware samples increasing at a rate of around 50 percent annually. "The notion that we're going to enumerate and block it –- we passed that point long ago," he says. "You almost have to enumerate the things that are good. That's arguably becoming an easier job.

"Whitelisting is increasingly becoming part of a well-balanced diet on the client," he says.

And it's quietly and slowly catching on beyond vendors such as SecureWave, Savant Protection, and Bit9 that have made a business out of whitelisting applications. Microsoft acquired the technology via Winternals, and Symantec has this feature in its Critical System Protection product, Jaquith notes.

Many of the early whitelisting adopters today are small- to medium-sized organizations, where deploying this technology across desktops wouldn't be as major an undertaking at say, a major Fortune 100 company. Most use it as another security layer along with their AV, anti-spyware, spam filtering and IPSes, for instance.

SourceMedia has been testing Savant Protection's endpoint software with whitelisting for several months. "Conceptually, it makes a ton of sense," says Ivan Latanision, vice president of information technology for SourceMedia, who adds the company hasn't made its final decision on whether to purchase the tool yet. "We're constantly patching workstations, constantly getting virus updates. We've had a couple of situations where we didn't get a [AV] patch installed quickly enough and had some outbreaks here."

Savant uses unique cryptographic algorithms and signature keys for each application on each desktop, rather than a server-based access control list. "So the crypto key for Adobe running on System A is different from the one on System B," says Ken Steinberg, Savant's CEO and founder. "So if I mistakenly let something run and give it a key, it will never work anywhere else, so it can't spread."

Patton Harris Rust & Associates has been running SecureWave's Sanctuary software for whitelisting since last year -- initially for device control and later for application control as well. John Loyd, vice president and director of IT for PHR&A, says the company installed the software for protection against zero-day attacks, ensuring its users aren't installing illegal software, and to ensure the quality of apps its engineers use.

"There are lots of little pieces of software engineers use to calculate things," he says. "Some are old and have math errors in them that produce bad data, and we want to make sure the calculators we're using are right and not older versions of the software. That's a quality issue."

But whitelisting has a down side. These endpoint tools come with plenty of administrative overhead as well as security risks. "The institutional overhead in maintaining them is extreme," says Thomas Ptacek, a researcher with Matasano Security. "Some poor group of souls in IT is charged with deciding which applications every sales person or project manager can run, and has to backstop all the ensuing arguments."

William Bell, manager of security operations at CWIE, who says he runs SecureWave's Sanctuary for bridging the gap between the known and unknown threats, says there's an initial "heavy front-load" in deploying whitelisting, but SecureWave helped with that process and the ongoing administration of the whitelist is now fairly low maintenance. "You have to get a whitelist developed."

And the technology doesn't technically combat zero-day attacks any more than blacklisting does, security experts say. "Application whitelisting doesn't do a single thing to prevent zero-days," says Marc Maiffret, CTO and chief hacking office for eEye Digital Security, whose Blink tools do both blacklisting and whitelisting.

Maiffret says the real value of whitelisting is to control the apps your users are running. "It's not to provide a level of prevention from remote attackers."

Dennis Szerszen, vice president of marketing and corporate strategy of SecureWave, says antivirus blacklisting and Sanctuary's whitelisting work best together. That's why SecureWave is developing toolkits to try to attract AV vendors to integrate their tools, he says. "We need to be triggering the AV processes so they can clean up what" they found.

And because endpoint security products introduce software agents, they are risky, says Ptacek of Matasano, which tests agent-based security and management tools. "To date, we've found a grand total of one product that survived an audit without the discovery of game-over vulnerabilities that transformed the agents into pre-installed latent bot infections."

It's better to wait for Vista's security, he says. "Enterprises will gain a much greater resistance to software attacks by the new Windows Vista security features than they will from the myriad of endpoint security products now being marketed."

CWIE's Bell admits adding agent software poses some risk. "You have to make a judgment call before you deploy this type of utility. If the level of protection provided by the system outweighs any holes that could be exploited by having another service on your computer," then it make sense, he says. Such an attack wouldn't be so easy: He says an attacker would need to have a binary that could manipulate code at the OS level. "I would bet the service would block the attempt before it was exploited."

Meanwhile, whitelisting could replace security tools in some organizations. Louise Dube, assistant vice president of technology at Connecticut River Bank NA, isn't ruling out her Savant software eventually replacing the bank's antivirus, antispyware, and anti-spam tools altogether. But Dube says the bank won't pull up its IPS for whitelisting. "We would always keep IPS in place."

— Kelly Jackson Higgins, Senior Editor, Dark Reading