Brent Rickels, senior vice president at First National Bank of Bosque County, had grown tired of dealing with antivirus software. He was tired of regularly updating virus signatures, tired of hackers constantly tweaking malware, and tired of worrying about what users had downloaded onto their PCs. So Rickels dumped the banks AV software for a whitelisting product and in the process, become one of its first commercial customers.
First National Bank of Bosque County, which serves the Waco, Texas, area and manages approximately $100 million in assets, had seen the volume of spam and spyware it had to beat back increase tenfold in four years. So when it was time for the bank to renew its Symantec AV license at the end of 2006, the timing was right to make a change.
It seemed like the antivirus updates came out only after new malware had already been released, Rickels says. Running a routine system scan with hundreds of thousands of signatures was taking half an hour or more. So the banks tiny IT department of only a handful of employees was spending more time maintaining its security software and less time on business applications.
The financial services firm decided to look for a different solution that was simpler to maintain and more effective. It considered GreenBorder, which quarantines any software downloaded via a users browser until someone moves it to the main system. But that option appeared to still require a fair amount of manual intervention.
FNB was intrigued by Lumension Securitys Sanctuary Device and Application Control systems, which offered theoretical rather than proven benefits at the time. The tools let users run administratively approved programs only and restricts any unknown and unauthorized executables from springing to life. We liked the products basic design; it is easier to contain a known universe than an unknown one, Rickels says.
The software had other appealing features. Because user software was restricted, there would be less administrative work, and Sanctuary actually ran better than AV software because it was a lighter program. And the final selling point was that the Lumension system cost about 30 percent less than the Symantec option.
Moving to Sanctuary requires scanning all of the EXC and DLL files for approved programs into a central database -- something that a small- or medium-sized business can do, but may prove cumbersome for a larger enterprise. Mirror images are then stored on individual systems, and the two communicate before providing users with access to different programs.
FNB started off running the software in non-blocking mode, basically letting users continue to use their PCs as normal. The security system includes a reporting function, so the IT department can examine what programs each user accessed. After walking users through an instance or two of what blocked applications would look like, the bank turned on the blocking mode.
But whitelisting has its tradeoffs. Currently, the bank has to install new versions of applications as well as items like Microsoft patches on both its central system and all of the user machines on an ongoing basis. Automating such tasks is something the bank would like to see in a future release. Overall, however, it sees its gamble of trading AV for whitelisting a good decision.
Because whitelisting is a relatively nascent technology, other companies may not be as willing to go there. Whenever I talk to individuals about our experiences, they are skeptical that a whitelisting approach can work because the idea is so new, Rickels says. But if they become frustrated enough with AV, they may be willing to try an alternative such as whitelisting.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.