Dark Reading is part of the Informa Tech Division of Informa PLC


Endpoint Security

End user security requires layers of tools and training as employees use more devices and apps

Walled Gardens

Whitelisting -- allowing the download only of approved applications -- has become more popular as attackers have gotten better at hiding the malicious files and applications. Like blacklisting, whitelisting is no longer just about comparing an executable file to a list of signatures. Instead of just approving application binaries, whitelisting has become a set of policies, says Harry Sverdlove, CTO for application control company Bit9.

Increasingly, whitelisting is about evaluating behavior and reputation and giving apps a score that places them on a spectrum. These evaluations take into account who's asking to run an application, says Randy Abrams, research director at security consultancy NSS Labs. An employee in accounting shouldn't be running a system administration tool, and a receptionist shouldn't be accessing a human-resources application. Managers may not want to allow consumer applications or sites such as games, Craigslist or dating sites on any of their employees' computers.
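The policy-based whitelisting described above, as an added example that is not code from the article or from any vendor it quotes: a small evaluator that combines a hash inventory, a publisher reputation score, and the requesting user's role, so that an approved binary is still denied when the wrong role asks to run it or the publisher is unknown. All binaries, hashes (computed over stand-in byte strings), publishers, roles and the allow threshold are constructed for the example.

```python
"""Toy application-control policy evaluator (added example, constructed data)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ExecRequest:
    """Who is asking to run what: the inputs the policy evaluates."""
    user: str
    role: str
    path: str
    sha256: str
    publisher: str


def sha256_of(data: bytes) -> str:
    """Fingerprint of the executable image (here stand-in bytes, not real binaries)."""
    return hashlib.sha256(data).hexdigest()


# Constructed inventory of approved executables: hash -> (name, category).
APPROVED_BINARIES = {
    sha256_of(b"constructed:spreadsheet"): ("spreadsheet.exe", "office"),
    sha256_of(b"constructed:remoteadmin"): ("remoteadmin.exe", "admin"),
    sha256_of(b"constructed:hrportal"): ("hrportal.exe", "hr"),
    sha256_of(b"constructed:cardgame"): ("cardgame.exe", "consumer"),
}

# Constructed publisher reputation scores (0-100); unknown publishers score 0.
PUBLISHER_REPUTATION = {
    "Example Office Vendor": 80,
    "Example Sysadmin Tools": 70,
}

# Which application categories each role is permitted to run (constructed).
ROLE_CATEGORIES = {
    "accounting": {"office"},
    "reception": {"office"},
    "it": {"office", "admin"},
    "hr": {"office", "hr"},
}

# Categories management has chosen to block for everyone, per the article's examples.
BLOCKED_CATEGORIES = {"consumer"}

KNOWN_GOOD_BONUS = 20   # credit for an exact hash match against the inventory
ALLOW_THRESHOLD = 60    # minimum combined score to allow execution


def evaluate(req: ExecRequest):
    """Return (decision, score, reasons) for an execution request.

    Hard denies (unknown hash, blocked category, role mismatch) short-circuit;
    otherwise the reputation-plus-inventory score decides against the threshold.
    """
    reasons = []
    score = PUBLISHER_REPUTATION.get(req.publisher, 0)
    reasons.append(f"publisher '{req.publisher}' reputation {score}")

    entry = APPROVED_BINARIES.get(req.sha256)
    if entry is None:
        reasons.append("hash not in approved inventory")
        return "deny", score, reasons
    name, category = entry
    score += KNOWN_GOOD_BONUS
    reasons.append(f"hash matches approved '{name}' ({category}), +{KNOWN_GOOD_BONUS}")

    if category in BLOCKED_CATEGORIES:
        reasons.append(f"category '{category}' is blocked for all users")
        return "deny", score, reasons

    allowed = ROLE_CATEGORIES.get(req.role, set())
    if category not in allowed:
        reasons.append(f"role '{req.role}' may not run '{category}' applications")
        return "deny", score, reasons

    if score < ALLOW_THRESHOLD:
        reasons.append(f"score {score} below threshold {ALLOW_THRESHOLD}")
        return "deny", score, reasons
    reasons.append(f"score {score} meets threshold {ALLOW_THRESHOLD}")
    return "allow", score, reasons


if __name__ == "__main__":
    demo = ExecRequest("alice", "accounting", r"C:\Apps\remoteadmin.exe",
                       sha256_of(b"constructed:remoteadmin"), "Example Sysadmin Tools")
    decision, score, reasons = evaluate(demo)
    print(decision, score)
    for r in reasons:
        print("  -", r)
```

The hard-deny checks run before the score so that an exact hash match never overrides a role or category rule; in a real deployment the inventory and reputation tables would come from the vendor's service rather than constants, and every deny path returns its reasons so the decision can be logged for review.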

"There are really good apps out there that are perfectly harmless, but that doesn't mean they're appropriate for work computers," Sverdlove says. "Definitely, software apps that IT is using should never be on the accountant's computer."

Despite improvements, application whitelisting still poses management quandaries. For companies that want to give employees some freedom in what applications they run and where they go online, whitelisting can be a headache. "No company, or very few, could ever implement whitelisting for the Web," says Michael Gough, a senior security analyst for a midsize gaming company. "There are way too many sites to be able to manage this quickly and effectively. Can you really approve each and every executable or website or email recipient?"

Apple's App Store shows that whitelisting of a sort can work. The company has kept its iOS-based devices free of malware. While some malicious applications have evaded Apple's vetting process, the company has had almost no security incidents, even though researchers reported 387 vulnerabilities in iOS components last year. That record compares with Android's 12 security incidents despite having fewer vulnerabilities; more than a hundred malware lines targeted the mobile operating system in 2012.

Apple limited choice and reduced complexity, and it also reduced the chance of outside tampering. "You can't hack around with [iOS] like you can with an Android device," says Wendy Nather, research director for security at the 451 Group, an analyst firm.

Businesses could replicate the Apple App Store model by creating their own app stores and using mobile device management to keep their employees' devices secure.

Cage The Beast

Beyond whitelisting and application control, another approach is to isolate applications so that a malicious app cannot infect the rest of the device. Companies such as Invincea, Trusteer and Bromium are building virtual containers for applications that limit the harm a malicious application can do and that can also generate forensic data for analyzing the threat.

Such systems run as kernel drivers, wrapping a specific application -- or in some cases all running code -- in a virtual container. When a program or file attempts to take a forbidden action, the virtual container blocks it. Rather than detecting bad behavior or focusing on suspicious programs, the software focuses on potentially dangerous actions, says Anup Ghosh, CEO of Invincea.

The fundamental difference between these kernel driver systems and behavioral detection is that with behavioral detection you have to detect the threat in order to protect the machine. "In a container-based approach, the threat always runs inside a container," Ghosh says.

Another technique to limit the risk of getting malicious applications on a device is wrapping applications in code that limits how they can be used and how they can handle data. Known as application management, the technique lets IT administrators control what applications are allowed on a device and how they handle data, even if the endpoint isn't company-owned.

Microsoft has taken a similar approach with its Information Rights Management system, which encrypts data into rights-protected documents and then issues licenses to authorized users to access the data.

To be effective, however, containers have to isolate threats from the system while letting workers share data and communicate. It's tricky to do: A virtual container that's too rigorous could prevent workers from saving and sharing data, while attackers will easily find their way around one that's too permissive.

Data-Driven Endpoint Security

Rather than focus on securing endpoints, other technologies aim to protect corporate data. "The moment you start touching the employee's device, a lot more complexity comes into play," says Suresh Balasubramanian, CEO of Armor5, a cloud security vendor that lets employees access corporate applications and data through a cloud service.

Technology such as virtual desktop infrastructure (VDI) lets users access data without allowing any malware on the endpoint access to either the data or the network, says Natalie Lambert, director of product marketing for Citrix, a networking and virtualization technology provider. "The data never resides on the endpoint, and so it can never be sent out," she says.

But VDI relies on an Internet connection. "The Internet seems ubiquitous, but it's not," says Brett Hansen, executive director of end user product strategy at Dell Software. "VDI is an option. It certainly provides a level of security, but it doesn't address how we work today."

[Chart: Personally owned endpoints commonly used]

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

