
Endpoint Security

5/30/2013 07:05 PM

End user security requires layers of tools and training as employees use more devices and apps

Walled Gardens

Whitelisting -- allowing the download only of approved applications -- has become more popular as attackers have gotten better at hiding the malicious files and applications. Like blacklisting, whitelisting is no longer just about comparing an executable file to a list of signatures. Instead of just approving application binaries, whitelisting has become a set of policies, says Harry Sverdlove, CTO for application control company Bit9.

Increasingly, whitelisting is about evaluating behavior and reputation and giving apps a score that places them on a spectrum. These evaluations take into account who's asking to run an application, says Randy Abrams, research director at security consultancy NSS Labs. An employee in accounting shouldn't be running a system administration tool, and a receptionist shouldn't be accessing a human-resources application. Managers may not want to allow consumer applications or sites such as games, Craigslist or dating sites on any of their employees' computers.
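The role-and-reputation policy described above, as an added example that is not code from Bit9, NSS Labs or any product named in the article: an allow-list decision that combines who is asking, whether the binary is explicitly vetted, and a reputation score nudged by the signer. The roles, application names, hashes and scores are constructed sample data.

```python
"""Role-aware application allow-list evaluator.

Added example, not code from Bit9, NSS Labs or any product named in the
article. It models the point that an allow-list decision is a policy: the
binary's identity, its reputation, and who is asking to run it all feed
the verdict. Every role, application, hash and score below is constructed
sample data.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class AppRequest:
    user: str
    role: str          # job function of the requesting account
    app_name: str
    binary: bytes      # executable contents; hashed to identify it
    publisher: str     # signer name, assumed already verified by the caller
    reputation: int    # 0 (unknown) .. 100 (widely trusted), from a reputation feed


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AllowListPolicy:
    PUBLISHER_BONUS = 20   # reputation points granted to a trusted signer

    def __init__(self, approved_hashes, trusted_publishers, role_categories,
                 app_categories, min_reputation):
        self.approved_hashes = set(approved_hashes)       # explicitly vetted binaries
        self.trusted_publishers = set(trusted_publishers)
        self.role_categories = role_categories            # role -> categories it may run
        self.app_categories = app_categories              # app name -> category
        self.min_reputation = min_reputation

    def evaluate(self, req: AppRequest) -> Decision:
        # 1. Who is asking? A binary that is fine for IT may be off-limits
        #    for accounting, so the role check comes before any trust check.
        category = self.app_categories.get(req.app_name, "unknown")
        if category not in self.role_categories.get(req.role, set()):
            return Decision(False, f"{category!r} apps not permitted for role {req.role!r}")

        # 2. Explicitly approved binary: classic hash allow-listing.
        if sha256_hex(req.binary) in self.approved_hashes:
            return Decision(True, "binary hash on approved list")

        # 3. Otherwise fall back to a reputation score, nudged by the signer.
        score = req.reputation
        if req.publisher in self.trusted_publishers:
            score = min(100, score + self.PUBLISHER_BONUS)
        if score >= self.min_reputation:
            return Decision(True, f"reputation {score} >= {self.min_reputation}")
        return Decision(False, f"reputation {score} below {self.min_reputation}")


# Constructed sample binaries; a real deployment hashes the on-disk file.
LEDGER_BIN = b"fake ledger executable"
ADMIN_TOOL_BIN = b"fake remote admin tool"
EDITOR_BIN = b"fake document editor"

POLICY = AllowListPolicy(
    approved_hashes={sha256_hex(LEDGER_BIN), sha256_hex(ADMIN_TOOL_BIN)},
    trusted_publishers={"Example Software Ltd"},
    role_categories={
        "accounting": {"office", "finance"},
        "it": {"office", "admin"},
        "reception": {"office"},
    },
    app_categories={"ledger.exe": "finance", "admintool.exe": "admin",
                    "editor.exe": "office", "hrportal.exe": "hr"},
    min_reputation=70,
)


def run_samples() -> dict:
    """Evaluate a handful of constructed requests; returns name -> Decision."""
    signer = "Example Software Ltd"
    cases = {
        "accountant_ledger": AppRequest("alice", "accounting", "ledger.exe", LEDGER_BIN, signer, 90),
        "accountant_admintool": AppRequest("alice", "accounting", "admintool.exe", ADMIN_TOOL_BIN, signer, 90),
        "it_admintool": AppRequest("bob", "it", "admintool.exe", ADMIN_TOOL_BIN, signer, 90),
        "reception_hrportal": AppRequest("carol", "reception", "hrportal.exe", b"x", signer, 95),
        "reception_editor_signed": AppRequest("carol", "reception", "editor.exe", EDITOR_BIN, signer, 55),
        "reception_editor_unsigned": AppRequest("carol", "reception", "editor.exe", EDITOR_BIN, "Unknown", 55),
    }
    return {name: POLICY.evaluate(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:28s} {'ALLOW' if decision.allowed else 'DENY ':5s} {decision.reason}")
```

The role check runs before any trust check on purpose: a perfectly reputable, explicitly approved admin tool is still denied to the accounting role, which is the distinction Sverdlove draws between "harmless" and "appropriate".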

"There are really good apps out there that are perfectly harmless, but that doesn't mean they're appropriate for work computers," Sverdlove says. "Definitely, software apps that IT is using should never be on the accountant's computer."

Despite improvements, application whitelisting still poses management quandaries. For companies that want to give employees some freedom in what applications they run and where they go online, whitelisting can be a headache. "No company, or very few, could ever implement whitelisting for the Web," says Michael Gough, a senior security analyst for a midsize gaming company. "There are way too many sites to be able to manage this quickly and effectively. Can you really approve each and every executable or website or email recipient?"

Apple's App Store shows that whitelisting of a sort can work. The company has kept its iOS-based devices free of malware. While some malicious applications have evaded Apple's vetting process, the company has had almost no security incidents, even though researchers reported 387 vulnerabilities in iOS components last year. That record compares with Android's 12 security incidents despite having fewer vulnerabilities; more than a hundred malware lines targeted the mobile operating system in 2012.

Apple limited choice and reduced complexity, and it also reduced the chance of outside tampering. "You can't hack around with [iOS] like you can with an Android device," says Wendy Nather, research director for security at the 451 Group, an analyst firm.

Businesses could replicate the Apple App Store model by creating their own app stores and using mobile device management to keep their employees' devices secure.

Cage The Beast

Beyond whitelisting and application control, another approach is to isolate applications to keep malicious apps from infecting the device. Companies such as Invincea, Trusteer and Bromium are creating virtual containers for applications that limit the harm malicious applications can do and that can also generate forensic data for analyzing the threat.

Such systems run as kernel drivers, wrapping a specific application -- or in some cases all running code -- in a virtual container. When a program or file attempts to take a forbidden action, the virtual container blocks it. Rather than detecting bad behavior or focusing on suspicious programs, the software focuses on potentially dangerous actions, says Anup Ghosh, CEO of Invincea.

The fundamental difference between these kernel driver systems and behavioral detection is that with behavioral detection you have to detect the threat in order to protect the machine. "In a container-based approach, the threat always runs inside a container," Ghosh says.
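The action-centric model Ghosh describes, as an added example that is not code from Invincea, Bromium or Trusteer: a simulated container that never decides whether the wrapped program is malicious, only whether each action it attempts is permitted, blocking the rest and keeping a forensic record. The app name, paths and hosts are constructed sample values; it also handles the path-traversal edge case a naive prefix check would miss.

```python
"""Action-centric container policy with a forensic trail.

Added example, not code from Invincea, Bromium or Trusteer. It simulates the
decision logic of a container wrapped around one application: the program is
never classified as good or bad; each action it attempts is checked against
what the contained app is allowed to do, forbidden actions are blocked, and
every blocked attempt is recorded for later analysis. Paths, hosts and the
app name are constructed sample values.
"""
import posixpath
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Action:
    kind: str     # "write", "exec" or "connect"
    target: str   # file path, program path, or "host:port"


@dataclass(frozen=True)
class ContainerPolicy:
    writable_roots: tuple     # directories the app may write under
    exec_allowed: frozenset   # helper programs it may launch
    allowed_hosts: frozenset  # hosts it may open connections to

    def permits(self, action: Action) -> bool:
        if action.kind == "write":
            # Normalise first so "../" segments cannot escape the writable area.
            path = posixpath.normpath(action.target)
            return any(path == root or path.startswith(root + "/")
                       for root in self.writable_roots)
        if action.kind == "exec":
            return posixpath.normpath(action.target) in self.exec_allowed
        if action.kind == "connect":
            host = action.target.rsplit(":", 1)[0]
            return host in self.allowed_hosts
        return False   # unknown action kinds are denied by default


class Container:
    def __init__(self, app_name: str, policy: ContainerPolicy):
        self.app_name = app_name
        self.policy = policy
        self.forensics: List[dict] = []  # blocked attempts, kept for the analyst

    def attempt(self, action: Action) -> bool:
        """Return True if the action proceeds, False if the container blocked it."""
        allowed = self.policy.permits(action)
        if not allowed:
            self.forensics.append({"app": self.app_name, "kind": action.kind,
                                   "target": action.target})
        return allowed


POLICY = ContainerPolicy(
    writable_roots=("/sandbox/docreader",),
    exec_allowed=frozenset({"/usr/bin/print-helper"}),
    allowed_hosts=frozenset({"updates.example.com"}),
)

# Constructed sequence of actions from a contained document reader.
SAMPLE_ACTIONS = [
    Action("write", "/sandbox/docreader/cache/page1.bin"),
    Action("write", "/etc/docreader.conf"),
    Action("write", "/sandbox/docreader/../../etc/passwd"),
    Action("exec", "/usr/bin/print-helper"),
    Action("exec", "/bin/sh"),
    Action("connect", "updates.example.com:443"),
    Action("connect", "unknown-host.example:8080"),
]


def run_sample():
    """Drive the sample actions through a container; returns (verdicts, forensics)."""
    box = Container("docreader", POLICY)
    verdicts = [box.attempt(a) for a in SAMPLE_ACTIONS]
    return verdicts, box.forensics


if __name__ == "__main__":
    verdicts, trail = run_sample()
    for a, ok in zip(SAMPLE_ACTIONS, verdicts):
        print(f"{'allow' if ok else 'BLOCK':5s} {a.kind:7s} {a.target}")
    print(f"{len(trail)} blocked attempts recorded for analysis")
```

Nothing in the policy looks at the program's identity or reputation; whether the contained reader was benign or compromised, the same out-of-bounds write, shell launch and unexpected connection are refused, and the forensic trail is what tells the analyst something was wrong.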

Another technique to limit the risk of getting malicious applications on a device is wrapping applications in code that limits how they can be used and how they can handle data. Known as application management, the technique lets IT administrators control what applications are allowed on a device and how they handle data, even if the endpoint isn't company-owned.

Microsoft has taken a similar approach with its Information Rights Management system, which encrypts data into rights-protected documents and then issues licenses to authorized users to access the data.

To be effective, however, containers have to isolate threats from the system while letting workers share data and communicate. It's tricky to do: A virtual container that's too rigorous could prevent workers from saving and sharing data, while attackers will easily find their way around one that's too permissive.

Data-Driven Endpoint Security

Rather than focus on securing endpoints, other technologies aim to protect corporate data. "The moment you start touching the employee's device, a lot more complexity comes into play," says Suresh Balasubramanian, CEO of Armor5, a cloud security vendor that lets employees access corporate applications and data through a cloud service.

Technology such as virtual desktop infrastructure (VDI) lets users access data without allowing any malware on the endpoint access to either the data or the network, says Natalie Lambert, director of product marketing for Citrix, a networking and virtualization technology provider. "The data never resides on the endpoint, and so it can never be sent out," she says.

But VDI relies on an Internet connection. "The Internet seems ubiquitous, but it's not," says Brett Hansen, executive director of end user product strategy at Dell Software. "VDI is an option. It certainly provides a level of security, but it doesn't address how we work today."

[Chart: Personally owned endpoints commonly used]

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Page 2 of 4