Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:50 AM
Connect Directly

The Real Dirt on Whitelisting

The choice for blacklisting versus whitelisting isn't really black and white

It’s déjà vu all over again. Whitelisting technology has enjoyed a resurgence of interest lately, with antivirus companies such as Symantec, McAfee, and Microsoft planning to add it to their blacklisting-based malware detection tools and some enterprises even dropping AV altogether in favor of whitelisting alone. All thanks to the proliferation of botnets, stealthier malware, and the near-epidemic in data breaches that have led vendors and enterprises to search for something other than the standard approach of blacklisting known threats. (See AV Gets a Facelift and Texas Bank Dumps Antivirus for Whitelisting.)

Whitelisting, the concept of which dates back to the mainframe days of locked-down and controlled applications, lets only approved and authorized applications run on user machines. Today whitelisting is becoming a first layer of defense in some organizations, says Tom Murphy, chief strategist for Bit9, which sells a whitelisting solution. “Over time, what we see is an erosion of value for blacklisting because more machines will be using whitelisting,” he says.

Murphy predicts that within two years, most every machine will have some element of whitelisting security, whether it runs blacklisting-based antivirus software or not. And AV vendors are starting to jump on board: Bit9 recently announced that Kaspersky Lab, for instance, is now using its Global Software Registry database of clean, whitelisted applications to build out some of its technology.

Symantec made waves in April at the RSA Conference when CEO John Thompson mentioned it as a promising technology in his keynote address. But that doesn’t mean Symantec is dropping blacklisting for whitelisting: “What John was talking about was that the shift to whitelisting makes sense, but it’s not going to happen overnight. Symantec believes you have to combine the two approaches, whitelisting and blacklisting, for effective protection,” says Kevin Murray, senior director of product marketing for Symantec’s endpoint security group. (See Symantec Chairman Calls for Information-Centric Approach to Security.)

Murray says combating the malware threat requires a “gradual tweaking” of the two technology approaches. “We are looking at both application control and the behavioral approach” to fighting malware proliferation, he says.

Other experts argue that whitelisting is a wash. “It will work as long as your machine is never connected to the Internet, and if you have a gold CD installed on it,” says Greg Hoglund, CEO for HBGary, which offers an alternative to blacklisting and whitelisting. It’s the attachments and desktop browser exploits that infect machines, notes Hoglund, and malware aimed at browser plug-ins, for instance, isn’t always easily detectable, and often hides its processes in memory. “If a bad guy wants to attack a computer, he can pick a process that’s been whitelisted... and inject a thread or DLL. Now the malware is living inside the process that matches the name on the [list], so it’s considered trusted,” Hoglund says.

But most experts don’t expect whitelisting to replace blacklisting, and even Bit9, one of the hottest whitelisting firms, today uses blacklisting to vet the applications in its whitelist database. “When they build their whitelist, they run the executables through 20 different AV products,” says John Pescatore, Gartner. “So they can’t have whitelisting without blacklisting.”

The only way whitelisting could truly stand alone, Pescatore says, is if an enterprise or user were to return to the old-fashioned whitelisting lockdown mode, where users can only run specific, approved apps and nothing else -- no browser add-ins, gadgets, etc., Pescatore says. But that’s obviously unrealistic for most organizations: “Most companies today have got to let their users install some [other] things,” he says.

A better fit is what Pescatore calls “uber-whitelisting,” similar to Bit9’s approach. “This helps fill in where AV falls apart,” he says. “And there’s always going to be a greylist, something that’s not on the blacklist or whitelist.”

And just how safe are those whitelisted apps from getting infected? Bit9’s Murphy notes that his company uses three cryptographic hashes to maintain trust, and application vendors’ digital signatures also help ensure their integrity. “As long as those trusted methods are there, then the whitelist by itself will be secure and protected,” he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-10
Mibew Messenger before 3.2.7 allows XSS via a crafted user name.
PUBLISHED: 2020-08-10
CS2 Network P2P through 3.x, as used in millions of Internet of Things devices, suffers from an authentication flaw that allows remote attackers to perform a man-in-the-middle attack, as demonstrated by eavesdropping on user video/audio streams, capturing credentials, and compromising devices.
PUBLISHED: 2020-08-10
CS2 Network P2P through 3.x, as used in millions of Internet of Things devices, suffers from an information exposure flaw that exposes user session data to supernodes in the network, as demonstrated by passively eavesdropping on user video/audio streams, capturing credentials, and compromising devic...
PUBLISHED: 2020-08-10
Firmware developed by Shenzhen Hichip Vision Technology (V6 through V20, after 2018-08-09 through 2020), as used by many different vendors in millions of Internet of Things devices, suffers from buffer overflow vulnerability that allows unauthenticated remote attackers to execute arbitrary code via ...
PUBLISHED: 2020-08-10
Firmware developed by Shenzhen Hichip Vision Technology (V6 through V20), as used by many different vendors in millions of Internet of Things devices, suffers from cryptographic issues that allow remote attackers to access user session data, as demonstrated by eavesdropping on user video/audio strea...