Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:50 AM
Connect Directly

The Real Dirt on Whitelisting

The choice for blacklisting versus whitelisting isn't really black and white

It’s déjà vu all over again. Whitelisting technology has enjoyed a resurgence of interest lately, with antivirus companies such as Symantec, McAfee, and Microsoft planning to add it to their blacklisting-based malware detection tools and some enterprises even dropping AV altogether in favor of whitelisting alone. All thanks to the proliferation of botnets, stealthier malware, and the near-epidemic in data breaches that have led vendors and enterprises to search for something other than the standard approach of blacklisting known threats. (See AV Gets a Facelift and Texas Bank Dumps Antivirus for Whitelisting.)

Whitelisting, the concept of which dates back to the mainframe days of locked-down and controlled applications, lets only approved and authorized applications run on user machines. Today whitelisting is becoming a first layer of defense in some organizations, says Tom Murphy, chief strategist for Bit9, which sells a whitelisting solution. “Over time, what we see is an erosion of value for blacklisting because more machines will be using whitelisting,” he says.

Murphy predicts that within two years, most every machine will have some element of whitelisting security, whether it runs blacklisting-based antivirus software or not. And AV vendors are starting to jump on board: Bit9 recently announced that Kaspersky Lab, for instance, is now using its Global Software Registry database of clean, whitelisted applications to build out some of its technology.

Symantec made waves in April at the RSA Conference when CEO John Thompson mentioned it as a promising technology in his keynote address. But that doesn’t mean Symantec is dropping blacklisting for whitelisting: “What John was talking about was that the shift to whitelisting makes sense, but it’s not going to happen overnight. Symantec believes you have to combine the two approaches, whitelisting and blacklisting, for effective protection,” says Kevin Murray, senior director of product marketing for Symantec’s endpoint security group. (See Symantec Chairman Calls for Information-Centric Approach to Security.)

Murray says combating the malware threat requires a “gradual tweaking” of the two technology approaches. “We are looking at both application control and the behavioral approach” to fighting malware proliferation, he says.

Other experts argue that whitelisting is a wash. “It will work as long as your machine is never connected to the Internet, and if you have a gold CD installed on it,” says Greg Hoglund, CEO for HBGary, which offers an alternative to blacklisting and whitelisting. It’s the attachments and desktop browser exploits that infect machines, notes Hoglund, and malware aimed at browser plug-ins, for instance, isn’t always easily detectable, and often hides its processes in memory. “If a bad guy wants to attack a computer, he can pick a process that’s been whitelisted... and inject a thread or DLL. Now the malware is living inside the process that matches the name on the [list], so it’s considered trusted,” Hoglund says.

But most experts don’t expect whitelisting to replace blacklisting, and even Bit9, one of the hottest whitelisting firms, today uses blacklisting to vet the applications in its whitelist database. “When they build their whitelist, they run the executables through 20 different AV products,” says John Pescatore, Gartner. “So they can’t have whitelisting without blacklisting.”

The only way whitelisting could truly stand alone, Pescatore says, is if an enterprise or user were to return to the old-fashioned whitelisting lockdown mode, where users can only run specific, approved apps and nothing else -- no browser add-ins, gadgets, etc., Pescatore says. But that’s obviously unrealistic for most organizations: “Most companies today have got to let their users install some [other] things,” he says.

A better fit is what Pescatore calls “uber-whitelisting,” similar to Bit9’s approach. “This helps fill in where AV falls apart,” he says. “And there’s always going to be a greylist, something that’s not on the blacklist or whitelist.”

And just how safe are those whitelisted apps from getting infected? Bit9’s Murphy notes that his company uses three cryptographic hashes to maintain trust, and application vendors’ digital signatures also help ensure their integrity. “As long as those trusted methods are there, then the whitelist by itself will be secure and protected,” he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-14
GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ogr/ogr_expat.cpp when the 10MB threshold is exceeded.
PUBLISHED: 2019-10-14
tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and other products, has an integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image, related to a "Negative-size-param" condition.
PUBLISHED: 2019-10-14
In ImageMagick before 7.0.8-62, TraceBezier in MagickCore/draw.c has a use-after-free.
PUBLISHED: 2019-10-14
Centreon 19.04 allows attackers to execute arbitrary OS commands via the Command Line field of main.php?p=60807&type=4 (aka the Configuration > Commands > Discovery screen).
PUBLISHED: 2019-10-14
In FFmpeg before 4.2, avcodec_open2 in libavcodec/utils.c allows a NULL pointer dereference and possibly unspecified other impact when there is no valid close function pointer.