Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:50 AM
Connect Directly

The Real Dirt on Whitelisting

The choice for blacklisting versus whitelisting isn't really black and white

It’s déjà vu all over again. Whitelisting technology has enjoyed a resurgence of interest lately, with antivirus companies such as Symantec, McAfee, and Microsoft planning to add it to their blacklisting-based malware detection tools and some enterprises even dropping AV altogether in favor of whitelisting alone. All thanks to the proliferation of botnets, stealthier malware, and the near-epidemic in data breaches that have led vendors and enterprises to search for something other than the standard approach of blacklisting known threats. (See AV Gets a Facelift and Texas Bank Dumps Antivirus for Whitelisting.)

Whitelisting, the concept of which dates back to the mainframe days of locked-down and controlled applications, lets only approved and authorized applications run on user machines. Today whitelisting is becoming a first layer of defense in some organizations, says Tom Murphy, chief strategist for Bit9, which sells a whitelisting solution. “Over time, what we see is an erosion of value for blacklisting because more machines will be using whitelisting,” he says.

Murphy predicts that within two years, most every machine will have some element of whitelisting security, whether it runs blacklisting-based antivirus software or not. And AV vendors are starting to jump on board: Bit9 recently announced that Kaspersky Lab, for instance, is now using its Global Software Registry database of clean, whitelisted applications to build out some of its technology.

Symantec made waves in April at the RSA Conference when CEO John Thompson mentioned it as a promising technology in his keynote address. But that doesn’t mean Symantec is dropping blacklisting for whitelisting: “What John was talking about was that the shift to whitelisting makes sense, but it’s not going to happen overnight. Symantec believes you have to combine the two approaches, whitelisting and blacklisting, for effective protection,” says Kevin Murray, senior director of product marketing for Symantec’s endpoint security group. (See Symantec Chairman Calls for Information-Centric Approach to Security.)

Murray says combating the malware threat requires a “gradual tweaking” of the two technology approaches. “We are looking at both application control and the behavioral approach” to fighting malware proliferation, he says.

Other experts argue that whitelisting is a wash. “It will work as long as your machine is never connected to the Internet, and if you have a gold CD installed on it,” says Greg Hoglund, CEO for HBGary, which offers an alternative to blacklisting and whitelisting. It’s the attachments and desktop browser exploits that infect machines, notes Hoglund, and malware aimed at browser plug-ins, for instance, isn’t always easily detectable, and often hides its processes in memory. “If a bad guy wants to attack a computer, he can pick a process that’s been whitelisted... and inject a thread or DLL. Now the malware is living inside the process that matches the name on the [list], so it’s considered trusted,” Hoglund says.

But most experts don’t expect whitelisting to replace blacklisting, and even Bit9, one of the hottest whitelisting firms, today uses blacklisting to vet the applications in its whitelist database. “When they build their whitelist, they run the executables through 20 different AV products,” says John Pescatore, Gartner. “So they can’t have whitelisting without blacklisting.”

The only way whitelisting could truly stand alone, Pescatore says, is if an enterprise or user were to return to the old-fashioned whitelisting lockdown mode, where users can only run specific, approved apps and nothing else -- no browser add-ins, gadgets, etc., Pescatore says. But that’s obviously unrealistic for most organizations: “Most companies today have got to let their users install some [other] things,” he says.

A better fit is what Pescatore calls “uber-whitelisting,” similar to Bit9’s approach. “This helps fill in where AV falls apart,” he says. “And there’s always going to be a greylist, something that’s not on the blacklist or whitelist.”

And just how safe are those whitelisted apps from getting infected? Bit9’s Murphy notes that his company uses three cryptographic hashes to maintain trust, and application vendors’ digital signatures also help ensure their integrity. “As long as those trusted methods are there, then the whitelist by itself will be secure and protected,” he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "The security team seem to be taking SiegeWare seriously" 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-05
An exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64.DLL driver, version 26.20.13001.29010. A specially crafted pixel shader can cause out-of-bounds memory read. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be trigger...
PUBLISHED: 2019-12-05
A Security Bypass vulnerability exists in the phpCAS 1.2.2 library from the jasig project due to the way proxying of services are managed.
PUBLISHED: 2019-12-05
An authentication flaw in the AVPNC_RP service in Aviatrix VPN Client through 2.2.10 allows an attacker to gain elevated privileges through arbitrary code execution on Windows, Linux, and macOS.
PUBLISHED: 2019-12-05
Weak file permissions applied to the Aviatrix VPN Client through 2.2.10 installation directory on Windows and Linux allow a local attacker to execute arbitrary code by gaining elevated privileges through file modifications.
PUBLISHED: 2019-12-05
Norton Password Manager, prior to, may be susceptible to a cross origin resource sharing (CORS) vulnerability, which is a type of issue that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served.