What is Whitelisting
The Evolution in Application Whitelisting
The current approach to protecting your endpoints is ineffective, and this is costing your organization time and money. Malware has exploded; endpoint complexity continues to increase due to the many third-party and so-called Web 2.0 applications; and security products today are more complicated than ever. Adding to your challenges are stagnant IT budgets.
Application whitelisting, sometimes referred to as application control, is one of the original security models. It prevents any program file / executable from running unless explicitly permitted in the whitelist. By creating a whitelist of known good applications, everything else – malware, unwanted applications, unknown programs, etc. – is blocked until authorized to run. While few doubt its efficacy as a security tool, historically it has not been flexible enough for the modern enterprise.
The Past
At the dawn of the modern computing age, computers and devices arrived with all features, services, and ports turned off by default – and that’s where they stayed until someone explicitly authorized and enabled (or “whitelisted”) them. As computer use flourished outside of the server room and as more users required a growing number of new applications, IT managers found whitelisting too restrictive, too inflexible, and too difficult to manage within the modern enterprise. So, while effective, application whitelisting became a security tool generally reserved for static environments such as mission-critical servers, kiosks, POS systems, and the like.
For desktop environments at home and business, blacklisting (in the form of antivirus programs), which identifies known bad executables and creates defensive signatures to block them, became the primary component of endpoint security.
The Present
Today, the vulnerabilities in operating systems and third-party applications are increasing; according to NSS Labs, historically about 6,000 to 7,000 vulnerabilities were found in applications in any given year, but in the first half of 2010 approximately 4,500 vulnerabilities have been made public, with the final 2010 count expected to be about 10,000. And the malware being pushed out to exploit these vulnerabilities has exploded both in number and sophistication. Attackers are layering obfuscation methods that subtly alter a single piece of malware so that it looks like hundreds of different applications to the blacklist signature (AV) engines.
Not only is it increasingly difficult for standalone AV solutions to identify signatures, there is also a lag in getting new signature definitions out to market. This results in a widening risk window. Additionally, as malware has exploded, so have the costs associated with it, including rising help desk calls, tier 2 and 3 event management, hard-drive re-imaging, network downtime, lost employee productivity, and so on.
A constantly shifting IT risk environment, coupled with technology tools that are no longer effective at preventing cyber-attacks or providing visibility over endpoints: no wonder many organizations feel less secure today than they did one year ago.
The Future
One can distill the root causes of most endpoint security issues to a single core issue: a breakdown in change control. Whether that manifests itself through malware or end users installing unauthorized applications, the lack of an established change-control policy – or the ability to enforce this policy – is adding to the security and operational overhead in today’s IT environments.
Advances in application whitelisting now focus on making the technology more flexible for today’s dynamic endpoint. New levels of intelligence are being added through trusted change engines, and whitelist management can integrate with other tools such as patch management. Application whitelisting is also no longer an either/or choice against antivirus. AV will continue to play a role in endpoint security, as will patch management and other technologies like device control. But now application whitelisting will play an increasingly important role in your defense-in-depth approach to endpoint protection.
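The default-deny model described in the introduction and the trusted-change idea in this section, as an added Python illustration that is not from the original article or any vendor product: executables are identified by SHA-256 hash, anything not on the list is blocked, and files written by a trusted updater are approved automatically. The process name `patch_agent` and the byte strings standing in for executables are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Whitelist:
    """Default-deny application control keyed on file hashes."""
    allowed_hashes: set = field(default_factory=set)
    trusted_updaters: set = field(default_factory=set)

    @staticmethod
    def digest(content: bytes) -> str:
        # Identify an executable by its SHA-256 rather than by name or path
        return hashlib.sha256(content).hexdigest()

    def authorize(self, content: bytes) -> None:
        """Explicit administrator approval: add a known-good executable."""
        self.allowed_hashes.add(self.digest(content))

    def record_write(self, writer: str, new_content: bytes) -> bool:
        """Trusted change: a file dropped by a trusted updater (e.g. the patch
        agent) is whitelisted automatically; other writers leave it blocked."""
        if writer in self.trusted_updaters:
            self.authorize(new_content)
            return True
        return False

    def may_run(self, content: bytes) -> bool:
        """Execution decision: allowed only if the hash is already known good."""
        return self.digest(content) in self.allowed_hashes


def demo() -> dict:
    """Walk through the article's scenarios with constructed stand-in binaries."""
    wl = Whitelist(trusted_updaters={"patch_agent"})  # assumed process name
    office = b"MZ...approved office suite v1"        # constructed sample
    malware = b"MZ...dropper"                         # constructed sample
    wl.authorize(office)
    return {
        "approved_runs": wl.may_run(office),
        # unknown binary: blocked without needing any signature
        "unknown_blocked": not wl.may_run(malware),
        # repacked variant of the same malware: still not on the list
        "repacked_blocked": not wl.may_run(malware + b"\x90"),
        # update delivered by the patch agent is trusted automatically
        "patch_auto_approved": wl.record_write("patch_agent", office + b" v2"),
        "patched_runs": wl.may_run(office + b" v2"),
        # the same kind of write by a user-run installer is not trusted
        "user_write_rejected": not wl.record_write("user_installer", b"MZ...game"),
        "user_install_blocked": not wl.may_run(b"MZ...game"),
    }
```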