After rolling out a whitelisting solution on thousands of endpoints, the IT security department at staffing and recruiting agency Manpower noticed a drastic drop in malware across its network.
“Our infections and malware went down significantly,” says Lance Fahey, a technical security specialist for the company. “There was a clear difference between pre- and post-installation.”While whitelisting technology has been around for some 10 years, it hasn't garnered a mainstream following, as has its counterpart, traditional anti-virus (AV) software. Both offerings are intended to prevent malware, but whitelisting is the yin to the yang of anti-virus. Instead of allowing any program to run, except for a blacklist of known malware like traditional signature-based anti-virus scanners, the concept behind whitelisting is to prevent the execution of any software, except what is on a whitelist, which is comprised of approved applications that are known to be legitimate. So, when a user is surfing the web and stumbles on a malicious website that attempts to silently install a virus on the system, the malware will not execute because it is not on the whitelist.
The IT department at Manpower initially turned to whitelisting so its primary business application, a staffing tool, could function better, Fahey says. The company chose an offering from Bit9 and rolled it out to employee endpoints across its 800 offices in North America. The whitelisting solution was deployed remotely, enabling the IT department to manage the product through a centralized web console.Since the rollout was completed this past August, the performance of computers has noticeably improved and users have been more productive because they are not downloading and installing malware, Fahey says. As a side benefit, the IT department has received a measurable decrease in calls to the help desk.
“It really controls the social engineering aspect where individuals are tricked into downloading and installing a potentially malicious piece of software,” Fahey says. “With the policies we have in place, it can't happen. It takes the human error away.”Whitelisting has always been a great idea and an effective technology, one of the key pieces for creating a reliable and secure model, says Byron Hynes, an independent technology strategist. “The holdup is it's been hard to do.”
Retail organizations have been early adopters of whitelisting technology, implementing it on PCs running point-of-sale (PoS) card-processing systems to protect customers' credit card information, says Tom Murphy (left), chief strategist at Bit9.This type of solution has been ideal in retail environments because the software running on PoS systems is generally static and doesn't change often. In the mainstream desktop environment, however, there are significant numbers of applications and frequent patches so whitelisting becomes more challenging.
But, technology advances have seen numerous whitelisting tools become available today that have made the solution more flexible and workable for the mainstream desktop environment, experts say. Many of these tools can be configured to accept updates from trusted applications and allow various endpoints to be configured differently so they can run diverse software. And, these offerings are appealing to more organizations due to a recent explosion in malware, experts say.“While the technology has been around for awhile, it's become more compelling in the past year based on the malware activity,” says Bob Kamsler, VP of engineering at Savant Protection, an application whitelisting vendor.
It is clear that AV companies are having trouble keeping up with the rise in malware, a problem that experts say will elevate application whitelisting technology from just a good idea to a mainstream, widely deployed security defense.
Joel Rosenblatt (right), manager of computer and network security at Columbia University's Information Security Office, began looking into application whitelisting technology about a year and a half ago, believing that AV was no longer enough to keep up with the latest malware threats. The initiative came to fruition when the university deployed a new financial aid application processing system that is used to store sensitive information, such as tax returns.“We are using it to secure desktops that contain personally identifiable information (PII),” Rosenblatt says. “In order to secure those computers, you've got to do something stronger than stick anti-virus on them and pray.”
“We have looked at our environment and, frankly, we have too many computers to pay for everyone to have it,” Rosenblatt says. “But there are desktops which require the ability to have PII and we have determined that in order to accept the risk of having that kind of information on the desktop, we have to lock them down in a much stronger fashion than a normal desktop.”If other cost-constrained organizations have the funds to put whitelisting software on just one desktop, it should be the comptroller's, says Stephen Northcutt (right), president of the SANS Technology Institute. This is because, as the FBI recently warned, attackers are actively targeting corporate financial officers with the goal of infecting the user's PC with malware containing keyloggers that harvest corporate online banking credentials, which are used to transfer or wire funds from the company's account. As of this past November, cybercriminals have attempted to steal $100 million from small- and medium-sized businesses in scams of this nature, the FBI said in an advisory.
Also, whitelisting has myriad benefits, but such solutions will not stop all threats, experts caution. James Lyne (left), senior technologist at AV vendor Sophos, says that a pitfall of whitelisting is that trusted programs on the whitelist can sometimes be compromised.“Internet Explorer is a fine example of a trusted application you want to allow to run, but regrettably, much like most browsers, it can be compromised with exploits,” Lyne says. “Such exploits could allow Internet Explorer's process to conduct illegitimate actions on the system.”
While whitelisting makes it harder for malware to get on a system and remain there, exploits can still be used to steal data, Lyne says. For this reason, whitelisting should not be viewed or used as the all-in-one solution for desktop security, but instead be employed as part of a defense-in-depth strategy, experts say.Northcutt agrees, explaining that the three pieces necessary to have a “reasonably safe” desktop are AV, vulnerability management tools that ensure patches are up to date, and whitelisting. Today, these are generally separate offerings, but in the future, security companies might start packaging them, he predicts. “In a year or two, that's what you will see. That's what will make sense.”