Network Security, Security Strategy, Plan, Budget

Bank on it: An end to anti-virus


A bank replaced its anti-virus when it found it could more effectively guard its systems with anti-malware, reports Greg Masters.

Has the anti-virus market become obsolete? It seems that some network administrators are opting out in favor of newer, more flexible options.

Brent Rickels, senior vice president of First National Bank, headquartered in Valley Mills, Texas, recalls that when the license renewal for his company's previous anti-virus tool was getting close, it just seemed that the anti-virus programs were getting bigger and more bloated and taking more system resources.

“The number of viruses was increasing,” he says. “I just began worrying about what might sneak in on us. I thought, ‘isn't there something better out there by now?' Anti-virus technology moves very quickly, so why hasn't it moved quick enough to obsolete this tech and come up with something better.”

Rickels thought he could more effectively guard his company's systems with anti-malware software that whitelists administratively approved programs with run permissions, but restricts any unknown and unauthorized executables from springing to life.

He did a lot of looking around at anti-virus vendors to see if they'd added anything new, but decided that they really hadn't. He then started looking at other new technologies, such as those that did sandboxing technology.

When he came across the Lumension Sanctuary software solution from Lumension Security, he liked the idea of whitelisting better because it was easier to administer. The Sanctuary suite combines application and device control capabilities.

“It gave us more protection, as sandboxing just protects you from what you're doing at the moment, it doesn't always give you email security. The price was very reasonable. It cost less than our previous tool.”

In fact, according to Rickels, Lumension Sanctuary cost 30 percent less than Symantec anti-virus and, he adds, Sanctuary is far more effective. Plus, it was easier to go forward with because once installed on the server and on each individual client, the clients pull daily updates from the server automatically.

Brent RickelsAs Rickels (left) is a one-person IT staff at the bank, this makes management of the company's 40 PCs and 12 servers a lot easier.

“I wear a lot of hats. I want the easiest-to-manage system I can have,” he says.

$2.5B endpoint security market

Don Leatham, director of solutions and strategy at Lumension Security, says whitelisting is a complementary technology to traditional anti-virus, which uses a different, operational approach to ensuring endpoint integrity and defending against malware.

“The various estimates for the B2B anti-virus/anti-malware market average around $2.5 billion,” he says. “Currently, according to several analysts' market definition, whitelisting falls under the endpoint security market, but as the technology continues to gain traction, whitelisting will have a prominent share of that market, either as a standalone or part of broader endpoint protection suites and operational vulnerability management platforms. We are in the early phase of the adoption curve and there is significant upside potential.”

The threat landscape has significantly changed where traditional technologies alone cannot thwart the new generation of malware and other threats that are designed to evade traditional perimeters, says Leatham, adding that simply installing AV or firewall no longer helps businesses effectively defend themselves.

“There are too many ways around the network perimeter, and today's cybercriminals are using clandestine code that cannot be detected by AV software, which can offer protection from known threats. Supplementing traditional AV with proactive security through whitelisting allows you to define the ‘known good' and control what can execute within the computing environment.”

Lumension Security's Endpoint Protection delivers protection against malware threats by employing a completely different approach that is false-positive free -- without depending on signature updates, he says. The result is a solution that focuses on what is “good” and should be legitimately allowed to run on the endpoint, rather than what is “bad” and needs to be blocked.

“This approach eliminates the shortcomings of anti-virus, such as the inability to defend against the unknown and false positives, while adding additional benefits, such as increased endpoint integrity, stability and end-user productivity.”

What differentiates their offering is that Lumension's approach to whitelisting has been to integrate the technology into operational vulnerability management and the change control process, rather than bolt it onto an existing anti-virus engine or treat it as a standalone product, adds Leatham. Whitelisting focuses on what applications are trusted and are allowed to run.

“It is this operational characteristic that makes it a perfect candidate to integrate into vulnerability and change management platforms, since these are the systems that understand what applications, patches, etc. are being deployed and used in the environment.”

Additionally, Leatham says an integral value that whitelisting technology delivers is the ability to shed light on the applications and executables that are in the environment, and what the potential implications may be for allowing them to run.

“This risk metadata can help guide administrators to make informed decisions and drive additional vulnerability and configuration actions.”

Examples of this would include alerting about vulnerabilities that are being introduced when trusting a particular application, and what configurations and patches should be subsequently applied.


The implementation of the software went very smoothly, First National Bank's Rickels says. He was able to install it himself, though an engineer from Lumension did come down to talk him through the process.

After getting it installed and living with it for while, Rickels decided to move it to a different server, which meant a re-install, which didn't offer any problems, he says.

“We started off running it on the database with Microsoft SQL Server Desktop Engine (MSDE), but you have a limit and I wanted more flexibility. We put it on a SQL server with more capabilities. It was pretty easy to do.”

Managing it is very easy, he says, adding that initially, it did take some time to get familiar with. “It's like a lot of tools – the more time you put into it, the more you can get out of it. There are a lot of capabilities.”

He points out that he doesn't need to spend a lot of time everyday looking at the logs. A couple of times a week is all it takes as the software will log everything that tries to run, whether it's allowed or not.

“So you can see if you have a problem on the network, or if someone is trying to put something on for which they've forgotten to get authorization.”

The logs show what the program was (whether it was EXC or DLL), who tried to run it, when they tried to run it, and on what machine.

“You're looking at straight logs, and it shows you what tried to run and what didn't, so you know it was an unauthorized program. It'll show you the details of the program – what file directory it's installed in, when it was installed, and the version of the program. Plus, you can see, for example, a new update for Adobe Reader that someone tried to install, or a game one of the tellers decided would be neat to have on their bank PC.”

After getting a whitelist built, learning about the program, seeing how it functioned, and learning about the controls gained, Rickels says he went back in and divided programs into program groups.

“So we began to categorize things, some just for convenience – these are Adobe programs, these are Microsoft programs – some that are specific banking programs to communicate with the Federal Reserve Bank. And then the programs for auditors went into a separate group, as well.”

And then the administrator can get permissions for those groups to different people. “So people who have no need or authority to be running certain programs are denied access to those programs,” Rickels explains.


The bank, which has four branches within a 20-mile radius, just added Lumension Security's device control portion of the program. This allows Rickels to control endpoints. Any USB device, smart phone or iPhone can be authorized or unauthorized. Any file transfers to those devices are either authorized or not.

“So, if anyone is taking information out of the bank, we can see what that data is. There are only a few people authorized to take data out, and only certain things.”

Most people just want to hook up their MP3 players and play it through their speakers, he says. “Well, that's fine, but we have to make sure it doesn't have data transfer capabilities, because we don't mind them putting their songs on the PC, but we don't want them transferring data, or a virus, or something accidentally. So we block that.”

The tool blocks any program that's not authorized. If it's not on the whitelist, the software prevents the program from running. If somebody emails a virus or piece of malware, and an end-user accidentally tries to start it, the software blocks it because it is not authorized.

Updates are handled manually. When Microsoft sends its Patch Tuesday updates, for example, Rickels scans those into the database.

“It makes life easier,” he says. “You don't have to worry about somebody doing something stupid. Nothing gets on the bank network that's not supposed to be there. It's a nice control, particularly when you have people's personal information on here. You want to make sure it doesn't get out or get corrupted or have things happen to it. The program gives us a lot more control than just an anti-virus program, while also protecting us from viruses and worms and malware. It's been a nice addition to our security tools.”


AV Alternative: Endpoint protection

The options for anti-virus protection are growing. The big players face competition from smaller guys who are offering solutions that approach the problem in differing ways.

“Symantec may have an old-school approach to anti-malware, meaning, put all the signatures on the endpoint and update it as necessary. With the rate of new malware emerging -- Symantec reported more than 1,900 daily new malware instances for 2007 -- soon the updating signature approach will no longer be fast enough or scalable enough. It is without question the time to look for alternative approaches,” says Chenxi Wang, principal analyst, security and risk management, Forrester Research.

While many vendors continue to evolve their anti-virus products, pushing out updates to try and keep up with unending assaults, the folks at Sanctuary have taken another approach.

“Since anti-virus relies on a signature match to identify malware, it offers no protection against targeted attackers using new or ‘boutique' malware to infect individuals and organizations,” says Don Leatham, director of solutions and strategy at Lumension Security. “The anti-virus model was founded, and still operates, on the notion that everything on an endpoint should be allowed to run unless there is a known reason to disallow it. It's a pretty simple idea and it worked fairly well a decade ago when evolution and totality of malware was slow and manageable. In today's world, the number of unique malicious applications is growing geometrically and is by some accounts over six million known variants. Keep in mind that this is just the ‘known' bad stuff out there.”

Lumension Security is the first to combine two important whitelisting security technologies into a single console and agent, namely endpoint protection and data protection, adds Leatham.

Lumension Security's approach to data protection mirrors endpoint protection, in that it allows devices to be accessed only in ‘known good' situations, as defined by policy. Lumension Security's Data Protection policy structure allows for very granular policy definitions that ensure that USB drives, CD/DVD drives, etc. are only available for use in approved, known-good data transfer scenarios.

Whitelist protection via both endpoint protection and data protection, all within a single implementation, is a powerful security tool that offers great value to customers, he says.  – GM

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.