Bit9


Enterprise Application Whitelisting

The PCI Council Speaks on Application Whitelisting

Posted by Kate Munro on Mon, Mar 15, 2010
Recently the PCI Security Standards Council released an FAQ that mentions how Application Whitelisting can be used as a control for Antivirus.

"The Council is looking for equivalent controls that address malware and all types of threats referenced in Requirement 5, which are often found in traditional Anti-virus solutions. If another type of solution (application whitelisting, for example) addresses the identical threats with a different methodology than a signature-based approach, it may still be acceptable to meet the requirement."

The PCI DSS 1.2 standard mandates the use of Antivirus technology, which at the time the standard was published was cutting-edge technology.

A lot has changed since then.

The Operation Aurora zero-day attacks and the Zeus botnet revealed that existing security platforms that use Antivirus and HIPS (host intrusion prevention) are not able to stop these attacks. There were no signatures or behavioral patterns available to stop these attacks. And the patch from Microsoft came days later. Germany went as far as to recommend that its citizens not use Microsoft Internet Explorer until the vulnerability was fixed because they were keenly aware that existing security defenses were not able to stop it. It has become clear that Anti-virus and HIPS are no longer cutting-edge technology.

Now the PCI Standards Council plans to add a new technology, Application Whitelisting, that can offer security in lieu of Antivirus. In fact, many retailers are already using Application Whitelisting in lieu of Antivirus. There are many cases where Antivirus, with its constant need for updates and its inability to keep up with the latest threats, is not the right technology.

We applaud the inclusion of Application Whitelisting in the PCI requirements. We are seeing similar inclusion of Application Whitelisting (and Application Control) requirements in government through NIST and the CAG (Consensus Audit Guidelines). We also believe that this is an area where the Council can talk about security requirements in general and the end goal. This end goal, protecting the endpoints, is the key for our customers. For example, the discussion could be based on a requirement that mandates the use of endpoint technologies that protect against known and unknown malware attacks, including Advanced Persistent Threats.

Application Whitelisting, as we have seen from the recent analyst research from Gartner, does just this.

IE Zero-Day Attacks / Aurora - Hydraq

Posted by Kate Munro on Tue, Feb 02, 2010
Why is it that existing security software didn't stop Operation Aurora cyber attacks from using the Microsoft IE zero-day vulnerability to hack into multiple high-profile technology providers? Is it that this level of malware sophistication has never been seen before?

Dennis Blair, the US Cyber Chief, testified today before Congress and called these attacks "Cyber Pearl Harbor." Read the story in the New York Times by Mark Mazzetti here.

"Malicious cyber activity is occurring on an unprecedented scale with extraordinary sophistication," he said.

As zero-day attacks proliferate, antivirus vendors have begun blocking websites and offering intrusion prevention features aimed at stopping malware before it runs, and even before it is identified. The problem is that the development and promotion of new security features often come as a result of cyber attacks like Operation Aurora and the Hydraq Trojan. Organizations and AV vendors appreciate the need for proactive IT security solutions, but if action is taken post-breach, the damage is already done.

Comprehensive layered defenses against cyber threats have been announced as the "new" methodology for preventing zero-day and targeted attacks, but proactive prevention is not new. Application Whitelisting, offered by Bit9, has been around since 2002, and many more companies are beginning to offer it.

Gartner analyst Neil MacDonald just wrote in his blog that "whitelisting at the endpoints would have stopped these attacks."

Application Whitelisting delivers malware prevention rather than reaction by establishing a list of known and approved applications, devices and files and halting execution of everything else. We've tailored whitelisting for organizations across all industry verticals - from government and finance to retail and healthcare. So when AV reacts to new attacks with new solutions, keep in mind that it is reaction, not prevention, that distinguishes their approach.
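As an added illustration (not Bit9's product code), this Python sketch contrasts the two models the post describes: a signature blocklist, which only stops what it has already seen, and a default-deny whitelist keyed by file hash, which halts a tampered copy of an approved program and a never-before-seen payload alike. All file contents, names and hashes are constructed sample data.

```python
import hashlib
from typing import Dict, Set, Tuple

# Constructed stand-ins for executable file contents (not real binaries).
APPROVED_BINARIES: Set[bytes] = {
    b"pos-terminal-app v1.0",
    b"payment-gateway-client v2.3",
}
# The whitelist is keyed by SHA-256 of the approved content, so a tampered
# copy of an approved program no longer matches and is halted.
ALLOWLIST: Set[str] = {hashlib.sha256(b).hexdigest() for b in APPROVED_BINARIES}

# A signature database only knows malware that has already been analysed
# (constructed sample); anything novel is invisible to it.
KNOWN_BAD: Set[str] = {hashlib.sha256(b"previously-analysed worm").hexdigest()}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signature_decision(data: bytes) -> str:
    """Signature-based model: deny only what matches a known-bad hash."""
    return "DENY" if sha256_hex(data) in KNOWN_BAD else "ALLOW"


def whitelist_decision(data: bytes) -> str:
    """Default-deny model: allow only approved hashes, halt everything else."""
    return "ALLOW" if sha256_hex(data) in ALLOWLIST else "DENY"


def evaluate(samples: Dict[str, bytes]) -> Dict[str, Tuple[str, str]]:
    """Return (signature decision, whitelist decision) for each sample."""
    return {name: (signature_decision(d), whitelist_decision(d))
            for name, d in samples.items()}


# Constructed execution attempts on a PCI-scoped endpoint.
SAMPLES: Dict[str, bytes] = {
    "approved_app": b"pos-terminal-app v1.0",
    "tampered_app": b"pos-terminal-app v1.0" + b" injected code",
    "known_malware": b"previously-analysed worm",
    "zero_day_dropper": b"never-before-seen payload",
}

if __name__ == "__main__":
    for name, (sig, wl) in evaluate(SAMPLES).items():
        print(f"{name:17} signature-AV={sig:5} whitelist={wl}")
```

Only the known sample is stopped by the signature model; the whitelist blocks the tampered binary and the novel dropper without needing a signature for either.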
