Enterprise Application Whitelisting
Posted by Brian Gladstein on Thu, Apr 03, 2008
Welcome to my final posting in a series entitled "Are You Ready for Enterprise Application Whitelisting?" I hope these little snippets have been helpful and have assisted you in determining if your IT organization is mature enough to consider whitelisting - and if you would be able to take advantage of its benefits.

Today's post is one that I've seen many IT groups struggle with first-hand. It has to do with the complexity of modern security products and how much training they seem to require today. Lots of IT administrators simply are not equipped to effectively manage these overly-complicated security policies. Which leads us straight to the question:

Question 5: Is the security expertise required by endpoint protection suites too much?

Think about that one for a minute and ask yourself a few questions:
- Do you run an advanced desktop security suite that includes antivirus, personal firewall, HIPS, and other components?
- If not - why? What's holding you back?
- If so - are you really using all the components?
- If you aren't using everything - why did you buy such a comprehensive piece of software and not use it to full effectiveness?
The answer is almost always that most IT organizations simply are not ready, or don't have the skill sets, to run and operate an advanced security tool that forces you to define cross-product policies that account for malicious behavior patterns and multi-layered protection schemes. IT organizations have always been great at deploying AV because all they had to do was make sure that the AV package was installed and up-to-date. They didn't have to decide what was secure and what wasn't. But operating a HIPS solution or even a personal firewall today requires the operations team to make decisions about the security policy that will have dramatic impacts on the organization's ability to actually protect its systems and its data. Usually what happens is the IT group gets one of these advanced desktop security products and then doesn't deploy it. So they've increased costs and decreased security, all at the same time.

If you are one of these people then you are absolutely ready to look at application whitelisting. Because with whitelisting, there are no complex security policies to understand. Simply choose the applications that your business should be running. Nothing else gets in. If an application is found to contain a vulnerability - ban it. If an application fails to pass some basic security screens, stop it from being able to run. If you don't know what an application is, you never have to be concerned about judging its behavior because it simply will not be able to execute. An application that can't execute can't do any damage.

I hope you've enjoyed these postings on application whitelisting and I really hope that you've learned something from them. We've learned a tremendous amount from our customers and what's enabled them to make the transition to a whitelisting environment. Now it's your turn to ask yourself one more time: are you ready for enterprise application whitelisting?
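The default-deny decision the post describes (approve what the business runs, ban a release once a vulnerability is reported, block everything unknown without judging its behavior), as an added illustration that is not Bit9's code or the product's policy format. Programs are identified by a SHA-256 of their bytes, the sample "binaries" are constructed byte strings, and the class and function names are my own.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"      # fingerprint is on the approved list
    BANNED = "banned"    # explicitly banned, e.g. a release with a known critical flaw
    BLOCKED = "blocked"  # on neither list: default deny, no behavior judgement needed

@dataclass
class WhitelistPolicy:
    approved: set = field(default_factory=set)
    banned: set = field(default_factory=set)
    audit: list = field(default_factory=list)  # (name, short hash, verdict) per attempt

    @staticmethod
    def fingerprint(image: bytes) -> str:
        # Identify a program by the hash of its bytes, not by path or filename,
        # so a replaced or drifted binary does not inherit approval.
        return hashlib.sha256(image).hexdigest()

    def approve(self, image: bytes) -> None:
        self.approved.add(self.fingerprint(image))

    def ban(self, image: bytes) -> None:
        # The approval entry stays; evaluate() lets the ban win over it.
        self.banned.add(self.fingerprint(image))

    def evaluate(self, name: str, image: bytes) -> Verdict:
        h = self.fingerprint(image)
        if h in self.banned:
            verdict = Verdict.BANNED
        elif h in self.approved:
            verdict = Verdict.ALLOW
        else:
            verdict = Verdict.BLOCKED
        self.audit.append((name, h[:12], verdict.value))
        return verdict

def demo() -> list:
    policy = WhitelistPolicy()
    gold = b"ACME-Mail 3.1 (constructed sample executable)"
    policy.approve(gold)
    seen = [policy.evaluate("acmemail.exe", gold)]                        # allow
    # Same filename, different bytes: provisioned software that has drifted.
    seen.append(policy.evaluate("acmemail.exe", gold + b"+user-mod"))     # blocked
    # A download IT never reviewed never runs, so its behavior never needs judging.
    seen.append(policy.evaluate("freetoolbar.exe", b"unknown download"))  # blocked
    policy.ban(gold)  # a critical vulnerability is reported in the approved release
    seen.append(policy.evaluate("acmemail.exe", gold))                    # banned
    return [v.value for v in seen]
```

The audit list is what an operations team would actually review: every blocked attempt names a program that drifted or was never approved, which is the inventory signal the post says IT otherwise lacks.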
Posted by Brian Gladstein on Thu, Feb 14, 2008
Over the past few months we've been reading more and more about how application whitelisting solutions - like Bit9's - may end up becoming the de facto mechanism for securing corporate Windows PCs in the near future. So let's assume for a moment that yes, application whitelisting is the wave of the future and yes, you will be basing your security strategy on only allowing software that you know and trust to run in your environment. The next obvious question is... Are you ready for it? What can you do to prepare for running an environment where people can only use company-authorized software? In the next few postings I'll present some ways to assess your readiness for enterprise application whitelisting. Without further ado, here's the first question you can ask yourself to determine if you are ready for whitelisting.
Question 1: Is your IT staff stretched too thin?

If you have got an IT staff that is too busy "fighting fires" on users' systems and cleaning up after messy software downloads or ugly malware incidents, you are probably aching to get more control over your desktops. After all - your IT staff's time is too valuable to be spent on every little problem that comes up. There are bigger fish to fry, like when you are going to deploy Windows Vista, or how to consolidate computing resources across the enterprise, or how to achieve PCI, SOX, and HIPAA compliance.

Yet many IT departments simply get behind the 8-ball with respect to their desktop infrastructure. As users' computers age, the software on them drifts so that they look very different from how they looked when they were first provisioned. Those inconsistencies cause problems in everything from security to auditability to software licensing costs.

But imagine for a minute what would happen if you could eliminate those inconsistencies. If you could ensure that the software you provisioned did not drift from your original copy of it - and only software you approved or authorized was allowed to run on it. Wouldn't this make your job so much easier? Wouldn't it reduce the number of problems you have to deal with on a monthly and even daily basis? You bet it would! And customers who have implemented application whitelisting are realizing every day how much more productive they can be when they aren't spending all their time firefighting.

So if you think your IT staff hasn't got the time to address the initiatives it should be... you are probably ready for enterprise application whitelisting!
Posted by Brian Gladstein on Wed, Oct 24, 2007
We've just released our top 10 list of the most vulnerable applications for 2007. This is the second year we've put the list together, and it is focused on those applications that users tend to download. These apps are often very difficult for IT to see, let alone patch, and therefore represent unexpected and unquantified vulnerabilities in an enterprise IT environment.
To make it onto the list, the following criteria must be met. Each application:
- Must run on Microsoft Windows
- Must be well-known in the consumer space and frequently downloaded by individuals.
- Must not be classified as malicious by enterprise IT organizations or security vendors
- Must contain at least one critical vulnerability:
  - first reported in June 2006 or after,
  - registered in the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database at http://nvd.nist.gov, and
  - with a severity rating of high (between 7.0-10.0) on the Common Vulnerability Scoring System (CVSS).
- Relies on the end user, rather than a central administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.
It is important to note that in most cases, the vendor or publisher of the applications on this list has already produced a patch for the particular vulnerability or vulnerabilities reported here. But at a company, there is usually no way that IT can ensure that the patch has been properly applied - that's requirement #5 on the list of criteria above.
Last year when we released this list, a lot of people commented on how we left off so much Microsoft software - some even going so far as to say that Microsoft sponsored this research! So let me be clear - this is entirely produced and financed by Bit9. The reason most Microsoft software doesn't make the list is that by now most companies have a pretty good process in place for identifying, patching, and fixing vulnerable Microsoft software. The same cannot be said for apps like Firefox, iTunes, and other packages.
You can download the full list of vulnerable applications here, which includes the specific versions, the vendors' solutions, the nature of the vulnerabilities, and references to the CVE numbers for the identified vulnerabilities. Also, you can learn what to do to help protect your company from vulnerable applications like these. So without further ado, here are the apps on the list. Do you have a comment about it? Please submit!
- Yahoo! Messenger 8.1.0.239 and earlier
- Apple QuickTime 7.2
- Mozilla Firefox 2.0.0.6
- Microsoft Windows Live (MSN) Messenger 7.0, 8.0
- EMC VMware Player (and other products) 2.0, 1.0.4
- Apple iTunes 7.3.2
- Intuit QuickBooks Online Edition 9 and earlier
- Sun Java Runtime 1.6.0_X
- Yahoo! Widgets 4.0.5 and previous
- Ask.com Toolbar 4.0.2.53 and previous
Posted by Brian Gladstein on Wed, Oct 10, 2007
When you buy a security product, do you want to know how well it did against malware that was out last year? Or do you want to know how well it protects you from attacks in the future? The answer is obvious. Well, apparently organizations like AV-Test.org think you don't care about malware that will come out tomorrow... or even what is out there today.

It may shock you to learn how they have been conducting their testing. They basically pre-load a pile of malware on a PC and run an antivirus solution against it. Effectiveness is measured by how much malware is found and stopped. So basically - when malware comes onto the machine through an email... when a known vulnerability is patched... when a user visits a webpage that contains a drive-by... all these attacks mean nothing against the test. Nor does any malware that is coming out today. Or tomorrow. Or even just a couple of days ago. Because the malware that is used for the testing is an old sample that the AV vendors have had every opportunity to write specific signatures for. That doesn't represent the way your PCs behave when they are actually on the Internet. It's a joke!

Here's an article from The Register describing how, finally, people are thinking about considering a different testing approach that incorporates additional aspects of desktop security like behavioral HIPS and patching and firewalls. It's about time. Still, how can you trust the results of a test that can't even tell you something so simple as "how infected does a computer on the Internet get with a given protection scheme?"

If you ask me - this is what is wrong with the endpoint security industry today. Too many people patting themselves on the back for fighting malware, and no attention paid to real-world effectiveness. What do you think? Please comment...
Posted by Brian Gladstein on Mon, Oct 01, 2007
Another data breach... this time at the Gap Inc. The company has reported that personal information for 800,000 job applicants went out the door with two stolen laptops. Sadly, they are just the latest organization to have to deal with this problem. Here's a great site (attrition.org) that lists major data loss and data leakage events. Scroll through this list and you'll be amazed at how many companies are still getting on here.

I ran some quick calculations about the data on the site and here are some interesting results:
- Data breaches have affected in excess of 230 million accounts (those are just the ones they can estimate)
- So far in 2007, about 75% more people have been affected by a data leakage event than in 2006 (the year is not over)
- The number of recorded breaches has been going up exponentially for the past few years - until this year, when the number appears to dip a little. Of course the year is not over, but the average number of stolen accounts per incident is dramatically higher.
- The top 3 types of data stolen are: Credit Cards (104M), Social Security Numbers (68 M), and email addresses (30M)
Will this unfortunate event help spur other companies to better protect their desktops and laptops? I can't say I know the answer. But as a consumer I know what the answer should be. Companies have got to get more control over their computers and over my personal information.