Bit9

Welcome to my final posting in a series entitled "Are You Ready for Enterprise Application Whitelisting?" I hope these little snippets have been helpful and have assisted you in determining if your IT organization is mature enough to consider whitelisting - and if you would be able to take advantage of its benefits.

Today's post is one that I've seen many IT groups struggle with first-hand. It has to do with the complexity of modern security products and how much training they seem to require today. Lots of IT administrators simply are not equipped to effectively manage these overly-complicated security policies. Which leads us straight to the question:

Question 5: Is the security expertise required by endpoint protection suites too much?

Think about that one for a minute and ask yourself a few questions:

• Do you run an advanced desktop security suite that includes antivirus, personal firewall, HIPS, and other components?
• If not - why? What's holding you back?
• If so - are you really using all the components?
• If you aren't using everything - why did you buy such a comprehensive piece of software and not use it to full effectiveness?
  

The answer is almost always that most IT organizations simply are not ready or don't contain the skillsets to run and operate an advanced security tool that forces you to define cross-product policies that account for malicious behavior patterns and multi-layered protection schemes.

IT organizations have always been great at deploying AV because all they had to do was make sure that the AV packages was installed and up-to-date. They didn't have to decide what was secure and what wasn't.

But operating a HIPS solution or even a personal firewall today requires the operations team to be making decisions about the security policy that will have dramatic impacts on the ability for the organization to actually protect its systems and its data.

Usually what happens is the IT group gets one of these advanced desktop security products and then doesn't deploy it. So they've increased costs and decreased security, all at the same time.

If you are one of these people then you are absolutely ready to look at application whitelisting. Becuase with whitelisting, there are no complex security policies to understand. Simply choose the applications that your business should be running. Nothing else gets in.

If an application is found to contain a vulnerability - ban it. If an application fails to pass some basic security screens, stop it from being able to run. If you don't know what an application is, you never have to be concerned abnout judging its behavior because it simply will not be able to execute.

An application that can't execute can't do any damage.

I hope you've enjoyed these postings on application whitelisting and I really hope that you've learned something from it. We've learned a tremendous amount from our customers and what's enabled them to make the transition to a whitelisting environment. Now it's your turn to ask yourself one more time: are you ready for enterprise application whitelisting?

This is my second posting in a series that is meant to help you determine if you are ready for enterprise application whitelisting. For the uninitiated, application whitelisting is a method of operating a PC environment that only lets authorized software run. That means unless you (as the IT department of a company or an organization) allow an application to run, it is prohibited from executing on a computer.

These days solution providers like Bit9 (the leader in Enterprise Application Whitelisting) are paving the way for companies to implement a whitelisting strategy that is easy and effective - and one that can really have an impact in how you secure your desktops and data.

But many companies are asking themselves: am I ready for application whitelisting? To help answer this, my previous post asked the question "Is your IT staff stretched too thin?"

Here is the second question you can ask yourself to determine if you are ready for enterprise application whitelisting.

Question 2: Do you need better auditing, reporting & compliance?

There has been a veritable explosion in requirements placed on companies to inventory and audit their software environments. Driving these demands are a number of different activities ranging from regulations to industry guidelines to software vendors. But one thing is for sure - companies can no longer afford to not know what is happening on their corporate desktops and laptops.

Let's look at a few specific examples of where compliance is being pushed into IT:

• PCI Compliance: organizations that accept payment cards including credit cards and debit cards (primarily retail, finance, healthcare, and many more) are subject to these industry requirements to ensure the integrity of any computing system that handles payment card information (credit card numbers, accounts, etc.)
• Sarbanes-Oxley: Public comapnies in the United States must ensure that their financial systems have not been tampered with and the integrity of the financial reporting data remains in tact.
• HIPAA: Hospitals, physicians, health insurance companies, and other health-related industries are required by law to protect the privacy of patients' information and history, ensuring that only authorized individuals and systems can access access any specific information.
• Federal Desktop Core Configuration (FDCC): Federal agencies in the United States are now required by the OMB (Office of Management & Budget) to harden their Windows desktops to a very specific and detailed Windows configuration.
• Software Vendor Licensing: Large software companies have been stepping up the fight against piracy by conducting large-scale audits of their customers to identify any gap between how many copies of a software product are in use and how many the company had paid for. This often results in an unexpected, but sizeable "true-up."
• Computer Forensics: With so much data being produced and transmitted throughout organizations, many are finding it in their interest to create a forensics capability. You can hope you don't need it, but in the case of lawsuits, disgruntled employees, and other unpleasant events, it can be very useful to understand who did what and when.
• Consolidation: As companies merge and acquire, IT departments end up being responsible for multiple redundant systems. Many of them become forgotten - although the company still pays a heavy maintenance stream. So knowing what is actually in use can reap significant savings in software costs.

What's happening at many companies is that they are finding themselves under the demands of several of these drivers at once. Take as an example a large, public retailer - they will have to adhere to rules and guidelines put forth by the PCI Council, SOX, and their software vendors... maybe others as well.

Precisely because of these overlapping requirements, companies are proceeding along two simultaneous paths:

1. Simplify the data trail with a single, multi-purpose audit stream.
   
2. Enforce more, audit less by putting better controls around the desktop that limit policy violations and vastly reduce the data processing involved in demonstrating compliance.
   

Application whitelisting is a critical activity for both of these because having a rich inventory of the applications in use, and being able to prevent unauthorized software from being used can greatly reduce the cost of getting to compliance and systematically proving it on a regular basis.

So if you are under pressure to audit and report on the software in your environment and to prove that your computers are in compliance, you have met criteria #2 for being ready for Enterprise Application Whitelisting.

Much has been said on the topic of the convergence of IT Security and IT Operations. We all see the trend - or steady march now - towards an integrated business function where security is built into every process and aspect of how information technology is managed at a company.

The security industry welcomes this because, let's face it, it's a fight to get people to pay attention to security. System admins too often view security as an afterthought, and one that is rarely prioritized the way it ought to be.

But what few people in the security industry seem to realize is that IT security has become too complex for most administrators on the operational side. Malicious software has become so hard to detect - and malicious behavior is so hard to distinguish from legitimate behavior - that the amount of attention a typical admin must pay to overseeing security audit trails and policies is overwhelming.

Let's look more at the situation on the desktop. Think of how many layers of security now exist on a PC: antivirus, antispyware, personal firewall, HIPS, popup-blockers, URL filtering... the list goes on. Each of these tools has its own security policy, its own set of audits and reports, its own management interface. And as IT security organizations succeed in pushing these tools onto enterprise desktops, it is the IT operations group that has to deal with it all.

Even where agents and consoles are integrated or combined, each technology has its own unique philosophy - meaning that the policies require specialization to properly implement. And after all, it is the implementation of the policy that determines how well the underlying assets are protected. A nuclear power plant can have all the right precautionary procedures in place, but if the workers refuse to follow them... meltdown.

So what is the real effect on an IT organization and its security effectiveness? If security is too complex to manage, IT admins either set policies too loosely (so what's the point of the security layer) or they make too many configuration errors (which often eliminates security benefits). Plus, the specialization required to operate these tools means additional training, additional headcount, or similar impact on cost and operation. This trend is sadly only getting worse.

That's where whitelisting comes in. Whitelisting represents a complete reversal in thinking. The skillset required to identify a "good" or "authorized" piece of software is far more common in existing IT organizations. Customer like that - it's easy for them to implement, it sets a higher security baseline, and significantly reduces the threat surface they need to devote attention to.

There has been a lot of discussion lately about whitelisting as a security technology. Several experts appear to be questioning its effectiveness against emerging threats (a point I am happy to argue, by the way). They claim that whitelisting simply can not substitute for the many researchers who devote their lives to identifying malicious software.

But I put the question back to the industry: if the technology we create to identify malicious software is too complex for people to use - have we really done our jobs? Have we successfully crossed from the theoretical to the practical? Are we really protecting people? Personally, I don't think so. That's what whitelisting represents for me - and for many of our customers - the most practical way to converge desktop security and operations.

• Data breaches have affected in excess of 230 million accounts (those are just the ones they can estimate)
• So far in 2007, about 75% more people have been affected by a data leakage event than in 2006 (the year is not over)
• The number of recorded breaches has been going up exponentially for the past few years - until this year, when the number appears to dip a little. Of course the year is not over, but the average number of stolen accounts per incident is dramateically higher.
• The top 3 types of data stolen are: Credit Cards (104M), Social Security Numbers (68 M), and email addresses (30M)

1. A dominant vendor controlling the whitelist would stifle competition in the marketplace – particularly from open-source projects and small vendors – by not including them in the whitelist.
2. There’s simply too much software out there to make a whitelist efficient.
3. Viruses that don’t run as executables could not be stopped by a whitelist

• Any type of exploit delivering any type of payload
• A product with a known vulnerability that is being exploited
• Older versions of applications that are not up to patch specifications
• The installation of rootkits, botnets, and other software that is virtually undetectable once it does get installed

Did you know that high-tech criminals are exchanging goods on auction sites, leasing time on botnets, and renting lists of security companies’ IP addresses. Too often, their goal is access to one, specific enterprise network – maybe yours – that they can mine for marketable data. Robin Bloor, partner in noted industry analyst firm Hurwitz & Associates recent participated in a webcast called “Confidential Data for Sale: 7 Ways High-Tech Criminals Compromise Your Computers.”

Today’s hackers are after your enterprise data, and the tools and services they employ to get at it are supported by a sophisticated and fast-growing criminal industry. Even more surprising, and worrying, is how ineffective today’s standard enterprise security practices are at stopping these sophisticated attacks. Consider the following:

• It takes many companies days or weeks to deploy a patch, yet a virus can morph into an undetectable state within a few hours.
• For $200 you can buy a shrink-wrapped hacker’s software development kit (with updates).
• There are more than 5 million PCs under the control of botnets.
• Most of these viruses – if not all – can be stopped if PCs blocked unauthorized software.