Enterprise Application Whitelisting
Posted by Brian Gladstein on Thu, Feb 14, 2008
Over the past few months we've been reading more and more about how application whitelisting solutions - like Bit9's - may end up becoming the de facto mechanism for securing corporate Windows PCs in the near future. So let's assume for a moment that yes, application whitelisting is the wave of the future and yes, you will be basing your security strategy on only allowing software that you know and trust to run in your environment. The next obvious question is... Are you ready for it? What can you do to prepare for running an environment where people can only use company-authorized software? In the next few postings I'll present some ways to assess your readiness for enterprise application whitelisting. Without further ado, here's the first question you can ask yourself to determine if you are ready for whitelisting.
Question 1: Is your IT staff stretched too thin?
If you have an IT staff that is too busy "fighting fires" on users' systems and cleaning up after messy software downloads or ugly malware incidents, you are probably aching to get more control over your desktops. After all - your IT staff's time is too valuable to be spent on every little problem that comes up. There are bigger fish to fry, like when you are going to deploy Windows Vista, or how to consolidate computing resources across the enterprise, or how to achieve PCI, SOX, and HIPAA compliance. Yet many IT departments simply get behind the 8-ball with respect to their desktop infrastructure. As users' computers age, the software on them drifts so that they look very different from how they looked when they were first provisioned. Those inconsistencies cause problems in everything from security to auditability to software licensing costs. But imagine for a minute what would happen if you could eliminate those inconsistencies. If you could ensure that the software you provisioned did not drift from your original copy of it - and that only software you approved or authorized was allowed to run on it. Wouldn't this make your job so much easier? Wouldn't it reduce the number of problems you have to deal with on a monthly and even daily basis? You bet it would! And customers who have implemented application whitelisting are realizing every day how much more productive they can be when they aren't spending all their time firefighting. So if you think your IT staff hasn't got the time to address the initiatives it should be... you are probably ready for enterprise application whitelisting!
Posted by Brian Gladstein on Wed, Oct 10, 2007
When you buy a security product, do you want to know how well it did against malware that was out last year? Or do you want to know how well it protects you from attacks in the future? The answer is obvious. Well, apparently organizations like AV-Test.org think you don't care about malware that will come out tomorrow... or even what is out there today. It may shock you to learn how they have been conducting their testing. They basically pre-load a pile of malware on a PC and run an antivirus solution against it. Effectiveness is measured by how much malware is found and stopped. So basically - when malware comes onto the machine through an email... when a known vulnerability is patched... when a user visits a webpage that contains a drive-by... all these attacks mean nothing to the test. Nor does any malware that is coming out today. Or tomorrow. Or even just a couple of days ago. Because the malware that is used for the testing is an old sample that the AV vendors have had every opportunity to write specific signatures for. That doesn't represent the way your PCs behave when they are actually on the Internet. It's a joke! Here's an article from The Register describing how, finally, people are thinking about a different testing approach that incorporates additional aspects of desktop security like behavioral HIPS, patching and firewalls. It's about time. Still, how can you trust the results of a test that can't even tell you something so simple as "how infected does a computer on the Internet get with a given protection scheme?" If you ask me - this is what is wrong with the endpoint security industry today. Too many people patting themselves on the back for fighting malware, and not enough attention paid to real-world effectiveness. What do you think? Please comment...
Posted by Brian Gladstein on Thu, Oct 04, 2007
Much has been said on the topic of the convergence of IT Security and IT Operations. We all see the trend - or steady march now - towards an integrated business function where security is built into every process and aspect of how information technology is managed at a company. The security industry welcomes this because, let's face it, it's a fight to get people to pay attention to security. System admins too often view security as an afterthought, and one that is rarely prioritized the way it ought to be. But what few people in the security industry seem to realize is that IT security has become too complex for most administrators on the operational side. Malicious software has become so hard to detect - and malicious behavior is so hard to distinguish from legitimate behavior - that the amount of attention a typical admin must pay to overseeing security audit trails and policies is overwhelming. Let's look more at the situation on the desktop. Think of how many layers of security now exist on a PC: antivirus, antispyware, personal firewall, HIPS, popup-blockers, URL filtering... the list goes on. Each of these tools has its own security policy, its own set of audits and reports, its own management interface. And as IT security organizations succeed in pushing these tools onto enterprise desktops, it is the IT operations group that has to deal with it all. Even where agents and consoles are integrated or combined, each technology has its own unique philosophy - meaning that the policies require specialization to properly implement. And after all, it is the implementation of the policy that determines how well the underlying assets are protected. A nuclear power plant can have all the right precautionary procedures in place, but if the workers refuse to follow them... meltdown. So what is the real effect on an IT organization and its security effectiveness? 
If security is too complex to manage, IT admins either set policies too loosely (so what's the point of the security layer?) or they make too many configuration errors (which often eliminates the security benefits). Plus, the specialization required to operate these tools means additional training, additional headcount, or a similar impact on cost and operation. This trend is sadly only getting worse. That's where whitelisting comes in. Whitelisting represents a complete reversal in thinking. The skillset required to identify a "good" or "authorized" piece of software is far more common in existing IT organizations. Customers like that - it's easy for them to implement, it sets a higher security baseline, and it significantly reduces the threat surface they need to devote attention to. There has been a lot of discussion lately about whitelisting as a security technology. Several experts appear to be questioning its effectiveness against emerging threats (a point I am happy to argue, by the way). They claim that whitelisting simply cannot substitute for the many researchers who devote their lives to identifying malicious software. But I put the question back to the industry: if the technology we create to identify malicious software is too complex for people to use - have we really done our jobs? Have we successfully crossed from the theoretical to the practical? Are we really protecting people? Personally, I don't think so. That's what whitelisting represents for me - and for many of our customers: the most practical way to converge desktop security and operations.
Posted by Brian Gladstein on Wed, Sep 26, 2007
In the September 2007 issue of VirusBulletin, our CSO Ian Poynter wrote a response to an opinion piece that was originally written by Dr. Vesselin Bontchev in the previous issue of the magazine. You need to be a subscriber to VirusBulletin to read both pieces (register!), but the substance of the discussion centers on whitelisting and was driven by this comment thread on The Register. Dr. Bontchev took the position in his article that whitelisting will never replace antivirus as a basic security technology. My response? Never is a long time. Here are some other well-known "nevers" (and I paraphrase):
There will never be a market for more than 5 computers in the world. -- Thomas Watson, chairman of IBM, 1943
A PC will never need more than 640K of memory. -- Bill Gates, founder of Microsoft, 1981
There will never be a reason anyone would want a computer in their home. -- Ken Olson, president, chairman and founder of Digital Equipment Corp., 1977
And my favorite: "Guitar music is on the way out." -- Decca Recording Co. rejecting the Beatles, 1962
I thought the comments to the Register article were fascinating because they reveal why people are so concerned about the concept of a whitelist. Let me summarize the top fears as I interpreted them in that thread:
- A dominant vendor controlling the whitelist would stifle competition in the marketplace – particularly from open-source projects and small vendors – by not including them in the whitelist.
- There’s simply too much software out there to make a whitelist efficient.
- Viruses that don’t run as executables could not be stopped by a whitelist.
Let me address each of these briefly:
A dominant vendor controlling the whitelist would stifle the marketplace
The intellectual in me recognizes that people are concerned with a specific overall model, so let me state this clearly: whitelist-based security should not be implemented with a centrally-managed list of “good” software that is maintained by a single vendor. Bit9 certainly doesn’t work this way and never has. The whitelist itself should be maintained by the customer, a community, or even an individual PC owner. That way you decide what software should and shouldn’t run. The idea behind whitelisting is to move to a computer management model where the software on the PC is controlled. So rather than being a wide-open platform where any software can be launched by a user or another piece of software, a whitelist-based security model only allows the stuff you want to run. And what it keeps out often includes non-malicious software you don’t own, want, or need. Now, the cynic in me says “Don’t you realize that this is already happening?!” The antivirus companies collect and distribute signatures that label software as malicious. There have been cases where spyware companies have fought that verdict and won. On the flip side, there are legitimate companies out there whose behaviors have been questioned as getting a free ride from the AV companies (we all know about Sony and Windows Genuine Advantage).
There’s simply too much software out there to make a whitelist efficient
It’s true there is a lot of software on the Internet. As I write this, our Bit9 Knowledgebase, which crawls the web to identify and assess software, has cataloged over 4.3 billion software files that make up some 9 million applications… and it grows by about 50 million files every day. Those numbers may sound extreme – but remember, you will only run a tiny, tiny fraction of these, even in a large organization. I think the confusion comes from a key difference in the way a whitelist model works as compared with a blacklist model. Remember, with a blacklist model like antivirus, the system is trying to match every file on a PC against one of the million or so known signatures for malware. On the contrary, with whitelists, the system is only trying to match files against what’s on the whitelist. A typical PC has about 10,000 executable files on it, but because of the commonalities between PCs, even a large organization typically won’t have more than a couple hundred thousand unique executable files across the entire organization. So the set of data you are comparing against is only about 1/5-1/10 the size of the malware signature set. Plus, all the files on the PC need to be re-assessed every time the blacklist gets updated with new signatures. Not so with whitelists - enforcement is a simple check at program launch time. The only time the 4.3 billion files come in is when new software comes into your environment. Then you have to identify it (you can use the knowledgebase for that) and decide whether to approve it or not. And this is a highly automated, very efficient process… but I’ll save that for another post.
Viruses that don’t run as executables could not be stopped by a whitelist
Finally, there’s the concern from the Register comments that a whitelist can’t stop every attack – in particular, those that don’t run as executables. Once again, the cynic in me says that neither do antivirus solutions stop every attack – no security solution stops every attack – that’s why the industry promotes layered security in the first place. But what does a good application control solution stop?
- Any type of exploit delivering any type of payload
- A product with a known vulnerability that is being exploited
- Older versions of applications that are not up to patch specifications
- The installation of rootkits, botnets, and other software that is virtually undetectable once it does get installed
As part of your security strategy, this provides significantly more flexibility and power than anything currently in your arsenal. So there it is. Read VirusBulletin – it’s worth it. And let me know what you think!
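To make the two mechanisms discussed above concrete - the "drift" of a provisioned image described in the first post, and the launch-time lookup against a customer-maintained whitelist described in this one - here is a small added example. It is not Bit9's code and does not model the Bit9 Knowledgebase; the "provisioned image" and "current disk" are constructed in-memory dicts of path to file bytes standing in for real executables, and the hashes are computed over those bytes. The point it shows is that enforcement is one hash lookup per launch, that the whitelist is seeded from what you provisioned rather than from a vendor list, and that anything unknown is blocked and queued for identification and approval instead of silently running.

```python
"""Toy application-whitelist enforcement and drift check (added example).

Constructed data only: PROVISIONED_IMAGE and CURRENT_DISK are dicts of
path -> file contents standing in for real executables on a Windows PC.
"""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Identity of a file is its content hash, not its path or name."""
    return hashlib.sha256(data).hexdigest()


# Constructed: the software image as it was provisioned. Every file's hash
# becomes the initial whitelist, maintained by the customer, not a vendor.
PROVISIONED_IMAGE = {
    r"C:\Windows\notepad.exe": b"notepad-v1",
    r"C:\Program Files\Office\winword.exe": b"winword-v1",
    r"C:\Program Files\Acme\agent.exe": b"agent-v1",
}

# Constructed: the same PC some months later, after it has "drifted".
CURRENT_DISK = {
    r"C:\Windows\notepad.exe": b"notepad-v1",               # unchanged
    r"C:\Program Files\Office\winword.exe": b"winword-v2",  # updated outside change control
    r"C:\Users\bob\Downloads\freetool.exe": b"freetool",    # user download, never approved
}


@dataclass
class Whitelist:
    approved: set = field(default_factory=set)   # approved content hashes
    pending: dict = field(default_factory=dict)  # unknown hash -> first path seen

    @classmethod
    def from_image(cls, image: dict) -> "Whitelist":
        """Seed the whitelist from the provisioned image: hash every file."""
        return cls(approved={sha256_hex(b) for b in image.values()})

    def check_launch(self, path: str, contents: bytes) -> str:
        """Launch-time enforcement: a single lookup of the file's hash.

        Unknown files are blocked and queued so an administrator can
        identify them and decide whether to approve.
        """
        h = sha256_hex(contents)
        if h in self.approved:
            return "allow"
        self.pending.setdefault(h, path)
        return "block"

    def approve(self, file_hash: str) -> None:
        """Administrator decision: move a pending hash onto the whitelist."""
        self.approved.add(file_hash)
        self.pending.pop(file_hash, None)


def drift_report(image: dict, disk: dict) -> dict:
    """Compare the provisioned image with the current disk, by content hash."""
    base = {p: sha256_hex(b) for p, b in image.items()}
    now = {p: sha256_hex(b) for p, b in disk.items()}
    return {
        "missing": sorted(set(base) - set(now)),
        "added": sorted(set(now) - set(base)),
        "modified": sorted(p for p in base.keys() & now.keys() if base[p] != now[p]),
    }


def simulate() -> tuple:
    """Run every file on the drifted disk through the launch-time check."""
    wl = Whitelist.from_image(PROVISIONED_IMAGE)
    decisions = {p: wl.check_launch(p, b) for p, b in CURRENT_DISK.items()}
    return wl, decisions


if __name__ == "__main__":
    wl, decisions = simulate()
    for path, verdict in decisions.items():
        print(f"{verdict:5}  {path}")
    print("pending approval:", list(wl.pending.values()))
    print("drift:", drift_report(PROVISIONED_IMAGE, CURRENT_DISK))
```

Because the lookup is by content hash, the updated winword.exe is blocked even though its path is identical to the approved copy, which is exactly the drift the first post complains about; approving its hash once puts the new version on the list for every PC that shares it.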
Posted by Kim Ann King on Tue, Aug 14, 2007
Did you know that high-tech criminals are exchanging goods on auction sites, leasing time on botnets, and renting lists of security companies’ IP addresses? Too often, their goal is access to one specific enterprise network – maybe yours – that they can mine for marketable data. Robin Bloor, partner in the noted industry analyst firm Hurwitz & Associates, recently participated in a webcast called “Confidential Data for Sale: 7 Ways High-Tech Criminals Compromise Your Computers.”
Today’s hackers are after your enterprise data, and the tools and services they employ to get at it are supported by a sophisticated and fast-growing criminal industry. Even more surprising, and worrying, is how ineffective today’s standard enterprise security practices are at stopping these sophisticated attacks. Consider the following:
- It takes many companies days or weeks to deploy a patch, yet a virus can morph into an undetectable state within a few hours.
- For $200 you can buy a shrink-wrapped hacker’s software development kit (with updates).
- There are more than 5 million PCs under the control of botnets.
- Most of these viruses – if not all – can be stopped if PCs blocked unauthorized software.