Bit9

Enterprise Application Whitelisting
Are You Ready for Enterprise Application Whitelisting? Part 5

Posted by Brian Gladstein on Thu, Apr 03, 2008

Welcome to my final posting in a series entitled "Are You Ready for Enterprise Application Whitelisting?" I hope these little snippets have been helpful and have assisted you in determining if your IT organization is mature enough to consider whitelisting - and if you would be able to take advantage of its benefits.

 

Today's post is one that I've seen many IT groups struggle with first-hand. It has to do with the complexity of modern security products and how much training they seem to require today. Lots of IT administrators simply are not equipped to effectively manage these overly-complicated security policies. Which leads us straight to the question:

 

Question 5: Is the security expertise required by endpoint protection suites too much?

 

Think about that one for a minute and ask yourself a few questions:

 

  • Do you run an advanced desktop security suite that includes antivirus, personal firewall, HIPS, and other components?
  • If not - why? What's holding you back?
  • If so - are you really using all the components?
  • If you aren't using everything - why did you buy such a comprehensive piece of software and not use it to full effectiveness?

 

The answer is almost always that most IT organizations simply are not ready for, or do not have the skills to run and operate, an advanced security tool that forces you to define cross-product policies accounting for malicious behavior patterns and multi-layered protection schemes.

 

IT organizations have always been great at deploying AV because all they had to do was make sure that the AV package was installed and up to date. They didn't have to decide what was secure and what wasn't.

 

But operating a HIPS solution or even a personal firewall today requires the operations team to make decisions about the security policy that will have dramatic impacts on the organization's ability to actually protect its systems and its data.

 

Usually what happens is the IT group gets one of these advanced desktop security products and then doesn't deploy it. So they've increased costs and decreased security, all at the same time.

 

If you are one of these people then you are absolutely ready to look at application whitelisting. Because with whitelisting, there are no complex security policies to understand. Simply choose the applications that your business should be running. Nothing else gets in.

 

If an application is found to contain a vulnerability - ban it. If an application fails to pass some basic security screens, stop it from being able to run. If you don't know what an application is, you never have to be concerned about judging its behavior because it simply will not be able to execute.

 

An application that can't execute can't do any damage.

 

I hope you've enjoyed these postings on application whitelisting and I really hope that you've learned something from it. We've learned a tremendous amount from our customers and what's enabled them to make the transition to a whitelisting environment. Now it's your turn to ask yourself one more time: are you ready for enterprise application whitelisting?


Are You Ready for Enterprise Application Whitelisting? Part 3

Posted by Brian Gladstein on Thu, Mar 20, 2008

I'm writing my third posting in a series called "Are You Ready for Enterprise Application Whitelisting?" The purpose of these posts, as I've mentioned previously, is to help IT people understand if their processes and organization are advanced and mature enough to be ready for implementing whitelisting - that is, only letting software that has been pre-authorized run on corporate PCs.

 

My previous posts covered a couple of questions, including "Is your IT staff stretched too thin?" and "Do you need better auditing, reporting, and compliance?" Both of these questions are related to the needs of the organization and the services IT provides. But our next checkpoint asks about the maturity of the systems that IT uses to manage PCs. So here it is:

 

Question 3: Are adequate software delivery (SMS, WSUS) systems in place?

 

So why do we ask this question? Because if you have implemented good, strong processes for delivering software easily and efficiently to desktops, you are pretty much at the point where the next logical step for control would be to whitelist the software on those PCs.

 

Think about it this way. Most companies' IT processes have matured over the years along a relatively consistent pattern:

 

  1. Provisioning / Imaging: Make it easy to get a standard image of the operating system and core applications when a new PC is issued to an employee, without taking a lot of time.
  2. Deployment / Delivery: Get new applications or updates to applications out to all the users without having an army of IT people carry CDs to each workstation one by one.
  3. Patch Management: Every time a new vulnerability or exploit is announced, vendors rush to deliver patches. A smooth patch management process means you don't have to scramble to protect your PCs.


So once you have these three components, you have effectively achieved total control over pushing software out to your PCs. So what's next for you? What are you looking to achieve after control over "pushed software"?

 

The answer is control over "pulled software." Users will receive their provisioned PCs and use the apps that are pushed to them... but then they will get on the Internet and start downloading their own apps. And as powerful as your software deployment processes are, most organizations cannot reach 100% coverage of the apps that their users need. So you have to rely on users being able to download apps for themselves so you don't have to send IT people to every user whenever they need something.

 

And now you've opened Pandora's box. Because you can't control what your users will install...

 

... unless you whitelist.

 

Because when you whitelist, you authorize your users to download certain apps, but they can't get whatever they want. This gives you control. 


Are You Ready for Enterprise Application Whitelisting? Part 2

Posted by Brian Gladstein on Wed, Feb 20, 2008

This is my second posting in a series that is meant to help you determine if you are ready for enterprise application whitelisting. For the uninitiated, application whitelisting is a method of operating a PC environment that only lets authorized software run. That means unless you (as the IT department of a company or an organization) allow an application to run, it is prohibited from executing on a computer.

 

These days solution providers like Bit9 (the leader in Enterprise Application Whitelisting) are paving the way for companies to implement a whitelisting strategy that is easy and effective - and one that can really have an impact in how you secure your desktops and data.

 

But many companies are asking themselves: am I ready for application whitelisting? To help answer this, my previous post asked the question "Is your IT staff stretched too thin?"

 

Here is the second question you can ask yourself to determine if you are ready for enterprise application whitelisting.

 

Question 2: Do you need better auditing, reporting & compliance?

 

There has been a veritable explosion in requirements placed on companies to inventory and audit their software environments. Driving these demands are a number of different activities ranging from regulations to industry guidelines to software vendors. But one thing is for sure - companies can no longer afford to not know what is happening on their corporate desktops and laptops.

 

Let's look at a few specific examples of where compliance is being pushed into IT:

  • PCI Compliance: organizations that accept payment cards including credit cards and debit cards (primarily retail, finance, healthcare, and many more) are subject to these industry requirements to ensure the integrity of any computing system that handles payment card information (credit card numbers, accounts, etc.).
  • Sarbanes-Oxley: Public companies in the United States must ensure that their financial systems have not been tampered with and that the integrity of the financial reporting data remains intact.
  • HIPAA: Hospitals, physicians, health insurance companies, and other health-related industries are required by law to protect the privacy of patients' information and history, ensuring that only authorized individuals and systems can access any specific information.
  • Federal Desktop Core Configuration (FDCC): Federal agencies in the United States are now required by the OMB (Office of Management & Budget) to harden their Windows desktops to a very specific and detailed Windows configuration.
  • Software Vendor Licensing: Large software companies have been stepping up the fight against piracy by conducting large-scale audits of their customers to identify any gap between how many copies of a software product are in use and how many the company had paid for. This often results in an unexpected, but sizeable "true-up."
  • Computer Forensics: With so much data being produced and transmitted throughout organizations, many are finding it in their interest to create a forensics capability. You can hope you don't need it, but in the case of lawsuits, disgruntled employees, and other unpleasant events, it can be very useful to understand who did what and when.
  • Consolidation: As companies merge and acquire, IT departments end up being responsible for multiple redundant systems. Many of them become forgotten - although the company still pays a heavy maintenance stream. So knowing what is actually in use can reap significant savings in software costs.

 

What's happening at many companies is that they are finding themselves under the demands of several of these drivers at once. Take as an example a large, public retailer - they will have to adhere to rules and guidelines put forth by the PCI Council, SOX, and their software vendors... maybe others as well.

 

Precisely because of these overlapping requirements, companies are proceeding along two simultaneous paths:

  1. Simplify the data trail with a single, multi-purpose audit stream.
  2. Enforce more, audit less by putting better controls around the desktop that limit policy violations and vastly reduce the data processing involved in demonstrating compliance.

 

Application whitelisting is a critical activity for both of these because having a rich inventory of the applications in use, and being able to prevent unauthorized software from being used can greatly reduce the cost of getting to compliance and systematically proving it on a regular basis.

 

So if you are under pressure to audit and report on the software in your environment and to prove that your computers are in compliance, you have met criteria #2 for being ready for Enterprise Application Whitelisting.


Are You Ready for Enterprise Application Whitelisting? Part 1

Posted by Brian Gladstein on Thu, Feb 14, 2008

Over the past few months we've been reading more and more about how application whitelisting solutions - like Bit9's - may end up becoming the de facto mechanism for securing corporate Windows PCs in the near future.

 

So let's assume for a moment that yes, application whitelisting is the wave of the future and yes, you will be basing your security strategy on only allowing software that you know and trust to run in your environment. The next obvious question is...

 

Are you ready for it?

 

 

What can you do to prepare for running an environment where people can only use company-authorized software? In the next few postings I'll present some ways to assess your readiness for enterprise application whitelisting.

 

Without further ado, here's the first question you can ask yourself to determine if you are ready for whitelisting.

 

Question 1: Is your IT staff stretched too thin?

 

If you have got an IT staff that is too busy "fighting fires" on users' systems and cleaning up after messy software downloads or ugly malware incidents, you are probably aching to get more control over your desktops. After all - your IT staff's time is too valuable to be spent on every little problem that comes up. There are bigger fish to fry, like when you are going to deploy Windows Vista, or how to consolidate computing resources across the enterprise, or how to achieve PCI, SOX, and HIPAA compliance.

 

Yet many IT departments simply get behind the 8-ball with respect to their desktop infrastructure. As users' computers age, the software on them drifts so that they look very different from how they looked when they were first provisioned. Those inconsistencies cause problems in everything from security to auditability to software licensing costs.

 

But imagine for a minute what would happen if you could eliminate those inconsistencies. If you could ensure that the software you provisioned did not drift from your original copy of it - and only software you approved or authorized was allowed to run on it.

 

Wouldn't this make your job so much easier? Wouldn't it reduce the number of problems you have to deal with on a monthly and even daily basis? You bet it would! And customers who have implemented application whitelisting are realizing every day how much more productive they can be when they aren't spending all their time firefighting.

 

So if you think your IT staff hasn't got the time to address the initiatives it should be... you are probably ready for enterprise application whitelisting! 

 

 


Whitelist-Based Desktop Lockdown: Never Say Never

Posted by Brian Gladstein on Wed, Sep 26, 2007
In the September 2007 issue of VirusBulletin, our CSO Ian Poynter wrote a response to an opinion piece that was originally written by Dr. Vesselin Bontchev in the previous issue of the magazine. You need to be a subscriber to VirusBulletin to read both pieces (register!), but the substance of the discussion centers on whitelisting and was driven by this comment thread on The Register.

Dr. Bontchev took the position in his article that whitelisting will never replace antivirus as a basic security technology. My response? Never is a long time. Here are some other well-known "never's" (and I paraphrase):

There will never be a market for more than 5 computers in the world.
-- Thomas Watson, chairman of IBM, 1943

A PC will never need more than 640K of memory.
-- Bill Gates, founder of Microsoft, 1981

There will never be a reason anyone would want a computer in their home.
-- Ken Olson, president, chairman and founder of Digital Equipment Corp., 1977

And my favorite:

"Guitar music is on the way out."
-- Decca Recording Co. rejecting the Beatles, 1962

 

I thought the comments to the Register article were fascinating because they reveal why people are so concerned about the concept of a whitelist. Let me summarize the top fears as I interpreted them in that thread:

  1. A dominant vendor controlling the whitelist would stifle competition in the marketplace – particularly from open-source projects and small vendors – by not including them in the whitelist.
  2. There’s simply too much software out there to make a whitelist efficient.
  3. Viruses that don’t run as executables could not be stopped by a whitelist.

Let me address each of these briefly:

A dominant vendor controlling the whitelist would stifle the marketplace

The intellectual in me recognizes that people are concerned with a specific overall model, so let me state this clearly: whitelist-based security should not be implemented with a centrally-managed list of “good” software that is maintained by a single vendor. Bit9 certainly doesn’t work this way and never has. The whitelist itself should be maintained by the customer, a community, or even an individual PC owner. That way you decide what software should and shouldn’t run.

The idea behind whitelisting is to move to a computer management model where the software on the PC is controlled. So rather than being a wide-open platform where any software can be launched by a user or another piece of software, a whitelist-based security model only allows the stuff you want to run. And what it keeps out often includes non-malicious software you don’t own, want, or need.

Now, the cynic in me says “Don’t you realize that this is already happening?!” The antivirus companies collect and distribute signatures that label software as malicious. There have been cases where spyware companies have fought that verdict and won. On the flip side, there are legitimate companies out there whose behaviors have been questioned as getting a free ride from the AV companies (we all know about Sony and Windows Genuine Advantage).

There’s simply too much software out there to make a whitelist efficient.

It’s true there is a lot of software on the Internet. As I write this, our Bit9 Knowledgebase which crawls the web to identify and assess software has cataloged over 4.3 billion software files that make up some 9 million applications… and it grows by about 50 million files every day. Those numbers may sound extreme – but remember, you will only run a tiny, tiny fraction of these, even in a large organization.

I think the confusion comes from a key difference in the way a whitelist model works as compared with a blacklist model. Remember, with a blacklist model like antivirus, the system is trying to match every file on a PC against one of the million or so known signatures for malware.

By contrast, with whitelists, the system is only trying to match files against what’s on the whitelist. A typical PC has about 10,000 executable files on it, but because of the commonalities between PCs, even a large organization typically won’t have more than a couple hundred thousand unique executable files across the entire organization. So the set of data you are comparing against is only about 1/5-1/10 the size of the malware signature set. Plus, with a blacklist, all the files on the PC need to be re-assessed every time the blacklist gets updated with new signatures. Not so with whitelists - enforcement is a simple check at program launch time.

The only time the 4.3 billion files come in is when new software comes into your environment. Then you have to identify it (you can use the knowledgebase for that) and decide whether to approve it or not. And this is a highly automated, very efficient process… but I’ll save that for another post.
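To make the launch-time check concrete, here is an added example; it is illustrative code written for this page, not Bit9's product, the knowledgebase, or code from the original posts. It assumes that a file's identity is its SHA-256 content hash, uses short byte strings as stand-ins for executables, and uses constructed Windows paths and a placeholder advisory name. The hash lookup in decide() covers the "ban it if a vulnerability is found" and "unknown software simply cannot execute" cases from Part 5, and drift_report() covers the inventory and drift points from Parts 1 and 2 by listing every file on a PC that is not on the whitelist.

```python
"""Launch-time whitelist enforcement and drift audit (illustrative example)."""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """A file's identity is its content hash (assumption for this example):
    a patched or tampered copy hashes differently and is a new, unknown file."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Whitelist:
    approved: dict = field(default_factory=dict)  # hash -> friendly label
    banned: dict = field(default_factory=dict)    # hash -> reason

    def approve(self, data: bytes, label: str) -> str:
        h = sha256_hex(data)
        self.approved[h] = label
        self.banned.pop(h, None)
        return h

    def ban(self, data: bytes, reason: str) -> str:
        """Ban overrides approve: used when a vulnerability is announced
        for a build that was previously approved."""
        h = sha256_hex(data)
        self.banned[h] = reason
        self.approved.pop(h, None)
        return h

    def decide(self, data: bytes) -> tuple:
        """The check done at program launch: one hash, two dict lookups.
        Nothing needs re-scanning when the lists change."""
        h = sha256_hex(data)
        if h in self.banned:
            return ("BLOCK", "banned: " + self.banned[h])
        if h in self.approved:
            return ("ALLOW", self.approved[h])
        return ("BLOCK", "unknown: not on the whitelist")


def drift_report(wl: Whitelist, files: dict) -> list:
    """Inventory pass: files is path -> content; returns the paths whose
    content is not approved (unknown or banned), i.e. drift from the image."""
    return sorted(p for p, d in files.items() if wl.decide(d)[0] != "ALLOW")


# Constructed sample "executables" (byte strings standing in for binaries).
EDITOR_V1 = b"editor-v1.0"
EDITOR_V2 = b"editor-v2.0"                 # patched build
DOWNLOADED_TOOL = b"some-tool-from-the-internet"
TAMPERED_EDITOR = b"editor-v1.0-with-extra-bytes"


def demo() -> dict:
    wl = Whitelist()
    wl.approve(EDITOR_V1, "Editor 1.0")
    wl.approve(EDITOR_V2, "Editor 2.0")
    # A vulnerability is announced in 1.0: ban that exact build, 2.0 stays allowed.
    wl.ban(EDITOR_V1, "vulnerability advisory (placeholder) for Editor 1.0")
    # Constructed snapshot of one PC's executables.
    pc = {
        r"C:\Program Files\Editor\editor.exe": EDITOR_V2,
        r"C:\Users\alice\Downloads\tool.exe": DOWNLOADED_TOOL,
        r"C:\Temp\editor.exe": TAMPERED_EDITOR,
    }
    return {
        "launch_v2": wl.decide(EDITOR_V2),
        "launch_v1": wl.decide(EDITOR_V1),
        "launch_unknown": wl.decide(DOWNLOADED_TOOL),
        "drift": drift_report(wl, pc),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two points worth noticing: the whitelist never has to know what the downloaded tool or the tampered copy is, only that their hashes are not approved, and the same decide() function serves both the launch-time gate and the audit pass, so the inventory you report for compliance is exactly what enforcement uses.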

Viruses that don’t run as executables could not be stopped by a whitelist

Finally, there’s the concern from the Register comments that a whitelist can’t stop every attack – in particular, those that don’t run as executables. Once again, the cynic in me says that antivirus solutions don’t stop every attack either – no security solution stops every attack – that’s why the industry promotes layered security in the first place.

But what does a good application control solution stop?

  • Any type of exploit delivering any type of payload
  • A product with a known vulnerability that is being exploited
  • Older versions of applications that are not up to patch specifications
  • The installation of rootkits, botnets, and other software that is virtually undetectable once it does get installed

As part of your security strategy, this provides significantly more flexibility and power than anything currently in your arsenal.

So there it is. Read VirusBulletin – it’s worth it. And let me know what you think!


How Whitelists Can Protect Your Enterprise

Posted by Kim Ann King on Mon, Sep 10, 2007

A new podcast from Enterprise Systems Journal looks at how whitelisting works and examines its benefits with Brian Gladstein, Bit9’s Director of Product Marketing.

Whitelisting is an approach used to secure enterprise computing systems by specifying which applications and devices are allowed to operate. All the rest -- unknown and unapproved applications and devices -- are blocked. Unlike blacklisting, third parties don’t dictate which software or processes are inappropriate. With whitelisting, no third-party policy updates are required. Untrusted software simply can’t install or run, even zero-day or zero-minute software. A broad whitelisting approach covers the applications the organization uses such that a typical user is not blocked while unauthorized software is always blocked. Thus, it’s not a matter of whether the file or device seems good or bad, but whether an organization decides it’s authorized to run.

Companies are using whitelisting to increase compliance and manageability, while protecting their endpoints from spyware, viruses, worms, zero-day threats, botnets, rootkits, vulnerable applications, non-business and/or non-compliant applications, and unlicensed, unknown, or unauthorized applications or devices. To learn more about how whitelists can protect your enterprise, listen to the podcast at: http://www.bit9.com/resources/index.php#podcasts.
