Bit9


Enterprise Application Whitelisting

Stars are aligned for Application Whitelisting, aka Application Control

Posted by Kate Munro on Wed, Aug 27, 2008

The stars are aligned for application whitelisting in the marketplace -- all the big players are talking about it now and analysts are predicting that it is the future.

The new Gartner analyst research report - "Application Control Market Update," 4 August 2008, by Neil MacDonald and Michael A. Silver - is a great one. To Gartner, the terms "application control" and "application whitelisting" are synonymous.

Copied below are some top quotes from the Gartner Research Note.

  • "Organizations are looking to application control solutions to augment signature-based antivirus protection and to exert more control over endpoints."
  • "We continue to advise organizations adopting application control solutions that the key to successful tool selection and implementation is the capability to automate the exception management process and to automate list management. Bit9 has delivered significant innovation in this area by enabling organizations to query their "whitelist/blacklist in the cloud" knowledge base as a subscription service (see "Cool Vendors in Infrastructure Protection, 2007")."
  • "Application "whitelisting" and "blacklisting" techniques are becoming increasingly useful to supplement shortcomings in antivirus systems. These techniques deliver more flexibility to reduce diversity, improve operations and manage PC configuration than merely locking down desktops."
  • "When antivirus agents and patching aren't possible, consider application control and system hardening as alternative security controls for point-of-sale (POS) terminals, supervisory control and data acquisition (SCADA) systems, and other devices that fall under regulatory requirements."
  • "Application control solutions address shortcomings in antivirus and other signature-based approaches and provide security and operational benefits."
  • "In most cases, application control software (see Figure 1) doesn't replace traditional antivirus and personal firewall offerings. Instead, it acts as an additional layer of protection for endpoints to supplement the increasing ineffectiveness of signature-based antivirus solutions, which can't keep up with the explosion in malware variants and the increases in targeted attacks. Application control solutions are of interest to information security and operations managers, typically for reducing the chances for image corruption, system damage or data loss by end users, rogue applications or malware."

And this whole section:

 

"Application Control Is a Gentler Form of Lockdown

 

In addition to security protection, application control solutions provide operational benefits by preventing the arbitrary introduction and execution of unknown code ("lockdown") on endpoints, even for administrators. There are several security and operational reasons that organizations may want to use application control solutions:

  • To ensure that unlicensed software isn't being used
  • To manage known PC configurations so that enterprise software is easier to deploy and maintain
  • To restrict users from running software that could be detrimental to enterprise systems or the network
  • To prevent users from adding applications to the organization's application portfolio that will require increased support and cost

Many organizations mistakenly believe that they've accomplished lockdown by removing administrative access from users and designating them as standard users. However, this can cause a number of problems:

 

  • Users who have a real business need to install applications to do their jobs won't have that right, which hampers creativity.
  • Client software components that Web sites upgrade on a regular basis (such as Flash, Acrobat Reader and Web conferencing software) cannot be updated, potentially obstructing user access to important business content or causing lost productivity, as users look for workarounds. It's nearly impossible for organizations to have the latest clients packaged for software distribution so that they can be delivered to users as needed, and standard user access does not allow exceptions.
  • Contrary to common perception, running users as standard users does not prevent them from installing and running unknown applications. Depending on the level of lockdown, standard users may be able to download and install well-behaved applications that don't require administrative privileges to install or run. Furthermore, without additional restrictions or tools, users are able to load and execute single executables from the network (including via the browser) or removable media. Organizations are also at risk from malware that targets user data and settings, rather than system files.

 

Application control solutions address these issues and provide organizations with more flexibility and granularity for all users regarding the applications that can and cannot be run. Users can be left running as administrators, allowing them to update client software as needed, including Web applications. Software that's detrimental can be automatically blacklisted, but resources (and/or subscription models) may be needed to keep the list current. Depending on the user, new software can be allowed or blocked by policy. In either case, it is always logged, so that the organization can monitor, at a granular level, what software users are looking to run. Even if users are running as standard users, application control products can plug the gap created by applications that don't require administrator privileges to install and run or single file executables."

 

As an aside, we are now registering our blog with Technorati.
