Emtec Adviser - Blocking the Bad Guys

Whitelisting offers a new approach to security by focusing on ‘known good.’
 

Fans of classic Hollywood westerns never have trouble distinguishing the ethics of the main characters: The good guys wear white hats; the bad guys wear black. In the world of network security, it’s a good deal more difficult to spot the villains.

For years, network security has grown from the proposition that it is possible to identify and “blacklist” bad traffic at the perimeter. Tools such as firewalls, antivirus software and intrusion detection systems are designed to protect against known threats. The problem with this approach is that bad guys aren’t always so easy to identify.

Threats often can’t be identified until after the fact, leaving exploitable gaps between the time security patches are issued and when they’re installed. Less than 20 percent of malware is identified within the first day of its existence and the detection rate rises to just 62 percent after 30 days, according to a study by cyber security firm Cyveillance.

In addition, the growing use of web applications is exposing organizations to new levels of risk. As end-users download more and more third-party applications to enhance productivity, they are frequently providing cyber outlaws with another avenue of attack. Rather than using pure network-level assaults, hackers can now circumvent traditional perimeter security measures to quietly target obscure flaws in specific applications.

Gaining Trust
 

A relatively new approach called application whitelisting (or application control) offers a different way of thinking about security. It is essentially the opposite of blacklisting, allowing only preapproved code to run and automatically preventing the installation and execution of any unwanted or untrusted applications.

Whitelisting solutions have been around awhile, but early solutions simply limited the execution of code to a verified list of accepted applications. While that was a solid approach at the time, it no longer meets the needs of today’s dynamic organization in which users are constantly seeking new tools to improve productivity. This includes a wide variety of web applications, open-source tools, commercial programs and cloud-based applications. In a simple whitelisting model, the IT organization would be overwhelmed by the need to regularly inspect all these applications and make updates to the “approved” list.

The latest solutions offer a far more flexible approach. Rather than constantly managing a centralized whitelist before changes are allowed, users of intelligent whitelists define a set of automated trust rules that are fine-tuned to their risk appetite and control tolerance. These rules automate the verification of good software using common indicators such as the reputation of the software publisher or the reputation of the tool implementing an update or a new piece of software, which eliminates the need for constant intervention by IT.

Whitelists also allow IT to provision different levels of trust to different end-users. Trusted power users can be given full rein to place a new application on the whitelist, either for personal use or for a large group of users.
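
The trust-rule model described above can be sketched as a default-deny policy check. This is an added illustration, not code from Emtec or any whitelisting product; the policy fields, the reason strings and the sample publisher, updater and user names are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Policy:
    approved_hashes: set = field(default_factory=set)     # the static "known good" list
    trusted_publishers: set = field(default_factory=set)  # publisher-reputation rule
    trusted_updaters: set = field(default_factory=set)    # trusted update/install tool rule
    power_users: set = field(default_factory=set)         # users allowed to approve new apps

def evaluate(policy, content, publisher=None, installed_by=None,
             user=None, approve=False):
    """Return (allowed, reason) for one execution request; the default is deny.

    Assumption: `publisher` is a signer name whose signature was already
    verified by the platform; signature checking itself is out of scope here.
    """
    digest = hashlib.sha256(content).hexdigest()
    if digest in policy.approved_hashes:
        return True, "approved-hash"
    if publisher in policy.trusted_publishers:
        reason = "trusted-publisher"
    elif installed_by in policy.trusted_updaters:
        reason = "trusted-updater"
    elif approve and user in policy.power_users:
        reason = "power-user-approval"
    else:
        return False, "default-deny"
    # A trust rule matched: record the hash so later runs need no re-evaluation.
    policy.approved_hashes.add(digest)
    return True, reason

if __name__ == "__main__":
    # Constructed sample policy and requests.
    policy = Policy(trusted_publishers={"Example Software Ltd"},
                    trusted_updaters={"corp-patch-agent"},
                    power_users={"alice"})
    requests = [
        (b"signed office suite", dict(publisher="Example Software Ltd")),
        (b"patched browser", dict(installed_by="corp-patch-agent")),
        (b"niche tool", dict(user="bob", approve=True)),
        (b"niche tool", dict(user="alice", approve=True)),
        (b"niche tool", dict(user="bob")),
        (b"unknown download", dict(user="bob")),
    ]
    for content, ctx in requests:
        print(content.decode(), "->", evaluate(policy, content, **ctx))
```

Because approvals are cached by hash, removing a publisher or updater from the policy does not revoke software already approved through it. A real deployment needs a separate revocation path for that case.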

“As IT consumerization, social media and adaptive persistent adversaries continue to transcend and undermine conventional security, it is increasingly necessary to adapt our security and policy enforcement,” said Josh Corman, Research Director, Enterprise Security Practice at The 451 Group. “In the right use cases, application control can reduce the chances of running malicious, unwanted, and even vulnerable elective applications.”

There are a number of different whitelisting methodologies, but they are generally based on some common means of identifying application components and tying them to whitelisting policies. The SANS Institute, the global leader in Internet security research and training, says these defining characteristics include:

The exploitation of application flaws represents a fundamental shift in the security threat landscape. According to Gartner, three-quarters of today’s security attacks are focused at the application layer. When paired with traditional security solutions, application whitelisting can help make this new frontier safe for law-abiding users.
