The Latest Security Tool for Your Arsenal: Whitelisting

Phishing, spear phishing, trojan horses and other attacks are growing in number and sophistication, seemingly by the day. There can be little disputing that notion after RSA, Sony, Lockheed and Citicorp were embarrassed by breaches this year.

And they're just the tip of the iceberg. In a new Ponemon Institute survey, 90 percent of 581 enterprise security professionals in the U.S. and Europe had experienced at least one breach in the past year, with 56 percent having two or more.

The good news? Security budgets climbed from seven percent of IT spending to 14 percent between 2007 and 2010, according to an ABI Research finding.

That's at the macro level. At the micro level, a security solution that was formerly declared not ready for prime time is now giving CIOs something new to think about -- and spend money on.

That approach is called application whitelisting by some, application control by others. Whitelisting represents not just a new item for your security toolbox, but a different way of thinking about security altogether, according to Thorsten Behrens, security infrastructure architect at IT service provider Carousel Industries.

New Thinking on Security

Tools such as anti-spam and anti-virus software use blacklisting to protect against intrusions. You tell them what programs or users you don't want to let in, and the tools keep them out.

But blacklisting means you have to know who the bad guys are, and the tools require frequent updates. Even then, there's an exploitable gap between when a patch is issued and when it's installed, not to mention zero-day attacks that go after holes for which no patch has been issued.

Whitelisting takes the opposite approach from blacklisting. It allows only pre-approved code to run, automatically refusing entry to any executable file that's not in the whitelist database. Because it works at the executable level, an unknown executable simply never gets to run. That means it renders harmless all the viruses, trojan horses and spyware that rely on users to inadvertently trigger executables to do their dirty work.

Whitelisting Grows Up

Whitelisting isn't a new concept. Variations have been used in LAN provisioning and by ISPs for email spam filtering. For enterprise IT, however, the need for more protection grows by the day. That's because the volume of the world's malicious code actually surpassed the volume of legitimate code a few years ago.

Still, the rate of IT adoption has been slower than expected, largely because of user fears that whitelisting will add constraints to their day-to-day work. A whitelist program may suddenly refuse to open a file from a different application, for instance, requiring the user to ask for approval, thus wasting time. Or it might affect numerous users if a vendor's new software update wasn't entered into the whitelist database quickly enough.

These may have been valid complaints with early products, but today's vendors have made great strides in taking the pain out of whitelisting. They typically give you the ability to automatically whitelist updated files from trusted vendors, and to set PC baselines for whitelisting that are compliant with standards such as PCI. And they give you more granularity and flexibility in assigning access to user groups.

"Say a company that's PCI-compliant has certain applications for processing payments," Behrens says. "If they're Web-based, they might just whitelist the browser, what they need for email, the payment processing application, and the PC's OS."

On the other hand, a group of trusted power users would get more broad-ranging accessibility, up to and including the ability to approve their own applications. "I'm a power user," says Behrens, "I need to install things all the time, so I need to be able to self-approve an application in order to do my job."

IT could therefore give him, a trusted user, the ability to place a new application on the whitelist, whether for himself or for his entire group. But his action would also be subject to approval at the management console.

Getting Buy-In

New products and features aside, whitelisting can still be a hard sell to users who instinctively balk at adding more security controls. Whitelisting may be good for you and your business, but is it good for them? That's the first question you will need to answer, well in advance of any implementation. In fact, it's one of several best practices you should consider in preparation for whitelisting:

Be proactive with users -- Don't expect them to applaud new technology because it's new; instead, be clear in explaining what it is, how it works, and why you're asking them to take it on. Let them take pride in helping protect your intellectual property and other critical data because, after all, company success translates directly to salaries and bonuses.

Evaluate and prepare your IT support infrastructure -- The better IT is at updating user software, handling help desk calls and maintaining standards for software and hardware, the more likely a whitelisting implementation will go smoothly. Also, be ready for a temporary uptick in help desk calls -- it's inevitable with any new implementation.

Develop an implementation plan -- If you want to do a sample implementation to start, select a group that deals with sensitive data: such as data covered by HIPAA for a healthcare company, or blueprints and intellectual property for a manufacturer. Tread gently by using the software's audit mode rather than its enforcement mode to flag deviations in policy. With audit mode, deviations are reported to IT, while enforcement mode simply shuts out the application. Some companies run whitelisting in audit mode without ever resorting to enforcement.
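The policy behaviour the article describes (run only pre-approved executables, auto-whitelist updates from trusted vendors, per-group granularity, power-user self-approval that is still queued for the management console, and audit versus enforcement mode) as an added Python model; this is not code from the article or from any vendor's product, and the group names, publisher name and sample "executables" are constructed.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for executable files on disk.
PAYMENT_APP = b"payment-processing-app v1.0"
BROWSER = b"corporate-browser v42"
UNKNOWN_TOOL = b"random-download.exe"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class WhitelistPolicy:
    mode: str = "audit"  # "audit" reports deviations to IT; "enforce" shuts them out
    allowed: dict = field(default_factory=dict)  # group -> set of allowed SHA-256 hashes
    trusted_publishers: set = field(default_factory=set)  # vendors whose updates auto-whitelist
    self_approvers: set = field(default_factory=set)  # groups allowed to self-approve apps
    deviations: list = field(default_factory=list)  # policy deviations reported to IT
    pending_review: list = field(default_factory=list)  # self-approvals awaiting the console

    def is_allowed(self, group: str, digest: str, publisher=None) -> bool:
        if publisher is not None and publisher in self.trusted_publishers:
            return True  # e.g. a vendor update not yet hashed into the database
        return digest in self.allowed.get(group, set())

    def evaluate(self, group: str, name: str, data: bytes, publisher=None) -> str:
        """Decide one execution attempt: 'allow', 'allow-reported' (audit) or 'block'."""
        digest = sha256_hex(data)
        if self.is_allowed(group, digest, publisher):
            return "allow"
        self.deviations.append((group, name, digest, self.mode))
        return "allow-reported" if self.mode == "audit" else "block"

    def self_approve(self, group: str, name: str, data: bytes) -> str:
        """A power user whitelists an app for their own group; it takes effect
        immediately but is queued for approval at the management console."""
        if group not in self.self_approvers:
            raise PermissionError(f"group {group!r} may not self-approve applications")
        digest = sha256_hex(data)
        self.allowed.setdefault(group, set()).add(digest)
        self.pending_review.append((group, name, digest))
        return digest

def build_sample_policy(mode: str = "audit") -> WhitelistPolicy:
    """A PCI-style payments group gets only what it needs; power users may self-approve."""
    policy = WhitelistPolicy(mode=mode, trusted_publishers={"Example Vendor Inc"})
    policy.allowed["payments"] = {sha256_hex(PAYMENT_APP), sha256_hex(BROWSER)}
    policy.allowed["power_users"] = {sha256_hex(BROWSER)}
    policy.self_approvers.add("power_users")
    return policy
```

Running the same unknown executable through an audit-mode and an enforce-mode policy shows the difference IT sees: both record a deviation, only the latter blocks.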

You should use whitelisting to extend your existing security infrastructure, not to replace any of its components. More than ever before, companies need all the help they can get, and to an expert like Behrens that means a defense-in-depth security strategy.

Such a plan includes anti-virus and spam-detection on the front end, and functions such as intrusion detection, anomaly detection and log correlation on the back end. It means having a breach reaction plan so you don't have to react under extreme stress to an attack. And it requires regular, comprehensive user training so employees can accept the fact that not being able to play Angry Birds is a small price to pay for a stable and successful work environment.

Stories by Jim Buchanan