Whitelisting: Getting Ready for the Big Leagues (Page 1 of 2)
I've been bombarded with pitches and inquiries about whitelisting ever since I discussed the issue with Microsoft's Mark Russinovich.
Russinovich, you will remember, thinks that current approaches to
security are unsustainable and that the way out, the paradigm shift
that takes the advantage back to IT from malicious actors, is
whitelisting. I was sympathetic, but saw too many impediments to
adoption and noted that the path to adoption was far more visible for
enterprises, or for managed networks in general, than for consumers.
After talking to some readers and some vendors, I'm a little more
hopeful about it, at least for enterprises. Nevertheless, there are
some difficult challenges for anyone implementing a whitelisting
system. There aren't many companies writing software to allow
enterprises to do this. eWEEK's Cameron Sturdevant recently reviewed Bit9's Parity 4.1 and thought highly of it. He also mentions CA's Host-Based Intrusion Prevention System and Lumension's Sanctuary Application Control. I spoke to CoreTrace about its Bouncer product and whitelisting in general.
My first instinct, when I think about how to implement a whitelisting
system, is to take a known-clean system that IT has just built from an
image and scan it. Whitelist everything on that system; that is your
baseline. Image it and build new systems from that image.
I immediately see the problems in my notion, just as the vendors
have. A large organization will have many such baselines in the form of
different PC models. Even where the systems appear to be identical, two
PCs from the same vendor may have small differences in chips and other
devices, which means different drivers on each system, and since a
whitelist trusts files by their checksums, each different driver binary
necessitates yet another baseline. It appears that vendors have chosen
to take the alternative approach.
The alternative is to scan each and every system and identify all
the programs on them. This could be done to existing in-the-field
systems, but that's a bad idea for reasons I'll get to. More likely, IT
will install the whitelisting agent and scan the system after all the
other officially cool software has been installed.
According to our review, the Bit9 scan lets you go through
everything it finds on the system. Bit9 maintains a huge database of
file checksums, so it will identify most everything it finds and let
you approve the rest manually. CoreTrace takes a different approach:
it whitelists everything on the new PC. In both cases, what happens to
new software on the system depends on policy, although the general
idea is that new software will be blocked.
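To make the two approaches above concrete, here is an added example (not code from the column, Bit9, CoreTrace or any other vendor named here) of a toy hash-based whitelist. It assumes SHA-256 as the file fingerprint, a small constructed stand-in for a vendor's checksum database, and an in-memory dict as the whitelist store. It builds a baseline from a known-clean image, scans a second "identical" PC, and shows why a different driver build falls outside the baseline and why an unrecognized binary is blocked under a default-deny policy.

```python
"""Toy application whitelist: build a baseline, scan a system, enforce policy.

Added example. Assumptions not drawn from the column: SHA-256 as the
fingerprint, a tiny constructed 'vendor database', dict/set storage.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Fingerprint a file by its content, reading in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Hash every file under a known-clean image: hash -> relative path.

    Keying on the hash rather than the path means a file is trusted for
    what it is: a renamed copy of an approved binary is still approved,
    and a same-named but modified binary is not.
    """
    return {sha256_file(p): p.relative_to(root).as_posix()
            for p in sorted(root.rglob("*")) if p.is_file()}


def classify(root: Path, baseline: dict[str, str],
             vendor_db: dict[str, str]) -> dict[str, list[str]]:
    """Scan a deployed system and bucket each file.

    'baseline'     matches the image the whitelist was built from
    'vendor_known' absent from our baseline but in the vendor hash DB
    'unknown'      neither; needs manual approval or gets blocked
    """
    buckets: dict[str, list[str]] = {"baseline": [], "vendor_known": [], "unknown": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        digest = sha256_file(p)
        rel = p.relative_to(root).as_posix()
        if digest in baseline:
            buckets["baseline"].append(rel)
        elif digest in vendor_db:
            buckets["vendor_known"].append(rel)
        else:
            buckets["unknown"].append(rel)
    return buckets


def allow_execution(path: Path, approved: set[str], default_deny: bool = True) -> bool:
    """Execution-time policy check: only approved hashes may run."""
    if sha256_file(path) in approved:
        return True
    return not default_deny


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a golden image and a 'same model' PC whose
    chipset shipped a different driver build, plus one user download."""
    with tempfile.TemporaryDirectory() as tmp:
        gold, pc = Path(tmp, "gold"), Path(tmp, "pc")
        for base in (gold, pc):
            (base / "bin").mkdir(parents=True)
            (base / "drivers").mkdir(parents=True)

        # The known-clean image IT just built (constructed file contents).
        (gold / "bin" / "app.exe").write_bytes(b"app v1")
        (gold / "drivers" / "nic.sys").write_bytes(b"nic driver build 100")
        baseline = build_baseline(gold)

        # Stand-in for a vendor's large checksum database: it knows build 101.
        vendor_db = {hashlib.sha256(b"nic driver build 101").hexdigest(): "nic.sys build 101"}

        # The fielded PC: same app, a different driver build, and a stray binary.
        (pc / "bin" / "app.exe").write_bytes(b"app v1")
        (pc / "drivers" / "nic.sys").write_bytes(b"nic driver build 101")
        (pc / "bin" / "tool.exe").write_bytes(b"something the user downloaded")

        buckets = classify(pc, baseline, vendor_db)
        approved = set(baseline) | set(vendor_db)
        buckets["blocked"] = [rel for rel in buckets["unknown"]
                              if not allow_execution(pc / rel, approved)]
        return buckets


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket:13s} {files}")
```

The driver on the second PC lands in the vendor-known bucket only because the stand-in database happens to contain that build; without such a database, every driver variant across a fleet would be an "unknown" that someone has to approve by hand, which is exactly the per-model baseline explosion described above. Flip `default_deny` to `False` and the stray download runs, which is the policy choice the column says vendors leave to the customer.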