Malicious software is a disease, and the conventional-wisdom remedies of diligent patching, anti-virus deployment and user education haven’t proved potent enough to bring about a cure.
Enter application whitelisting, a different approach to the problem of securing Windows clients. Application whitelisting has been around for a while now, but has gained new currency over the past several months, with industry leaders such as Cisco Systems Chief Security Officer John Stewart pointing out the limitations and the expense of current anti-malware strategies.
Application whitelisting, which is also known as application control, contrasts with the blacklisting approach embodied by typical anti-virus products. Rather than track and quarantine harmful bits, whitelisting involves barring all but approved executables from running on a given machine.
Based on eWEEK Labs research and testing on the current crop of applica??Ãtion whitelisting products, we sug??Ãgest that administrators charged with keeping Windows-based PCs secure from malware further evaluate where whitelisting can fit into their security strategy, either to complement-or perhaps to replace-their existing anti-virus investments.
What’s Wrong with the Status Quo?
Prompt software patching and diligent user education efforts form the foundation of any successful security strategy. However, in the face of zero-day vulnerabilities and cleverly targeted social engineering schemes, up-to-date applications and savvy users aren’t enough to keep your desktops secure.
The most common complement to patching and education is an applica??Ãtion blacklisting approach implemented through anti-virus software installed on every desktop machine. Anti-virus as a security measure is so well ingrained in the desktop world that Windows instal??Ãlations throw up a warning message if anti-virus software is not installed, and the PCI DSS (Payment Card Indus??Ãtry Data Security Standard) specifically mandates the use of anti-virus software on machines through which credit card data passes.
However, anti-virus applications, which work either by blacklisting known bad software or by actively scan??Ãning systems for suspicious behavior, come with significant drawbacks and cannot block all attacks. For instance, there’s considerable system overhead associated with scanning, and the fre??Ãquent signature updates required to keep anti-virus applications in good working order can be difficult to main??Ãtain. These factors can prove particu??Ãlarly onerous on the often aged systems that run point-of-sale applications at PCI-regulated organizations.
Even for systems with enough resources to shoulder scanning over??Ãhead, as well as the connectivity and availability to receive frequent anti-virus signature updates, these security products are reactive in nature and lack potency regarding new or tightly tar??Ãgeted threats not yet included in the anti-virus vendors’ signature databases.
What About Lockdown?
Ideally, perhaps, business comput??íers would operate like stateless appli??íances, with administrators maintaining tight control over all system functions and permissions. However, the total lockdown model doesn’t mesh well with the realities of today’s Windows client environment.
For better or worse, the Windows software ecosystem is organized around the assumption that regular users also will be administering their machines, installing updates from various sources and pulling down plug-ins and exten??ísions to run on their browsers.
Users must have access to the applications they require to do their work, and considering the claims that Microsoft and others have made that as many as 80 percent of businesses allow their users to run with admin??íistrative privileges, locking down the client environment well enough to shut out malware can wreak col??ílateral damage on the ecosystem of beneficient applications and on the productivity of PC users.
Application whitelisting offers organizations an anti-malware option that can be more flexible than total lockdown yet more comprehen??ísive than the blacklisting approach embodied by anti-virus.
Rather than block known bad appli??ícations or react to suspicious behaviors, whitelisting products operate by allow??íing those applications and processes that have been specifically admitted by IT to run on a system. Whitelisting con??ítrols extend not only to installed appli??ícations, but also to executables that run from a user’s home directory or from removable media. In this simplest form, this can boil down to complete lockdown, but the sort of whitelisting implemented by most vendors allows for enough flexibility to keep systems usable as well as secure.
For most application whitelisting products, the configuration process begins with a scan of an organization’s golden image to create a database of identifying hashes for the executa??íbles contained in the image. From here, administrators can disallow particular applications that, while not harmful themselves, may be deemed unwanted by company policy. For instance, although Microsoft’s Win??ídows Messenger does not qualify as malware, an organization may not want to allow instant mes??ísaging applications on their managed systems.
At this point, administra??ítors also can add other appli??ícations to their whitelist policies and, in most cases, determine separate allowed application policies for dif??íferent sets of users based on group information in Active Directory. Certain applica??ítion whitelisting products, such as those from Bit9 and CA, also offer administrators guidance in deciding which applications to include in their whitelists. Both ven??ídors maintain databases of scanned applications, along with trust ratings based on the vendors’ analysis.
Of course, once released into the wild, desktop PCs very quickly diverge from the golden image. Even the most conservatively managed machines pick up large numbers of operating system and application updates, and more lib??íerally managed clients can rack up new applications at a rapid pace.
In order to maintain control in the face of these changes, application whitelisting products enable admin??íistrators to confer trusted status on specific change agents, including application updaters, specific soft??íware repositories and applications that carry approved digital signatures. In this way, organizations can enforce their application-vetting policies while allowing users to self-serve.
For cases in which users may find the need to access applications that fall outside of the whitelist policies defined by their IT organizations, most whitelisting products allow for a mid??ídle ground-typically called graylist??íing-in which unknown executables may be provisionally cleared for certain users, in certain circumstances or after vetting processes have occurred.
Application whitelisting vendor Core Trace allows administrators to identify trusted users who, upon attempting to install or run an unknown application, can be notified that they’re running an unvetted application before the execut??íable in question runs. If the trusted user proceeds, then their local policy will be updated to allow the application. Core Trace’s product, Bouncer 4.0, will then notify the IT staff, providing an oppor??ítunity to add the application to their master whitelist or to deny its use.
Bouncer 4.0, as well as other applica??ítion whitelisting products, can provi??ísion access to unknown executables to machines outside of the corporate network. For instance, an application may be allowed while a user is on the road or at home, but be blocked once that user returns to campus.
While application whitelisting is not new, interest in the technology appears to be on the upswing, with tra??íditional anti-virus vendors beginning to build aspects of whitelist??íing into their products. For instance, Symantec has built a modest form of whitelist??íing-compiling a list of known good system files to leave out of future scans in order to speed up their performance. Also, Kasper??ísky Lab is integrating Bit9’s application-vetting database into Kaspersky’s own prod??íuct. I expect to see other anti-virus vendors embrace whitelisting as a way of fill??íing the coverage gaps in their existing, blacklist-focused products. As for the ven??ídors that are already offer??íing application whitelisting products, I expect to see more consideration given to combining whitelisting with least-privilege controls.
By combining whitelisting tech??ínologies with least-privilege- and man??íaged-rights escalation schemes, these vendors could allow their customers to run with reduced privileges without surrendering opportunities for self-ser??ívice software installation scenarios.
eWEEK Labs Executive Editor Jason Brooks can be reached at firstname.lastname@example.org.