
February 2008 Issue

Securing Data and Devices in an Insecure World
By Dr. Todd Brennan

New, unknown software arrives on corporate desktops every day, whether by malicious intent, click-throughs rife with spyware, end users downloading unauthorized programs, or portable storage devices. Furthermore, proprietary corporate data is increasingly vulnerable to internal and external theft.

According to a recent webinar with Hurwitz analyst Robin Bloor, traditional virus and email worms grew by 47% in 2006, with 100,000 new ones created last year. Spyware increased by 213%, Trojans by 142%, and 1 out of every 264 emails contains a phishing or pharming scheme (a 28% growth in 2006).

Unfortunately, IT professionals have found that traditional endpoint security products offer limited protection. For example, blacklist technology, which compares executable files against a known-bad list of bit patterns or behavior signatures, is perpetually out of date, leaving systems exposed to new, unknown, and potentially malicious software. With behavior-based host intrusion prevention systems, it is often difficult to tell the good from the bad, resulting in false alarms.

Due to these problems, some IT staff have tried to remove administrative privileges to avoid problems such as corrupted systems, malicious software, and non-compliance. Unfortunately, removing administrative rights from PCs introduces significant complexity to IT operations.

The solution should be flexible and enable IT to automatically decide which applications and devices are appropriate and approved to operate. This concept is known as whitelisting. Companies are using whitelisting to increase compliance and manageability while protecting their endpoints from:
  • Spyware
  • Viruses
  • Worms
  • Zero-day threats
  • Applications with vulnerabilities
  • Non-business and/or non-compliant applications
  • Unlicensed applications
  • New, unknown applications
  • Unapproved applications
  • Unapproved or unknown devices

A broad whitelisting approach covers all the applications the organization uses such that a typical user is never blocked while unauthorized software is always blocked. Thus, it’s not a matter of whether the file or device seems good or bad, but whether an organization decides it’s authorized to run. Working in conjunction with Active Directory and Group Policy Objects (GPOs), whitelisting allows IT staff to address critical requirements such as:
  • Automatically updating desktop policy, so software deployments, patches, and automatic updates don't interrupt users;
  • Letting users install approved, legitimate software and updates without IT involvement;
  • Providing security and monitoring capabilities for users who still retain admin rights (for example, engineers, remote offices, or executives).

In the past, whitelisting has been overly restrictive and difficult to manage. However, with recent advances in technology, maintaining a whitelist is now easier than maintaining a blacklist. These advances include automated software approval, application identification, and exception handling processes.

An effective enterprise-wide whitelisting strategy benefits from determining who and what to trust for automatic software approval, such as:
  • Trusted Processes (software deployment, patching, and updating)
  • Trusted Locations (repositories, shares, web sites, and intranets)
  • Trusted Users (end users, administrators, and delegates)
  • Trusted Applications (applications, installers, vendors, drivers, and run-time)
  • Trusted Devices

Figure 1: Determining who and what to trust for automatic software approval

In doing so, configuration drift is reduced, even as applications are deployed, updated, or patched over time. Exceptions to corporate and security policies are minimized upfront without active IT involvement.

In addition, I have found that being able to simulate policy enforcement is very helpful. Before the IT staff implements a new software policy in their environment, they can test the results of the policy to determine what effect it will have on their users. This enables them to refine the policy to address forgotten applications and reduce other exceptions, thereby minimizing the impact of transitioning users to the new policy.
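To make the trust sources of Figure 1 and the policy-simulation step concrete, here is a small default-deny allowlist evaluator. It is an added example written for this edit, not code from the article or from any Bit9 product: the event fields an endpoint agent would report, the order in which trust rules are consulted, and every sample hash, path, publisher and account name are constructed assumptions. In simulate mode nothing is blocked; the evaluator only reports what enforcement would have stopped, which is the list an administrator reviews for forgotten applications before switching the policy on.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional


def file_hash(data: bytes) -> str:
    """SHA-256 of file contents; the allowlist keys on this, never on the file name."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class ExecEvent:
    """One attempt to run a file, as an endpoint agent might report it (assumed fields)."""
    path: str
    sha256: str
    publisher: Optional[str]   # verified code-signing publisher, None if unsigned or invalid
    user: str                  # account launching the file
    installed_by: str          # process that wrote the file to disk, e.g. a patch agent


@dataclass
class Policy:
    """Trust sources in the spirit of Figure 1: explicit hashes first, then publishers,
    locations, installing processes and users. Anything unmatched is blocked."""
    approved_hashes: set = field(default_factory=set)
    trusted_publishers: set = field(default_factory=set)
    trusted_locations: tuple = ()      # path prefixes; these must be write-protected
    trusted_processes: set = field(default_factory=set)
    trusted_users: set = field(default_factory=set)


def decide(policy: Policy, ev: ExecEvent) -> tuple:
    """Return (verdict, reason). Default-deny: only a positive match allows."""
    if ev.sha256 in policy.approved_hashes:
        return "allow", "approved hash"
    if ev.publisher is not None and ev.publisher in policy.trusted_publishers:
        return "allow", f"trusted publisher {ev.publisher}"
    p = ev.path.lower()
    if any(p.startswith(loc.lower()) for loc in policy.trusted_locations):
        return "allow", "trusted location"
    if ev.installed_by in policy.trusted_processes:
        return "allow", f"installed by trusted process {ev.installed_by}"
    if ev.user in policy.trusted_users:
        return "allow", f"trusted user {ev.user}"
    return "block", "no trust rule matched"


def evaluate(policy: Policy, events, simulate: bool = True):
    """Evaluate events; in simulate mode every event is allowed to run but the
    report records what enforcement would have blocked, so the policy can be refined."""
    report = []
    for ev in events:
        verdict, reason = decide(policy, ev)
        effective = "would-block" if (simulate and verdict == "block") else verdict
        report.append({"path": ev.path, "user": ev.user,
                       "verdict": effective, "reason": reason})
    return report


def would_block(report):
    """Paths a simulated policy would block: the list to review for forgotten apps."""
    return sorted(r["path"] for r in report if r["verdict"] == "would-block")


# Constructed sample policy and events (not real software, hashes or accounts).
SAMPLE_POLICY = Policy(
    approved_hashes={file_hash(b"acme-erp-client-v3")},
    trusted_publishers={"Acme Software Inc."},
    trusted_locations=("C:\\Program Files\\Corp\\",),
    trusted_processes={"patchagent.exe"},
    trusted_users={"CORP\\build-engineer"},
)

SAMPLE_EVENTS = [
    ExecEvent("C:\\Program Files\\Acme\\erp.exe", file_hash(b"acme-erp-client-v3"),
              "Acme Software Inc.", "CORP\\alice", "msiexec.exe"),
    ExecEvent("C:\\Program Files\\Corp\\tool.exe", file_hash(b"internal-tool"),
              None, "CORP\\bob", "setup.exe"),
    ExecEvent("C:\\Windows\\Temp\\update.exe", file_hash(b"vendor-hotfix"),
              None, "SYSTEM", "patchagent.exe"),
    ExecEvent("C:\\Users\\carol\\Downloads\\game.exe", file_hash(b"unknown-download"),
              None, "CORP\\carol", "chrome.exe"),
    ExecEvent("C:\\Users\\dave\\Desktop\\legacy-report.exe", file_hash(b"forgotten-app"),
              None, "CORP\\dave", "explorer.exe"),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_POLICY, SAMPLE_EVENTS, simulate=True):
        print(f'{row["verdict"]:11} {row["path"]}  ({row["reason"]})')
    print("review before enforcing:", would_block(evaluate(SAMPLE_POLICY, SAMPLE_EVENTS)))
```

Two design points carry over to real deployments. The trusted-location rule is only as strong as the write protection on that directory, so such paths should be writable only by the deployment process. And the simulate report is most useful when it records the user as well as the path, because the "forgotten" applications are usually found by asking the affected users what the file is.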

Likewise, today’s automated whitelisting technology is aided by online application intelligence databases so that IT staff can easily identify and accurately assess an executable application’s threat levels and trust factors. One such database is the Bit9 Knowledgebase, which, as of September 2007, comprises more than 4 billion files and is growing by roughly 50 million records a day. This database collects metadata such as product name, file hashes, publishers, packages, security scan results, and much more actionable information.

Meanwhile, let’s not forget that devices can also be an important part of a company’s endpoint security strategy. What should companies do to address both the internal threats posed by unauthorized copying of information to portable storage devices, and the external threats that arise from malicious software downloads? I recommend adopting a granular device whitelisting approach that restricts personal storage device usage to an authorized set of trusted devices and trusted users (for example, allowing only encrypted devices), which prevents the unauthorized transfer of data to a removable media device. Such an approach will:
  • Centrally audit and log every file copied to and from a portable storage device
  • Prevent unauthorized copying of sensitive information to a portable storage device
  • Prevent unauthorized software executions from a portable storage device
  • Prevent unauthorized users from using portable storage devices
  • Enforce encryption policies
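The five controls above can be expressed as a single policy check that always writes an audit record, whatever the verdict. The following is an added example written for this edit, not code from the article or from any Bit9 product; the device identity fields, the policy knobs, the sensitivity labels and all serial numbers, user names and file names are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Device:
    """Identity of a removable drive as the endpoint would report it (assumed fields)."""
    vendor_id: str
    product_id: str
    serial: str
    encrypted: bool          # hardware or managed encryption verified present


@dataclass
class DevicePolicy:
    authorized_serials: set          # drives issued from corporate inventory
    trusted_users: set               # accounts allowed to use removable media at all
    require_encryption: bool = True
    allow_execute_from_device: bool = False
    block_confidential_copy_out: bool = True


@dataclass
class AuditLog:
    """Central log: every copy to or from a device and every execution attempt is recorded."""
    entries: list = field(default_factory=list)

    def record(self, **fields):
        fields["time"] = datetime.now(timezone.utc).isoformat()
        self.entries.append(fields)


def decide_device(policy, device, user, action, filename, sensitivity, log):
    """Return 'allow' or 'block' for action in {'copy_to', 'copy_from', 'execute'}.
    Checks run from the broadest (is this drive ours?) to the narrowest (this file)."""
    if device.serial not in policy.authorized_serials:
        verdict, reason = "block", "device not in authorized set"
    elif user not in policy.trusted_users:
        verdict, reason = "block", "user not authorized for removable media"
    elif policy.require_encryption and not device.encrypted:
        verdict, reason = "block", "device is not encrypted"
    elif action == "execute" and not policy.allow_execute_from_device:
        verdict, reason = "block", "execution from removable media is disabled"
    elif action == "copy_to" and sensitivity == "confidential" and policy.block_confidential_copy_out:
        verdict, reason = "block", "confidential data may not leave the endpoint"
    else:
        verdict, reason = "allow", "authorized device, user and action"
    # Logged unconditionally: the audit trail must show allowed copies too.
    log.record(action=action, user=user, device=device.serial,
               file=filename, verdict=verdict, reason=reason)
    return verdict


def run_scenario():
    """Constructed scenario (no real hardware IDs); returns (verdicts, log)."""
    policy = DevicePolicy(authorized_serials={"SN-CORP-0001", "SN-CORP-0002"},
                          trusted_users={"CORP\\alice", "CORP\\bob"})
    issued_enc = Device("VEND-A", "PROD-1", "SN-CORP-0001", encrypted=True)
    issued_plain = Device("VEND-A", "PROD-1", "SN-CORP-0002", encrypted=False)
    personal = Device("VEND-B", "PROD-9", "SN-PERSONAL-77", encrypted=True)
    log = AuditLog()
    cases = [
        (issued_enc, "CORP\\alice", "copy_to", "q1-forecast.xlsx", "internal"),
        (issued_enc, "CORP\\alice", "copy_to", "customer-list.csv", "confidential"),
        (issued_plain, "CORP\\bob", "copy_to", "notes.txt", "internal"),
        (personal, "CORP\\alice", "copy_from", "photos.zip", "unknown"),
        (issued_enc, "CORP\\eve", "copy_from", "report.pdf", "internal"),
        (issued_enc, "CORP\\bob", "execute", "setup.exe", "unknown"),
    ]
    verdicts = [decide_device(policy, d, u, a, f, s, log) for d, u, a, f, s in cases]
    return verdicts, log


if __name__ == "__main__":
    results, audit = run_scenario()
    for entry in audit.entries:
        print(f'{entry["verdict"]:5} {entry["action"]:9} {entry["user"]:12} {entry["file"]}  ({entry["reason"]})')
```

Note that the log entry is written before the verdict is returned and regardless of its value; an audit trail that records only blocked events cannot answer the question the article raises, which is what left the building on an approved drive.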

The bottom line? By adopting a whitelist endpoint security strategy whereby only authorized applications and devices are allowed to operate, companies can maximize endpoint security, compliance, and manageability while minimizing risks and costs.

About the Author:
Dr. Brennan is the CTO and Co-founder of Bit9, Inc., an application and device control solutions provider. Previously, Dr. Brennan founded Okena (acquired by Cisco in 2003), where he devised new techniques to defend against emerging computing threats. Dr. Brennan received his Ph.D. and M.S. degrees in Electrical and Computer Engineering from the University of Wisconsin. He holds a B.S. degree in Electrical Engineering from Cornell University.

© IMPIRE Communications, LLC All Rights Reserved.