There is no silver bullet, but that doesn’t mean we give up either. A combination of whitelisting, blacklisting and behavioral protection combined will provide the best protection. That’s why we no longer publish a magic quadrant for AV providers. Please see my research on endpoint protection platforms starting in 2007 – the research is referenced in this blog post:

http://blogs.gartner.com/neil_macdonald/2009/03/04/defense-in-depth-doesnt-mean-spend-in-depth/

When would that be? So you expect the user to keep that browser open (in the browsers memory remember) for an entire attack goal to be achieved? It doesn’t work that way in the real world, any exploit analyst could tell you that. They are using droppers. Every time.

You are fighting the inevitable, there is no other way to stop the malware madness. You can’t even compare a whitelisting to a typical AV solution, the difference in real world scenario is night and day protection wise.

You ask “Why shouldn’t/doesn’t the platform have implicit ability to ask “should I run this code or not?”

Yup. Completely agree. Microsoft is adding this to Windows 7 with a feature called “AppLocker” (think software restriction policies 2.0). Many mobile devices have this capability. The browser is another platform and it should also have this capability. Ditto for SOA, scripting, etc etc – *any* IT platform should have basic whitelisting enforcement capabilities built in, including emerging x86 virtualization platforms.

I didn’t mean to avoid the social, cultural and usability question that you raised in the thread.

I agree with you that there are some really tricky issues here with any kind of active filtering – white or blacklist. It is clear that there has routinely, it seems, been a one for one trade-off between risk and usability. We believe that whitelist presents an opportunity to change this for the better.

At the end of the day it is really about managing the signal-to-noise ratio. In the case of platform management – we need to pump up the signal and dampen the noise. The question is how.

Noise comes from many sources – but largely from ambiguous data validation – whether or not it is the attempt to filter “bad” or undesired code or the process of creating “allow lists” for trusted code. Once we have precisely detected what we want/don’t want – then we can employ policy to effect the decisions. Policy must be “quieter” with its decisions in order to meet the goal of better user experience.

The the extent the data sources used for positive and negative filtering is more accurate, we should be able to create better policies leading to enhanced user experience.

I would also add here that there is the question of whether “third-party” agents are (in the long-term) the best way to handle active filtering and policy. Shouldn’t more of the safety and user-experience method be built into the platform? It is in the physical world – why not in cyber?

I would offer that as we make the transition to drive new benefit from whitelists, we close large blindspots in our platform awareness. I also believe we should revist the question of “do we really to add yet another agent to the compute platform to get the full benefit of whitelisting?”

Why shouldn’t/doesn’t the platform have implicit ability to ask “should I run this code or not?” — I think it should.

Effectively implemented platform instrumentation coupled with known-provenance, high-value software measurements should improve all of the major feature metrics (security, compliance, better opex, lifecycle stability) all while reducing the load on users to make manual policy decisions, or worse yet – to be “locked down” because we’re “not sure” we are making good measurements and policy decisions.

IMHO, yet another reason to get the platform vendors and ISV’s onboard.

Wyatt.