In my previous post, I discussed three lessons from the recent breaches of Google’s infrastructure as the result of attacks on unknown vulnerabilities in Internet Explorer where no patch was available.
I need to break one out explicitly that falls under the broader category of host-based intrusion prevention: Application Control/whitelisting. I am convinced that whitelisting at the endpoints would have stopped these attacks.
I’ve discussed whitelisting/application control solutions multiple times and I research the approach and solutions extensively. The principle is simple: if an application isn’t on the list (whitelist), then it isn’t allowed to execute. Period. So even if IE had an unknown vulnerability, was subject to a zero-day attack and malicious code was dropped on the machine, the code wouldn’t be allowed to execute because it wasn’t on the approved list. Application control solutions provide straightforward and powerful protection – if code isn’t supposed to be running on a system, don’t let it run.
In practice, it’s not quite that simple, but the principle is sound and I would argue it should be foundational in our strategy to protect endpoints. The key to success is the maintenance of the whitelist over time as applications and users’ needs change. This is where the providers of these solutions differentiate and where organizations will succeed or fail in their application control deployments. For those clients evaluating solutions on the market, I discuss the application control market and best practices in detail in this research note, or give me a call.
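To make the default-deny principle and the maintenance problem concrete, here is an added toy allow-list decision engine (my illustration, not code from this post or from any vendor product). It assumes two rule kinds, SHA-256 hash rules and trusted-directory path rules; the binaries, paths and policy are constructed samples.

```python
# Toy application-control (allow-list) decision engine: an added illustration,
# not code from the original post or from any vendor product. It models two
# rule kinds, hash rules (SHA-256 of the file) and path rules (admin-only
# install directories); anything matching neither is denied by default.
import hashlib
from dataclasses import dataclass, field

@dataclass
class Policy:
    allowed_hashes: set = field(default_factory=set)  # sha256 hex digests
    trusted_dirs: tuple = ()  # lowercase, forward-slash path prefixes

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def may_execute(policy: Policy, path: str, contents: bytes) -> tuple:
    """Return (allowed, reason). Unmatched code is blocked, whatever its name."""
    digest = sha256_of(contents)
    if digest in policy.allowed_hashes:
        return True, f"hash rule matched {digest[:12]}"
    norm = path.replace("\\", "/").lower()
    if any(norm.startswith(d) for d in policy.trusted_dirs):
        return True, "path rule matched trusted directory"
    return False, "no rule matched: blocked"

# Constructed samples: a known-good browser binary and a payload an exploit
# dropped into a user-writable temp directory under a legitimate-looking name.
GOOD_IE = b"MZ...iexplore 8.0 (constructed sample bytes)"
DROPPED = b"MZ...payload written by shellcode (constructed sample bytes)"
IE_PATH = r"C:\Program Files\Internet Explorer\iexplore.exe"

POLICY = Policy(allowed_hashes={sha256_of(GOOD_IE)},
                trusted_dirs=("c:/program files/", "c:/windows/"))

def demo() -> dict:
    """The three cases the post describes, as (allowed, reason) pairs."""
    hash_only = Policy(allowed_hashes=POLICY.allowed_hashes)  # no path rules
    return {
        # approved browser binary: allowed by hash
        "ie": may_execute(POLICY, IE_PATH, GOOD_IE),
        # dropped payload: no hash or path rule covers %TEMP%, so it is denied
        "dropped": may_execute(POLICY, r"C:\Users\alice\AppData\Local\Temp\svchost.exe", DROPPED),
        # the maintenance problem: a patched browser has a new hash, and a
        # hash-only list denies it until the list is updated
        "patched_ie": may_execute(hash_only, IE_PATH, GOOD_IE + b" patched"),
    }
```

Path rules are only as safe as the write permissions on the directory, which is why the trusted prefixes here are admin-only install locations; a hash-only policy avoids that dependency but has to be updated with every patch.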
In the very slight chance that the injected code runs within the process space of the compromised application (and thus doesn’t try to launch another application that would be blocked by the whitelisting solution), Windows XP SP2 and higher, as well as other modern OSs, include hardware support for Data Execution Prevention; for additional protection, some application control solutions include supplemental buffer overflow protection.
There is no silver bullet in information security, but if managed correctly (and ideally combined with users running as standard user), application whitelisting solutions at the endpoint provide exceptional protection from zero day and targeted attacks.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.