In my previous post, I discussed three lessons from the recent breaches of Google’s infrastructure as the result of attacks on unknown vulnerabilities in Internet Explorer where no patch was available.
I need to break one out explicitly that falls under the broader category of host-based intrusion prevention: Application Control/whitelisting. I am convinced that whitelisting at the endpoints would have stopped these attacks.
I’ve discussed whitelisting/application control solutions multiple times and I research the approach and solutions extensively. The principle is simple: if an application isn’t on the list (whitelist), then it isn’t allowed to execute. Period. So even if IE had an unknown vulnerability, was subject to a zero-day attack and malicious code was dropped on the machine, the code wouldn’t be allowed to execute because it wasn’t on the approved list. Application control solutions provide straightforward and powerful protection – if code isn’t supposed to be running on a system, don’t let it run.
In practice, it’s not quite that simple, but the principle is sound and I would argue it should be foundational in our strategy to protect endpoints. The key to success is maintaining the whitelist over time as applications and users’ needs change. This is where the providers of these solutions differentiate themselves and where organizations will succeed or fail in their application control deployments. For clients evaluating the solutions on the market, I discuss the application control market and best practices in detail in this research note, or give me a call.
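To make the default-deny principle and the maintenance problem concrete, here is a small added example (my own code, not from any product or from the original post) that models an endpoint whitelist keyed on SHA-256 file hashes. The byte strings standing in for the browser and the dropped file are constructed placeholders, not real executables; the scenario walks through an approved launch, a dropped binary being denied even when renamed to an approved path, and a patched browser being denied until the list is updated.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for file contents; not real executables.
IE_V1 = b"MZ...iexplore.exe build A"
IE_V2 = b"MZ...iexplore.exe build A, patched"
DROPPED_PAYLOAD = b"MZ...unknown binary written to %TEMP% by a browser exploit"

@dataclass(frozen=True)
class ExecRequest:
    path: str       # where the file sits on disk
    content: bytes  # its bytes; the policy hashes these and never trusts the path
    parent: str     # process that asked to launch it

class Allowlist:
    """Default-deny: an executable runs only if its SHA-256 is on the list."""

    def __init__(self, approved_contents):
        self._hashes = {self.digest(c) for c in approved_contents}

    @staticmethod
    def digest(content):
        return hashlib.sha256(content).hexdigest()

    def approve(self, content):
        """Whitelist maintenance step: an administrator adds a vetted binary."""
        self._hashes.add(self.digest(content))

    def decide(self, req):
        """Return (verdict, audit line). Anything not on the list is denied."""
        h = self.digest(req.content)
        verdict = "allow" if h in self._hashes else "deny"
        audit = f"{verdict.upper()} {req.path} sha256={h[:12]} parent={req.parent}"
        return verdict, audit

def scenario():
    policy = Allowlist([IE_V1])
    ie_path = r"C:\Program Files\Internet Explorer\iexplore.exe"
    tmp_path = r"C:\Users\u\AppData\Local\Temp\a.exe"

    def run(path, content, parent):
        return policy.decide(ExecRequest(path, content, parent))[0]

    results = {}
    results["ie"] = run(ie_path, IE_V1, "explorer.exe")             # approved browser starts
    results["payload"] = run(tmp_path, DROPPED_PAYLOAD, "iexplore.exe")  # dropped file: not listed
    results["renamed"] = run(ie_path, DROPPED_PAYLOAD, "iexplore.exe")   # same bytes, approved path: still denied
    results["patched_before"] = run(ie_path, IE_V2, "explorer.exe")  # new build, new hash: denied
    policy.approve(IE_V2)                                            # list maintenance after the patch
    results["patched_after"] = run(ie_path, IE_V2, "explorer.exe")
    return results
```

The audit line returned alongside each verdict is what a SOC would want to collect: a deny with `parent=iexplore.exe` on a file under `%TEMP%` is exactly the signal the post describes.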
In the unlikely event that the injected code runs entirely within the process space of the compromised application (and so never tries to launch a separate executable that the whitelisting solution would block), Windows XP SP2 and later, like other modern operating systems, support hardware-enforced Data Execution Prevention, and for additional protection some application control solutions include supplemental buffer overflow protection.
There is no silver bullet in information security, but if managed correctly (and ideally combined with users running as standard users), application whitelisting solutions at the endpoint provide exceptional protection from zero-day and targeted attacks.