Whether or not you agree with the use of the term “Advanced Persistent Threat” (APT), we can agree that there is a very real threat from advanced intrusions which persist undetected in our systems.
By definition, these intrusions are advanced so our traditional (and increasingly ineffective) protection mechanisms such as firewalls and antivirus don’t catch these APTs.
Think of the APT as a “needle in the haystack” that we need to find. To make things worse, we aren’t sure what the needle looks like (no signatures). So how do we find them?
The answer may seem counterintuitive and is rooted in a whitelisting paradigm: Remove the hay that you know is good (“high assurance hay”). When you are done, the needles remain. You don’t have to know what needles (APTs) look like, you only need to know what high assurance hay looks like.
This simple analogy illustrates the foundational importance of “whitelisting” based approaches in information security across the entire stack — whether it is session flows on the network, applications that a system is allowed to execute or transactions on the back-end.
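To make the “remove the good hay” paradigm concrete, here is an added example (my illustration, not code from the original post or from any of the vendors named below) of application whitelisting at its simplest: a set of hashes of known-good executables is the “high assurance hay”, and anything observed executing whose hash is not in that set is a needle. The catalogue contents, host names and paths are constructed sample data; the function names are mine.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample: byte strings standing in for executable contents.
# In a real deployment the allowlist would be populated from a vetted,
# high-assurance software catalogue, not from the endpoint itself.
KNOWN_GOOD = {
    "notepad.exe": b"MZ...notepad-build-1234",
    "svchost.exe": b"MZ...svchost-build-5678",
}


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of an executable."""
    return hashlib.sha256(data).hexdigest()


def build_allowlist(catalogue: dict) -> set:
    """The 'high assurance hay': hashes of every trusted executable."""
    return {sha256_hex(content) for content in catalogue.values()}


@dataclass(frozen=True)
class Execution:
    """One observed process launch (constructed telemetry record)."""
    host: str
    path: str
    content: bytes


def find_needles(executions, allowlist: set) -> list:
    """Return every execution whose content hash is NOT on the allowlist.

    No signature of the 'bad' thing is needed: anything that is not known
    good is surfaced for review. Matching is on the hash, not the file name,
    so a trusted name with different bytes is still flagged.
    """
    return [e for e in executions if sha256_hex(e.content) not in allowlist]


# Constructed observations from three hosts.
OBSERVED = [
    Execution("ws01", r"C:\Windows\notepad.exe", KNOWN_GOOD["notepad.exe"]),
    Execution("ws01", r"C:\Windows\System32\svchost.exe", KNOWN_GOOD["svchost.exe"]),
    # Same trusted file name, different bytes: name-based checks would miss this.
    Execution("ws02", r"C:\Windows\System32\svchost.exe", b"MZ...not-the-real-svchost"),
    # Never seen in the catalogue at all.
    Execution("ws03", r"C:\Users\alice\AppData\Local\Temp\update.exe", b"MZ...unknown-build"),
]


def main() -> None:
    allowlist = build_allowlist(KNOWN_GOOD)
    for needle in find_needles(OBSERVED, allowlist):
        print(f"{needle.host}: {needle.path} not in allowlist "
              f"(sha256={sha256_hex(needle.content)[:16]}...)")


if __name__ == "__main__":
    main()
```

Run as a script it reports the two executions on ws02 and ws03 and stays silent for the known-good launches on ws01. The point the analogy makes shows up in the output: the tampered svchost.exe is caught without anyone having written a signature for it, purely because its bytes are not on the list of good hay.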
Of course, this example assumes you know what high assurance hay looks like. In the application control / whitelisting space that I research there are a number of providers that are stepping up to build high assurance databases of application executables including Bit9, CA, CoreTrace, Harris (acquired SignaCert), Lumension, McAfee, Symantec, Trend and others.
There is no silver bullet in information security, but applying a whitelisting-based mentality to all of our information security solutions should be foundational to keep the bad guys from gaining the upper hand – and to keep the needles out of our hay.