Whether or not you agree with the use of the term “Advanced Persistent Threat” (APT), we can agree that there is a very real threat from advanced intrusions which persist undetected in our systems.
By definition, these intrusions are advanced so our traditional (and increasingly ineffective) protection mechanisms such as firewalls and antivirus don’t catch these APTs.
Think of the APT as a “needle in the haystack” that we need to find. To make things worse, we aren’t sure what the needle looks like (no signatures). So how do we find them?
The answer may seem counterintuitive and is rooted in a whitelisting paradigm: remove the hay that you know is good (“high assurance hay”). When you are done, the needles remain. You don’t have to know what needles (APTs) look like, you only need to know what high assurance hay looks like.
This simple analogy illustrates the foundational importance of “whitelisting” based approaches in information security across the entire stack — whether it is session flows on the network, applications that a system is allowed to execute or transactions on the back-end.
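The hay-removal idea above, as an added example that is not from the original post or from any vendor named in it: an allowlist filter keyed on content digests that reports whatever is not known-good, without any notion of what a needle looks like. The allowlist entries and the files it scans are constructed inline, not real vendor data.

```python
"""Allowlist ("whitelist") filter: remove the known-good hay, report what remains."""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed allowlist of "high assurance hay": SHA-256 digests of executables a
# trusted source has vouched for. Hypothetical values derived from constructed
# file contents below, not real vendor data.
KNOWN_GOOD = {
    hashlib.sha256(b"legit-editor-v1").hexdigest(): "editor.exe",
    hashlib.sha256(b"legit-shell-v2").hexdigest(): "shell.exe",
}


def sha256_of(path):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_needles(directory, allowlist=KNOWN_GOOD):
    """Return {path: digest} for every file whose digest is NOT on the allowlist.
    Matching is by content, not name: a renamed or relocated known-good binary is
    still hay, while a modified copy of a known-good binary is a needle."""
    needles = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            digest = sha256_of(path)
            if digest not in allowlist:
                needles[path] = digest
    return needles


def demo():
    """Build a constructed directory of four files and return the needle names."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "editor.exe").write_bytes(b"legit-editor-v1")          # hay
        Path(d, "renamed_shell.exe").write_bytes(b"legit-shell-v2")    # hay, renamed
        Path(d, "editor.exe.bak").write_bytes(b"legit-editor-v1x")     # tampered copy
        Path(d, "updater.exe").write_bytes(b"never-seen-before")       # unknown
        return sorted(os.path.basename(p) for p in find_needles(d))


if __name__ == "__main__":
    print(demo())  # ['editor.exe.bak', 'updater.exe']
```

The tampered copy shows why the match must be on content rather than filename: a one-byte change to a trusted binary turns hay into a needle.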
Of course, this example assumes you know what high assurance hay looks like. In the application control / whitelisting space that I research there are a number of providers that are stepping up to build high assurance databases of application executables including Bit9, CA, CoreTrace, Harris (acquired SignaCert), Lumension, McAfee, Symantec, Trend and others.
There is no silver bullet in information security, but applying a whitelisting-based mentality to all of our information security solutions should be foundational to keep the bad guys from gaining the upper hand – and to keep the needles out of our hay.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.