Gartner Blog Network

Another Lesson from the IE Zero Day Attacks on Google: The Power of Whitelisting

by Neil MacDonald  |  January 21, 2010  |  13 Comments

In my previous post, I discussed three lessons from the recent breaches of Google’s infrastructure as the result of attacks on unknown vulnerabilities in Internet Explorer where no patch was available.

I need to break one out explicitly that falls under the broader category of host-based intrusion prevention: Application Control/whitelisting. I am convinced that whitelisting at the endpoints would have stopped these attacks.

I’ve discussed whitelisting/application control solutions multiple times and I research the approach and solutions extensively. The principle is simple: if an executable isn’t on the list (the whitelist), it isn’t allowed to execute. Period. The decision is made when a process or library is loaded, against the identity of the file on disk (typically its hash or publisher signature), not against a signature of known-bad code. So even if IE had an unknown vulnerability, was subject to a zero-day attack and malicious code was dropped onto the disk, that code wouldn’t be allowed to execute because it wasn’t on the approved list. Application control solutions provide straightforward and powerful protection – if code isn’t supposed to be running on a system, don’t let it run.

In practice, it’s not quite that simple, but the principle is sound and I would argue it should be foundational in our strategy to protect endpoints. The key to success is the maintenance of the whitelist over time as applications and users’ needs change: every patch, update and newly approved application changes or adds file hashes, and a static list either blocks legitimate change or drifts into permissiveness. This is where the providers of these solutions differentiate and where organizations will succeed or fail in their application control deployments. For those clients evaluating solutions on the market, I discuss the application control market and best practices in detail in this research note or give me a call.
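To make the two points above concrete (default-deny enforcement, and the maintenance problem that follows from it), here is an added example that is not from the original post or from any vendor’s product. It models a hash-based whitelist and a simplified “trusted updater” rule, in which executables written by a designated updater process are auto-approved; that rule is a stand-in for the dynamic list-maintenance mechanisms commercial products offer, not a description of any specific product. The file paths, process names and executable bytes are constructed for the scenario.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of an executable image."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class Whitelist:
    """Default-deny execution policy: only images whose hash is on the list may run.

    trusted_updaters holds process names whose file writes are auto-approved so the
    list keeps up with patching. This is a simplified, illustrative mechanism
    (an assumption of this example), not any vendor's implementation.
    """
    approved: dict[str, str] = field(default_factory=dict)   # hash -> label
    trusted_updaters: set[str] = field(default_factory=set)
    audit: list[tuple] = field(default_factory=list)

    def approve(self, image: bytes, label: str) -> None:
        self.approved[sha256_hex(image)] = label

    def on_file_write(self, writer: str, image: bytes, path: str) -> None:
        """Hook for 'process `writer` created or replaced an executable at `path`'."""
        if writer in self.trusted_updaters:
            self.approve(image, f"{path} (auto-approved, written by {writer})")
            self.audit.append(("approve", path, writer))
        else:
            # Unapproved write: nothing is added; the file will be blocked if executed.
            self.audit.append(("unapproved-write", path, writer))

    def check_execute(self, image: bytes, path: str) -> Decision:
        """Enforcement point: called when the OS is about to run `image` from `path`."""
        digest = sha256_hex(image)
        label = self.approved.get(digest)
        if label is None:
            self.audit.append(("block", path, digest[:12]))
            return Decision(False, f"{path}: hash {digest[:12]} not on whitelist")
        return Decision(True, f"{path}: approved as {label}")


def browser_exploit_scenario() -> list[Decision]:
    """Constructed scenario: a browser exploit drops a payload, then a patch lands."""
    ie_v1 = b"MZ...iexplore.exe build 1 (constructed bytes)"
    ie_v2 = b"MZ...iexplore.exe build 2 (constructed bytes)"
    dropper = b"MZ...payload dropped by the exploit (constructed bytes)"
    ie_path = r"C:\Program Files\Internet Explorer\iexplore.exe"

    wl = Whitelist(trusted_updaters={"wuauclt.exe"})   # assumed updater process name
    wl.approve(ie_v1, "Internet Explorer")
    results = []

    # 1. The approved browser runs.
    results.append(wl.check_execute(ie_v1, ie_path))

    # 2. Code injected into the browser drops a second-stage executable. The write is
    #    recorded but not approved, so the launch is blocked: this is the stage the
    #    post says whitelisting would have stopped.
    wl.on_file_write("iexplore.exe", dropper, r"C:\Windows\Temp\svchost.exe")
    results.append(wl.check_execute(dropper, r"C:\Windows\Temp\svchost.exe"))

    # 3. A patched browser build arrives via the trusted updater; its new hash is
    #    approved automatically, so the patch does not break the user.
    wl.on_file_write("wuauclt.exe", ie_v2, ie_path)
    results.append(wl.check_execute(ie_v2, ie_path))

    # 4. The maintenance problem: with a static list and no updater rule, the same
    #    patched browser is blocked, because its hash is not the one that was approved.
    static = Whitelist()
    static.approve(ie_v1, "Internet Explorer")
    results.append(static.check_execute(ie_v2, ie_path))
    return results


if __name__ == "__main__":
    for d in browser_exploit_scenario():
        print("ALLOW" if d.allowed else "BLOCK", d.reason)
```

The fourth decision is the one that decides real deployments: enforcement of the list is the easy part, and the value of a product lies in how it keeps the list accurate through patch cycles without opening a hole that an attacker’s dropper can also walk through (note that in this model, the attacker would need to get a trusted updater to write the payload, which is exactly why the set of trusted updaters must be small and itself protected).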

Whitelisting does not help for the stage in which the injected code runs only within the process space of the compromised application (and so never launches a separate executable that the whitelist would block); it stops the dropper that follows. For that in-process stage, Windows XP SP2 and later, like other modern OSs, support hardware-enforced Data Execution Prevention (NX/XD), and some application control solutions add supplemental buffer overflow protection. DEP on XP is opt-in per application and older IE versions did not opt in, so verify that the browser actually runs with DEP enabled rather than assuming it.

There is no silver bullet in information security, but if managed correctly (and ideally combined with users running as standard user), application whitelisting solutions at the endpoint provide exceptional protection from zero day and targeted attacks.


Category: beyond-anti-virus  endpoint-protection-platform  next-generation-security-infrastructure  

Tags: best-practices  beyond-anti-virus  endpoint-protection-platform  microsoft  microsoft-security  whitelisting  windows  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Thoughts on Another Lesson from the IE Zero Day Attacks on Google: The Power of Whitelisting

  1. Paul Paget says:

    You’re right. Can you believe it? The large endpoint security players don’t even offer app whitelisting security as a bundle! They get away with 80% to 90% protection at best. Do think an ISP would be in business with this type of performance? Or auto manufacturers would get away with cars that started 80% of the time? A good attacker can still walk into any company they choose via the endpoint computers. As you accurately point out, application whitelisting solves the problem because it stops targeted and zero day attacks at the endpoint, or in a worse case scenario from spreading to other endpoints. If an attacker or a virus cannot spread it is rendered impotent. The trick for the app whitelisting players is to make their solutions a no brainer to install, work with existing endpoint management AV systems, low to no cost to buy and administer. Some day the customers paying big bucks for the 80% solution will say to the endpoint behemoths, we’re mad as hell and we are not going to take it anymore!

  2. […] This post was mentioned on Twitter by savantpro, Raj Rajamani. Raj Rajamani said: Another Lesson from the IE Zero Day Attacks on Google: The Power of Whitelisting: In my previous post, I discussed… […]

  3. Mehul Doshi says:

    Paul, I would disagree. Whitelisting and blacklisting options in endpoint tools have been available for quite some time. Since 2003, Symantec and Sygate products, now merged as Symantec Endpoint Protection, have been providing application control as one of the products to which we have exposure.

  4. Billy Noll says:

    I agree with Neil and Paul. In my search for whitelisting solutions that implement true whitelisting without predominantly depending on signature-based technologies, I find that Cisco Security Agent does so and for some reason seems to be a best-kept secret. (Contrast if my business were heavily based on signatures and all of a sudden I don’t need signatures, OR on the other hand if my technology were so effective as to render attacks virtually powerless without using a constant barrage of after-the-fact signatures …)

    I researched Symantec and other solutions in depth and as of late 2009 did not find anyone else other than Cisco that is not still dependent primarily on signatures (e.g., Symantec doing about a million signatures and associated fixes a year and growing). If anyone might encounter more recent or illuminating info that would indicate otherwise, please share. Thank you Paul and other commenters.

  5. John Crissup says:

    Cisco Security Agent (CSA) is, indeed, a nice product. However, after 5 years of running CSA, I’m moving away from it in favor of Bit9’s whitelisting solution instead. CSA can be difficult to administer in a large, diverse environment. With 7,000 seats deployed, I had several occasions where my policy would no longer regenerate due to too many elements. I would then have to go back and start combining rules, making them more generic, to reduce the number of exceptions I had made. We also spent a lot of admin time working on the policy exceptions to get various applications to run properly. Make an exception, ask the user to try again and then look to see where it got blocked the next time. Lather, rinse, repeat.

    As we look forward to an expanded user base that is four times larger with far more applications, I decided that CSA was just too cumbersome to try and maintain in an environment that diverse. In addition, Cisco’s size and corporate complexity have caused CSA to get buried deep in the bowels of Cisco, and it is no longer as nimble as I believe is necessary.

    I decided to step back and reexamine the big picture and after a year of testing, I believe Bit9 is the way forward for us. The secret to effective whitelisting is in the management and Bit9 offers many static and dynamic methods of whitelisting an application. Their small size allows them to be nimble and they’re very willing to listen to my needs and implement new features where possible.

  6. Neil MacDonald says:

    Mehul – there are a couple of issues:
    1) Symantec has three application control offerings which aren’t rationalized – one in SEP, one in CSP and one with Altiris – which work differently and are managed with different consoles.
    2) The key to successful application control deployments is not the enforcement of the list (which is a commodity function), rather it is the management of the list over time as users’ needs and applications change – see this research:

    Windows can enforce application whitelisting with application control GPOs (software restriction policies), so commercial solutions must focus their value on #2 above.


  7. Neil MacDonald says:

    John – thanks for the feedback. Bit9 is one of the 15 or so vendors I track in this space.

    CSA and Bit9 are a bit different in that Bit9 focuses on whether or not a given application can run, and CSA focuses more on setting rules on applications’ behavior once they execute. Both are whitelisting – with CSA getting more granular with control once applications are executing. Both have their pros/cons and appropriate use cases.


  8. Neil MacDonald says:

    Billy – agree and disagree. Symantec, McAfee, Kaspersky, Proventia, etc., all have basic application control capabilities (granted they don’t talk about it as much, as they wouldn’t want to jeopardize the core blacklisting signature business), but as I pointed out to Mehul, enforcement of a static list is a commodity and not enough, so I agree with you there. The solution has to be manageable and handle change – that’s what I discuss in detail here:

  9. […] Blog… Another Lesson from the IE Zero Day Attacks on Google: The Power of Whitelisting Neil McDonald discusses lessons learned from the recent breaches of Google’s infrastructure as […]

  10. […] been advising Gartner clients to do this since 2006 and I provided this advice and more here and here after the IE/Google/China attacks. You don’t have to wait on a Windows 7 upgrade to do this, but […]

  11. […] attacks like those launched against Google.  Gartner analyst Neil McDonald and other experts have stated that application whitelisting would have stopped the attacks on Google. Application whitelisting […]

  12. […] absent is a solid application control/whitelisting capability. Point solutions from Bit9, CoreTrace, Lumension and others are filling a real gap in […]
