Security, et al

Randy's Blog on Infosec and Other Stuff


Intelligent Whitelisting - A Fundamentally Different Approach to Combating End-point Malware

Tue, 07 Jun 2011 08:44:37 GMT

Endpoint malware is getting more and more sophisticated and more and more vendors and content/file types are being targeted. The signature based model of classic antivirus (AV) and the teams and infrastructure behind it are increasingly stretched to keep up with the pace and sophistication of today’s financially motivated malware developers. 

On the other hand, patch management is getting more complicated as the bad guys target more and more software vendors. Moreover, both patch management and AV are reactive, not proactive.

A fundamentally different approach to combating end-point malware is application whitelisting.  Not only is application whitelisting proactive but in contrast to the negative security model used by AV and patch management, whitelisting uses a positive security model to stop malware. 

Traditional approaches to application whitelisting can prove to be maintenance nightmares, impact productivity and cause dissatisfaction among end-users. 

But these challenges can be overcome by an advanced implementation of whitelisting that incorporates more intelligence into trust decisions and that addresses the realities of PC environments. 

These thoughts are prompted by the fact that I just completed a whitepaper for Lumension entitled: “Using Defense-in-Depth to Combat Endpoint Malware: A Technical Paper”.  While researching for this paper I was impressed with the grasp of the issues that Lumension’s team has on endpoint security and the challenges associated with whitelisting.

Whitelisting is a challenge because it’s tougher than you might think to define what software should be allowed to run throughout your network. Lumension’s Intelligent Whitelisting takes the concept of a static application whitelist and applies it to the real world of hundreds or thousands of unique, ever-changing PCs, with a practical approach that provides immediate whitelisting benefits to any population of PCs without the upfront burden of analysis and testing that traditional whitelisting requires. They do this by:

1. Acknowledging the uniqueness of each PC by implementing an automatically customized local whitelist on each computer.

2. Recognizing trusted agents of change so that patches, enhancements and new applications can be installed without any manual effort required to update whitelist rules.

3. Allowing you to take a more practical, value-driven approach by implementing whitelisting progressively rather than as a point-in-time, do-or-die cutover.
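To make the three points concrete, here is an added illustration (not Lumension's code and not from the whitepaper) of the decision logic they describe: a per-PC allowlist keyed by content hash, seeded from what is already installed, extended automatically when a trusted updater writes a new binary, and run first in audit-only mode before enforcement. The executables are constructed byte strings standing in for real images.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(image: bytes) -> str:
    """Identify an executable by content hash rather than by path or name."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class LocalWhitelist:
    """Per-PC allowlist; a constructed model, not a vendor implementation."""
    allowed: set = field(default_factory=set)           # hashes this PC may run
    trusted_updaters: set = field(default_factory=set)  # hashes of change agents
    enforce: bool = False                               # False = audit-only rollout
    audit_log: list = field(default_factory=list)       # would-be blocks seen so far

    def baseline(self, installed_images):
        """Point 1: seed the local whitelist from what is already on this PC."""
        self.allowed.update(fingerprint(img) for img in installed_images)

    def on_file_written(self, image: bytes, writer_image: bytes) -> bool:
        """Point 2: a binary dropped by a trusted updater is trusted automatically."""
        if fingerprint(writer_image) in self.trusted_updaters:
            self.allowed.add(fingerprint(image))
            return True
        return False

    def decide(self, image: bytes) -> str:
        """Point 3: audit mode records unknown binaries; enforce mode denies them."""
        if fingerprint(image) in self.allowed:
            return "ALLOW"
        self.audit_log.append(fingerprint(image))
        return "DENY" if self.enforce else "ALLOW-AUDIT"


def run_scenario() -> dict:
    """Constructed sample images: an installed suite, its vendor updater, a patch, a dropper."""
    office, updater = b"office-suite-v1", b"vendor-patch-agent"
    patch, dropper = b"office-suite-v2", b"unknown-dropper"
    wl = LocalWhitelist(trusted_updaters={fingerprint(updater)})
    wl.baseline([office, updater])
    results = {"baseline": wl.decide(office), "audit_unknown": wl.decide(dropper)}
    wl.enforce = True                                   # progressive cutover to enforcement
    wl.on_file_written(patch, writer_image=updater)     # legitimate patch from trusted agent
    wl.on_file_written(dropper, writer_image=b"browser")  # untrusted writer: no whitelist change
    results["patched"] = wl.decide(patch)
    results["dropper"] = wl.decide(dropper)
    return results
```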

With endpoint malware more dangerous than ever, patch management and AV remain indispensable defenses but are insufficient by themselves due to their reactive nature and negative security model. Application whitelisting provides the vital third layer: a proactive, positive security model defense.

Please request my whitepaper which expands on these issues in much more depth.  Click here to get Using Defense-in-Depth to Combat Endpoint Malware: A Technical Paper.
