Application Whitelisting: Combining Pre-Launch and Post-Launch Controls Increases Protection and Reduces Work
by Eirik Iverson, Product Management
Security experts say application whitelisting is the enterprise answer to deteriorating AntiVirus detection rates. Gartner’s choice to name the category “Application Control and Whitelisting” reflects the need to close the remaining gaps with post-launch controls. However, application whitelisting requires a considerable level of effort. Even so, decision-makers can make practical choices today that mitigate their growing risks without overwhelming IT resources.
Application Whitelisting is a Pre-Launch Control, Allowing/Denying Application Launches
Application whitelisting determines what may launch and suppresses everything else, including malware missed by AntiVirus. This stops malicious code attacks without depending on the hopeless race to update signature databases as fast as cyber criminals create or re-craft malware with different “fingerprints”.
Pre-Launch Application Controls Alone Miss Sophisticated Attack Vectors
All applications have inherent vulnerabilities. Malicious code attacks exploit these vulnerabilities, effectively hijacking an application. The hijacked application is coerced into downloading and launching a malicious executable, which either installs persistent malware or conducts malicious operations itself. Pre-launch application controls typically block these launches.
However, more sophisticated attacks do not rely on launching an executable. Instead, they either coerce the hijacked application itself to do the work or they conduct memory code injections that essentially transform other whitelisted applications into something else. Pre-launch controls do not stop these attacks.
Whitelisted Applications Cannot be Trusted, Post-Launch Controls Are Needed
With commonly whitelisted applications such as Adobe Reader frequently exploited in many different ways, one can see why applications cannot be trusted after they launch. Application post-launch controls are needed to prevent them from harming computers. Such controls primarily block write operations to a relatively small list of common targets, a list which seldom changes. Hence, administration can be easy and a major protection gap in application whitelisting is closed. Look for controls that do not need to know in advance the DLLs used and the executables spawned by applications.
Executive View: Simplify Whitelisting by Dividing It into User-Space and System-Space
• System-Space: operating system, Windows registry, third-party software, etc.
• User-Space: the user’s documents, ‘Desktop’, and some software such as GotoMeeting
Over 95% of the effort to deploy a typical whitelisting product is spent enumerating and updating the system-space whitelist (i.e., what may launch). The user-space whitelist is trivial in comparison, typically less than a dozen applications and trusted publishers (i.e., allow launches of executables signed by specified software publishers). If only user-space had to be whitelisted, then deployments could be easier than enterprise email administration.
Combined Pre/Post-Launch Controls Slash the Level of Effort and Increase Protection
The net result of combined pre-launch and post-launch application controls can reduce the required level of effort to less than 10% of that of typical whitelisting products. User-space whitelisting requires less than 5%. Post-launch controls require less than 5% also. This combination actually yields a net improvement in protection assurance from even the most sophisticated, targeted malicious code attacks facing the enterprise today and tomorrow.
What if System-Space is Compromised Prior to Deployment?
If malicious code is already in system-space, then it is almost certainly rootkit malware. Third-generation rootkits are practically undetectable and are a preferred tool in targeted enterprise attacks. If attackers can penetrate system-space, then they are motivated to use third-generation rootkits. Even system-space whitelisting with binary file hash checksum integrity checks is ineffective against them. There are promising possibilities for the future, but none exist now. The executive bottom line: the operational cost of system-space whitelisting far outweighs its value in comparison to solutions that effectively combine pre-launch and post-launch controls. Prevention is critical!
Gartner has Identified Blue Ridge as an Emerging Vendor in Application Whitelisting and Control
Our advocacy of usability in applying cyber security is paying off. Customers can deploy and administer AppGuard Enterprise, with its pre-launch and post-launch controls, at a fraction of the effort of other application whitelisting products, yet with greater effective protection. Those that also need to monitor and enforce endpoint security postures on and off the enterprise network can find all of that integrated in our AppGuard Enterprise Plus centrally managed software. Both AppGuard Enterprise and AppGuard Enterprise Plus support domain and non-domain Windows computers. All of these capabilities are available as a Managed Endpoint Security Service.