Whitelisting Offers Protection from APTs

At the RSA Conference earlier this month there was a lot of talk about how it is inevitable that you will suffer a security breach so we need to rethink how we protect ourselves. One suggested solution is to adopt the concept of whitelisting. To learn more about that topic, I talked with Harry Sverdlove, CTO with the security firm Bit9, which sells security software that includes whitelisting technology.

Traditional security tools take a blacklist approach to security. “They have a list of signatures that describe known bad programs or known bad sites,” Sverdlove says. That means they’re only effective at stopping attacks if they have seen the same sort of attack previously.

But the nature of today’s threats makes that a difficult task. In addition to “zero-day” attacks – those that exploit vulnerabilities for which no signatures have yet been written – we now face “advanced persistent threats” or APTs.

“APT really refers to a new type of attacker more so than an attack method,” he says. “It’s not an automated program or malware; there’s a person on the other end of the attack making command and control decisions and adjusting to the situation on the fly.” What’s more, the victims are targeted, not random, and the attacker will keep trying until he is successful – hence the “persistent” part of the term.

Most importantly, the attacks are essentially customized for each victim, making signature-based security tools ineffective, Sverdlove says. Whitelisting, on the other hand, takes the opposite approach: it allows only applications that are known to be safe to run.

“It’s based on a simple premise: that the list of software you want running on your computer is a smaller set than the list you don’t want running,” he says.

Whitelisting is hardly a new concept in security circles, but it has come a long way. In its early days, the technology was based on a static list of applications. That was troublesome because the list continually changes as new versions of applications come out and users add new applications.

Today, however, the technology is based more on policy than on a static list. Say you distribute software using Microsoft WSUS. You can write a policy that says any program coming from WSUS is allowed to run. Similarly, you can trust any software from a specific publisher or from some trusted source on your network.

When you first install the product, tools like Bit9’s inventory all the software on your network. You can then choose to approve it all or apply a policy to determine what’s allowed. Should a user attempt to run software that hasn’t been approved, customers can choose either to block it or to present a dialog box instructing the user how to get the software approved.
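As an added example (not Bit9’s product or code), the following Python model shows the trust rules described above: explicit hash approval (the old static list), a trusted publisher, a trusted distribution source such as a WSUS share, and a default of block or notify. The publisher name, share path and sample files are constructed assumptions; the rollout walk-through also ships new versions of two approved programs to show where the static list breaks and the policy rule does not.

```python
# Added example (not Bit9's code): toy policy-based whitelisting, contrasting
# trust rules (publisher, distribution source) with a static hash list.
from dataclasses import dataclass, field
import hashlib

@dataclass
class Executable:
    path: str            # where the file lives on the endpoint
    content: bytes       # constructed file bytes; hashed for the static list
    publisher: str = ""  # verified code-signing publisher, "" if unsigned

@dataclass
class Policy:
    approved_hashes: set = field(default_factory=set)   # the old static list
    trusted_publishers: set = field(default_factory=set)
    trusted_sources: tuple = ()    # path prefixes, e.g. a WSUS content share
    block_unapproved: bool = True  # False: run it, but tell the user how to get approval

def file_hash(exe):
    return hashlib.sha256(exe.content).hexdigest()

def evaluate(policy, exe):
    """Return (allowed, reason); most specific rule first, default deny last."""
    if file_hash(exe) in policy.approved_hashes:
        return True, "hash on approved list"
    if exe.publisher and exe.publisher in policy.trusted_publishers:
        return True, "signed by trusted publisher " + exe.publisher
    for src in policy.trusted_sources:
        if exe.path.startswith(src):
            return True, "delivered from trusted source " + src
    if policy.block_unapproved:
        return False, "blocked: not approved; request approval via the helpdesk"
    return True, "allowed with notice: not approved; request approval"

# Constructed sample inventory from one endpoint (assumed names and paths).
UPDATE = Executable("\\\\wsus01\\content\\kb123.exe", b"update-v1")
SIGNED = Executable("C:\\Program Files\\App\\app.exe", b"app-v1", "Contoso Ltd")
TOOL = Executable("C:\\Users\\alice\\Downloads\\tool.exe", b"tool-v1")

def rollout():
    """Inventory, approve the one unapproved file by hash, then ship new versions."""
    policy = Policy(trusted_publishers={"Contoso Ltd"},
                    trusted_sources=("\\\\wsus01\\content\\",))
    before = {e.path: evaluate(policy, e)[0] for e in (UPDATE, SIGNED, TOOL)}
    policy.approved_hashes.add(file_hash(TOOL))       # admin approves the inventoried tool
    tool_v2 = Executable(TOOL.path, b"tool-v2")       # new build: hash changes, approval lost
    app_v2 = Executable(SIGNED.path, b"app-v2", "Contoso Ltd")  # same signer, still trusted
    after = {e.path: evaluate(policy, e)[0] for e in (tool_v2, app_v2)}
    return before, after
```

In `rollout()` the hash-approved tool is blocked again as soon as a new build arrives, while the publisher-trusted application keeps running, which is the practical difference between a static list and a policy.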

Going forward, Sverdlove says the next step is to apply the same trust-based approach to smart phones and tablets. His company is also looking at doing large-scale data analysis to look for patterns that are outside the norm, to create a trust rating system. That’s another idea that isn’t exactly new – but it’s worth pursuing.

Listen to our podcast to hear more about what Sverdlove had to say about APTs and how whitelisting can offer protection.