Welcome to 2016, where security technologies from the early 90s still reign supreme in some enterprises and corporate data breaches are happening faster than breaking your New Year’s resolution.
I’m looking at you. Put down the pastry.
Now that we’ve had that little heart-to-heart chat, let’s discuss something that acts as a nutrition coach for your endpoints. Trust-based security, a security technology usually grouped under the umbrella term “application whitelisting” will help you slim down those endpoints into the lean, mean, malware-blocking machines you always dreamed of.
Application whitelisting is a very potent tool set that can defend against unknown malware threats, but it has only been during the past few years that it has really started to take off. One of the main reasons for the delay in adoption is that traditional whitelisting solutions are hard to configure and maintain. That is no longer the case.
Yes, there is initial time investment required because every environment is different, however, you can always hit that big red button that locks down everyone at any time if you find a security threat before you finish tuning.
To give you an idea of how mainstream whitelisting has become, NIST (National Institute of Standards and Technology) [PDF] and SANS [PDF] have whitepapers on how to use whitelisting and how important it is to your company’s security posture.
So why do I like whitelisting? Well, call me old fashioned, but I prefer to know who I am letting into my house.
For example, almost every technology company has a badging system for their offices. This system works by checking the scanned badge against a predefined list of allowed personnel and only unlocking the door for pre-approved people. This essentially is how whitelisting works. It makes sense. It is a tried and proven technique for physical security for decades.
Admittedly, there are some workarounds though, like tailgating, which is the act of following an approved person through the door without badging in. Sounds an awful lot like an exploit kit doesn’t it? Even with this limitation, I still prefer a whitelisting solution to the blacklisting methods used by traditional antivirus solutions because I can create rules to lockdown known vulnerable applications.
Can you imagine trying to secure a building by only denying entry to those people you know shouldn’t get in? That is, at a high level, what AV does. It has a list (signatures) of known bad software that it checks every file/application against. If nothing flags, it can run on that system. Does anyone else see the absurdity in trying to make this method effective long term?
New year, new you, new threats…outdated security controls. One of these isn’t like the others. Let’s change that in 2016
Until next time, remember my motto: “Flag it, Tag it, and Bag it.”