Monday, 2 May 2011

Let’s make systems more secure, rather than blacklisting more efficient…

For the sake of argument, let’s say an anti-malware strategy combining cloud-based malware identification and information sharing capabilities could eliminate the bulk of malware. Even in a perfect world with perfect collaboration, such an approach will fall short of protecting enterprise systems against more sophisticated cyber attacks if it relies heavily on reactive blacklisting technology.

In the article, “IT security industry collaboration could eliminate 90% of malware,” Eugene Kaspersky, co-founder and chief executive of Kaspersky Lab, recently told attendees at Infosecurity Europe 2011 that identifying malware faster would reduce the number of initial infections to the point that it would break the business model of most cyber criminals.

“The number of initial infections will be so low that it will cost cybercriminals more to develop the malware than they are able to recoup.”

With all due respect to Mr. Kaspersky, there are two things in this article that we take exception to.

First, even in the best possible scenario where all the crowd-sourcing came together perfectly, you’re stopping 90% of nuisance, known malware. This kind of reactive approach is no solution for protecting our systems from the truly advanced, sophisticated targeted threats that are becoming the norm today.

Second, Mr. Kaspersky mentions whitelisting, but he uses the term inaccurately–in the same way most incumbent blacklisting providers do. True application whitelisting solutions enforce a whitelist of approved applications, thereby preventing the execution of all other applications (including zero-day malware, etc.). Incumbent blacklisting providers like Mr. Kaspersky, in an attempt to protect their revenue streams and compete against other blacklisting solutions, have bastardized the term whitelisting as a way to make blacklist scans more efficient. They are mangling the term to describe a process wherein the performance impact of blacklist scans is reduced because “whitelisted” (“known good”) files do not need to be included in blacklist scans. This does not make endpoints more secure; it makes blacklisting more efficient.

Instead of relying on reactive approaches to stop the vast majority of nuisance malware, application whitelisting solutions proactively prevent all unapproved code from running on a system–including new or unknown malware that remains under the radar of reactive, information sharing approaches.
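As an added illustration (not code from this post or from any vendor's product), here is a small Python model of the two policies contrasted above: a reactive blacklist that uses a “known good” cache only to skip scanning, versus a default-deny application allowlist. The sample “binaries” and their hashes are constructed; the point is what each policy does with a file that no signature has ever seen.

```python
import hashlib

# Constructed stand-ins for executable file contents.
APPROVED_EDITOR = b"approved-editor-v1"
APPROVED_EDITOR_V2 = b"approved-editor-v2"      # a vendor update, not yet approved
KNOWN_MALWARE = b"known-trojan-sample"           # already identified and shared
UNKNOWN_DROPPER = b"never-seen-before-payload"   # zero-day: no signature exists yet


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Reactive blacklist: only what the industry has already identified.
BLACKLIST = {sha256(KNOWN_MALWARE)}
# "Known good" cache used to skip blacklist scans on files already trusted.
KNOWN_GOOD = {sha256(APPROVED_EDITOR)}
# True allowlist: the only hashes permitted to execute on the endpoint.
ALLOWLIST = {sha256(APPROVED_EDITOR)}


def blacklist_decision(data: bytes) -> str:
    """Scan-exclusion 'whitelisting': skip known-good files, then check the blacklist.
    Anything not on the blacklist runs, so an unknown file is allowed by default."""
    h = sha256(data)
    if h in KNOWN_GOOD:
        return "allow (scan skipped)"
    return "block (signature match)" if h in BLACKLIST else "allow (no signature)"


def allowlist_decision(data: bytes) -> str:
    """Application allowlisting: default deny; only approved hashes execute.
    The cost is operational: an unapproved update is blocked until it is approved."""
    return "allow" if sha256(data) in ALLOWLIST else "block (not approved)"


def compare(samples: dict) -> dict:
    """Return {name: (blacklist outcome, allowlist outcome)} for each sample."""
    return {name: (blacklist_decision(d), allowlist_decision(d)) for name, d in samples.items()}


if __name__ == "__main__":
    samples = {"editor": APPROVED_EDITOR, "editor_v2": APPROVED_EDITOR_V2,
               "trojan": KNOWN_MALWARE, "dropper": UNKNOWN_DROPPER}
    for name, (bl, al) in compare(samples).items():
        print(f"{name:10s} blacklist={bl:24s} allowlist={al}")
```

The unknown dropper is the case that matters: the blacklist lets it run because nothing has been shared about it yet, while the allowlist blocks it without needing to know anything about it. The blocked v2 editor shows the maintenance burden that comes with default deny.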

By: JT Keating
