Wednesday, 29 June 2011

Total Application Control (TAC): The best of whitelisting AND blacklisting…

As hackers get better at breaking into networks and compromising data, IT security experts continue to debate the best ways to defend their systems against highly targeted malware attacks. In the PCWorld article, “How to Stop Hack Attacks In One Easy Step: Whitelisting,” InfoSec pro Tony Bradley highlights some of the key differences between application whitelisting and traditional blacklist-based defenses. Let’s review those differences, but then I want to make the case for Total Application Control (TAC)–a blending of the best of both approaches.
On one hand, whitelisting stops all unauthorized applications from running, essentially blocking any malicious/unauthorized software from executing on all network endpoints–regardless of whether it was a previously known application/attack or a new, unknown one. But as Richard Stiennon observes, simple whitelisting can be too restrictive and potentially require too much administrative overhead to maintain. On the other hand, blacklisting stops known bad applications from exploiting a system, but lets programs execute on a system by default if they are not on the blacklist. This reactive approach means users can execute software, including malicious attachments, thereby leaving networks and data vulnerable until after a threat is identified. Blacklisting also forces a steady stream of patching requirements and fire-drill reactions that become a black hole of IT time and money (e.g., troubleshooting poorly functioning machines, reimaging and even purchasing new systems prematurely).
As the whitelisting versus blacklisting debate rages on, instead of focusing on the limitations or weak points of each technology, what we should really be discussing are the strengths that these two super powers bring to the table, and how, when used together, they can help organizations gain complete control over all applications across their enterprise. CoreTrace calls this Total Application Control (TAC). (Basically, we need to create the “Blue Ocean” strategy for endpoint security. If you are unfamiliar with the concept/book, check out: www.blueoceanstrategy.com.)
First, we need to clear up some of the misconceptions that many still have, such as whitelisting being the same as “lockdown,” or that it doesn’t include cloud-based blacklists. The truth is, today’s leading application control solutions like CoreTrace Bouncer have evolved beyond straightforward whitelisting functionality. They’ve addressed the shortcomings of basic application whitelisting and blacklisting products by leveraging both technologies to provide the visibility organizations require to see all known good and bad applications in their environment. For a solution to achieve Total Application Control, it minimally needs to include three essential components:
    1. Application Whitelisting: Whitelisting on all endpoints as the enforcement mechanism to ensure established policies are enforced and all unauthorized applications are prevented from running.
    2. Change Management: The ability to seamlessly handle change (new authorized applications and upgrades) even in dynamic environments without impacting IT production or user productivity.
    3. Cloud-based Whitelists… and Blacklists: Cloud-based reputation service to assign risk profiles to all applications, including identifying known-good applications and any known pieces of malware. “Cloud-based” is the key phrase: use the information in an offline capacity, so as not to impact system performance with onerous scans.
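To make the three components concrete, here is an added Python model of an endpoint policy engine written for this post; it is not CoreTrace's or Bouncer's code. It assumes a SHA-256 hash whitelist as the enforcement layer, a locally cached (offline) reputation table standing in for the cloud service, a set of named "trusted updater" processes as the change-management path, and constructed sample file contents.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK_NOT_WHITELISTED = "block: not on whitelist"
    BLOCK_KNOWN_MALWARE = "block: known malware (offline reputation)"


class EndpointAppControl:
    """Toy TAC engine: whitelist enforcement + change management + cached reputation.

    whitelist        -- SHA-256 hashes of approved executables (default deny otherwise)
    reputation       -- local offline cache of cloud data, hash -> "good" | "bad"
    trusted_updaters -- process names whose new files are auto-approved (change mgmt)
    """

    def __init__(self, whitelist, reputation, trusted_updaters):
        self.whitelist = set(whitelist)
        self.reputation = dict(reputation)
        self.trusted_updaters = set(trusted_updaters)
        self.events = []  # audit trail for reporting / compliance

    @staticmethod
    def digest(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def evaluate(self, path: str, content: bytes) -> Verdict:
        """Decide whether an executable may run; known-bad wins over whitelist."""
        h = self.digest(content)
        rep = self.reputation.get(h, "unknown")
        if rep == "bad":
            verdict = Verdict.BLOCK_KNOWN_MALWARE
        elif h in self.whitelist:
            verdict = Verdict.ALLOW
        else:
            verdict = Verdict.BLOCK_NOT_WHITELISTED  # unknown => denied, no signature needed
        self.events.append({"path": path, "sha256": h, "reputation": rep, "verdict": verdict.value})
        return verdict

    def record_change(self, updater: str, new_content: bytes) -> bool:
        """Change management: files written by a trusted updater join the whitelist,
        unless the offline reputation cache already flags them as known malware."""
        h = self.digest(new_content)
        if updater not in self.trusted_updaters or self.reputation.get(h) == "bad":
            return False
        self.whitelist.add(h)
        return True


# Constructed sample "executables" (placeholder bytes, not real binaries).
APPROVED, MALWARE, NEW_TOOL = b"approved-app-v1", b"known-dropper", b"new-tool-v2"


def build_sample() -> EndpointAppControl:
    """Engine seeded with the constructed sample: one approved app, one known-bad hash."""
    d = EndpointAppControl.digest
    return EndpointAppControl(whitelist={d(APPROVED)},
                              reputation={d(APPROVED): "good", d(MALWARE): "bad"},
                              trusted_updaters={"trusted-updater"})
```

Note that the unknown file is blocked before any reputation data exists for it, which is the whitelisting win; the reputation cache adds the "known bad" label to the audit trail and keeps a trusted updater from whitelisting malware.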
I’ve often wondered if hackers are taking full advantage of the rhetoric that goes on between competitive security vendors who, despite having the same anti-malware objectives, continue to create a cloud of confusion throughout the industry that actually stalls innovation and new proactive ways to defend networks against more dangerous modern malware. Maybe bringing longtime adversaries like whitelisting and blacklisting together to create Total Application Control is the last thing cyber criminals want to see. We certainly think so.
So stop debating and start controlling your systems with a blend of the top defense mechanisms. Move past confusion and into enlightenment and receive all the control and performance benefits of whitelisting with the reporting and compliance benefits of offline blacklisting.

by Toney Jennings
