Whitelisting security has always taken a backseat to blacklisting approaches. After all, when there is far more good software running on computers and networks than bad software, it's just easier to block the bad than to approve all the good. But that was then, and this is now.
In 2009, the computer security defense world quietly marked a momentous threshold that should have us all looking anew at the value of whitelisting. Last year, the number of unique malicious programs and variants that were created outstripped all the legitimate software published in the world, straining the accuracy of anti-virus solutions like never before. It's a disturbing fact that suggests whitelisting is now more suitable as a primary security defense than traditional anti-virus scanners, which are really nothing more than blacklisting programs.
[ Read the individual reviews of Bit9 Parity Suite, CoreTrace Bouncer, Lumension Application Control, McAfee Application Control, and SignaCert Enterprise Trust Services. Compare the capabilities of Microsoft AppLocker, the whitelisting feature included in Windows 7 and Windows Server 2008 R2. ]
Now for some good news: Just as whitelisting may be finding a receptive audience, a number of whitelisting solutions are proving to be mature, capable, and manageable enough to provide significant protection while still giving trustworthy users room to breathe. Nor are today's whitelisting programs limited to locking down desktops to prevent malware executions -- they're also useful for software configuration and licensing compliance and regulatory auditing.
With these benefits in mind, InfoWorld tested six enterprise-grade whitelisting programs, otherwise known as application control programs. The reviewed products include Bit9 Parity, CoreTrace Bouncer, Lumension Application Control (formerly SecureWave Sanctuary), McAfee Application Control (formerly Solidcore S3 Control), and SignaCert Enterprise Trust Services. We also tested Microsoft AppLocker, the application whitelisting feature built into Windows 7 and Windows Server 2008 R2. In all cases, testing was done using the product's Windows clients, though one or two of the products also support Linux or Solaris or Mac OS X.
In a rare occurrence for a product comparison of this scope, all the products came out pretty well. The overall conclusion is that any of the reviewed products would help you reduce real and measurable security risk. A few are borderline excellent (scoring in the high 8s on InfoWorld's 10-point scale), and one, Bit9's Parity, is not only the clear frontrunner (with a score of 9.4) but a likely candidate for InfoWorld's Technology of the Year Award. Oh, to have such choices.
New world orderIn today's world, where most successful malware exploitations involve Trojan horse programs that the user was tricked into installing, whitelisting programs make more sense than ever. Whitelisting programs typically uniquely identify files using one or more cryptographic hashes (such as MD5, SHA-1, and so on) but can include any identifying file attribute they can query. It is common for the file name, path, publisher, size, and digital signature (if available) to be collected and reported.
Most whitelisting products also let you allow or deny programs based upon trusted users, trusted paths, and trusted publishers (in other words, digital certificates). A few even include millions to billions of predefined file hashes that they download directly from the vendor who made them. For example, three of the programs reviewed (Bit9 Parity, Lumension Application Control, and SignaCert Enterprise Trust Services) download every file hash directly from Microsoft, so administrators don't have to busy themselves with defining all the files they know are legitimate.
Users marked as trusted can normally install or run any program they like, within the bounds of their security privileges. All the reviewed products linked to Active Directory, and at least one can link to Novell's eDirectory services.
All the whitelisting products in this review allow you to use existing computers as baseline models. You simply scan the system to generate your own internal whitelist. Some of the vendors, as mentioned above, come with "gold standard" whitelists from the various software vendors. A few others add templates that set acceptable baselines as defined in a regulatory standard such as PCI or Sarbanes-Oxley. You can then run reports against the baselines to determine which computers are drifting from the defined baselines and what files are causing the drift. This can be done on individual machines or reported as a metric summarizing the entire environment. I love this sort of feature because it marries real security and regulatory requirements and allows you to report measured improvements to management over time.
A welcome improvement from whitelisting products over the last decade has been the ability to automatically whitelist updated files. In the past, every single updated file had to be manually approved because the updated file contained a different hash than its predecessor. This was an administrative nightmare, especially considering that today's regular updates for small programs can contain 80 or more files and major service packs can involve hundreds of files and multiple reboots.
Trust and protectToday, the best whitelisting products (including most in this review) allow administrators to define trusted updaters. For example, an administrator can add SMS, SCOM, WSUS, PatchLink, or Shavlik as a trusted updater, and anything they install will be automatically approved. This is a huge improvement.
Most whitelisting programs can be configured in either audit or enforcement mode. SignaCert is the only exception in this review; it has no built-in enforcement mode, but can monitor any file type. In audit mode, the whitelisting program only monitors and reports file executions. Enforcement mode blocks all monitored file types from executing or running, barring any specific exceptions. Most vendors recommend living with audit mode for a set period of time and running reports to find out what would have been denied had enforcement been enabled.
Once enforcement mode is enabled, any execution not explicitly allowed will be blocked. It goes without saying that desktop lockdowns aren't warmly welcomed by most end users. You're taking away their freedom. If you use any of these products in enforcement mode, make sure you've spent the necessary time to define the right policies to stop malware and unauthorized programs from executing while at the same time allowing end users to do their jobs. Expect an increase in the number of help desk calls. As users begin to understand that certain applications are not allowed, the help desk calls will decrease.
Most whitelisting programs are smart enough to identify file types based upon file header and don't rely on file extensions alone. All the products reviewed allow administrators to find any specific file, by name or hash, anywhere it exists on any of the monitored systems. Some products even allow hashes to be populated before the file even exists in the environment, looking ahead to block a specific hacker tool or malware program. Of course, because blocking often uses file names or hashes, identifying polymorphic malware programs can be a challenge. That's why it's already better, from a pure security standpoint, to block by default all that is not specifically allowed.
It's important to understand that whitelisting programs cannot stop every program or malware from executing. First, it's not uncommon for malware to use legitimate software to do its dirty business. For example, the MS Blaster worm used Windows' built-in Trivial File Transfer Program (tftp.exe) to copy itself from computer to computer. Macro viruses would be allowed to run inside of other approved programs just fine. Second, whitelisting programs often have difficulty blocking programs that run inside of virtual environments such as Java or .Net, although all of the products in this review claim to handle the individual hosted applications correctly.
Most whitelisting programs cannot stop buffer overflow malware programs, concentrating more on denying the payload executable that almost always results. Nevertheless, both CoreTrace and McAfee did an excellent job of blocking buffer overflows in my testing. CoreTrace Bouncer even stopped a buffer overflow program that was started before the whitelisting program was enabled.
Layer 8 considerationsAdministrators trying to implement a whitelisting program across a large organization should make sure to have senior management's buy-in. Once you start taking away users' "freedom," the complaints will start coming. I've yet to see an administrator turn on enforcement mode, even after weeks of application inventorying, without some mission-critical application that escaped detection being temporarily interrupted. IT shops using application control must be immediately responsive to customer needs and requests.
One of the biggest unexpected side effects of using a whitelisting program in enforcement mode is lower support costs. Companies that are able to lock down desktops have significantly fewer troubleshooting events and rebuilds. Although some users will complain about their inability to install anything they like, the lockdown also means that users won't install nearly as much malware, and that, along with the savings in support costs, usually translates well to senior management.
Most companies will want to define emergency and ad hoc approval processes so that requested software can be whitelisted and allowed to run as quickly as possible. No one wants to tell the CEO that he has to wait a week for his new golf game or stock trading program to get approved. Some environments enable enforcement mode only on problematic users with a history of abuse, while running auditing mode for everyone else. Every company should create baselines from images and programs their users are supposed to be running, and use the whitelisting solution's reporting feature to track deviations and drift.
This review ranks the whitelisting programs based upon overall functionality, including the file types and operating systems they cover, accuracy and effectiveness against policy violations, administration (how hard was it to configure and manage), reporting (including alerting), and overall value. As noted above, all of the reviewed products performed well. There are many good choices here, and the real challenge is in picking a product that has the best feature set for your environment. One product, Bit9’s Parity, rose to the top and should be included in anyone's consideration list.
Read the individual reviews:
Application whitelisting review: Bit9 Parity Suite Bit9 Parity 5.0 shines brightest among whitelisting competitors with strong protection and useful risk metrics
Application whitelisting review: CoreTrace Bouncer CoreTrace Bouncer 5 provides first-rate application control with a few unique features
Application whitelisting review: Lumension Application Control Lumension Application Control is a competitive product with a number of standout features and one significant omission
Application whitelisting review: McAfee Application Control McAfee's whitelisting protection for Windows, Linux, and Solaris is short on shortcomings
Application whitelisting review: SignaCert Enterprise Trust Services SignaCert is great for monitoring compliance with application and configuration policies, but it lacks built-in blocking
Application whitelisting in Windows 7 and Windows Server 2008 R2 Microsoft's AppLocker is limited compared to third-party options, but you can't argue with the price
This story, "InfoWorld Test Center review: Whitelisting security comes of age," was originally published at InfoWorld.com. Follow the latest developments in information security and endpoint security at InfoWorld.com.
This story, "InfoWorld review: Whitelisting security comes of age" was originally published by InfoWorld.