by Jim Buchanan

The Latest Security Tool for Your Arsenal: Whitelisting

Jul 07, 20116 mins
CIOData and Information SecurityData Breach

Attacks at RSA, Sony and others point to the need to get tough with what you allow on your network. Whitelisting requires more maintenance from IT, but it is the best way to fortify your network and protect your data.

Phishing, spear phishing, trojan horse and other attacks are growing in number and sophistication, seemingly by the day. There can be little disputing that notion after RSA, Sony, Lockheed and Citicorp were embarrassed by breaches this year.

And they’re just the tip of the iceberg. In a new Ponemon Institute survey, 90 percent of 581 enterprise security professionals in the U.S. and Europe had experienced at least one breach in the past year, with 56 percent having two or more.

The good news? Security budgets climbed from seven percent of IT spending to 14 percent between 2007 and 2010, according to an ABI Research finding.

That’s at the macro level. At the micro level, a security solution that was formerly declared not ready for prime time is now giving CIOs something new to think about — and spend money on.

That approach is called application whitelisting by some, application control by others. Whitelisting represents not just a new item for your security toolbox, but a different way of thinking about security altogether, according to Thorsten Behrens, security infrastructure architect at IT service provider Carousel Industries.

New Thinking on Security

Tools such as anti-spam and anti-virus software use blacklisting to protect against intrusions. You tell them what programs or users you don’t want to let in, and the tools keep them out.

But blacklisting means you have to know who the bad guys are, and the tools require frequent updates. Even then, there’s an exploitable gap between when a patch is issued and when it’s installed, not to mention zero-day attacks that go after holes for which no patch has been issued.

Whitelisting takes the opposite approach from blacklisting. It allows only pre-approved code to run, automatically refusing entry to any executable file that’s not in the whitelist database. Because it works at the executable level, it won’t respond to an unknown executable. That means it renders harmless all the viruses, trojan horses and spyware that rely on users to inadvertently trigger executables to do their dirty work.

Whitelisting Grows Up

Whitelisting isn’t a new concept. Variations have been used in LAN provisioning and by ISPs for email spam filtering. For enterprise IT, however, the need for more protection grows by the day. That’s because the volume of the world’s malicious code actually surpassed the volume of legitimate code a few years ago.

Still, the rate of IT adoption has been slower than expected, largely because of user fears that whitelisting will add constraints to their day-to-day work. A whilelist program may suddenly refuse to open a file from a different application, for instance, requiring the user to ask for approval, thus wasting time. Or it might affect numerous users if a vendor’s new software update wasn’t entered into the whitelist database quickly enough.

These may have been valid complaints with early products, but today’s vendors have made great strides in taking the pain out of whitelisting. They typically give you the ability to automatically whitelist updated files from trusted vendors, and to set PC baselines for whitelisting that are compliant with standards such as PCI. And they give you more granularity and flexibility in assigning access to user groups.

“Say a company that’s PCI-compliant has certain applications for processing payments,” Behrens says. “If they’re Web-based, they might just whitelist the browser, what they need for email, the payment processing application, and the PC’s OS.”

On the other hand, a group of trusted power users would get more broad-ranging accessibility, up to and including the ability to approve their own applications. “I’m a power user,” says Behrens, “I need to install things all the time, so I need to be able to self-approve an application in order to do my job.”

IT could therefore give him, a trusted user, the ability to place a new application on the whitelist, whether for himself or for his entire group. But his action would also be subject to approval at the management console.

Getting Buy-In

New products and features aside, whitelisting can still be a hard sell to users who instinctively balk at adding more security controls. Whitelisting may be good for you and your business, but is it good for them? That’s the first question you will need to answer, well in advance of any implementation. In fact, it’s one of several best practices you should consider in preparation for whitelisting:

  • Be proactive with users — Don’t expect them to applaud new technology because it’s new; instead, be clear in explaining what it is, how it works, and why you’re asking them to take it on. Let them take pride in helping protect your intellectual property and other critical data because, after all, company success translates directly to salaries and bonuses.
  • Evaluate and prepare your IT support infrastructure — The better IT is at updating user software, handling help desk calls and maintaining standards for software and hardware, the more likely a whitelisting implementation will go smoothly. Also, be ready for a temporary uptick in help desk calls — it’s inevitable with any new implementation.
  • Develop an implementation plan — If you want to do a sample implementation to start, select a group that deals with sensitive data: such as HIPAA for a healthcare company, or blueprints and intellectual property for a manufacturer. Tread gently by using the software’s audit mode rather than its enforcement mode to flag deviations in policy. With audit mode, deviations are reported to IT, while enforcement mode simply shuts out the application. Some companies run whitelisting in audit mode without ever resorting to enforcement.

You should use whitelisting to extend your existing security infrastructure, not to replace any of its components. More than ever before, companies need all the help they can get, and to an expert like Behrens that means a defense-in-depth security strategy.

Such a plan includes anti-virus and spam-detection on the front end, and functions such as intrusion detection, anomaly detection and log correlation on the back end. It means having a breach reaction plan so you don’t have to react under extreme stress to an attack. And it requires regular, comprehensive user training so employees can accept the fact that not being able to play Angry Birds is a small price to pay for a stable and successful work environment.