Here is an excellent blog entry by Swaroop Sayeram on the McAfee Security Insights Blog.


The concept of application whitelisting (AWL) is fundamental: you have a finite list of trusted applications, and only those are allowed to run.


Going down memory lane… This was productized by a few vendors post-Y2K, and was an ideal fit in the fixed-function device market: ATMs, medical devices, manufacturing systems, point-of-sale devices, kiosks, etc.


However, as a security technology it has enjoyed wider market adoption in recent times. It is capturing the enterprise server and desktop market in a big way. Traditional security technologies are not able to combat today’s breed of threats like advanced persistent threats (APTs) and botnets, and there is universal acknowledgement that AWL can provide thorough security. The usual inhibition is that end-user productivity should not be compromised by a stringent security system: new “good” applications should be allowed even if they are not part of the whitelist.


A CISO would gladly embrace AWL as the security standard if it:



  1. Provides the highest level of security
  2. Reduces IT’s administrative burden
  3. Does not lower end-user productivity



There are several AWL vendors in the market today, and they cover requirement #1 in varying degrees. The new entrants in this space provide partial whitelisting (just a list of exes), but whitelisting is thorough only when the entire system stack is whitelisted, i.e. drivers, scripts, libraries, exes and browser components.


Furthermore, only mature vendors cover requirements #2 and #3, providing security with flexibility, and win the CISO’s signoff.


McAfee covers them by using its multi-faceted trust model. New “good” applications are allowed even though they don’t feature in the whitelist, because they satisfy the trust criterion.


But AWL technologies still need to evolve. No vendor has created an ideal trust model, because there will always be “good” apps which are neither in the whitelist nor able to satisfy the trust criteria. Let’s call these the “unknown-good”.


McAfee is in a unique position to evolve in that direction. Being a premier security vendor, it can combine whitelisting, blacklisting and its Global Threat Intelligence to identify and keep away both the known-bad and the unknown-bad, yet allow the unknown-good. Once that happens, AWL technology will become a security solution not just for enterprises but also in the consumer world. You can then rest assured that a botnet army cannot recruit your grandma’s home PC.
