Here is an excellent blog entry by Swaroop Sayeram on the McAfee Security Insights Blog.
The concept of application whitelisting (AWL) is fundamental: you have a finite list of trusted applications, and only those are allowed to run.
Going down memory lane… This was productized by a few vendors post-Y2K, and was an ideal fit for the fixed-function device market: ATMs, medical devices, manufacturing systems, point-of-sale devices, kiosks, etc.
However, as a security technology it has enjoyed much wider market adoption in recent times, and it is capturing the enterprise server and desktop market in a big way. Traditional security technologies are not able to combat today’s breed of threats, such as advanced persistent threats (APTs) and botnets, and there is universal acknowledgement that AWL can provide thorough security. But the usual reservation is that end-user productivity should not be compromised by a stringent security system: new “good” applications should be allowed to run even if they are not part of the whitelist.
A CISO would gladly embrace AWL as the security standard if it:
- Provides the highest level of security
- Reduces IT’s administrative burden
- Does not lower end user productivity
There are several AWL vendors in the market today, and they cover requirement #1 to varying degrees. The new entrants in this space provide partial whitelisting (just a list of executables), but whitelisting is only thorough when the entire system stack is whitelisted: drivers, scripts, libraries, executables and browser components.
Furthermore, only mature vendors cover requirements #2 and #3, providing security with flexibility, and thereby win the CISO’s sign-off.
McAfee covers them by using its multi-faceted trust model. New “good” applications are allowed even though they don’t feature in the whitelist, because they satisfy the trust criterion.
But AWL technologies still need to evolve. No vendor has created an ideal trust model, because there will always be “good” apps that are neither in the whitelist nor satisfy the trust criteria; let’s call these the “unknown-good”.
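To make the two points above concrete (whole-stack coverage versus exe-only whitelisting, and a trust criterion that admits new code the whitelist has never seen), here is an added Python illustration. It is not McAfee’s code or any vendor’s engine; the artifact bytes, publisher name and "installed by a trusted updater" telemetry are constructed assumptions, and signature validation is assumed to have been done by the operating system.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# Artifact classes a whole-stack policy must cover, not just executables.
FULL_STACK = {"exe", "dll", "driver", "script", "browser_component"}

class Verdict(Enum):
    ALLOW_WHITELISTED = "hash is in the whitelist"
    ALLOW_TRUSTED = "not whitelisted, but satisfies a trust criterion"
    ALLOW_UNCOVERED = "artifact class not enforced by this (partial) policy"
    BLOCK_UNKNOWN = "not whitelisted and no trust criterion met"

@dataclass
class Artifact:
    kind: str                           # one of FULL_STACK
    content: bytes                      # constructed bytes; an agent would hash the real file
    publisher: Optional[str] = None     # signer name, assumed already validated by the OS
    installed_by: Optional[str] = None  # process that wrote the file (hypothetical telemetry)

    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

@dataclass
class Policy:
    whitelist: set                      # SHA-256 hex digests of trusted artifacts
    covered: set = field(default_factory=lambda: set(FULL_STACK))
    trusted_publishers: set = field(default_factory=set)
    trusted_updaters: set = field(default_factory=set)

    def evaluate(self, a: Artifact) -> Verdict:
        if a.kind not in self.covered:  # an exe-only product never inspects scripts or DLLs
            return Verdict.ALLOW_UNCOVERED
        if a.sha256() in self.whitelist:
            return Verdict.ALLOW_WHITELISTED
        # Trust criterion: new code runs without a whitelist edit if it is signed by a
        # trusted publisher or was written to disk by a trusted updater process.
        if a.publisher in self.trusted_publishers or a.installed_by in self.trusted_updaters:
            return Verdict.ALLOW_TRUSTED
        return Verdict.BLOCK_UNKNOWN    # the "unknown" bucket: good or bad, policy cannot tell

def demo() -> dict:
    app = Artifact("exe", b"constructed: known line-of-business app")
    patch = Artifact("dll", b"constructed: vendor hotfix", publisher="Example Vendor")
    script = Artifact("script", b"constructed: unsigned helper script")
    full = Policy({app.sha256()}, trusted_publishers={"Example Vendor"})
    partial = Policy({app.sha256()}, covered={"exe"})     # exe-only whitelisting
    return {"app": full.evaluate(app), "patch": full.evaluate(patch),
            "script_full": full.evaluate(script), "script_partial": partial.evaluate(script)}
```

The unsigned script is exactly the “unknown” case: the full-stack policy blocks it whether it is unknown-good or unknown-bad, while the exe-only policy simply never looks at it.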
McAfee is in a unique position to evolve in that direction. Being a premier security vendor, it can combine whitelisting, blacklisting and its Global Threat Intelligence to identify and keep out both the known-bad and the unknown-bad, yet allow the unknown-good. Once that happens, AWL technology will become a security solution not just for enterprises but also for the consumer world. You can then rest assured that a botnet army cannot recruit your grandma’s home PC.