When McAfee bought Solidcore for its whitelisting technology this year, it was a clear sign that whitelisting is gaining acceptance — though not all users are happy about the trend.
The premise of whitelisting is to lock down applications on computers and allow only authorized ones to run. In general, whitelisting has a reputation for being difficult to manage because it requires keeping the whitelisted applications fully up to date on any machine using it. On the positive side, whitelisting can stop malware from executing, prevent unwanted programs, and assist in compliance reporting.
With the number of malware specimens rising exponentially, traditional blacklisting methods that rely on signature-based defenses against known threats are widely regarded as inadequate on their own. Various newer types of malware defenses, such as cloud-based reputation analysis, took off in 2009 in a major way. But is whitelisting going to really be worth the effort?
McAfee's whitelisting product, Application Control, scores good reviews, as do other products such as Bit9 Parity and CoreTrace Bouncer, indicating product maturity. But the real obstacle to whitelisting continues to be corporate employees who rebel against it.
CoVantage Credit Union of Antigo, Wisc., found its employees strongly objected when the IT department tried locking down their computers using whitelisting technology from Faronics. "The feedback was this was not acceptable," says Aaron Hurt, information security officer for the credit union. "We probably locked down too hard, too fast."
While whitelisting does protect against malware and guard against running unauthorized applications such as peer-to-peer programs, it also got in the way of immediate use of applications that employees legitimately needed, Hurt notes. Employees didn't like having to contact the IT department when these kinds of new applications came along.
But Hurt says he has seen whitelisting improve over time. Faronics released a better management console during the past year, and he's convinced whitelisting is a good way to combat malware. "I do believe whitelisting has gained a lot of momentum and it's something we'll return to," Hurt says.
But for now, employee desktops at the credit union are restricted from P2P programs, games, admin tools or using USB devices through the Sophos antimalware and host-based intrusion-prevention system Endpoint Protection, which can blacklist some applications.
Technology services provider Unisys also shares the sentiment that whitelisting can be problematic. According to Rene Head, global theater engagement manager for managed security services at Unisys, the downside is it may end up slowing business efficiency and stifle innovation. But on the plus side, he notes, whitelisting can cut down on help desk calls.
And most importantly, whitelisting can be most useful when it's used on computers such as application servers or in perimeter guards that aren't especially subject to employee whim.
Whitelisting can be a good way to combat new malware not yet defined for a blacklist, but "whitelisting alone is not the answer," Head says.
Kish Yerrapragada, McAfee director of product management for systems security, and formerly with Solidcore, acknowledges he's heard stories that whitelisting can seem difficult to manage over time.
Whitelisting is "dynamic, and it's a change-control problem," says Yerrapragada, who says McAfee counts about 300 customers in industry and government using its application-control software today.
To address the question of authorized and unauthorized applications, McAfee Application Control can link with management systems such as IBM Tivoli or SMS to authorize applications. He says whitelisting works particularly well as a defense for application and DNS servers and point-of-sale devices, or in highly-controlled corporate environments.
In the future, McAfee is expected to not only detail whitelisting as an added protection in its endpoint security products and other defenses, but also to show that it can be a useful in protecting virtualized applications in particular.
When it comes to virtualization and security, "application control is the best way to put your foot forward," Yerrapragada says. Traditional approaches for on-demand scanning put a lot of pressure on the hypervisor, he says. "We see the whitelisting-technology approach as a turning point."