Application whitelisting: Is it the way to beat malware?

Anti-malware as we know it, is not working. Is application whitelisting the answer? An increasing number of experts think so. Find out why.
  • Date: May 18th, 2010
  • Author: Michael Kassner

    It seems the time has come to rethink how we fight malware. Anti-malware applications based on signature blacklists and heuristics derived from previously-observed behavior aren’t good enough. So what is? There is a growing consensus among experts that application whitelisting needs to be part of the solution.

    IT managers are starting to think more about application whitelisting as well. That’s because independent testing indicates application whitelisting is maturing into a viable endpoint-security solution. The same managers also realize application whitelisting can simplify regulatory compliance and software license assurance.

    Regulatory compliance

    Compliance with industry and government standards is becoming the norm. That’s understandable: compliance publicly demonstrates the organization’s concern for data security. The following are two examples of how application whitelisting helps companies comply with standards:

    • Payment Card Industry Data Security Standard (PCI DSS): Whitelisting helps maintain PCI DSS compliance by assuring only authorized software and portable storage devices are allowed.
    • Sarbanes-Oxley (SOX): As with PCI DSS, conforming to the SOX standard requires control and accountability of software and data storage. Whitelisting by its nature regulates that, along with providing the required audit trail.

    Software license assurance

    Determining what is installed on workstations at SMBs can be a significant undertaking. Now consider large enterprises; it’s almost impossible without some kind of automated-tracking software. One such solution is to use whitelisting. Doing so assures you of the following:

    • Only management-approved software is allowed on workstations.
    • Licensing-compliance issues within the organization and with the Business Software Alliance are eliminated.

    One ancillary benefit of software-license assurance is the reduction of helpdesk overhead. Only whitelisted software needs to be supported.

    Endpoint security

    The goal of any anti-malware application is to prevent the installation of malicious code. As hard as they try, developers relying on blacklists are doomed to failure. Why? Blacklisting is reactive, and thus ineffective against zero-day malware. By only allowing designated software to run on workstations, malware cannot gain a foothold.

    Whitelisting also provides the following security features:

    • Storage devices: Whitelisting has the ability to securely control portable storage devices. For example, application whitelisting can audit or prevent files from being copied to or from portable storage devices.
    • Unknown files: There are times when it’s imperative to identify an unknown file. Whitelisting applications have either a client or Web-based add-on to accomplish that.
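    To make the blacklist-versus-whitelist point concrete, here is an added Python example (not from the article or from any product it mentions) that runs the same three constructed files through a signature blacklist and a hash allowlist, and records an audit line for each decision; the file contents, hashes and policy lists are made-up stand-ins.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample "executables": byte strings standing in for real files.
SAMPLE_FILES = {
    "calc.exe": b"MZ...management-approved calculator build",
    "knownbad.exe": b"MZ...malware seen in an earlier incident",
    "zeroday.exe": b"MZ...never observed anywhere before",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Hypothetical policy lists. The allowlist holds hashes of approved software;
# the blacklist holds hashes of previously-observed malware. Neither knows zeroday.exe.
ALLOWLIST = {sha256(SAMPLE_FILES["calc.exe"])}
BLACKLIST = {sha256(SAMPLE_FILES["knownbad.exe"])}

@dataclass
class Decision:
    name: str
    digest: str
    allowed: bool
    reason: str

def blacklist_decision(name: str, data: bytes) -> Decision:
    """Reactive model: block only what has been seen before."""
    digest = sha256(data)
    if digest in BLACKLIST:
        return Decision(name, digest, False, "matches known-bad signature")
    return Decision(name, digest, True, "no signature match")  # zero-day slips through

def whitelist_decision(name: str, data: bytes) -> Decision:
    """Default-deny model: run only what management approved."""
    digest = sha256(data)
    if digest in ALLOWLIST:
        return Decision(name, digest, True, "approved by management")
    # Anything unknown is blocked and flagged so the file can be identified later.
    return Decision(name, digest, False, "not on allowlist; flagged for review")

def audit_line(d: Decision) -> str:
    verdict = "ALLOW" if d.allowed else "DENY"
    return f"{verdict} {d.name} sha256={d.digest[:12]}... ({d.reason})"

def evaluate(policy, files=SAMPLE_FILES) -> dict:
    return {name: policy(name, data) for name, data in files.items()}

if __name__ == "__main__":
    for label, policy in (("blacklist", blacklist_decision), ("whitelist", whitelist_decision)):
        print(f"--- {label} ---")
        for d in evaluate(policy).values():
            print(audit_line(d))
```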

    Final thoughts

    Well, that’s the high-level view. Over the next few weeks, I’m going to dissect two of the more prominent application-whitelisting offerings and look at the major anti-malware companies, as they are starting to integrate whitelisting.
