I introduced the idea of whitelisting as an alternative to traditional definition-based antivirus software in my previous post. Whitelisting is not a new development; it has been around for a while now. In the past, though, IT departments have favored easier-to-use antivirus applications.
However, whitelisting applications have improved to a stage where they could be a viable choice to protect against the proliferation of malware. While mulling over your options, consider these questions I posed to CoreTrace senior technical product manager Wes Miller. Formerly a program manager with Microsoft, Miller now builds the application whitelisting software at CoreTrace. I hope his detailed response will answer any questions that were brought up in my first whitelisting post.
Feel free to post additional questions here, and I will get them to Miller.
What are the advantages of application whitelisting and how does it differ from traditional blacklisting?
Miller: The idea of being able to "blacklist" or not allow a selected application to run on a system is quickly running its course and is now considered by many to be an outdated security approach. Even traditional blacklisting antivirus providers such as McAfee and Symantec are now looking at alternative methods. With the sophistication and ever-changing threat of malware and attacks out there today, it is nearly impossible for the blacklisting method to keep pace.
Instead, many are turning to an application whitelisting approach, which flips the blacklisting theory upside down. Whitelisting only allows applications that are on the whitelist to run. Today's high-security and easy-change application whitelisting solutions simultaneously stop the most sophisticated malware attacks (e.g., rootkits, memory exploits) while allowing users to safely install new applications and have them automatically added to the whitelist without requiring IT involvement.
What are some of the challenges leading to implementation and how can IT managers benefit from this technology?
Miller: Early application whitelisting technologies were dismissed as a viable antivirus method because they often created lockdown and the technology was unable to handle change in an efficient manner. What's more, extra work from already overwhelmed IT staff was required.
Today, there are application whitelisting solutions on the market that can easily automate "trusted change" and reduce maintenance time. With this approach, individual users are able to install and upgrade applications from trusted sources, without involving IT staff. Also, with the threat of malware and unauthorized configuration changes eliminated, there are fewer help desk calls and remediation efforts.
With the number of emergency patches being issued these days, how can application whitelisting help?
Miller: Reactive security patching is a time-intensive task that is a huge drain on IT resources. With the number of patches on the rise, organizations could benefit greatly from relying on solutions that prevent unauthorized applications from executing in the first place, such as application whitelisting technology, severely reducing the need for patching and thus allowing systems administrators to spend more time on other critical IT and security functions.
And now you're wondering why you'd choose one or the other. Why not blacklisting and whitelisting, for the best of both worlds? IT Business Edge's Carl Weinschenk recently spoke with Bit9's Mario Vuksan about that very topic.