There is no one best way to fight today's advanced malware threats, but application whitelisting at the desktop level can provide plenty of bang for the buck.
Although many anti-malware technologies are available, I continue to see businesses struggling to keep advanced malware off their systems. Network-level protection, endpoint protection and user training aren't be-all, end-all solutions. Here's why organizations should consider application whitelisting:
- Regardless of their role or purpose, Windows endpoints are targets, and based on what I see in my work, most are woefully unprotected against zero-day malware that exploits flaws nobody has patched yet.
- Even with the greatest of protection technologies on endpoints, over the network and at the external perimeter, most desktop administrators and IT managers I talk to are stretched so thin that they'd never catch advanced malware infections in their environments.
- Removing local Windows admin rights is a great step in the right direction, but it is not a cure on its own: malware running as a standard user can still read everything that user can read, capture credentials and persist inside the user's profile.
- Many enterprises use personal firewalls -- both Windows Firewall and third-party commercial firewalls -- but they're rarely configured to block outbound traffic, which is the direction malware uses to reach its command-and-control servers and move data out.
- We all know that prevention is key, and the general assumption is that standard antivirus protection is "good enough." Still, many attacks are carried out through malware infections anyway: 49% of the breaches studied in the 2011 Verizon Data Breach Investigations Report involved malware.
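The outbound-firewall point above is the easiest of these gaps to verify and to close. The following PowerShell is an added example, not code from the original article: it checks the host firewall's default outbound action, adds the allow rules a domain desktop needs, and only then switches the profiles to default-deny with logging. It needs the NetSecurity module (Windows 8 / Server 2012 or newer) and an elevated prompt; the domain controller and proxy addresses are assumptions.

```powershell
# Added example, not from the original article: confirm the host firewall's
# outbound posture, then switch it to default-deny with explicit allow rules.
# Requires the NetSecurity module (Windows 8 / Server 2012 or newer) and an
# elevated prompt. On Windows 7 the equivalent profile change is:
#   netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
# The IP addresses below are assumptions; substitute your own.

# 1. The check. On most desktops this prints DefaultOutboundAction = Allow
#    for all three profiles, i.e. anything that runs can talk to anything.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 2. Allow rules go in BEFORE the default changes, or the machine drops off
#    the domain. -RemoteAddress takes IPs/subnets, not host names.
$dcs   = '10.0.0.10', '10.0.0.11'   # assumed domain controllers / DNS resolvers
$proxy = '10.0.0.20'                # assumed forward web proxy

New-NetFirewallRule -DisplayName 'Out: DNS to internal resolvers' -Direction Outbound -Action Allow `
    -Protocol UDP -RemotePort 53 -RemoteAddress $dcs
New-NetFirewallRule -DisplayName 'Out: DNS/TCP to internal resolvers' -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 53 -RemoteAddress $dcs
New-NetFirewallRule -DisplayName 'Out: DHCP' -Direction Outbound -Action Allow `
    -Protocol UDP -LocalPort 68 -RemotePort 67
New-NetFirewallRule -DisplayName 'Out: AD to domain controllers (TCP)' -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 88, 135, 389, 445, 636, 3268, 3269, '49152-65535' -RemoteAddress $dcs
New-NetFirewallRule -DisplayName 'Out: AD to domain controllers (UDP)' -Direction Outbound -Action Allow `
    -Protocol UDP -RemotePort 88, 123, 389 -RemoteAddress $dcs
# Web access only through the proxy: malware that ignores proxy settings and
# tries direct 80/443 is dropped, and the proxy log becomes your choke point.
New-NetFirewallRule -DisplayName 'Out: HTTP/HTTPS via proxy only' -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 8080 -RemoteAddress $proxy

# The built-in "Core Networking" outbound rules stay enabled and some are broad
# (DNS to any address, for instance); list them and disable what you do not want.
Get-NetFirewallRule -DisplayGroup 'Core Networking' -Direction Outbound -Enabled True |
    Select-Object DisplayName, Action

# 3. The fix: default-deny in both directions, and log every drop so the
#    pilot group tells you what is still missing from step 2.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 4. Verify, and review the outbound allow list that is now in force.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
    Select-Object DisplayName, Profile, Direction | Sort-Object DisplayName
```

Roll this out through a GPO (the same cmdlets accept `-PolicyStore 'domain.fqdn\GPO display name'`) rather than host by host, and make sure browsers and the WinHTTP proxy setting point at the proxy before the default flips, or web access stops. During the pilot, the DROP lines in pfirewall.log are both the list of rules you still need to add and the first place an infected pilot machine's beaconing will show up.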
We're nearly two decades into the modern desktop era, so it's probably a good time to step back and come up with meaningful ways to stop advanced malware attacks on Windows endpoints once and for all. Microsoft's Software Restriction Policies (and AppLocker, their successor in Windows 7 Enterprise/Ultimate and Windows Server 2008 R2) can address most of the problems listed above; the outbound-firewall gap is a separate control. Better yet, look at the third-party application whitelisting solutions from vendors such as Bit9, Lumension, Viewfinity and CoreTrace.
These tools give you very granular control for warding off zero-day attacks: restricting what can execute without removing local admin rights, and applying different rules when a machine is off the corporate network. With them you can finally take control of your enterprise desktops.
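To make the built-in option concrete: the PowerShell below is an added example, not code from the original article or from any of the vendors named above. It uses AppLocker (the Windows 7 Enterprise/Ultimate and Server 2008 R2 successor of Software Restriction Policies, and the one with cmdlets) to build a whitelist from what is already installed, deploy it in audit mode, dry-run individual files against it, and read back what would have been blocked before anything is enforced. The file paths and the user name are assumptions.

```powershell
# Added example, not from the original article: build an AppLocker whitelist
# from the software already installed, deploy it in audit mode, and read back
# what would have been blocked before enforcing it. Elevated prompt required.
# File paths and the user name below are assumptions for this example.

Import-Module AppLocker

$policyPath = 'C:\Temp\applocker-baseline.xml'   # assumed output location

# 1. Inventory what is installed and turn it into rules. Publisher rules
#    (Authenticode signer + product) survive patching; hash rules are the
#    fallback for unsigned binaries and must be regenerated on every update.
#    Scanning a full system is slow; DLL rules are left out here because they
#    are the most expensive to evaluate and to maintain.
$dirs  = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$files = foreach ($dir in $dirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}

# Publisher/hash rules (not path rules) mean user-writable corners such as
# C:\Windows\Temp or C:\Windows\Tasks do not become a whitelist bypass.
$files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Set-Content -Path $policyPath -Encoding UTF8

# 2. Audit first. New-AppLockerPolicy emits EnforcementMode="NotConfigured";
#    AuditOnly logs what the rules would block without blocking anything.
$xml = [xml](Get-Content -Path $policyPath -Raw)
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$xml.Save($policyPath)

# 3. AppLocker only enforces while the Application Identity service runs
#    (on recent Windows 10 builds it is a protected service and its start
#    type has to be set through Group Policy or the registry instead).
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# -Merge keeps rules already present (e.g. the default rules that let
# Administrators run everything); without -Ldap this is the local policy,
# which any domain AppLocker GPO overrides.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 4. Dry-run files against the policy as a normal user before anyone notices:
#    PolicyDecision comes back Allowed, Denied or DeniedByDefault.
Test-AppLockerPolicy -XmlPolicy $policyPath -User 'CORP\jdoe' `
    -Path 'C:\Users\jdoe\Downloads\invoice.pdf.exe', 'C:\Program Files\Internet Explorer\iexplore.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. After the audit period: event 8003 (EXE/DLL) and 8006 (MSI/Script) mean
#    "ran, but would have been blocked". Anything you do not recognise here is
#    exactly what whitelisting exists to stop; the rest becomes additional rules.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

Get-AppLockerFileInformation -EventLog -EventType Audited |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Set-Content -Path 'C:\Temp\applocker-audit-delta.xml' -Encoding UTF8
```

Once the audit log has gone quiet for the pilot group, change EnforcementMode to Enabled in the XML and run Set-AppLockerPolicy again; for the fleet, pass the GPO's LDAP path with -Ldap instead of writing local policy. `Get-AppLockerPolicy -Effective -Xml` shows what is actually in force on a given host, which is the answer you want ready when the auditors ask.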
Ask yourself whether your current security tools will help you prevent -- or even detect -- advanced malware on your enterprise desktops. If you look at it honestly, you'll likely find some gaping holes. Like a well-tuned Web application firewall or network firewall that lets through only what is expected, application whitelisting can serve as a great final layer of endpoint defense.
Once you define what is allowed to run, you'll have bought yourself a great deal of control -- and visibility -- so that when the auditors come knocking, or a breach does occur, you can say with conviction that you know what's actually running on your desktops.
Some people may fret about application whitelisting's complexity. Many of us have lived with technologies whose confirmation boxes pop up every single time a new or suspect application runs. That's a valid concern: the last thing you want is a control that creates more business problems than it solves.
I think, however, that the technology is mature enough to weaken that argument. Others may say that application whitelisting costs at least as much as enterprise antivirus protection, or is simply too expensive. After all, the argument goes, why deploy application whitelisting when antivirus software already has seemingly similar controls? Only you know what matters most in your environment and what that is worth to your organization.
Rather than arguing for their own limitations, savvy desktop admins and IT managers will use whatever technologies best serve their businesses. Application whitelisting can serve as a standalone tool to lock down your desktops or, depending on which technologies you already have in place, it may play well with other security controls and help reduce the siloed-control effect. Looking at today's enterprise desktop security needs, application whitelisting will most likely be part of that equation.
ABOUT THE AUTHOR:
Kevin Beaver is an information security consultant, expert witness, author and professional speaker at Atlanta-based Principle Logic LLC. With over 23 years of experience in the industry, he specializes in performing independent security assessments revolving around minimizing information risks. Beaver has authored/co-authored 10 books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking For Dummies. In addition, he's the creator of the Security On Wheels information security audio books and blog, providing security learning for IT professionals on the go. You can reach him through his website www.principlelogic.com, on LinkedIn or follow him on Twitter at @kevinbeaver.
This was first published in March 2012