Re: What's wrong with application whitelisting?

[Joel Rosenblatt <joel () COLUMBIA EDU>]

Hi,

My simple answer is nothing .. we are starting to use it and will continue to roll it out as we can across our 
administrative units.

Several of the whitelisting products are a little restrictive for the .edu environment, but there are some that, in my 
humble opinion, fit.

I believe that the other reason for reluctance is that most audit/compliance requirements specifically require an AV 
solution to be present - and many schools
are reluctant to spend money on both.

AV does serve some purposes (they look at non-executables that whitelisting products will not ever see) and they can 
find potential future problems (bad files
downloaded as part of another package)

I believe that the future will be a combination product, akin to the current combination of AV and Anti-Spyware 
products on the market - we will see all three
in the same package (and maybe with and enhanced firewall thrown in for good measure)

An article on the subject

<http://www.scmagazineus.com/the-white-knight-application-whitelisting-solutions-gaining-appeal/article/159964/>

My 2 cents,
Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel


--On Monday, April 05, 2010 1:22 PM -0500 "Watkins, Lewis" <LWATKINS () UTSYSTEM EDU> wrote:

> Colleagues,  Please help me understand something, that I have been trying to make sense of for awhile and just don't get.   
> What's wrong with "application
> whitelisting"?   As best I can tell, application whitelisting has very low penetration in higher education, and I 
> simply do not understand this.   There must
> be issues and dynamics of which I am unaware to explain this.   My confusion is based on the following:
>
> -  Security professionals seem to agree that anti-virus software is no longer working.   No single product does the 
> job, and it is not feasible to run
> multiple products on each device. -  Any executable that anti-virus software will stop should also be stopped by a 
> whitelist, since the application would not
> be on the approved list. -  Zero-day attacks are a major threat.   Anti-virus is particularly bad at stopping zero-day 
> attacks.   Application whitelists are
> particularly good at stopping zero-day attacks. -  Universities use whitelisting on firewalls (i.e. we don't shut down 
> just the ports that prove themselves
> to be bad - we open only those that are needed. ) -  Universities use whitelisting for people (i.e. we don't let 
> everyone in the world have an account until
> they prove to be bad.  We maintain a list of approved users.) -  However, universities use blacklisting for 
> applications.   We tend to allow any application
> that can find its way onto our desktop computers to run.   When a program proves to be bad, we spend lots of labor and 
> effort re-imaging the computer - then
> we do it again later.    To the extent that application whitelisting would help prevent this, costs would be reduced 
> and IT could concentrate more on value
> added efforts. -  We have many bots and Trojans infecting computers and do not seem to have solid solutions for 
> preventing these infections.   If using
> whitelisting, even if a rogue program finds its way onto a person's computer, it will not execute.    I've seen 
> improved network monitoring proposed as a
> strategy so infections will be identified and stopped more quickly based on traffic analysis.  This is good, but would 
> it not be better just to prevent the
> malware from executing to begin with? -  Much of the malware that finds its way onto our computers does so without the 
> user's knowledge.   A whitelist would
> prevent these from executing - thus protecting the user from doing harm without intent or knowledge.  This could 
> prevent us from attacking our neighbors at
> the next desk and other universities and institutions.
>
> There is no doubt that we in higher education have improved significantly over the past decade in the area of 
> information security.  However it seems the
> stakes are higher than ever and our threats and adversaries are evolving very rapidly.   We need new some strategies.
>
> Thanks - I appreciate your insights, comments, and thoughts.   Also, please let me know if the base assumptions above 
> are incorrect.   This is something I
> really do want to understand.
>
>     Lewis Watkins, CISO - University of Texas System
>     lwatkins () utsystem edu
>
>
>
>
> _____________________________________________
>
> **** CONFIDENTIALITY STATEMENT ****
> The information in this message may be confidential.
> If you received the message in error, please notify
> me and delete the message.  Further dissemination
> is prohibited. Thank you.
> _____________________________________________
>
> Lewis Watkins, Chief Information Security Officer
> The University of Texas System
> 201 W. 7th Street, CLB 3
> Austin, Texas 78701
> Ph:  (512) 499-4540  Fax: (512) 579-5085
> _____________________________________________



Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel