Educause Security Discussion mailing list archives

Bit9 and other whitelisting history


From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Tue, 16 Jul 2013 13:10:42 -0400

Many years ago, I designed a white-listing system that I knew would make a difference in system protection.  It was 
designed to "fill in the gaps" left by my design of Tripwire.  I architected it to address the risks at every level of 
use.

Wyatt Starnes, the then-CEO of Tripwire, was really excited about the idea, and started some low-level development in 
the late 90s.   Wyatt left the company, and after a few years' downtime, bought the rights to the idea and I helped him 
start a new company around it: SignaCert.

SignaCert has patents on several of the techniques it uses.  One of the key elements of my design was to connect with 
various companies producing software -- including Microsoft and Red Hat -- to get agreements on whitelist "harvesting." 
 Wyatt labored hard and long on this, and got a lot of buy-in from dozens of major players (including the ones 
mentioned).

Where Bit9 and others (including some of the community harvesting done by antivirus vendors) depend on collecting 
specimens "in the wild" to build their data sets, SignaCert collected them at the vendors, from the golden masters of 
not only the releases, but of all the possible combinations of patch application.   Thus, the signatures had extremely 
high trust.  Plus, the SignaCert approach took multiple different kinds of cryptographic hashes to ensure long-term 
viability (inherited from my philosophy with Tripwire).

I will also note that Wyatt and I stressed internal security of the entire dataset and software chain, to ensure the 
highest trust.  We knew that if any of that was compromised, so was the entire trust chain.  NB the contamination of 
Bit9's database via certificate compromise a few months back.

Wyatt worked tirelessly with various industry leaders and government folk, including NIST, to get the idea more widely 
adopted.  Instead, several other vendors began to include similar ideas in their products (the core idea of 
whitelisting is very old and public).

Ultimately, the timing was bad and sales didn't quite ramp as quickly as they wanted so the backers got cold feet; 
SignaCert was sold at a loss to Harris Corp., where it continues to be operated as a subsidiary.   If you visit 
www.signacert.com you will see that it is still being marketed and developed, and it is SCAP certified.  They have 
various compliance management features built in, it seems.

Wyatt stayed with SignaCert for some time, and continued to try to ensure it was on a good trajectory.  He retired 
about 2 years ago -- well-deserved, but undoubtedly a little frustrated that we hadn't been able to make the timing 
work a little better.

Neither Wyatt nor I are now involved with the company in any way; I never made anything off the system (I was hoping to 
pay for my daughter's college education, but...so much for dreams).   I can't see that either of us is mentioned anywhere 
on the WWW site.

I can't say anything about the current quality of the product because after Wyatt left, no one there has ever been in 
touch with me.  However, if you are on the market for such things, you might check it out.  It has an excellent 
pedigree. :-)

--spaf
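The multi-hash, golden-master whitelist described in the message above, as an added illustration that is not SignaCert's code or format: each entry is harvested once from vendor-supplied bytes under several digest algorithms, and verification can retire a broken algorithm without re-harvesting. The record layout, the `harvest`/`verify` functions and the sample golden-master bytes are all assumptions made for this example.

```python
import hashlib

# Hypothetical whitelist layout, not SignaCert's actual record format.
ALGOS = ("md5", "sha1", "sha256")


def digest_all(data, algos=ALGOS):
    """Compute every configured digest over the same bytes in one pass."""
    return {a: hashlib.new(a, data).hexdigest() for a in algos}


def harvest(golden_master):
    """Build whitelist entries from vendor golden-master files (path -> bytes),
    rather than from specimens observed in the wild."""
    return {path: digest_all(data) for path, data in golden_master.items()}


def verify(path, data, whitelist, retired=frozenset()):
    """Return (allowed, reason).

    A file is allowed only if every algorithm that is not retired still matches
    the harvested entry.  Retiring an algorithm that has become untrustworthy
    drops it from the check while the remaining digests keep the entry usable,
    which is the long-term-viability property of storing several hashes.
    """
    entry = whitelist.get(path)
    if entry is None:
        return False, "not in whitelist"
    live = [a for a in ALGOS if a not in retired]
    if not live:
        return False, "no trusted algorithms left"
    observed = digest_all(data, live)
    mismatched = [a for a in live if observed[a] != entry[a]]
    if mismatched:
        return False, "mismatch on " + ",".join(mismatched)
    return True, "match on " + ",".join(live)


# Constructed sample golden master; real harvesting would read vendor media.
GOLDEN = {"/usr/bin/example": b"constructed golden-master bytes, release 1"}
WHITELIST = harvest(GOLDEN)

if __name__ == "__main__":
    print(verify("/usr/bin/example", GOLDEN["/usr/bin/example"], WHITELIST))
    print(verify("/usr/bin/example", b"modified bytes", WHITELIST))
    print(verify("/usr/bin/example", GOLDEN["/usr/bin/example"], WHITELIST,
                 retired={"md5", "sha1"}))
```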
