Educause Security Discussion mailing list archives
Bit9 and other whitelisting history
From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Tue, 16 Jul 2013 13:10:42 -0400
Many years ago, I designed a white-listing system that I knew would make a difference in system protection. It was designed to "fill in the gaps" left by my design of Tripwire. I architected it to address the risks at every level of use. Wyatt Starnes, the then-CEO of Tripwire, was really excited about the idea, and started some low-level development in the late 90s. Wyatt left the company, and after a few years downtime, bought the rights to the idea and I helped him start a new company around it: SignaCert. SignaCert has patents on several of the techniques it uses.

One of the key elements of my design was to connect with various companies producing software -- including Microsoft and Red Hat -- to get agreements on whitelist "harvesting." Wyatt labored hard and long on this, and got a lot of buy-in from dozens of major players (including the ones mentioned). Where Bit9 and others (including some of the community harvesting done by antivirus vendors) depend on collecting specimens "in the wild" to build their data sets, SignaCert collected them at the vendors, from the golden masters of not only the releases, but of all the possible combinations of patch application. Thus, the signatures had extremely high trust. Plus, the SignaCert approach took multiple different kinds of cryptographic hashes to ensure long-term viability (inherited from my philosophy with Tripwire).

I will also note that Wyatt and I stressed internal security of the entire dataset and software chain, to ensure the highest trust. We knew that if any of that was compromised, so was the entire trust chain. NB the contamination of Bit9's database via certificate compromise a few months back.

Wyatt worked tirelessly with various industry leaders and government folk, including NIST, to get the idea more widely adopted. Instead, several other vendors began to include similar ideas in their products (the core idea of whitelisting is very old and public).

Ultimately, the timing was bad and sales didn't quite ramp as quickly as they wanted so the backers got cold feet; SignaCert was sold at a loss to Harris Corp., where it continues to be operated as a subsidiary. If you visit www.signacert.com you will see that it is still being marketed and developed, and it is SCAP certified. They have various compliance management features built in, it seems. Wyatt stayed with SignaCert for some time, and continued to try to ensure it was on a good trajectory. He retired about 2 years ago -- well-deserved, but undoubtedly a little frustrated that we hadn't been able to make the timing work a little better. Neither Wyatt nor I am now involved with the company in any way; I never made anything off the system (I was hoping to pay my daughter's college education, but...so much for dreams). I can't see that either of us is mentioned anywhere on the WWW site. I can't say anything about the current quality of the product because after Wyatt left, no one there has ever been in touch with me. However, if you are on the market for such things, you might check it out. It has an excellent pedigree. :-)

--spaf
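The two design points in the post above (recording several independent cryptographic hashes per golden-master file, and protecting the integrity of the whitelist dataset itself) sketched as a small Python example. This is an added illustration, not SignaCert's or Tripwire's code; the file contents, the dataset key and the use of an HMAC as a stand-in for a real signature over the dataset are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Digests recorded per entry. Requiring several independent algorithms to
# agree keeps the whitelist usable if one algorithm is weakened later.
ALGORITHMS = ("sha256", "sha512", "blake2b")


def digests(data: bytes) -> dict:
    """Compute every configured digest of a file's contents."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def build_whitelist(golden_files: dict, dataset_key: bytes) -> dict:
    """Harvest digests from vendor golden-master files and seal the dataset.

    golden_files maps a file name to its known-good contents. The HMAC seal
    (assumed here in place of a real signature) makes tampering with the
    stored digests detectable before any entry is trusted."""
    entries = {name: digests(data) for name, data in sorted(golden_files.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    seal = hmac.new(dataset_key, body, "sha256").hexdigest()
    return {"entries": entries, "seal": seal}


def dataset_intact(whitelist: dict, dataset_key: bytes) -> bool:
    """Recompute the seal over the stored entries and compare it in constant time."""
    body = json.dumps(whitelist["entries"], sort_keys=True).encode()
    expected = hmac.new(dataset_key, body, "sha256").hexdigest()
    return hmac.compare_digest(expected, whitelist["seal"])


def is_trusted(whitelist: dict, dataset_key: bytes, name: str, data: bytes) -> bool:
    """A file is trusted only if the dataset is intact and ALL digests match."""
    if not dataset_intact(whitelist, dataset_key):
        return False
    entry = whitelist["entries"].get(name)
    if entry is None:
        return False
    observed = digests(data)
    return all(hmac.compare_digest(observed[alg], entry[alg]) for alg in ALGORITHMS)


# Constructed sample data: two golden-master builds (release and release+patch) and a key.
KEY = b"constructed-dataset-key"
GOLDEN = {"tool-1.0.bin": b"release 1.0 binary", "tool-1.0-patch3.bin": b"release 1.0 + patch 3"}
WHITELIST = build_whitelist(GOLDEN, KEY)

if __name__ == "__main__":
    print(is_trusted(WHITELIST, KEY, "tool-1.0.bin", b"release 1.0 binary"))  # True
    print(is_trusted(WHITELIST, KEY, "tool-1.0.bin", b"tampered"))  # False
```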