Everybody knows and hates whitelisting. Employees are only allowed to install approved software on their desktops and laptops, so they're always complaining and asking for exceptions. Management eventually gets fed up with it and stops the experiment.
For mobile devices, enterprises have a number of tools at their disposal, including mobile device management, and malware has a harder time jumping from an infected phone to the rest of a corporate network. An infected laptop or desktop, by contrast, sits directly on the corporate network, so the potential damage is far greater.
We are in an age of destructive and fast-spreading malware, like the recent WannaCry ransomware attack, and this is encouraging companies to give whitelisting a second look. They will find that whitelisting solutions have matured. Capabilities like cloud-based, peer-to-peer whitelists and reputation scoring give the technology a better chance to catch on, although some believe it is still not ready for prime time.
The new dynamic whitelists are updated in real time based on recommendations from other users, reputation scores and other data, and in theory they offer strong endpoint protection with very low management overhead; in practice the list is only as trustworthy as the reputation and crowd data feeding it. Machine learning can help score whether an application is likely to be malicious, based on its behavior and on comparison with known malware and known good software.
"I believe that the number one way to protect against ransomware technologically is the use of application control, or whitelisting," says Rob Clyde, security consultant and member of the ISACA board of directors. "First generation whitelisting has been difficult to implement. Keeping that list together was a management nightmare, but recently in the last year or two it has become much more straightforward. With next generation whitelisting, the lists are automatically kept and are pre-populated with already trusted, well-known programs."
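The difference between the two generations described above (a hand-maintained hash list versus a list pre-populated with trusted publishers and fed by reputation scores and peer recommendations) is easier to see as policy code. The following is an added example written for this article, not code from any vendor product or from the people quoted; the binaries, publisher names, reputation scores, peer counts and thresholds are all constructed, and the decision order (known-bad reputation checked before publisher trust) is a design choice of the example, not something the article states.

```python
# Added example (not from the article or any vendor product): a toy
# application-control policy that contrasts a first-generation static
# hash allowlist with a "next-generation" policy that also consults
# pre-populated publisher trust, a reputation feed and peer approvals.
# All binaries, publishers, scores and counts below are constructed.
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binary:
    path: str
    content: bytes               # stand-in for the executable's bytes
    publisher: Optional[str]     # verified signer name, or None if unsigned


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


# Constructed sample binaries.
APPROVED_TOOL = Binary("C:\\Tools\\approved.exe", b"approved build 1.0", "Example Corp")
VENDOR_UPDATE = Binary("C:\\Tools\\approved-1.1.exe", b"approved build 1.1", "Example Corp")
POPULAR_UTIL = Binary("C:\\Users\\bob\\util.exe", b"widely used utility", "Other Devs")
SIGNED_MALWARE = Binary("C:\\Users\\bob\\invoice.exe", b"encryptor payload", "Example Corp")
UNKNOWN_TOOL = Binary("C:\\Users\\bob\\new.exe", b"never seen before", None)

# First-generation policy input: exact hashes an admin added by hand.
STATIC_ALLOWLIST = {sha256_hex(APPROVED_TOOL.content)}

# Next-generation inputs (all constructed): publishers trusted up front,
# a reputation feed keyed by hash (0.0 = known bad, 1.0 = known good) and
# the number of peer organisations that already allow each hash.
TRUSTED_PUBLISHERS = {"Example Corp"}
REPUTATION = {
    sha256_hex(POPULAR_UTIL.content): 0.9,
    sha256_hex(SIGNED_MALWARE.content): 0.05,
}
PEER_APPROVALS = {sha256_hex(POPULAR_UTIL.content): 1200}


def first_gen_decision(b: Binary) -> str:
    """Static allowlist: anything not enumerated is blocked, including the
    vendor's own next build, which is where the exception requests come from."""
    return "allow" if sha256_hex(b.content) in STATIC_ALLOWLIST else "deny"


def next_gen_decision(b: Binary, min_reputation: float = 0.8,
                      min_peers: int = 100) -> str:
    """Returns "allow", "deny" or "review" for one binary."""
    h = sha256_hex(b.content)
    rep = REPUTATION.get(h)
    # Known-bad hashes are checked first so that a valid signature from a
    # stolen or abused signing key cannot override the denylist.
    if rep is not None and rep < 0.2:
        return "deny"
    if h in STATIC_ALLOWLIST:
        return "allow"
    # Pre-populated trust: a verified signature from a trusted publisher
    # lets a new version run without an admin touching the list.
    if b.publisher in TRUSTED_PUBLISHERS:
        return "allow"
    # Reputation score or broad peer adoption as a fallback for unsigned
    # or less well-known software.
    if rep is not None and rep >= min_reputation:
        return "allow"
    if PEER_APPROVALS.get(h, 0) >= min_peers:
        return "allow"
    # Never seen anywhere: block, but route to a human instead of silently failing.
    return "review"


if __name__ == "__main__":
    for b in (APPROVED_TOOL, VENDOR_UPDATE, POPULAR_UTIL, SIGNED_MALWARE, UNKNOWN_TOOL):
        print(f"{b.path}: first-gen={first_gen_decision(b)} next-gen={next_gen_decision(b)}")
```

Two things to keep in mind when reading the output: the publisher rule is what removes the "management nightmare" of updating hashes for every release, but it means a compromised signing key lets malware through unless a reputation denylist is consulted first, which is why that check runs before the others here; and the peer-approval rule imports other organisations' mistakes, so the thresholds are deliberately parameters rather than constants.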
Robert Huber, chief security and strategy officer at Salt Lake City-based Eastwind Networks, used and tested application whitelisting in the early 2000s, then came back to it again in 2007 with industrial control systems. In fast-changing environments, it was difficult for whitelisting to work, he says. But that is changing. "I believe the intersection of crowdsourcing, machine learning, and cyber threat intelligence coupled with predictive analytics could lead to a model where new applications can be quickly vetted and ranked to speed the decision cycle," he says.
Does it really work?
One Fortune 100 manufacturing company has long been using whitelists for single-purpose desktops and servers, but has begun piloting a next-generation whitelisting product from McAfee. "Overall, it's been pretty good," says a cybersecurity expert at the company, who did not want to be quoted by name.
At first, there was some grumbling, he says. Employees were used to installing anything they wanted on their desktops, and then, if they got infected, the company would wipe and reimage their machines. That slash-and-burn approach doesn't work with the recent increase in malicious attacks, he says. Plus, the focus of the malware has changed. "It's gone from kids trying to gain headlines to industrialized and commercialized efforts to gain control behind the scenes to leverage money-making opportunities," he says.