As the whitelisting technology was rolled out, re-imaging requests fell by about 20 percent a month for the first six months, and then continued to fall at a slower pace. Today, the company gets only a quarter as many re-imaging requests as it used to. That number will continue to drop as more employees in the pilot group come on board, but there's only so far it can go, he says.
"There's always a number of factors that come into effect that reduce the effectiveness of any security product," he says. For example, there are always cases where some users need exceptions to be written in. "And, for various reasons, there's always a small group of end users who try to circumvent security processes for what they think are innocuous reasons." Those employees try to get their downloads approved by trying to sneak them in through an existing exception, without understanding what they're doing or putting in the effort to get the risky software formally approved.
While the new whitelisting system has improved security, management overhead has remained low. "Leveraging things like global threat intelligence and reputation and end-user and client feedback and suggestions, the whitelisting programs have become far more effective and intuitive," he says.
So why isn't the company rolling it out more broadly? "There are a lot of gun-shy people out there, especially in management, who don't want to introduce the kinds of impacts that we've seen in the past," he says. "That is changing. It just has to be proven out and communicated and all that good stuff."
Clouds, peer-to-peer, sandboxing and reputation scoring
The new whitelisting solutions typically use a combination of technologies to reduce errors and management overhead. Security managers can often choose from some combination of internal blacklists and whitelists; external whitelists generated and vetted by screened industry peers; vendor testing and analysis; and reputation scores.
For example, McAfee offers a multi-leveled approach to whitelisting that avoids the pitfalls associated with relying exclusively on one method. Take, say, crowd-sourced whitelists. "Anytime you have crowd sourcing, there can be a question about the integrity of the white list," says Candace Worley, VP and chief technical strategist at Santa Clara, Calif.-based McAfee LLC. "If I'm a bad guy, certainly that becomes a very attractive approach to spoofing my way into the environment. If someone is approaching whitelisting through purely crowd source, there's an inherent risk in that."
McAfee also uses other sources to build its whitelists, including allowing customers to designate trusted sources such as their own update server or vendor application management solutions. "Microsoft is updating its operating system three or four times a year," Worley says. "If you have to manually update your whitelist every time you get an OS update, application update or service pack, that's untenable from a resource perspective."
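The combination approach described above (internal block and allow lists, peer-vetted external lists, trusted update sources and reputation scores, with no single source deciding alone) is easier to reason about as a concrete policy evaluator. The following is an added illustration written for this article, not code from McAfee or any other vendor; the field names, thresholds, publisher and server names are assumptions, and every hash and score is a constructed sample value. It shows the precedence a defender would typically want: an explicit internal block wins over everything, internal approval beats external inputs, a trusted signer delivered through a trusted channel keeps routine OS and application updates off the manual queue, a peer-sourced entry is only honoured when reputation does not contradict it, and anything still unknown is routed to review rather than silently allowed.

```python
"""Added example (not from the article or any vendor): a policy evaluator that
merges several whitelist sources into one allow/deny/review decision with a
reason string for the audit log. All hashes, scores, publisher and source names
below are constructed sample values."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    REVIEW = "review"  # unknown or contested: quarantine and send to the approval queue


@dataclass
class Executable:
    path: str
    sha256: str
    publisher: Optional[str] = None  # subject of the code-signing certificate, if signed
    source: Optional[str] = None     # delivery channel, e.g. the company's update server


@dataclass
class Policy:
    internal_block: Set[str] = field(default_factory=set)      # hashes always denied
    internal_allow: Set[str] = field(default_factory=set)      # hashes approved in-house
    peer_allow: Set[str] = field(default_factory=set)          # hashes vetted by screened peers
    trusted_publishers: Set[str] = field(default_factory=set)  # signers whose updates are trusted
    trusted_sources: Set[str] = field(default_factory=set)     # e.g. an internal update server
    reputation: Dict[str, int] = field(default_factory=dict)   # hash -> score 0..100 (assumed scale)
    allow_threshold: int = 80
    deny_threshold: int = 20


def evaluate(exe: Executable, policy: Policy) -> Tuple[Verdict, str]:
    """Return (verdict, reason). Precedence: explicit block > internal approval >
    trusted update channel > peer list corroborated by reputation > reputation alone."""
    h = exe.sha256.lower()
    if h in policy.internal_block:
        return Verdict.DENY, "internal block-list"
    if h in policy.internal_allow:
        return Verdict.ALLOW, "internal allow-list"
    # Trusted update sources: require both a trusted signer and a trusted channel,
    # so a valid signature arriving from an unexpected place is not enough.
    if exe.publisher in policy.trusted_publishers and exe.source in policy.trusted_sources:
        return Verdict.ALLOW, f"trusted update from {exe.source}"
    score = policy.reputation.get(h)
    if h in policy.peer_allow:
        # A crowd-sourced entry is never trusted on its own: low reputation overrides it.
        if score is not None and score <= policy.deny_threshold:
            return Verdict.REVIEW, f"peer-listed but reputation {score} is low"
        return Verdict.ALLOW, "peer-vetted allow-list"
    if score is None:
        return Verdict.REVIEW, "unknown hash, no reputation data"
    if score >= policy.allow_threshold:
        return Verdict.ALLOW, f"reputation {score}"
    if score <= policy.deny_threshold:
        return Verdict.DENY, f"reputation {score}"
    return Verdict.REVIEW, f"reputation {score} between thresholds"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample "files": labelled byte strings stand in for real binaries.
H_APPROVED = sha256_hex(b"constructed: internally approved tool")
H_BLOCKED = sha256_hex(b"constructed: known-bad sample")
H_PEER = sha256_hex(b"constructed: peer-vetted utility")
H_PEER_BAD = sha256_hex(b"constructed: peer-listed but poor reputation")
H_UPDATE = sha256_hex(b"constructed: vendor OS update")
H_UNKNOWN = sha256_hex(b"constructed: never-seen download")

SAMPLE_POLICY = Policy(
    internal_block={H_BLOCKED},
    internal_allow={H_APPROVED},
    peer_allow={H_PEER, H_PEER_BAD},
    trusted_publishers={"Example OS Vendor"},          # assumed name
    trusted_sources={"updates.corp.example"},          # assumed internal update server
    reputation={H_PEER: 65, H_PEER_BAD: 10, H_UPDATE: 95},
)


def demo() -> Dict[str, str]:
    """Evaluate a handful of constructed executables and return path -> verdict."""
    cases = [
        Executable("C:/tools/approved.exe", H_APPROVED),
        Executable("C:/temp/bad.exe", H_BLOCKED),
        Executable("C:/tools/peer.exe", H_PEER),
        Executable("C:/tools/peer_bad.exe", H_PEER_BAD),
        Executable("C:/Windows/update.exe", H_UPDATE,
                   publisher="Example OS Vendor", source="updates.corp.example"),
        Executable("C:/Users/x/Downloads/new.exe", H_UNKNOWN),
    ]
    return {exe.path: evaluate(exe, SAMPLE_POLICY)[0].value for exe in cases}


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:7} {path}")
```

The REVIEW outcome is the part that keeps management overhead low in practice: unknown or contested files land in a queue with a recorded reason instead of either blocking a user outright or being waved through, and the trusted-source rule means a vendor update signed by the expected publisher and fetched from the expected server never generates a ticket at all.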