Added to that is a reputation scoring system that draws on the company's global threat intelligence and on a reputation cloud that tracks known-good and known-bad URLs and IP addresses.
For brand-new, not-previously-seen software that a user wants to download, the software is sent to a dynamic container. "We're going to let her download it, but we're going to ringfence it, and only allow it to do certain things on the system," Worley says. "And by watching its behavior, and how it executes in the sandbox, it will actually be able to determine whether it's good or bad. If it's bad, it will spit out an indicator of compromise, what to look for, and from that you can create behavioral rules and signatures going forward."
McAfee notes that machine learning is not applicable as part of dynamic application containment on the endpoint, given the small set of known most-malicious execution behavior rules that are monitored and/or blocked. However, its network sandboxing technology uses machine learning to convict sandbox-aware malware.
Many other antivirus vendors have also added dynamic whitelisting capabilities. Kaspersky, for example, uses dynamic whitelists to speed up the performance of its antivirus software. In addition, enterprises can deploy full whitelisting that combines the company's own whitelists with Kaspersky's cloud-based whitelist and allows the company to set rules as to which types of applications are allowed.
Advanced endpoint protection vendors also offer dynamic whitelisting as part of their product suites, including Trend Micro, Carbon Black, Lumension and Digital Guardian.
In addition, Microsoft has been updating its own whitelisting toolset. In Windows 10, enterprises have more configuration options to create whitelists based on rules such as whether the software comes from a trusted source. It's not yet a full dynamic whitelisting solution, but is a step in that direction.
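The Windows 10 rule-based whitelisting mentioned above is exposed through AppLocker. The following is an added example, not code from the article or from Microsoft, of how an administrator builds a "trusted source" allowlist from publisher signatures, checks a download against it, and rolls it out in audit mode before enforcing. The output path, the candidate file path and the directories scanned are assumptions for this environment; the cmdlets, event IDs and service name are AppLocker's own.

```powershell
# Added example (not from the article): publisher-based allowlist with AppLocker.
# Assumes Windows 10 Enterprise/Education, an elevated PowerShell session, and
# that the paths below are placeholders for this environment.

$policyPath = 'C:\Temp\allowlist-policy.xml'   # placeholder output path

# 1. Inventory installed binaries. The Windows directory must be included:
#    an allowlist that omits the OS's own files blocks the system itself.
$files = @(
    Get-AppLockerFileInformation -Directory 'C:\Windows' -Recurse -FileType Exe, Dll
    Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe, Dll
)

# 2. Prefer publisher rules (the "trusted source" check: a valid signature from a
#    known vendor) and fall back to a hash rule only for unsigned files.
#    -Optimize collapses rules from the same publisher into one.
$files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix 'Allow' -Optimize -IgnoreMissingFileInformation -Xml |
    Out-File -Encoding utf8 $policyPath

# 3. Start in AuditOnly: nothing is blocked, but every decision is logged, so
#    gaps in the allowlist show up before users are locked out.
$xml = [xml](Get-Content $policyPath)
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$xml.Save($policyPath)

# 4. Dry-run a freshly downloaded file against the policy before applying it.
#    PolicyDecision is Allowed, Denied or DeniedByDefault (no rule matched).
$candidate = "$env:USERPROFILE\Downloads\newtool.exe"   # placeholder
if (Test-Path $candidate) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidate -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# 5. Apply locally (use -Ldap to target a GPO instead). Rules are only evaluated
#    while the Application Identity service runs, so make it start automatically.
Set-AppLockerPolicy -XmlPolicy $policyPath
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 6. Review the audit trail: 8003 = would have been blocked (AuditOnly),
#    8004 = blocked (Enforce). These are the files the allowlist still misses.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object TimeCreated, Id, Message -First 20
```

Only after the 8003 events stop appearing for legitimate software should the `EnforcementMode` attribute be changed to `Enabled` and the policy reapplied; the decision is still static, which is why the article describes this as a step toward, rather than a full, dynamic whitelisting solution.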
Time to change the paradigm
What it all comes down to is that the old approach of spotting and blocking malicious software may have reached its limits. "Fundamentally, we need to change the way we interact with the Internet," says Frank Dickson, research director, worldwide security products at Framingham, Mass.-based International Data Corp. "This whole reactive approach we've taken for years just doesn't work."
Isolation technology is a good solution for when users want to surf the web or check their email, and might be visiting malicious sites or accidentally downloading infected attachments. Virtual endpoints can be set up either in the cloud or locally, on the user's machine. "If I download something bad, and it totally wrecks that virtual endpoint, that's okay," he says. "At the end of my browsing session, I close it down, and it's destroyed. It creates an isolation layer."