Blacklisting and Whitelisting: What Color Is Security?
Blacklisting is a common security tactic -- information about a known bit of malware is distributed, and endpoint security tools search and destroy. Conversely, another approach called "whitelisting" only permits known safe programs to run at all. It can be a sturdy layer of extra protection; however, the system lock-down that sometimes results can be a pain for IT admins to manage.
01/01/09 8:00 AM PT
This story was originally published on Oct. 9, 2008, and is brought to you today as part of our Best of ECT News series.
For many businesses, keeping computers out of harm's way is a full-time job. IT departments spend increasing amounts of resources keeping out the bad stuff or finding and removing it when malware does slip in from careless users or sloppy adherence to best practices. Viruses, spyware, Trojans and many more unwanted programs can cause serious damage to a computer, or an entire network.
The most common prevention method for dealing with malware is the process known as "blacklisting." Antivirus and antispyware applications, armed with signature-matching databases and resource-hungry scanning engines, look for unwanted programs and remove them from memory and the hard drive when -- and if -- they're detected.
However, as intrusive software deployment becomes more sophisticated and more widespread, some security vendors are promoting a change in tactics. Why wait for a bad program to run at all, they argue? Instead, a technique known as "whitelisting" only permits approved software to install and run. Products that are not on the control list trigger a lockdown of the computer.
"Blocking the bad just doesn't work anymore. That's the old model under blacklisting. Whitelisting flips upside down the problem and only lets run what is listed as approved," Brian Hazzard, director of product management for security firm Bit9, told TechNewsWorld.
Shades of Gray
The earliest form of whitelisting was used in firewalls. The firewall on an enterprise network served as a gatekeeper, loaded with a list of approved programs. Even some consumer-grade Internet security suites include a firewall component with a whitelist feature for programs seeking outgoing Internet access.
The white-over-black methodology, in theory, means that if only approved products can run, computer users can send their system-slowing antivirus and antispyware products to the trash bin. However, most proponents of whitelisting do not recommend actually doing that. Naturally, traditional security software vendors also question the wisdom of trashing other security products, suggesting that not using antivirus and antispyware apps is much like surfing the Web without a firewall for safety.
Different whitelisting products use a variety of strategies to block executable files from running. Some whitelisting products provide alternatives to total system lockdown if the whitelist is violated. So vendors are developing their own shades of white.
"Whitelisting is not the Holy Grail of computer security that vendors preach. It is not bulletproof. The malware issue doesn't go away. Whitelisting limits the access curve, though, so it does help," Dirk Morris, CTO at network security software maker Untangle, told TechNewsWorld.
The approach Bit9 takes with Parity offers enterprise users the ability to automatically whitelist applications and devices. All other applications, including malware and unauthorized software, will not execute on endpoints.
Most businesses have a good idea about what software their workers need. So Bit9 developed an adaptive whitelist strategy.
"We provide a two-part process. One is the Global Software Registry. The other is the Automatic Software Acceptance done through our repository," said Hazzard.
The proprietary Global Software Registry is an online index of over 6 billion files. This list contains over 10 million unique applications. The registry acts as a reference library for IT administrators building their whitelists.
Security appliance vendor CoreTrace puts a twist on the whitelist approach. CoreTrace's Bouncer acts much like a security heavy at the door of a nightclub. Those not on the list don't get in at all. Enterprise customers buy the appliance from CoreTrace and install it on their end. Embedded code on each computer talks to the appliance.
Bouncer enables IT departments to predefine multiple trusted sources for new software. Users can safely install applications from those sources and have them automatically added to the whitelist without any further IT involvement required.
This feature is called "Trusted Change." With it, Bouncer simultaneously stops bad applications and allows users to do their own installation of known safe programs. This approach can significantly reduce a company's total cost of ownership for every desktop, laptop or server covered, according to the company.
"We designed an infrastructure under the hard drive that makes it unspoofable," Toney Jennings, CEO of CoreTrace, told TechNewsWorld. "Traditionally, whitelisting's strength -- system lockdown -- is its chief weakness. Our solution is to avoid the lockdown response by letting IT specify where users can get new applications. This trusted source is a very different paradigm. It requires a one-time setup. The change is then transparent."
The Bouncer software sits in the kernel space of the endpoint computers, much like a software driver. This is a very small piece of code that does not impact resources, explained Jennings.
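As an added illustration (not code from Bit9, CoreTrace or any other vendor quoted here), the following sketch contrasts the default-allow blacklist model with the default-deny whitelist model and shows how a predefined trusted source can extend the whitelist without an IT request. It assumes signatures are reduced to whole-file SHA-256 hashes; the sample byte strings and the source name `it-software-share` are constructed for the example.

```python
import hashlib

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed byte strings standing in for executables (not real files).
SAMPLES = {
    "office_app": b"constructed: approved office application",
    "known_malware": b"constructed: sample already in the signature database",
    "new_variant": b"constructed: sample not yet in any signature database",
    "new_tool": b"constructed: legitimate tool a user wants to install",
}

class Blacklist:
    """Default-allow: everything runs unless its hash is a known-bad signature."""
    def __init__(self, signatures):
        self.signatures = set(signatures)
    def may_run(self, data: bytes) -> bool:
        return digest(data) not in self.signatures

class Whitelist:
    """Default-deny: only approved hashes run; trusted sources extend the list."""
    def __init__(self, approved, trusted_sources):
        self.approved = set(approved)
        self.trusted_sources = set(trusted_sources)
    def install(self, data: bytes, source: str) -> bool:
        # Auto-approve only when the installer came from a source IT predefined.
        if source in self.trusted_sources:
            self.approved.add(digest(data))
            return True
        return False
    def may_run(self, data: bytes) -> bool:
        return digest(data) in self.approved

def compare():
    bl = Blacklist([digest(SAMPLES["known_malware"])])
    # "it-software-share" is a hypothetical trusted source name.
    wl = Whitelist([digest(SAMPLES["office_app"])], ["it-software-share"])
    before = {n: (bl.may_run(d), wl.may_run(d)) for n, d in SAMPLES.items()}
    installed = wl.install(SAMPLES["new_tool"], "it-software-share")
    rejected = wl.install(SAMPLES["new_variant"], "email-attachment")
    after = {n: (bl.may_run(d), wl.may_run(d)) for n, d in SAMPLES.items()}
    return before, after, installed, rejected

if __name__ == "__main__":
    before, after, _, _ = compare()
    for name in SAMPLES:
        print(f"{name:14} (blacklist, whitelist) before={before[name]} after={after[name]}")
```

The unknown variant runs under the blacklist but never under the whitelist, while the legitimate new tool is blocked by the whitelist until it is installed from the trusted source.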
'KIS' the Bad Stuff Goodbye
Software security vendor Kaspersky offers both blacklisting and whitelisting for consumers in one package. Kaspersky Internet Security 2009, released last August, uses Bit9's Global Software Registry ratings and adds its own customer information to enhance the whitelist.
"We still use blacklisting used in current-generation antivirus and antimalware products and add the next-generation whitelisting technology. We are the only ones doing both approaches in one product," Jeff Aliber, senior director of product marketing and management at Kaspersky Lab Americas, told TechNewsWorld.
Kaspersky sends user submissions of suspicious software to its virus analysts. Confirmed rogue code is added to Kaspersky's urgent detection system and sent to users via ongoing hourly updates.
"The user has protections sitting on the computer plus real-time cloud updating. It's sort of a Web 2.0 mash-up," said Aliber.
Adoption Rate Slow
Not all enterprises and small businesses have been positively rushing to adopt whitelisting, according to Untangle's Morris. Some view it as too restrictive.
About three years ago, as spyware became more prominent, Untangle thought the concept of locking down machines -- which is what whitelisting does -- would be the ideal business solution. But the company hasn't seen widespread adoption.
"We found that IT sees whitelisting as too much of a pain to lock down a machine and give the approval authority to one person. That's the same response that SMBs have to it. For many businesses, it presents too much of a productivity loss in maintaining it," he said.
Pricing and Availability
Bit9's Parity product costs US$40 per endpoint, scaled for volume.
CoreTrace's Bouncer is priced per seat for a perpetual license. The company did not provide the dollar amount. CoreTrace may add a Software as a Service offering in the future.
Kaspersky's Internet Security 2009 costs consumers $79.95 for three user licenses. The company plans to offer an enterprise product in 2009.