May 1, 2008 6:09 PM PDT

Bit9: Fighting malware with a white list

by Elinor Mills

In real-world physical security, companies screen the people who enter their buildings and admit only those who are authorized to be there, such as employees with badges and approved guests--a sort of white list for physical security.

But when it comes to distributing applications on their computer networks, corporations do the opposite and use blacklists that block some known malware but let everything else in. Because antivirus and other security software doesn't detect every malicious app out there, a lot of bad stuff ends up on employees' machines.

About 65 percent of the applications released to the public are malicious, according to Symantec. To combat that trend, Symantec CEO John Thompson predicted at the RSA 2008 conference last month that technologies like white listing would be critical in the future.

And Microsoft's David Cross, director of program management for Windows security, told the RSA crowd a few days later that there would be an increased emphasis in Vista on white listing.

This is good news for Bit9, a provider of software that helps enterprises prevent malware from being distributed on their networks.

"In the next two to four years, every PC will have a white list," said Patrick Morley, Bit9 chief executive and president.

Bit9 allows companies to create their own white list of software they will allow employees to run. They can lock down the computers so they run only the approved applications, set the software to block and alert the company when unapproved software is being downloaded, or simply monitor the situation.

"It doesn't work to let everything in and then try to figure out if it's bad software," Morley said in an interview.

Skeptical, I pointed out that there are varied needs within corporations and managing all the different requirements for individual employees and departments is already an IT headache. True, Morley said: "You can't stop people from doing the day-to-day work. It's got to be done in a way that's easy."

I asked security sage and notorious cynic Bruce Schneier to weigh in. "Seems like a really good idea," he wrote in an e-mail. "The whole idea of 'allow anything except what's on this list' doesn't work. It doesn't work for spam. It doesn't work for network perimeters. And it doesn't work for desktops."

What do you think?

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by BenjaminWright June 10, 2008 8:32 AM PDT
Elinor: Security technology changes constantly, but lawmakers treat it as static. New regulations from the Massachusetts Office of Consumer Affairs & Business Regulation say that if you store sensitive consumer data, you MUST have anti-virus software with "virus definitions". As we evolve away from definition-based protection, this regulator is locking us into it. Similarly, state legislatures are mandating "encryption" for security in ways that don't always make sense. --Ben http://hack-igations.blogspot.com/2008/02/encryption-legislation-goes-overboard.html
by benjaminstraight July 14, 2008 4:40 AM PDT
benjamin straight writes: Informative article.