November 20, 2008 1:42 PM PST

Is white listing going mainstream?

by Robert Vamosi

White lists will be on every desktop within the next five years, according to Patrick Morley, CEO of Massachusetts-based Bit9. Morley was in town to address the Dow Jones VentureWire Technology Showcase in Redwood City, Calif., on Tuesday. He stopped by CNET News afterward to discuss why he believes white listing will be important in the next few years.

The basic idea behind "white listing" is to define a set of software and a set of vendors, and to allow only those trusted applications, or files from those vendors, to run on your machine. If a file or application is not approved, it will not run. This is the opposite of how we've blocked malware from our machines in the past: antivirus products try to enumerate the bad, as a blacklist of signatures, and let everything else run.

Patrick Morley, CEO of Bit9, believes white listing will be important in the next few years. (Photo credit: Bit9)

Of the more than 1 million viruses detected by antivirus vendors last year, more than two-thirds were new. Loading 1 million antivirus signatures (or even a fraction of that, if generic signatures are used) onto every machine is a serious undertaking. The idea with white listing is instead to identify the applications and files we know to be good, which, in theory, should number considerably fewer than a million.

Over the years Bit9 has built one of the largest catalogs of "known good" and "known bad" applications. Its Global Software Registry (GSR) serves as the policy enforcement center for Bit9's enterprise offerings, whose customers range from Fortune 100 companies to retailers such as Marks & Spencer, 7-Eleven, and Ritz Camera.

Morley told me his company will continue to concentrate on enterprise solutions, but it is open to licensing agreements with consumer security companies. Already one agreement is public: Kaspersky is using a limited subset of the Bit9 GSR in its Kaspersky Anti-Virus 2009 and Kaspersky Internet Security 2009 products.

The challenge with commercial applications, Morley said, is not to turn the end user into a system administrator. In this case, Kaspersky made the policy decisions for the end user, and allows the more advanced end user to customize the settings based on an overall comfort level rather than on individual files.

During our talk, Morley took issue with antivirus vendors who say they too have white listing within their products. He said most have lists of good and bad software, but that they stop monitoring an application after checking it once.

And many of the antivirus products use community feedback to determine reputation. So if 1,500 users have a given file on their PCs, then Symantec, for example, is going to be more inclined to say that file probably belongs on a person's desktop. Symantec says community feedback is just one of the criteria; there are also researchers who confirm the reputation of a file.

"We look at the executable," Morley said. This gives Bit9 the ability to block an application even after it has launched, and then to pass that knowledge to all its customers so everyone is protected.
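The two mechanisms described above, a content-keyed white list with default deny, and revocation that reaches programs that are already running, in a worked example. This is an added illustration in Go, not Bit9's code: the Policy type, its methods and the byte strings standing in for executables are all constructed for this page. It also answers an objection a reader raises in the comments, that malware might "pretend" to be legitimate software: a file is identified by the SHA-256 of its bytes, so renaming a trusted binary changes nothing, and altering a trusted binary's contents turns it into an unknown that the default-deny rule blocks.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Verdict is the outcome of an execution request under a default-deny policy.
type Verdict string

const (
	Allow Verdict = "allow"
	Deny  Verdict = "deny"
)

// Policy is a white list keyed on file content, not file name: the SHA-256
// digests an administrator has approved, plus digests revoked afterwards.
// Hypothetical API constructed for this example; Bit9's product is not shown.
type Policy struct {
	approved map[string]string // digest -> label given at approval time
	revoked  map[string]string // digest -> reason for revocation
}

func NewPolicy() *Policy {
	return &Policy{approved: map[string]string{}, revoked: map[string]string{}}
}

// Digest is the identity of an executable: hex SHA-256 of its bytes.
func Digest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// Approve records a file's digest as trusted and returns that digest.
func (p *Policy) Approve(content []byte, label string) string {
	d := Digest(content)
	p.approved[d] = label
	return d
}

// Revoke withdraws trust from a digest that was approved earlier.
func (p *Policy) Revoke(digest, reason string) {
	delete(p.approved, digest)
	p.revoked[digest] = reason
}

// Evaluate decides whether a file may run. The file name appears only in the
// explanation; the verdict depends solely on the digest, so a renamed copy of a
// trusted binary still runs and a trojaned file with a trusted name does not.
func (p *Policy) Evaluate(name string, content []byte) (Verdict, string) {
	d := Digest(content)
	if reason, ok := p.revoked[d]; ok {
		return Deny, fmt.Sprintf("%s: revoked (%s)", name, reason)
	}
	if label, ok := p.approved[d]; ok {
		return Allow, fmt.Sprintf("%s: approved as %q", name, label)
	}
	return Deny, fmt.Sprintf("%s: unknown digest %s...", name, d[:12])
}

// Process stands in for a running program: its name and its digest at launch.
type Process struct {
	Name   string
	Digest string
}

// Sweep re-checks running processes against the current policy. A one-time
// check at launch cannot stop a binary whose digest is revoked later; this can.
func (p *Policy) Sweep(procs []Process) []string {
	var terminate []string
	for _, pr := range procs {
		if _, ok := p.approved[pr.Digest]; !ok {
			terminate = append(terminate, pr.Name)
		}
	}
	return terminate
}

func main() {
	// Constructed sample "executables": byte strings stand in for real binaries.
	editor := []byte("MZ editor v1.0 (constructed sample)")
	updater := []byte("MZ updater v2.3 (constructed sample)")
	trojaned := append(append([]byte{}, editor...), []byte(" + injected payload")...)

	pol := NewPolicy()
	pol.Approve(editor, "Editor 1.0")
	updDigest := pol.Approve(updater, "Updater 2.3")

	requests := []struct {
		name string
		body []byte
	}{
		{"editor.exe", editor},
		{"notepad.exe", editor},                     // renamed copy: same content, still allowed
		{"editor.exe", trojaned},                    // trusted name, different content: denied
		{"game.exe", []byte("MZ never seen before")}, // never approved: default deny
	}
	for _, r := range requests {
		v, why := pol.Evaluate(r.name, r.body)
		fmt.Printf("%-5s %s\n", v, why)
	}

	// The vendor later reports the updater build as compromised: revoke it and
	// sweep the process table so the copy that is already running is stopped too.
	running := []Process{{"updater.exe", updDigest}, {"editor.exe", Digest(editor)}}
	pol.Revoke(updDigest, "vendor reported compromised build")
	fmt.Println("terminate:", pol.Sweep(running))
}
```

The decision never consults the file name, which is the property that makes a white list resistant to the "pretend to be something legit" attack; what it does not cover is a trusted program being abused at runtime (a script interpreter or a document viewer that is itself on the list), which is why real deployments pair the list with policy on what those programs may do.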

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
13 Comments
by Pete Bardo November 20, 2008 2:16 PM PST
This should go a long way in guaranteeing that the big players in software will swallow up the freelance developers and small guys. That would really be something special.
by QMT November 20, 2008 3:20 PM PST
This whole idea reeks of vendor lock-in.
Turning the PC into an iPhone or videogame console is a terrible idea.
by Penguinisto November 20, 2008 2:50 PM PST
Err, where is that dusty old copy of the ASCII "your idea will not work because..." checklist?

Seriously - when malware can dodge heuristics and fake checksum reporting, what makes you think that malware will simply not be able to pretend that it's a piece of something legit?

re: "Of the more than 1 million viruses detected by antivirus vendors last year, more than two-thirds were new. "

And roughly 99.9999+% of them were written for one platform - Windows. I'm thinking that, QED, the problem lies not with malware detection and avoidance, but with the one environment that fosters it more often than any other...
by demecles November 20, 2008 3:05 PM PST
Or, of course, since roughly 99% of computers run Windows, it also follows that 99% of viruses are written for that platform. Why write viruses (or anything, for that matter) for software that (statistically) no one uses?
by Penguinisto November 20, 2008 3:34 PM PST
That's the funny part about the whole 'marketshare' logic attempt: Apple holds ~10% marketshare. Linux about 5% (not counting public-facing servers), but both Linux's and OSX's marketshare are a LOT bigger than the percentage of malware written for them. You'd think it were equally proportional, ne?

The last bit of even halfway usable Linux malware came out in roughly 2000. OSX has one, with roughly 4 variants of it... in eight years. Call it 5 total, all trojans. For argument's sake, let's just call Windows' share of viruses at around one million, as mentioned in the article (though IMHO that's probably on the low side).

So... what percentage of one million would "6" be? and why does it not match up with the marketshare figures vis-a-vis Windows vs. OSX vs. Linux?
by demecles November 21, 2008 1:06 PM PST
The percentages of viruses to usage do not have to match up, since virus output is usually commercial in nature (i.e. zombie nets for spam and DDOS attacks); therefore, the financial incentive is much higher. Trying to infect millions of computers is a far more successful tactic than hundreds of thousands.
Think of it as spam logic. Any given virus will only infect a small number of any given population. Even if the infection rate is as high as 10 or 20 percent, would you rather reach 10 or 20 percent of 99% (or 85% using your figures) of computers, or 10 or 20 percent of 5 or 10 percent of available computers? Simple economics answers that question. You go where the money is, and there are simply not enough Mac or Linux users at this point to create a viable virus "market", given that for each success there are many failures.
by Yeehaa123 November 20, 2008 3:28 PM PST
Penguinisto, most target one platform (Windows) because it's the most widely used and so popular, period. If that was the case with a Linux distribution or Mac OSX, then it would be the target, simple.

As for this "person" from Bit9 making self-serving predictions (what a surprise, and don't you love it when they do that), it has a snowball's hope in hell.

No surprise CNET would turn something like this into "news". I'd be surprised if this comment stays up long enough for anyone to read; since they can't fire me, they'll have to delete my criticism towards them.
by MSSlayer December 11, 2008 10:03 AM PST
Then why is Windows Server the most exploited server and not Apache?

Why did OS9 have a significantly smaller marketshare than OSX, yet have significantly more malware?

Market share has nothing to do with security. Windows is successfully attacked more because it is the easiest, period.
by rishi2solidcore November 20, 2008 3:39 PM PST
I completely agree with the arguments used in this article against the antivirus approach and how the traditional blacklisting approach will not work. But I think the question is whether the traditional whitelist approach would work.

Looking under the hood of the above argument:

Quote started: "Of the more than 1 million viruses detected by antivirus vendors last year, more than two-thirds were new. Loading 1 million antivirus signatures (or even a percentage of that if generic signatures are used) is a pretty serious undertaking.

The idea with white listing is to identify the applications and files we know to be good, which, in theory, should be considerably less than a million.
Over the years Bit9 has created one of the largest catalogs of "known good" and "known bad" applications."

First of all, as stated above, the size of the signature database is an issue today, and now the whitelist signatures will grow as fast. Are we going to write less software or more? How do we propose to restrict the legit software to some number less than a million (even in theory, as stated above)?

I have a fundamental issue with anything that checks against a standard database. No approach that compares to a big database can be scalable and long lasting.

So what are our options? ...

- Rishi
Director, Product Management
Solidcore Systems Inc.
blog.solidcore.com
by wyattstarnes November 21, 2008 12:14 AM PST
Rishi:

Ok, so it seems like we have a bit of agreement in this thread:

> Blacklist is a dead-end street
> Carrying a "big list", black or "white list", is a burdensome endeavor

To your question:

"What are our options?" Let me offer:

IT systems MUST get smarter by design. If a computer is allowed (by the hardware and software) to run anything within the runtime syntax of the compute device, it will eventually run something dangerous (or more often, just wrong or improper for the purpose, user, domain, permissions, etc)

So perhaps it's not just about catching malicious code (we should do as good a job as we can), but more about assembling trusted code sets for the compute purpose and setting, and then training our operating system and hardware to run the code sets that WE (the user) say are acceptable for our purpose.

Black lists and white lists do different things, and both are important! The "this one is better than that one" argument is just silly. They overlap a bit perhaps, but let's be clear: they address different issues.

Solving all of this is an eco-system play at the end of the day. Until the software suppliers (ISVs) and hardware providers (Intel, etc.) ensure that their compute elements are "code aware", I don't believe this is a solvable problem by ANY 3rd party provider.

When they (the H/W and S/W heavyweights) get serious, we have a decent shot at creating a policy-driven immune system for safer computing. Until they do, this is all academic IMHO.

A major eco-system enabler for all of this will be a 3rd party vendor of platform agnostic trusted software measurements (hashed code value sets that include provenance attributes).

(Ok, I admit that was self-serving........:-) )

So our options are:

> We continue to address the "symptoms"...(bad choice)
> Or the platform and OS owners fix the "problems" (good choice)
> And new vendors and eco-systems emerge in support of the platform/OS folks. (no comment)

And while on the Bit9 subject: just what is a "Graylist"?

Is that "I think it might be good"?

I would suggest a more definitive approach is where the ISVs pass THEIR definitive expression of trust for the code that they built (provenance) to a vendor that creates a 3rd party eco-system to transfer that trust to the compute platforms, and ultimately to the user. Supplemental methods will be required to fill any gaps, including domain- and device-specific software expressions.

And to this infinite vs. finite conundrum:

> Black list methods are infinite by definition.
> White list methods, properly defined, are finite.
> Gray list is the unspecific (and is at best of marginal value as methods evolve).

Let's keep in mind that the goal is not to capture 100% of the white list world, rather to capture and validate 100% of what our users care about and can really trust. And then to create methods and policies to make sure that trusted code sets are invoked for the desired purposes and environments.

So, yes Rishi, there ARE viable options - but they are "heavy lift" and will require us all to "think differently" (sorry for the plagiary, Apple).

So in conclusion, let me change the question if I may:

Do we really have any choice ?
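The provenance idea in the comment above, an ISV passing its own signed statement of which builds it shipped to a registry that verifies before trusting, in concrete form. This is an added example in Go, not the commenter's product or Bit9's code: the Manifest format, the Registry API, the Ed25519 choice (taken only because it is in Go's standard library) and the sample keys and files are assumptions made for this page. The point it makes beyond the comment is the failure mode: a manifest whose digests are altered after signing, or one presented by a publisher the platform never enrolled, admits nothing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is an ISV's statement of provenance: "these digests are builds I shipped."
// Hypothetical format; nothing on the page specifies how such a statement looks.
type Manifest struct {
	Publisher string            `json:"publisher"`
	Product   string            `json:"product"`
	Version   string            `json:"version"`
	Files     map[string]string `json:"files"` // relative path -> hex SHA-256
}

// DigestHex returns the hex SHA-256 of a file's bytes.
func DigestHex(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// canonical serialises the manifest deterministically so signer and verifier sign
// and check identical bytes; encoding/json keeps struct field order and sorts map keys.
func (m Manifest) canonical() ([]byte, error) {
	return json.Marshal(m)
}

// SignManifest is the ISV's side: an Ed25519 signature over the canonical bytes.
func SignManifest(priv ed25519.PrivateKey, m Manifest) ([]byte, error) {
	b, err := m.canonical()
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, b), nil
}

// Registry is the platform's side: the publisher keys it already trusts (the
// out-of-band trust anchor) and the digests admitted through valid manifests.
type Registry struct {
	keys    map[string]ed25519.PublicKey
	allowed map[string]string // digest -> "publisher/product/version"
}

func NewRegistry() *Registry {
	return &Registry{keys: map[string]ed25519.PublicKey{}, allowed: map[string]string{}}
}

// TrustPublisher enrols a publisher's verification key.
func (r *Registry) TrustPublisher(name string, pub ed25519.PublicKey) {
	r.keys[name] = pub
}

// Admit verifies the signature against the enrolled key before any digest enters
// the allow list. An unknown publisher, or a manifest altered after signing,
// contributes nothing. It returns the number of digests admitted.
func (r *Registry) Admit(m Manifest, sig []byte) (int, error) {
	pub, ok := r.keys[m.Publisher]
	if !ok {
		return 0, fmt.Errorf("publisher %q is not enrolled", m.Publisher)
	}
	b, err := m.canonical()
	if err != nil {
		return 0, err
	}
	if !ed25519.Verify(pub, b, sig) {
		return 0, errors.New("signature does not match manifest contents")
	}
	for _, d := range m.Files {
		r.allowed[d] = m.Publisher + "/" + m.Product + "/" + m.Version
	}
	return len(m.Files), nil
}

// Provenance answers the question a white list needs answered at execution time:
// who vouched for this exact content, if anyone?
func (r *Registry) Provenance(content []byte) (string, bool) {
	p, ok := r.allowed[DigestHex(content)]
	return p, ok
}

func main() {
	// Constructed sample: an ISV key pair and two "build" files as byte strings.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	widget := []byte("MZ widget 1.0 (constructed sample)")
	helper := []byte("MZ widget-helper 1.0 (constructed sample)")
	m := Manifest{Publisher: "Acme", Product: "Widget", Version: "1.0",
		Files: map[string]string{"bin/widget": DigestHex(widget), "bin/helper": DigestHex(helper)}}
	sig, _ := SignManifest(priv, m)

	reg := NewRegistry()
	if _, err := reg.Admit(m, sig); err != nil {
		fmt.Println("before enrolment:", err)
	}
	reg.TrustPublisher("Acme", pub)
	n, err := reg.Admit(m, sig)
	fmt.Println("after enrolment: admitted", n, "digests, err =", err)

	// An attacker swaps one digest for their own payload but cannot re-sign.
	forged := m
	forged.Files = map[string]string{"bin/widget": DigestHex([]byte("MZ payload"))}
	if _, err := reg.Admit(forged, sig); err != nil {
		fmt.Println("forged manifest:", err)
	}
	for _, f := range [][]byte{widget, []byte("MZ payload")} {
		p, ok := reg.Provenance(f)
		fmt.Printf("%q -> provenance=%q vouched=%v\n", f, p, ok)
	}
}
```

Enrolling the publisher's key is the step that cannot be automated away: it is where the platform owner decides whom to trust, and a registry that accepted any self-asserted key would reduce the whole scheme to a list of digests anyone could extend.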
by fishman555 November 22, 2008 1:25 AM PST
They are never going to fix it and I don't want them to... whitelisting, blacklisting, certificates, phishing filter... what's next? If people weren't so dumb they wouldn't get in trouble. Let's face this fact: this "problem" is only so because people are DUMBER THAN ROCKS when it comes to technology.

I see corporations trying to enclose the internet already since they've lost control. You don't get spyware or malware if you don't download it and have secured your network with a decent firewall. The real problem is TCP/IP protocol and the allowing of zombie machines, it has no "intelligence", all one really needs is to be able to shut down connections remotely at the ISP end of infected machines.

You'll never prevent infections because of stupid users but you can stop them from spreading pro-actively. Any attempt to enclose the PC will move people to linux in droves and away from microsoft, thank god we have options.
by bit9 November 24, 2008 10:05 AM PST
I'm seeing a few outdated misconceptions, and a couple of points made above that we can help clarify:

Regarding the Bit9 Global Software Registry: the Bit9 GSR is used as a look-up service - in the cloud - for enterprises that want to identify unknown applications. It provides reputation ratings for applications, which are classified by hash. This is completely different from an enterprise's white list of good applications that are allowed to execute. The enterprise decides what applications are included on their white list and which ones are acceptable according to company policy.

The Bit9 GSR is extremely helpful as a service for IT, security, audit and compliance professionals who are deploying white listing protection and want to find out what is on their endpoints. It is an eye-opening experience discovering all the applications that are on an enterprise's endpoints. IT professionals often find something and have no idea what it is. Think of the GSR as the Yellow Pages or Consumer Reports for trusted applications.

What's clear is that the blacklist-only approach to IT security is quickly becoming extinct. There's just no way to test, catalog, update, patch and scan our way to protection from malware using antivirus signatures. If there were antivirus signature updates being pushed across enterprise networks every time a virus mutated, the signature files would cause more network slowdowns than the viruses themselves.

- Kate
Director, Marketing
Bit9, Inc.
by MSSlayer December 11, 2008 10:10 AM PST
At least half, if not more of the exploits require absolutely no user intervention.

Granted, most computer users have no business using a computer, especially not one as insecure and user unfriendly as Windows.

Personally, I think that people should have to go through some certification to even own a computer, much less use one. That would be a step in the right direction. Moving corporate machines to Linux or OSX would solve 90% of the security issues, but corporations don't take security seriously until it is too late. Security should be a proactive exercise, not the Keystone Cops reactive one that it is right now.

As far as whitelists go, they are significantly better than relying on a blacklist that will always be behind the curve. They have caught on with firewalls: shut everything off, and open ports on a case-by-case basis.