
Black versus white

Whitelisting is emerging as an attractive option for managing the malware threat.
By Dean Healy, Product manager at SecureData Security.
Johannesburg, 26 Jun 2008

Companies need to start considering adopting 'whitelisting' as part of their information security strategies to keep ahead of the growing threat that malware presents to their systems and data.

Traditional signature-based and even heuristic anti-virus approaches are struggling to keep pace with the flood of new malware variants that cyber-criminals are unleashing onto the Internet. In essence, the bad is now starting to outweigh the good.

The traditional approach to protecting data and systems from viruses, worms, spyware, and other malware and unauthorised applications is to 'blacklist' pieces of code that are known to be bad. By contrast, whitelisting allows only known, authorised applications to run on the computer. Everything else, including the latest malware strains, is prevented from executing.

The reason whitelisting is emerging as an attractive option for managing the malware threat is that the laboratories of the major anti-virus vendors are battling to keep up with the rapid introduction of new malware variants to the market, as well as the constant evolution of the forms that malicious code may take.

A new piece of malware may be in the wild for hours or even days before the anti-virus vendor can react with a signature update to prevent it from damaging its customers' systems, and by then cyber-criminals could have spawned hundreds of different variants. It simply makes more sense to maintain a whitelist of approved code than to manage this exponentially growing blacklist.

False positives

One Yankee Group report indicates that 62% of companies have suffered virus attacks, although 99% have anti-virus solutions in place. Because anti-virus solutions rely on recognising known code sequences and virus behaviour traits, new variants often slip through the net. In addition, many malware authors are now writing custom malware and testing it against popular anti-virus scanners before deploying it at their targets.

Heuristic solutions, which look for transmission, structure, behaviour and content patterns associated with malicious code, have been coming to the fore for a few years now and provide some protection against zero-day attacks. However, these solutions are still immature and often deliver false positives.

In this environment, whitelisting is as close to a bullet-proof defence against malware as one can find, no matter how quickly new variants emerge or mutate. As an added bonus, whitelisting can be used as a control mechanism to ensure users make use only of approved applications on company computers and cannot introduce peer-to-peer apps, chat or other unwelcome programs into the network.

Whitelisting has its own set of challenges. For it to be effective, companies need to inventory all applications and executables that end-users are allowed to use, and then keep this list up to date at all times. This can be especially time-consuming and challenging in a world where applications are frequently patched and updated.

In addition, many malware variants launch from within authorised applications such as Web browsers. A Java applet launched from within Internet Explorer, for example, may not be recognised as an application.
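The two challenges above, keeping the inventory current through patches and controlling content that runs inside an approved host, are illustrated by the following hash-based allowlist. This is an added example, not code from the article or from any product it mentions; the file contents are constructed sample bytes standing in for real executables and applets.

```python
import hashlib

# Constructed sample file contents standing in for real on-disk executables and applets.
FILES = {
    "/opt/office/writer.exe": b"writer build 1.0",
    "/opt/browser/ie.exe":    b"browser build 7.0",
    "/tmp/dropper.exe":       b"unknown code dropped by a phishing mail",
    "/tmp/applet.class":      b"applet fetched by the browser",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class Allowlist:
    """Default-deny execution policy keyed by content hash.

    Hashing the bytes (rather than trusting a path or file name) means a renamed
    copy of malware cannot borrow an approved program's identity, but it also
    means every vendor patch changes that identity and must be re-approved."""

    def __init__(self):
        self.approved = set()          # hashes of inventoried executables
        self.approved_content = set()  # hashes of inventoried scripts/applets

    def approve(self, data: bytes, hosted: bool = False) -> None:
        (self.approved_content if hosted else self.approved).add(sha256(data))

    def decide(self, exe: bytes, hosted_content: bytes = None, check_hosted: bool = True) -> str:
        """Return 'allow' or 'deny' for an execution request.

        With check_hosted=False only the host executable is inspected, so an
        applet loaded by an approved browser is never seen by the policy (the
        gap described above). With check_hosted=True the hosted content must
        also be inventoried before it may run."""
        if sha256(exe) not in self.approved:
            return "deny"
        if check_hosted and hosted_content is not None \
                and sha256(hosted_content) not in self.approved_content:
            return "deny"
        return "allow"

def demo() -> dict:
    policy = Allowlist()
    for path in ("/opt/office/writer.exe", "/opt/browser/ie.exe"):
        policy.approve(FILES[path])
    ie, applet = FILES["/opt/browser/ie.exe"], FILES["/tmp/applet.class"]
    results = {
        "writer": policy.decide(FILES["/opt/office/writer.exe"]),
        "dropper": policy.decide(FILES["/tmp/dropper.exe"]),
        "applet_host_only": policy.decide(ie, applet, check_hosted=False),  # slips through
        "applet": policy.decide(ie, applet),                                  # caught
    }
    patched = b"writer build 1.1"  # a vendor update changes the bytes, hence the hash
    results["writer_after_patch"] = policy.decide(patched)  # denied until re-inventoried
    policy.approve(patched)
    results["writer_reapproved"] = policy.decide(patched)
    return results
```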

It would be hasty to immediately discard all anti-virus products. Signature-based, heuristic and hopefully soon-to-be whitelist-based anti-virus solutions all have a role to play in a multilayered defence against new and existing malware threats. However, companies can no longer count only on traditional anti-virus software to protect them against zero-day attacks.

* Dean Healy is TrendMicro product manager at SecureData Security.