

The Groundswell Begins:

Stand on the observation deck of the Empire State Building on a quiet spring evening and you can almost hear them whispering.

Who? Security analysts and end-users.

What are they saying? "Blacklist anti-virus technology is dead."

Somewhere in the distance a hacker laughs and a CSO wails.

It doesn't take a lot of searching on the Internet to find articles and reports from analyst firms like Hurwitz, Gartner, and Yankee clearly detailing the impending demise of traditional anti-virus technology. The evidence is certainly mounting, the results damning and sentiment railing against the very solutions that had "protected us" for years! With each new viral exploit and hack it is clear that traditional solutions are able neither to deter nor to protect our infrastructures from the proliferation of new attacks. It is no secret that inoculation databases are bloated and growing. McAfee made the prediction that by the year 2008 their databases will contain over 400,000 inoculations. Recent studies by Yankee showed that databases average 9Mb in size, causing the scan of a 100,000-file system to take 90 minutes or more and inflicting considerable impact on CPU cycles. Couple this with the explosive growth of disk space and the increase in malware variants, and the death knell rings.

These same analysts also go on to say that the answer to the problem is HIPS, Host Intrusion Prevention Systems, also known to many in the industry as "whitelisting". For all intents and purposes, these statements are correct...for the most part. The problem lies in the inclination to take a purist view of the effectiveness and use of black versus white technologies. By not fully understanding the underlying strengths and weaknesses of each approach, we omit powerful weapons in the war against viral intrusion.

Blacklisting: The Weaknesses

At the risk of making blatant statements of the obvious, consider what most security professionals know to be the Achilles' heel(s) of blacklisting.

Time

Marketing managers call this weakness the Zero Day problem. Blacklisting technology is unfortunately a reactionary solution, meaning that it relies upon the discovery of a new viral exploit before it can provide a deterrent. Once detected, precious time ticks away as computer scientists trap, dissect and characterize the virus in order to release a new inoculation or heuristic. Once developed, more time is accrued waiting for the new cure to be disseminated, deployed and scanned through petabytes of disk space. Time is clearly the friend of hackers, not CSOs, as downtime is critically calculated in hours and dollars spent.

Sacrificial

The often ignored and yet potentially more detrimental aspect of this approach is the necessity of sacrificing a "few" in order to protect the many. New viruses and attack vectors typically don't announce themselves; rather, their presence is manifest only once their impact reaches a significant and critical level. This is of no consolation to the hundreds or thousands of systems first infected by the unknown intruder.

Expensive

As in any business, the cost of creating goods, providing services and maintaining a product is always passed on to the consumer. Constant vigilance has a significant price attached to it! The cost of analyzing billions of data packets, maintaining countless honeypots, and constructing the actual inoculation is eventually going to reach the consumer's wallet. As the number of hacker exploits rises, so too do the costs of deterrence escalate. Simultaneously and in opposition, market dynamics commoditize these same products, reducing profit margins and forcing A/V vendors to cut costs, thus negatively impacting effectiveness.

Cycle Stealing

Regardless of the computing power built into a system, blacklisting technology not only robs systems of critical CPU cycles but also heavily impacts disk I/O through scanning. Gains in CPU power, bus speed, and I/O have been offset by the growth in virus definition/inoculation databases as well as the data volumes requiring scanning.

Whitelisting: The Weaknesses

Embracing the premise that whitelisting is the next nirvana can be just as dangerous as believing that blacklisting is dead. Consider the following:

Friendly Fire

Everyone knows a coworker who simply lacks the experience or savvy to understand the ramifications of downloading everything and anything that comes their way. For these individuals even the most intuitive solutions will be rendered ineffective. Whitelisting solutions, although straightforward in approach, demand that the user have some level of experience, as interceptions of new malware usually require direct interaction with the user. That casual user is now faced with a decision: "Is the intercepted file friend or foe?" Depending upon the choice that is made, the result is either a solution or a problem.

Provisioning Systems

Corporations looking to deploy whitelisting technology are faced with the daunting task of analyzing tens of thousands of systems in order to create both a system-specific and an enterprise-wide listing of approved applications. Without this effort, provisioning of certain whitelisting solutions is near impossible. Additionally, incomplete analysis can lead to the inadvertent approval of malicious software hidden amongst the good. Without a means to identify both, the deployment effort will be both cumbersome and ineffective.

Management Overhead

If implemented incorrectly, whitelisting approaches may sap precious time, energy, and funding. Whitelist technologies that are based on a client-server architecture rely heavily upon staff to manage and disseminate approved application signatures or push out rules. Both efforts are time intensive and will quickly dip deeply into IT budgets. These implementations are clearly expensive to roll out, costly to maintain, generate lots of inbound help desk activity, and, worst of all, are vulnerable to denial of service attacks and malicious code injection.

The Solution - Think Zebra

In reality, the analysts and industry experts are not wrong. Whitelisting is the only path forward, but what they neglect to recognize is that whitelisting alone will fail without the presence of a sustained and complementary blacklisting effort. A far stronger solution will be derived from the combined use of both technologies.

Whitelisting will, by the very nature of what it does, intercept anything new or unknown that comes along regardless of the delivery vector: email, browsing, media, etc.

Whitelisting addresses Zero Day issues by effectively closing the Release Day hole. It also provides time for the blacklisting technology to catch up (inoculations, rules or heuristics), which is critical to users who need additional information in order to respond appropriately to interceptions. Even if the decision is taken out of the end-users' hands and managed centrally, smart decision makers will do research before handing over the keys to the castle. This is one place where the blacklisting technology developed over the last decade excels. But there is more...

Traditional blacklisting technology enhances, and actually saves, whitelisting by virtue of its ability to clean systems of known malicious code before the systems are whitelisted. Corporations will invariably have "dirty" systems in their midst that must be cleansed. This is clearly a job for which traditional whitelisting is ill suited but in which blacklisting thrives. Only once the network is cleansed can whitelisting perform to its highest expectations and capabilities.

Enter the Zebra: an advanced security approach that embraces the best features and functionality of both. In the coming decade, the greatest hope corporations will have in defending their infrastructures against malware is to embrace a primarily whitelist solution that has the capability of employing a blacklisting technology on demand: a zebra, or hybrid, anti-malware solution. Not only is this excellent news for companies wishing to protect their investment in blacklisting technology, it allows the industry to move ahead without making the critical mistake of giving hackers the upper hand. By taking a purist's view of blacklisting versus whitelisting we will create opportunity for attackers to undermine both technologies, without doubt the greatest mistake the security industry could make. The wise choice is to embrace complementary technologies to fortify infrastructures on multiple levels. The wisest choice is to embrace solutions that have integrated the best of multiple technologies.
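The decision flow the hybrid approach implies can be made concrete. The following is an added example, not Savant Protection's code or any product described on this page: a minimal execution-control policy that builds its whitelist from a baseline inventory, consults a blacklist both during provisioning (so known-bad files hiding among the good are not inadvertently approved) and at execution time, and holds anything unknown for on-demand analysis rather than silently allowing or denying it. All file contents and hashes are constructed for the example.

```python
"""Hybrid ("zebra") allow/deny decision engine.

Added illustration; not the page's or any vendor's code. Every hash is
SHA-256 over constructed sample bytes, so the example runs offline.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"   # hash is on the whitelist (the clean baseline)
    BLOCK = "block"   # hash matches a blacklist signature
    HOLD = "hold"     # unknown: intercepted, awaiting on-demand analysis


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class HybridPolicy:
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    held: dict = field(default_factory=dict)   # hash -> content awaiting analysis

    def baseline(self, inventory: dict) -> list:
        """Provision the whitelist from a {path: content} system inventory.

        The blacklist is checked first: a "dirty" file found during
        provisioning is rejected instead of being approved as part of
        the baseline. Returns the paths that were rejected.
        """
        rejected = []
        for path, content in inventory.items():
            digest = sha256(content)
            if digest in self.blacklist:
                rejected.append(path)
            else:
                self.whitelist.add(digest)
        return rejected

    def evaluate(self, content: bytes) -> Verdict:
        """Decide whether a file may run. Unknown files are held, not guessed at."""
        digest = sha256(content)
        if digest in self.whitelist:
            return Verdict.ALLOW
        if digest in self.blacklist:
            return Verdict.BLOCK
        self.held[digest] = content
        return Verdict.HOLD

    def resolve(self, digest: str, malicious: bool) -> Verdict:
        """Apply the outcome of on-demand analysis to a held file.

        The analysis itself (signature or heuristic scan) is outside this
        example; its result is passed in as a boolean.
        """
        self.held.pop(digest)
        if malicious:
            self.blacklist.add(digest)
            return Verdict.BLOCK
        self.whitelist.add(digest)
        return Verdict.ALLOW


def demo() -> dict:
    """Walk one provisioning-then-runtime cycle on constructed sample files."""
    known_bad = b"constructed: known malware sample"
    good = b"constructed: approved business application"
    unknown = b"constructed: file never seen before"

    policy = HybridPolicy(blacklist={sha256(known_bad)})
    rejected = policy.baseline({"/opt/app/good.bin": good, "/tmp/dropper.bin": known_bad})

    return {
        "rejected_during_baseline": rejected,
        "good": policy.evaluate(good),
        "known_bad": policy.evaluate(known_bad),
        "unknown_first_seen": policy.evaluate(unknown),
        "unknown_after_analysis": policy.resolve(sha256(unknown), malicious=False),
        "unknown_second_seen": policy.evaluate(unknown),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of `HOLD` as a distinct verdict is the Friendly Fire and Release Day problems above: an unknown file is neither trusted nor blocked on the spot, and the blacklist-style analysis runs on demand before the whitelist is extended.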

Savant - Hybrid at its best

Savant provides the industry's only self-learning hybrid whitelisting technology. Designed to contain and eliminate the spread of any known or unknown malware, Savant creates an information assurance environment aimed at business continuity without the costly overhead of system scanning, whitelist deployment and management.

The security industry's first hybrid solution, Savant combines the strength of its preemptive spread mitigation technology with on-demand viral analysis. The Savant solution provides a robust tool for immediately determining the validity and safety of applications before allowing them access to computing cycles.

Savant provides dynamically enhanced operational control of enterprise security to the corporation in their battle against escalating hacker intrusions and mandates to keep system integrity at optimum levels.

About Savant Protection:

Savant Protection is the industry pioneer in preemptive malware spread mitigation and containment technology for all business environments. Founded in 2004, Savant Protection quickly established itself as an innovator in its approach to product development, design and the implementation of advanced technologies.

About Ken Steinberg:

Founder and CEO of Savant Protection, Ken brings a track record of over two decades in computing and high technology. As founder of the company, Steinberg has responsibility for its day-to-day operations, overall direction, as well as its technological and business strategies. Prior to Savant, he held senior positions with DEC, Hughes, Hitachi, Softbank and at the John Von Neumann Super Computing Center for the National Science Foundation.

A thought leader in the security/encryption field, Steinberg has addressed national conferences and tradeshows as well as being a columnist and contributing author to several regional newspapers and technology publications.


10 Nov 2010
