Has the time come to dump anti-virus?

Ian Lee of Bit9 suggests that whitelisting rather than the traditional blacklisting of anti-virus might be the solution to BYOD security problems

One of the themes in infosec today, and certainly at Infosecurity Europe this week, is the new threat from the evolving BYOD environment. How can we protect the corporate server when we don't have control over the remote device?

Ian Lee of Bit9 suggests that whitelisting rather than the traditional blacklisting of anti-virus might be the solution. Of course, modern anti-virus is far more than just a blacklist of virus signatures; but the argument, he told Infosecurity, goes thus: "How can anti-virus cope with the sheer volume of new signatures required every day?

It cannot. And of course, blacklisting has no hope of stopping zero-day viruses and trojans. It is now more efficient to maintain and operate a whitelist of allowable software than a blacklist of unacceptable software."

It's not easy, of course. It requires a huge database of known good applications, all hashed to provide whitelist signatures, and a grading system for potentially bad applications (such as a good application that has an unknown add-on installed). And, of course, a methodology for 'self-certified' good apps that the user has developed in-house. The principle is simple; it is the reverse of the principle behind the original AV approach: allow what you know to be good and block everything else. Unlike anti-virus, however, this approach will automatically catch zero-day malware.
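As an added illustration (not Bit9's product or code), the following Python sketch shows the default-deny logic the paragraph describes: each executable component is identified by a hash, a whitelist records where trust came from (vendor or self-certified), a known-good application with an unknown add-on gets a review grade rather than a silent decision, and anything never seen before is blocked without needing a signature. All binaries and hash entries are constructed stand-ins.

```python
import hashlib
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"    # every executable component is on the whitelist
    REVIEW = "review"  # known-good application loading an unknown add-on
    BLOCK = "block"    # default deny: the application itself is not whitelisted

def sha256(data: bytes) -> str:
    """Whitelist signature: the hash of the file contents, not its name."""
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for executables; a real whitelist hashes the binaries on disk.
# Each entry records where the trust came from (vendor catalogue or in-house self-certification).
KNOWN_GOOD = {
    sha256(b"OFFICE_SUITE_MAIN_BINARY_v1"): "vendor",
    sha256(b"OFFICE_SUITE_PLUGIN_A"): "vendor",
    sha256(b"INHOUSE_REPORTING_TOOL_build_42"): "self-certified",
}

def grade(components: list[bytes], whitelist: dict[str, str] = KNOWN_GOOD) -> tuple[Verdict, list[str]]:
    """Grade an application: first component is its main executable, the rest are add-ons it loads.
    Returns the verdict plus the hashes that were not whitelisted, so an operator sees what needs certifying."""
    hashes = [sha256(c) for c in components]
    unknown = [h for h in hashes if h not in whitelist]
    if not unknown:
        return Verdict.ALLOW, []
    if hashes[0] in whitelist:
        # The application itself is trusted but carries something unrecognised:
        # the "good application with an unknown add-on" case gets a grade, not a silent block.
        return Verdict.REVIEW, unknown
    # No signature is needed here: never-seen code is blocked by default,
    # which is how zero-day malware is caught without a blacklist update.
    return Verdict.BLOCK, unknown

if __name__ == "__main__":
    cases = {
        "trusted suite": [b"OFFICE_SUITE_MAIN_BINARY_v1", b"OFFICE_SUITE_PLUGIN_A"],
        "trusted suite, unknown add-on": [b"OFFICE_SUITE_MAIN_BINARY_v1", b"UNKNOWN_ADDON"],
        "never-seen binary": [b"NEVER_SEEN_BEFORE"],
        # Operational cost of whitelisting: a legitimate vendor update changes the hash
        # and is blocked until the whitelist database catches up.
        "vendor update not yet whitelisted": [b"OFFICE_SUITE_MAIN_BINARY_v2"],
    }
    for label, parts in cases.items():
        verdict, unknown = grade(parts)
        print(f"{label}: {verdict.value} ({len(unknown)} unknown component(s))")
```

The last case is the maintenance burden the article alludes to: every legitimate patch must reach the whitelist before it will run.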

But the big advantage for the new BYOD environment is that it automatically provides an effective sandbox for remote devices. Even if such a device gets infected, it cannot pass that infection to the corporate server: it is simply blocked from running on the server. Whitelisting, suggests Lee, solves the BYOD malware problem.

"Whitelisting works," he said. "We're finding that new customers run our system alongside their existing anti-virus. But when the AV license expires, we're finding that they drop the blacklist and just rely on our whitelist."
