In-Depth
Modern Antivirus, Whitelisting, and Enterprise Security
Whitelisting applications can be a more effective and lower-impact technique for protecting your enterprise than are traditional antivirus approaches.
By Toney Jennings, President and CEO, CoreTrace Corporation
The IT threat landscape has changed dramatically over the last few years. In the past, the majority of attacks were meant simply to make headline news. Today, attacks have become more sophisticated and stealthy, targeting specific organizations to reap financial or political gain. Professional hackers continuously develop new tactics to gain unauthorized, undetected, and ongoing access to an organization’s systems and information.
One gauge of the growing sophistication of attacks is the appearance of blended threats, which integrate multiple attack methods such as worms, Trojan horses, and zero-day threats. Reactive approaches such as traditional antivirus, antispyware, and other signature-based protection measures may have been sufficient to protect an organization’s vital resources a few years ago, but not today.
The situation is further complicated by the sheer volume of attacks that threaten to overwhelm signature-based defenses and is leading to significant performance impacts on protected systems. As attackers develop new threats, vendors must respond with even more signatures. However, as signature databases grow, latency and resource consumption grow as well. IT teams have been forced to either incur the performance degradation or scan less frequently and leave the system exposed to attacks.
Organizations now need proactive endpoint security measures that can protect against these sophisticated, zero-day and targeted attacks, and do so in a way that does not impact performance. What they need is Modern Antivirus.
Modern Antivirus flips the traditional antivirus model 180 degrees by enforcing a whitelist of approved applications on each endpoint computer ("application whitelisting") rather than relying on a malware blacklist for real-time, inline protection. After automatically generating a tailored whitelist of approved applications on an endpoint (desktop, laptop, server, POS terminal, SCADA system, etc.), Modern Antivirus solutions prevent the execution of every executable that is not explicitly on the whitelist -- including custom, zero-day, and targeted malware used by expert hackers and advanced persistent threats (APTs).
In addition to clear anti-malware advantages, Modern Antivirus solutions are gaining acceptance in both physical and virtual environments because of huge performance benefits over traditional antivirus products. One of the greatest advantages of the whitelisting approach is that it has boundaries: permitted activity can be defined. Blacklists, such as malware signature databases, on the other hand, can potentially grow without limit as threats continue to appear. This means that whitelisting approaches can have a smaller performance impact on the systems they protect.
Although the benefits of application whitelisting-based enforcement are clear, Modern Antivirus solutions will not abandon blacklisting completely. In fact, Modern Antivirus solutions actually include cloud-based blacklists. Blacklisting is not dead, it is simply moving away from being the primary defense and into a secondary role offline. Modern Antivirus solutions use whitelisting as the primary mechanism to prevent the execution of unknown and malicious applications, and off-line, cloud-based blacklists for reporting and compliance purposes.
Cybersecurity has always been a measure/countermeasure/counter-countermeasure game. The good guys build a fence and, in short order, the bad guys climb over it. The good guys build the fence taller and the bad guys figure a way over it again. This will not stop with the advent of Modern Antivirus. Today, most attacks are designed to deposit a payload on the targeted machine -- a payload that can remain on the victimized computer and allow remote control access even after rebooting the machine. As Modern Antivirus solutions stop this "simple" attack scenario by preventing the execution of the non-whitelisted payload executable, professional hackers will shift to attacking legitimate, whitelisted applications themselves.
For example, memory attacks try to take advantage of legitimate applications and use their privileges to load malicious processes. To the system and its defenses, it appears to be a legitimate application, but it is really a form of embedded malware. Providers of Modern Antivirus solutions are aware of this next move, and are already building in protection to thwart the attacks. These solutions are designed to help stop attacks inside legitimate, whitelisted applications by controlling the code running in memory. By preventing the execution of any process that is not launched by an approved application, these Modern Antivirus solutions stop attempts to inject DLL libraries, write to kernel memory, etc.
Let's be clear: Modern Antivirus does not stop all attacks within legitimate applications today (e.g., from some macros and other interpreter/scripting approaches). However, the solutions are being architected to continually shrink this attack vector too. Modern Antivirus solutions will technically be able to stop these embedded threats, but the key will be in the implementation. As a practical matter, Modern Antivirus vendors will need to provide IT teams with a tool that mirrors the organization's security model without compromising flexibility. An IT team that wants maximum security will be able to tune the system to prevent the use of all macros, whereas a team that needs more operational flexibility may allow certain macros to run but constrain what the macro is allowed to do on the system. This will be an area of innovation and differentiation for many years to come.
Although they sound similar, note that Modern Antivirus is not the same as "lockdown" or host intrusion prevention systems (HIPS). The security benefits of "locking down" a computer have been known for years. Simply lock a box down and do not allow anything else to execute. Lockdown solutions gained some acceptance in extremely static environments, but they have not been widely adopted for computers that require dynamic changes -- the vast majority of endpoints that need protecting.
Although Modern Antivirus solutions share the security benefits of lockdown products, they are not the same. Unlike lockdown, Modern Antivirus is not just for fixed-function systems and servers; leading solutions can easily handle dynamic, rapidly changing desktop and laptop environments. By establishing "trusted change" sources (e.g., trusted patch management systems, trusted digital certificates, trusted network shares, and even trusted users), Modern Antivirus solutions handle the addition of new applications or upgrades in a manner that is not difficult or time-consuming. Depending on an organization's policies, many of the additions can even be easily handled by end users via simple self-service mechanisms.
HIPS solutions required administrators to write, manage and maintain complex rules for networking, file usage, and registry. HIPS solutions have a reputation for being difficult to maintain and highly prone to false positives and other administrator-created issues, especially for custom proprietary applications. With tailored, auto-generated whitelists for each computer, and trusted change processes for the addition of new applications and upgrades, Modern Antivirus solutions are much simpler to use and administer than HIPS.
Modern Antivirus is not a silver bullet. There is no such thing in security. Modern Antivirus does not focus on network traffic, data encryption, spam, physical security, or a host of other attack vectors. Having said that, when it comes to a highly effective and operationally friendly endpoint protection solution that does not impact performance, Modern Antivirus is quickly becoming the new standard.
Toney Jennings is the President and CEO of CoreTrace Corporation. You can contact the author at tjennings@coretrace.com.