If security is too complex for blacklists, what's next?

Whitelisting is the new norm, even though it is difficult to manage

In an increasingly complex computing environment with increasingly sophisticated threats, using signatures and addresses to blacklist known threats is no longer adequate, said Toney Jennings, president and CEO of CoreTrace.

“Blacklisting doesn’t stand a chance because, by definition, it is reactive” and can’t be applied until someone compromises a system. And when the target is high-value intellectual property, which advanced persistent threats often set in their sights, one compromise is too many.


Related coverage:

Advanced persistent threats are a new way of life

Not surprisingly, Jennings, whose company sells whitelisting security services, advocates whitelists as the solution. Whitelisting is effective because it prohibits everything that isn’t known to be safe or trusted. But it has been difficult to manage, especially in large enterprises where thousands of users swamp the help desk with change requests, which can be a bigger problem than most malware.

Jennings said whitelisting has matured and become easier to manage — not as easy as blacklisting and signature-based systems but easy enough to warrant a second look.

“It’s not a perfect system,” he said. And if you operate in a user-friendly environment in which users expect complete control over their computer, it might not be right for you. But at more secure government enterprises, it could be a valuable supplement to help catch the 30 percent of threats that blacklists let through.
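The contrast the article draws, default-deny allowlisting beside default-allow blacklisting, written out as an added example that is not part of the original article and is not CoreTrace's product. It hashes a handful of constructed sample files with SHA-256, runs them through both policies, and then pushes one legitimate update through the change-request path that the help desk would see. The file names, file contents, and the "helpdesk" approver are assumptions for illustration only.

```python
"""Added example: hash-based whitelist (default deny) vs blacklist (default allow).

Constructed illustration; the "binaries" are short byte strings standing in for
executable contents and are identified by SHA-256, as a hash-based whitelist
would identify real files.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed samples (hypothetical names and contents, not real files).
KNOWN_GOOD = {
    "notepad.exe": b"MZ-notepad-v1-constructed-sample",
    "calc.exe": b"MZ-calc-v1-constructed-sample",
}
KNOWN_BAD = {
    "worm.exe": b"MZ-worm-constructed-sample",
}
# The two cases the article contrasts: a threat nobody has a signature for yet,
# and a legitimate update nobody has approved yet.
UNSEEN = {
    "dropper_v2.exe": b"MZ-dropper-v2-constructed-sample",
    "notepad.exe (v2 update)": b"MZ-notepad-v2-constructed-sample",
}


class BlacklistPolicy:
    """Default allow: blocks only hashes of threats already seen, so it is reactive."""

    def __init__(self, bad: dict):
        self.bad_hashes = {sha256(d) for d in bad.values()}

    def decide(self, data: bytes) -> str:
        return "block" if sha256(data) in self.bad_hashes else "allow"


class WhitelistPolicy:
    """Default deny: allows only hashes in the approved baseline."""

    def __init__(self, good: dict):
        self.good_hashes = {sha256(d) for d in good.values()}
        self.change_requests = []  # help-desk queue of (name, hash) awaiting approval

    def decide(self, data: bytes) -> str:
        return "allow" if sha256(data) in self.good_hashes else "block"

    def request_change(self, name: str, data: bytes) -> str:
        """User asks for a new or updated binary; nothing runs until it is approved."""
        h = sha256(data)
        self.change_requests.append((name, h))
        return h

    def approve(self, h: str, approver: str) -> None:
        """Only an explicit approval by a named approver extends the baseline."""
        if not approver:
            raise ValueError("approval requires a named approver")
        self.good_hashes.add(h)
        self.change_requests = [cr for cr in self.change_requests if cr[1] != h]


def compare(black: BlacklistPolicy, white: WhitelistPolicy, samples: dict) -> dict:
    """Run every sample through both policies; returns name -> decisions."""
    return {
        name: {"blacklist": black.decide(d), "whitelist": white.decide(d)}
        for name, d in samples.items()
    }


def demo():
    """Decisions before and after the notepad update clears the change-request queue."""
    black = BlacklistPolicy(KNOWN_BAD)
    white = WhitelistPolicy(KNOWN_GOOD)
    samples = {**KNOWN_GOOD, **KNOWN_BAD, **UNSEEN}
    before = compare(black, white, samples)
    # The legitimate update is blocked until the help desk approves it (hypothetical approver).
    h = white.request_change("notepad.exe", UNSEEN["notepad.exe (v2 update)"])
    white.approve(h, approver="helpdesk")
    after = compare(black, white, samples)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for name in before:
        print(f"{name:28} before={before[name]}  after={after[name]}")
```

The unseen dropper passes the blacklist and is blocked by the whitelist, which is the "reactive" point in the article; the legitimate update is also blocked by the whitelist until someone approves it, which is the change-request load the article says swamps large help desks.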

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Mon, Apr 18, 2011

There are almost an infinite number of bad things in software that can hurt you and therefore shouldn't be allowed to run. Mathematically and performance-wise, it is impossible to stop them.

Meanwhile, there is a definable set of things you want to allow to run.

Whoever figures out how to make whitelisting manageable will have the next "killer app."

Couple whitelisting of digitally signed code with throw-away virtual desktops, and a lot of the problems we have today go away.

Fri, Apr 1, 2011 Joe Gottlieb San Francisco, CA

We are already seeing a mixture of blacklisting, behavioral and whitelisting approaches to security enforcement in large enterprises and government agencies. These and other enforcement technologies, properly logged, provide a wealth of information that can be used to monitor for increasingly subtle and sophisticated attacks (e.g., APTs). To leverage this information as a compensating control for all of your enforcement efforts, you must collect all of it in a scalable security data warehouse and then automate the exception filtering of that data to isolate the conditions that warrant real-time incident response, follow-up investigation and/or post-mortem analysis by your precious few security analysts. Why not open up, standardize and "crowd-source" these exception filtering analytics using SQL and well-established Business Intelligence tools? This will enable our top security analysts to collaborate and retake strategic advantage over cyber militants, terrorists and criminals. If this sounds interesting, come join the dialogue at www.opensecurityintelligence.com.
