• 09/17/2008
    4:30 PM
  • Rating: 
    0 votes
    Vote up!
    Vote down!

Positive Security: Worth The Work?

New approach requires in-depth systems knowledge, but the payoff is substantial.
Think Positive
>> Bit9's Parity is backed by a vast database that allows quick rule creation with a variety of application categories
>> CoreTrace's Bouncer whitelisting offering is based on a centralized management appliance
>> Faronics' Deep Freeze allows software modifications to be undone on reboot; its Anti-Executable blocks unapproved apps at the outset
>> Lumension's Sanctuary Application Control offers whitelisting and script and macro protection
>> Savant Protection's End Point Security Software has a distributed approach that lets it function without a centralized server and database
Positive security, in which it whitelists everything from entire applications down to specific functions before allowing access, sounds extreme. But unfortunately, the desktop environments we know and love prioritize ease of use over security, and we're all feeling the pain: More than half of respondents to our 2008 InformationWeek Analytics Strategic Security poll have been hit by a virus this year, and nearly 30% have been attacked through OS vulnerabilities.

Two forms of positive security worth exploring are application whitelisting and mandatory access control, or MAC.

Instead of letting every program run on a computer by default and trying to stop bad ones after they've caused trouble, whitelisting allows only approved applications to run. The concept can be applied not just to software, but also to the functions that applications are allowed to perform. It's complex and won't stop everything, but with more threats coming online every day, it's an option worth exploring.

MAC, meanwhile, allows much more powerful and granular control compared with the discretionary access control (DAC) methods commonly used to secure today's desktop operating systems. MAC also is more complex than DAC, which is best summarized as allowing or denying access based on identity. A user is either logged in to a privileged account or isn't, and is either a member of a particular group or isn't.

In a MAC environment, a user account may have full control over the user's files, but a mail client run by the same user may have a reduced set of permissions, such as restrictions on which directories it may read or write to. Think about it this way: If your Web browser needs only to execute some libraries or plug-ins, save files to a download folder, and create network connections, why should it have the ability to execute any other binary or access the memory of other running applications?

Configuring and maintaining a positive security model is more expensive than traditional laissez-faire methods, but the benefits of MAC and application whitelisting are beginning to outweigh implementation costs, and the trend toward positive security features and policies is growing, not only in third-party security products, but also in operating systems. In our Strategic Security poll, the practice of reducing software features to essentials made our list of the top half-dozen most effective vulnerability management practices.

InformationWeek Reports

Vendors also are taking small steps: Kaspersky Lab has added application whitelisting vendor Bit9's database into its product. Kaspersky uses this whitelist as an initial check to speed up scanning--not a true positive security model, but it's a start. Among large antivirus vendors, Symantec has been vocal about its desire to migrate to a positive security model, and has started to implement features similar to Kaspersky, including a lockdown mode that prohibits new programs. The application whitelisting market also is expanding (see vendor list, above).

There are problems positive security can't solve, as well as common deployment inhibitors. First, although some mechanisms use positive security models to combat insider threats, the majority of such systems require trusted endpoints, and a sufficiently clued local user can subvert such a system. In addition, positive security models aren't proof against approved applications that have vulnerabilities. These models can help prevent most malicious software from running and limit the scope of a compromise, but malware can still leverage a software vulnerability to infect a system.

The thing to remember is that the vast majority of current threats will fail in an environment with application whitelisting or MAC. A strategy need not be perfect to be worthwhile.

The biggest barrier to positive security is the management cost. In sites with just a few standard desktop builds and relatively static application sets, a positive security strategy makes good sense. Servers, in particular, tend to perform a few specific functions and have access to more critical resources than endpoints. Conversely, it's difficult to implement a positive security program when users can install their own software or require a constantly changing set of apps.

Find out how to make your security dollars go further with our 2008 Strategic Security Study.lurb
Note, too, that neither blacklists nor whitelists are static. Blacklists are lists of negative behaviors or objects, typically used as a component of a negative security model, also known as "default-allow," "default-permit," and "the state of the antivirus industry for most of the last two decades." A negative security model blocks only known bad behaviors or objects. The advantage is that new, good objects require no modification to the system. However, blocking new bad objects requires frequent updates.

Conversely, a whitelist is not necessarily synonymous with a positive security model, though the two terms are sometimes used interchangeably.

For example, a whitelist in an antivirus application may refer to specific known-good applications that should always be allowed to run, but that does not necessarily mean the antivirus product uses a default-deny policy. Just because an application employs a whitelist does not mean it uses a positive security model, which specifies a list of good behaviors or objects and blocks all else by default.

Log in or Register to post comments