IT Security’s 50 Shades of Gray
On any given endpoint application list, there's white and black and there are about 50 shades of gray
by Leonid Shtilman, CEO, Viewfinity
Any pragmatic security professional understands all too well that there's a world of difference between
theory and practice when it comes to protecting corporate data and managing risks. In theory, antivirus
detects malicious software and stops it from ever executing on endpoints. In practice, intruders always
exploit the window before a sample is added to AV databases and can be detected. In theory,
instituting compliance mandates is all it takes to maintain a successful security department. In practice,
a lot of risks must be managed outside the rudimentary requirements instituted by regulators. In theory,
security professionals have an endless supply of resources at hand to install every control they identify
as beneficial to enterprise security. In practice, well, we all know that never happens.
It's that differential between sounds-good-at-first theories and the day-to-day realities of IT operations
that has kept the very rational approach of security whitelisting from ever taking root in the enterprise
in any meaningful way. The idea behind whitelisting is to accept only a very constrained list of
known-good applications to run on enterprise endpoints and block all other unknowns. The problem is that on
any given endpoint application list, there's white and black, and then there are about 50 shades of gray.
For every obvious productivity program and obvious malicious program, there are about a dozen more
that are not so obvious, and administrators simply do not have the time to handle the categorization
process.
There are some programs that aren't malicious but might not be really appropriate on a work machine,
such as an employee's copy of a Porsche simulator. There are some very productive programs that only
a very selective audience might use and IT might not see all the time. And then there are still other
programs that might be somewhat beneficial to employees but have such dangerous behaviors that
they aren't worth the risk to have on a machine. But the work it takes to sift through all of those gray
applications and scenarios to categorize them as good or bad quickly becomes onerous.
In our study of customer endpoints, Viewfinity has found that it is not unheard of to find over 20,000
different applications once you consider all of the processes associated with executables under the
hood. With that kind of scale, the task of going through all of those applications to identify the working
white list is a monumental first step. And that's not even the most difficult part. The most difficult part
comes the day after the first day, because few applications are ever really static: they usually need to
be updated and patched. So now IT needs to distinguish whether an update is legitimate or not. For
example, when somebody is updating Adobe Reader, is that indeed Adobe's program updating itself, or
is it a malicious intruder installing something on the computer?
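The two problems raised above, sorting binaries into white, black and gray, and then deciding whether a changed binary is a legitimate update, can be expressed as a small policy engine. The following is an added example and is not Viewfinity's code or part of the original article. It assumes that a separate code-signing check has already produced the verified signer name for each binary (that check is not implemented here); all file paths, vendor names and file contents are constructed placeholders. A binary whose hash is unknown but which carries a valid signature from a trusted publisher is treated as an update and promoted to the allowlist, while a same-path binary with no valid signature stays gray for review.

```python
"""Toy allowlist policy engine: ALLOW / DENY / GRAY plus a trusted-updater rule."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Binary:
    """An executable observed on an endpoint (all fields are constructed for the demo)."""
    path: str
    content: bytes            # stand-in for the file's bytes
    publisher: Optional[str]  # signer name from a prior signature check; None if unsigned/invalid


@dataclass
class Policy:
    allowed_hashes: Set[str] = field(default_factory=set)      # known-good binaries
    denied_hashes: Set[str] = field(default_factory=set)       # known-bad binaries
    trusted_publishers: Set[str] = field(default_factory=set)  # vendors whose signed updates are accepted


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(binary: Binary, policy: Policy) -> Tuple[str, str]:
    """Return (verdict, reason). Blocklist wins over allowlist; signature only matters for unknown hashes."""
    digest = sha256(binary.content)
    if digest in policy.denied_hashes:
        return "DENY", "hash is on the blocklist"
    if digest in policy.allowed_hashes:
        return "ALLOW", "hash is on the allowlist"
    if binary.publisher is not None and binary.publisher in policy.trusted_publishers:
        # Unknown hash but a valid signature from a trusted vendor: the patched-application case.
        return "ALLOW", f"new hash, but signed by trusted publisher '{binary.publisher}'"
    if binary.publisher is None:
        return "GRAY", "unsigned and not on any list; needs admin review"
    return "GRAY", f"signed by untrusted publisher '{binary.publisher}'; needs admin review"


def accept_update(old: Binary, new: Binary, policy: Policy) -> bool:
    """Decide whether `new` is a legitimate update of `old` and, if so, allowlist its hash.

    The path alone proves nothing (anything can be written to the same location), so the
    rule requires that the old binary was allowlisted and the new one carries the same
    trusted signer. After promotion, day-two classification is a plain hash lookup.
    """
    if sha256(old.content) not in policy.allowed_hashes:
        return False
    if old.publisher is None or new.publisher != old.publisher:
        return False
    if new.publisher not in policy.trusted_publishers:
        return False
    policy.allowed_hashes.add(sha256(new.content))
    return True


# Constructed sample inventory (hypothetical paths, vendors and contents).
VENDOR = "Example Vendor Inc (hypothetical)"
READER_V1 = Binary(r"C:\Program Files\Reader\reader.exe", b"reader build 1", VENDOR)
READER_V2 = Binary(r"C:\Program Files\Reader\reader.exe", b"reader build 2", VENDOR)
READER_IMPOSTOR = Binary(r"C:\Program Files\Reader\reader.exe", b"not really reader", None)
CAR_SIM = Binary(r"C:\Users\alice\Downloads\carsim.exe", b"car simulator", "Hobby Games Ltd (hypothetical)")
KNOWN_BAD = Binary(r"C:\Users\alice\AppData\Local\Temp\dropped.exe", b"known bad sample", None)
SAMPLES: Dict[str, Binary] = {
    "reader_v1": READER_V1, "reader_v2": READER_V2, "reader_impostor": READER_IMPOSTOR,
    "car_sim": CAR_SIM, "known_bad": KNOWN_BAD,
}


def build_policy() -> Policy:
    """Day-one policy: only the original reader build is allowlisted, one sample is blocklisted."""
    return Policy(
        allowed_hashes={sha256(READER_V1.content)},
        denied_hashes={sha256(KNOWN_BAD.content)},
        trusted_publishers={VENDOR},
    )


def run_demo() -> dict:
    """Classify the inventory, process one genuine and one impostor update, classify again."""
    policy = build_policy()
    day_one = {name: classify(b, policy)[0] for name, b in SAMPLES.items()}
    genuine = accept_update(READER_V1, READER_V2, policy)
    impostor = accept_update(READER_V1, READER_IMPOSTOR, policy)
    day_two = {name: classify(b, policy) for name, b in SAMPLES.items()}
    return {"day_one": day_one, "update_accepted": genuine,
            "impostor_accepted": impostor, "day_two": day_two}


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

The gray bucket deliberately holds both the unsigned same-path binary and the signed-but-untrusted game: the engine does not pretend to know which of those is harmless, it only narrows what an administrator has to look at. Note that `accept_update` never promotes a hash on the strength of the file path.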
108 Cyber Warnings E-Magazine – August 2013 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide