Don't Black List White Listing

Wednesday, June 22, 2011

Most analysts agree that white listing is more effective than signature-based black listing at protecting end points from malware. In principle.

White listing simply means allowing only approved applications to run on your computer.

It is the execution that has held back white listing and allowed your signature-based anti-virus, anti-spam, and anti-spyware products (black listing) to continue to thrive.

My very first day on the job at Gartner in 2000 I met with a team from a Colombian network service provider for South American banks. They were looking for security metrics that went beyond what they had at the time: a record of blocked viruses from their AV product.

That is one of the problems with white listing: you give up that knowledge and reporting of successfully blocked attacks.

 

What has happened in the last decade is that white listing solutions have recognized the addiction on the part of IT admins to these reports, so the new approach is a hybrid: use the hardening of a positive security model, but back that up with a database, available from many AV signature providers, to provide that reporting.

Of course, as AV vendors struggle to keep up, they too are looking at white listing. The trend is toward a hybrid model, with white listing doing the heavy lifting to protect end points from zero-day and uniquely fabricated malware, and black listing providing the reports.
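The hybrid model described above, sketched as an added example (not code from this post or from any product it mentions): the white list alone decides what runs, and the signature database is consulted only to label what was already blocked. All names, hashes and detection labels here are hypothetical and constructed for illustration.

```python
import hashlib
from collections import Counter

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed byte strings standing in for executables on an end point.
APPROVED_APP = b"constructed: approved payroll client"
KNOWN_BAD = b"constructed: sample present in a signature feed"
UNKNOWN_APP = b"constructed: uniquely fabricated binary, no signature"

# White list: hashes of approved applications. Enforcement uses only this set.
ALLOWLIST = {sha256(APPROVED_APP)}

# Black list: hash -> detection name, standing in for an AV signature database.
# It never changes the allow/block decision; it only enriches the report.
SIGNATURE_DB = {sha256(KNOWN_BAD): "Constructed.Trojan.Example"}

UNLABELED = "unapproved (no signature match)"

def evaluate(name: str, data: bytes) -> dict:
    """Default deny: anything not on the white list is blocked."""
    digest = sha256(data)
    if digest in ALLOWLIST:
        return {"file": name, "action": "allow", "label": "approved"}
    label = SIGNATURE_DB.get(digest, UNLABELED)
    return {"file": name, "action": "block", "label": label}

def blocked_report(events: list) -> Counter:
    """The 'blocked attacks' metric that white listing alone would not give."""
    return Counter(e["label"] for e in events if e["action"] == "block")

if __name__ == "__main__":
    events = [
        evaluate("payroll.exe", APPROVED_APP),
        evaluate("dropper.exe", KNOWN_BAD),
        evaluate("custom.exe", UNKNOWN_APP),
    ]
    for e in events:
        print(e)
    print(dict(blocked_report(events)))
```

The binary with no signature is still blocked, which is the zero-day case; it simply appears in the report without a detection name.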

To hear how CoreTrace, one of the leaders in white listing, is addressing this hybridization, listen to this interview I conducted with industry veteran Toney Jennings. Toney was one of the original team that founded the Wheel Group, one of the first IDS products, which he sold to Cisco.
