Two changes have occurred in the last couple of decades which point toward reconsidering the options. First, the numbers game: the amount of bad stuff grows daily, and some anti-virus signature files contain approximately 20 million signatures. The good stuff has not grown as fast; a signature file for a standard operating system such as Windows XP Professional will contain nearly 50,000 signatures. Second, the rate of change has increased. Viruses used to be static and did not change, but nowadays they are written to self-adapt or to operate in a command-and-control mode where they can be remotely updated.
Now what? Does a solution provider look for the 50,000 relatively static signatures of the good stuff, or the growing 20 million adapting signatures of the bad stuff?

Signature Management

Most companies hope they never see any bad stuff and have no expertise in the dark science of understanding it. So it is sensible that both the generation and updating of anti-virus signatures be "outsourced" to the experts, and that is how the industry has developed. Application whitelisting appears to require the opposite approach. Because PCs are unique to every organisation, the organisation itself would be required to both generate and update the signatures of the good stuff. That might take quite a lot of time and effort, and appears counter to the current trend of increasing amounts of IT outsourcing. There is also the issue of diversity to handle. With anti-virus the same signature file can be applied to every machine, but with application whitelisting the worst-case scenario is that the signature file of every PC is different.
Today the concept of "signing" software is becoming commonplace. A signature carries metadata such as the software author, a checksum to verify that the object has not been altered, and versioning information. Signing uses a pair of keys, similar to SSL or SSH sessions. The private key used to sign the code is unique to a developer or company. Those keys can be self-generated or obtained from a trusted certificate authority (CA). When the public key used to authenticate the code signature can be traced back to a trusted root CA through a secure public key infrastructure (PKI), the user knows that the code is genuine. We see this most commonly today in environments where the source of a given piece of code may not be immediately evident, for example a Java Web Start application accessed from your browser.
In the context of application whitelisting, the most interesting use of signed code is to provide updates and patches for software. Most OS manufacturers now provide signed updates to ensure that bad stuff cannot be distributed via the patching system.
That same signing process can now be used by application whitelisting solutions, such as Cryptzone's SE46. The agent, which checks everything just before it runs, clearly trusts the signatures generated for that PC in the first place, especially if they have been signed in a way similar to the above. But the trust model can be extended to include other signing authorities. That means it is now possible to have a Windows PC whose trust model is extended to include, for example, Microsoft, Adobe and Cryptzone, so it can self-update without any need to manage the changing signatures in-house. Effectively, the management of the signatures of the good stuff has now been outsourced in much the same way as for anti-virus.
Who is in control of your infrastructure today? With certificate-based application whitelisting we have a way of replacing anti-virus without imposing a significant time and management overhead. So the answer would be: just you and any developers you choose to allow, and that's it!