The Positive Trust Model and Whitelists
Dr. Luke O’Connor 19/11/09
Introduction
I recently came across the presentation The Positive Trust Model and Whitelists, by Wyatt Starnes of Signacert, a company that specialises in whitelisting solutions (get the video here). I thought the presentation made some good points, worth repeating here and extending with other opinions (of which there are many). Whitelisting, like virtualisation, is a mainframe concept largely forgotten in the era of personal computing and recently rediscovered in our modern IT environment. There are various forms of whitelisting for security purposes, for example in the context of combating email fraud and SPAM, but here we will be concerned with application whitelisting: a method to ensure that only approved applications and their associated executables are permitted to run on a given machine.

John W. Thompson, CEO of Symantec, supported whitelisting in the face of growing malware diversity in his 2008 RSA keynote (quoted by Starnes):

 From where I sit, a few things are very, very, clear. If the growth of malicious software continues to outpace the growth of legitimate software, techniques like whitelisting, where we identify and allow only the good stuff to come in, will become much, much, more critical.

This is a telling statement from the CEO of a company whose cash cow is desktop AV software, the epitome of blacklisting technology. Thompson, and other companies whose business models are firmly based on blacklisting, now agree that whitelisting as a malware defence is an idea whose time has come.
Malware is Increasing
Blacklisting is not really about maintaining a list of prohibited software, but rather maintaining a database of malware signatures to evaluate the state of software through scanning. Software is blacklisted when it is identified to have characteristics identical or similar to known malware. And this is the key point - known malware.
The successful and timely identification of malware depends on the rapid identification, production and distribution of updates to signature databases. Over the last year an inflection point was reached where malware crossed over to being produced in greater quantities than legitimate software. We are heading to the same state of affairs as in email, where SPAM dominates the number of legitimate messages. Starnes depicted this situation in a slide graphic whose heading is
Chase the Infinite or Confirm the Finite? 
The question asks whether it is a better IT defensive strategy to attempt to screen a wide and increasing variety of malware, or to focus on maintaining the current integrity of the known components of your IT system. A presentation from Martin Fréchette of Symantec Labs, given at RAID 2007, provides more background. First he has a more detailed graph on the number of new threats, which are essentially increasing exponentially.
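As an added illustration of the two strategies (example code written for this page, not part of the original article or of any Signacert product), the following Python contrasts a signature blacklist with a hash allowlist on constructed stand-in binaries; the file contents, install paths and the signature pattern are all assumed for the example.

```python
"""Added example: signature blacklist vs. hash allowlist on constructed samples."""
import hashlib

# Constructed stand-ins for executables (byte strings, not real binaries).
APPROVED_APP = b"MZ\x90\x00 approved-editor v1.0"
UPDATED_APP = b"MZ\x90\x00 approved-editor v1.1"        # legitimate, not yet approved
KNOWN_MALWARE = b"MZ\x90\x00 dropper EVIL_MARKER payload"
# A "polymorphic" variant: same behaviour, one byte pattern rewritten.
VARIANT = KNOWN_MALWARE.replace(b"EVIL_MARKER", b"EV1L_M4RKER")

# Blacklist model: signatures (byte patterns) taken from malware already analysed.
SIGNATURES = {b"EVIL_MARKER"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Allowlist model: manifest of SHA-256 digests for the exact bytes approved at each path.
MANIFEST = {"/opt/editor/editor": sha256_hex(APPROVED_APP)}


def blacklist_allows(content: bytes, signatures=SIGNATURES) -> bool:
    """Chase the infinite: anything that matches no known-bad signature may run."""
    return not any(sig in content for sig in signatures)


def allowlist_allows(path: str, content: bytes, manifest=MANIFEST) -> bool:
    """Confirm the finite: only the bytes whose digest is recorded for this path may run."""
    return manifest.get(path) == sha256_hex(content)


def approve(path: str, content: bytes, manifest=MANIFEST) -> None:
    """The operational cost of allowlisting: every legitimate change must be approved."""
    manifest[path] = sha256_hex(content)


def compare(path: str, content: bytes) -> dict:
    """Verdict of both models for one candidate executable."""
    return {"blacklist": blacklist_allows(content),
            "allowlist": allowlist_allows(path, content)}


if __name__ == "__main__":
    for label, path, content in [
        ("approved app", "/opt/editor/editor", APPROVED_APP),
        ("known malware", "/tmp/dropper", KNOWN_MALWARE),
        ("polymorphic variant", "/tmp/dropper", VARIANT),
        ("updated app, not yet approved", "/opt/editor/editor", UPDATED_APP),
    ]:
        print(f"{label:30} {compare(path, content)}")
```

The variant evades the signature but not the allowlist, while the legitimate update is blocked until it is approved, which is exactly the trade-off between the two models.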
By the end of 2008 there were approximately 1,000,000 known examples of malware, over 2/3 of which had been produced in 2008. That is, 2008 saw more malware produced than all previous years combined. While this sounds alarming, Fréchette notes that part of the reason known malware has been increasing rapidly is due to better detection methods, in particular honeypots and malware sensor networks.

But malware is also increasing due to a change in strategy of the malware industry. Fréchette observes a shift from mass distribution of a small number of threats to micro distribution of millions of distinct threats, more recently referred to as targeted attacks. Symantec has observed single days where 10,000 new virus strains have been produced, mainly through a technique known as server-side polymorphism, which can automatically regenerate malware strains.

Fréchette notes that the micro distribution strategy is greatly reducing the effectiveness of classic malware signature detection. Even just a few years ago a single signature could be expected to protect 10,000 users, whereas today that expectation has dropped to less than 20 users. That is, malware attacks are so specific that signatures serve only to protect small groups of users. Thus signatures must be produced in vast numbers to protect the broader user community.
The Twilight of Blacklisting
The AV blacklisting industry has reached a point of diminishing returns - the marginal value of producing additional signatures is minimal, but the underlying model can offer no more advice than to simply keep doing exactly