The blacklisting -vs- whitelisting debate rages on. Blacklisting solutions, such as antivirus products, block stuff that is known to be bad. Whitelisting solutions, such as Bit9's Parity, block everything except stuff that's known to be good.
Which is the better approach? Well, that depends on who you listen to. Proponents of whitelisting solutions claim that antivirus products are dead in the water: that they simply can't keep pace with today's rapidly evolving threats and heuristic detection is still far from perfect. Proponents of blacklisting solutions point out that whitelisting still has many shortcomings. Who's to say what's good and what's bad? Will whitelisting make patching and updating an even more complex process? What happens if you have abandoned your antivirus product and somebody then discovers a nice exploit to the whitelisting solution?
There is truth to both sides' claims. Signature-based solutions are indeed struggling to keep pace with new threats. A recent study by Panda found that 72% of networks with more than 100 workstations were infected with malware. That's quite an admission - especially as Panda's own product is signature-based. Additionally, heuristic (behaviour-based) detection also has a number of shortcomings - it's resource intensive and prone to misidentifying good stuff as bad and bad stuff as good (if heuristics were perfect, there'd be no need for signatures, right?).
Whitelisting solutions have shortcomings too. One of the arguments against blacklisting is that the vendors cannot keep pace with emerging threats, but the vendors of whitelisting solutions face a similar problem - there's an enormous number of programs on the market and whitelisting each and every one (and their updates) would be a job of nightmare proportions. Furthermore, not every business will want to completely lock each desktop to a base configuration; instead they'll want to allow some users freedom to install the productivity tools of their choosing (without having to put in a call to the Help Desk to do so). Bit9 work around this problem by enabling different sets of privileges to be applied to different users or groups of users. For example, you could permit IT to install software while blocking accounting. Great, but that sort of defeats the object. IT staff are certainly not immune from making mistakes and could install something that they shouldn't.
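To make the trade-offs above concrete, here is a small added example (not code from the post or from Bit9) that models both approaches as hash lookups over constructed sample "binaries": a default-allow blacklist of known-bad hashes, a default-deny whitelist of approved hashes, and a per-group exemption standing in for the user/group privileges described above. The hash-based mechanism and the group name "it" are assumptions for illustration.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for real executables (not real files or real malware).
SAMPLES = {
    "calc_v1.exe": b"constructed: calculator build 1",
    "calc_v2.exe": b"constructed: calculator build 2 (a routine update)",
    "known_worm.exe": b"constructed: malware the signature vendor has catalogued",
    "zero_day.exe": b"constructed: malware nobody has seen yet",
}

# Blacklist: the vendor's known-bad hashes. Only the catalogued worm is listed.
BLACKLIST = {sha256(SAMPLES["known_worm.exe"])}
# Whitelist: the organisation's approved baseline. calc v1 only; v2 not yet approved.
WHITELIST = {sha256(SAMPLES["calc_v1.exe"])}
# Assumed per-group policy: groups allowed to run binaries that are not on the whitelist.
GROUPS_MAY_RUN_UNAPPROVED = {"it"}


def blacklist_verdict(data: bytes) -> Verdict:
    """Default-allow: only what is already known to be bad is stopped."""
    return Verdict.BLOCK if sha256(data) in BLACKLIST else Verdict.ALLOW


def whitelist_verdict(data: bytes, group: str = "accounting") -> Verdict:
    """Default-deny: only approved hashes run, unless the user's group is exempt."""
    if sha256(data) in WHITELIST or group in GROUPS_MAY_RUN_UNAPPROVED:
        return Verdict.ALLOW
    return Verdict.BLOCK


def compare(group: str = "accounting") -> dict:
    """Return {sample name: (blacklist verdict, whitelist verdict)} for every sample."""
    return {name: (blacklist_verdict(d).value, whitelist_verdict(d, group).value)
            for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, (bl, wl) in compare().items():
        print(f"{name:16} blacklist={bl:5} whitelist={wl}")
```

The run shows each argument in the post in one table: the unseen sample passes the blacklist but not the whitelist, the routine update passes the blacklist but is blocked by the whitelist until someone approves the new hash, and for the exempt group the whitelist lets everything through, including the unseen sample.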
So, what's the bottom line? At this point in time, I don't think that whitelisting solutions can or should replace other security products. That said, they can certainly complement those products and add an extra layer to existing security strategy.
What do you think? Will the future be black or will it be white ... or, erm, will it possibly be a peculiar shade of grey?
Published by Brett Callow on Aug 12 2008, 10:05 AM to Computer Security Blog