Die, unknown executable! Keeping up with malware signatures is becoming unsustainable, so blocking all but known good programs may be our only hope. A review of five whitelisting security packages yields a clear winner in the battle for 21st century security
Layer 8 considerations
Administrators trying to implement a whitelisting program across a large organization should make sure to have senior management's buy-in. Once you start taking away users' "freedom," the complaints will start coming. I've yet to see an administrator turn on enforcement mode, even after weeks of application inventorying, without some mission-critical application that escaped detection being temporarily interrupted. IT shops using application control must be immediately responsive to customer needs and requests.
One of the biggest unexpected side effects of using a whitelisting program in enforcement mode is lower support costs. Companies that are able to lock down desktops have significantly fewer troubleshooting events and rebuilds. Although some users will complain about their inability to install anything they like, the lockdown also means that users won't install nearly as much malware, and that, along with the savings in support costs, usually translates well to senior management.
Most companies will want to define emergency and ad hoc approval processes so that requested software can be whitelisted and allowed to run as quickly as possible. No one wants to tell the CEO that he has to wait a week for his new golf game or stock trading program to get approved. Some environments enable enforcement mode only on problematic users with a history of abuse, while running auditing mode for everyone else. Every company should create baselines from images and programs their users are supposed to be running, and use the whitelisting solution's reporting feature to track deviations and drift.
This review ranks the whitelisting programs based upon overall functionality, including the file types and operating systems they cover, accuracy and effectiveness against policy violations, administration (how hard was it to configure and manage), reporting (including alerting), and overall value. As noted above, all of the reviewed products performed well. There are many good choices here, and the real challenge is in picking a product that has the best feature set for your environment. One product, Bit9’s Parity, rose to the top and should be included in anyone's consideration list.
Read the individual reviews:
Bit9 Parity 5.0 shines brightest among whitelisting competitors with strong protection and useful risk metrics
CoreTrace Bouncer 5 provides first-rate application control with a few unique features
Lumension Application Control is a competitive product with a number of standout features and one significant omission
McAfee's whitelisting protection for Windows, Linux, and Solaris is short on shortcomings
SignaCert is great for monitoring compliance with application and configuration policies, but it lacks built-in blocking
Microsoft's AppLocker is limited compared to third-party options, but you can't argue with the price
This story, "InfoWorld Test Center review: Whitelisting security comes of age," was originally published at InfoWorld.com. Follow the latest developments in information security and endpoint security at InfoWorld.com.
You may still be better off sticking with Win7 or Win8.1, given the wide range of ongoing Win10...
Early results look promising: the many-hours-long Win7 waits may be behind us
Now that we're down to the wire, many upgraders report that the installer hangs. If this happens to...
Here’s how to step out of the server closet and into a more robust (and possibly more rewarding) tech...
Boiling the ocean never works. But the right proof of concept can provide a key transformative example...
If old Python networking and web libraries aren't fast enough for you, these new additions break speed...
The DDoS attack against Dyn affected numerous websites, but the biggest victims are the enterprises...