InfoWorld review: Whitelisting security offers salvation
Die, unknown executable! Keeping up with malware signatures is becoming unsustainable, so blocking all but known good programs may be our only hope. A review of five whitelisting security packages yields a clear winner in the battle for 21st century security
Columnist, InfoWorld |
Layer 8 considerations
Administrators trying to implement a whitelisting program across a large organization should make sure to have senior management's buy-in. Once you start taking away users' "freedom," the complaints will start coming. I've yet to see an administrator turn on enforcement mode, even after weeks of application inventorying, without some mission-critical application that escaped detection being temporarily interrupted. IT shops using application control must be immediately responsive to customer needs and requests.
One of the biggest unexpected side effects of using a whitelisting program in enforcement mode is lower support costs. Companies that are able to lock down desktops have significantly fewer troubleshooting events and rebuilds. Although some users will complain about their inability to install anything they like, the lockdown also means that users won't install nearly as much malware, and that, along with the savings in support costs, usually translates well to senior management.
Most companies will want to define emergency and ad hoc approval processes so that requested software can be whitelisted and allowed to run as quickly as possible. No one wants to tell the CEO that he has to wait a week for his new golf game or stock trading program to get approved. Some environments enable enforcement mode only on problematic users with a history of abuse, while running auditing mode for everyone else. Every company should create baselines from images and programs their users are supposed to be running, and use the whitelisting solution's reporting feature to track deviations and drift.
This review ranks the whitelisting programs based upon overall functionality, including the file types and operating systems they cover, accuracy and effectiveness against policy violations, administration (how hard was it to configure and manage), reporting (including alerting), and overall value. As noted above, all of the reviewed products performed well. There are many good choices here, and the real challenge is in picking a product that has the best feature set for your environment. One product, Bit9’s Parity, rose to the top and should be included in anyone's consideration list.
Read the individual reviews:
Application whitelisting review: Bit9 Parity Suite
Bit9 Parity 5.0 shines brightest among whitelisting competitors with strong protection and useful risk metrics
Application whitelisting review: CoreTrace Bouncer
CoreTrace Bouncer 5 provides first-rate application control with a few unique features
Application whitelisting review: Lumension Application Control
Lumension Application Control is a competitive product with a number of standout features and one significant omission
Application whitelisting review: McAfee Application Control
McAfee's whitelisting protection for Windows, Linux, and Solaris is short on shortcomings
Application whitelisting review: SignaCert Enterprise Trust Services
SignaCert is great for monitoring compliance with application and configuration policies, but it lacks built-in blocking
Application whitelisting in Windows 7 and Windows Server 2008 R2
Microsoft's AppLocker is limited compared to third-party options, but you can't argue with the price
This story, "InfoWorld Test Center review: Whitelisting security comes of age," was originally published at InfoWorld.com. Follow the latest developments in information security and endpoint security at InfoWorld.com.
Copyright © 2009 IDG Communications, Inc.