Microsoft's Patch Tuesday is dreaded by systems administrators all over the world. How long you have to patch depends entirely on how long it takes the attackers to diff the patched binaries against the originals, identify the vulnerability the patch closes and write a working exploit. Often Patch Tuesday is followed immediately by Exploit Wednesday, and the attackers are getting faster. As the patch window closes, you have to respond faster, deploy the patches faster, depend on your signature-based IPS vendor or throw up your hands in defeat. After all, don't your configuration management process and best practices require some level of regression testing before the patches are applied? Please read on!


In the past, I’ve not been a strong advocate of host-based security systems. Challenges with deployment, management, false positives, etc. limit the effectiveness and return on investment. In fact, for these reasons and more, I’ve seen more HIDS/HIPS systems yanked than deployed long term. However, growth and maturity in the “Application Whitelist” market has changed my mind.  Let me explain.


For years, host-based IDS/IPS systems have had some level of effective use. Some are effective at protecting against known attacks. Most can identify when an executable file has been changed. But they all have challenges with deployment, management, false positives, false negatives and protection against zero-day attacks. Management, tuning and regular updating are required to make any of the host IPS systems workable. Often, the level of effort is not worth the increase in protection, particularly once the performance impact is considered. Many do little, if any, virus detection. As a result, if you run host-based IPS, you also need to run anti-virus, anti-adware and anti-spyware products to adequately protect a host. Even after loading all these products, you still can't protect the system from unauthorized change by users or even insiders (administrators).


Application Whitelisting is Different


First, with a good application whitelisting system, deployment is simple. I have tested and run CoreTrace's BOUNCER™ product in a number of evaluations and have found it to be the simplest to deploy. Simply load the client program on the host and execute it. The client loads itself into the kernel and surveys the system for all executable files. It then computes a SHA-1 hash of each file and records the hash together with the file's path and size. Once the baseline is enforced, before an executable is given any CPU cycles it is checked against the recorded hash, path and file size. If all three match, the executable is allowed to run. Otherwise, it is stopped immediately.
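As an added illustration of the baseline-and-check cycle just described (my own Python model, not CoreTrace's code), the following builds a baseline of SHA-1, path and size over a constructed directory of stand-in executables and then applies the same three-way comparison to each of the ways a binary typically changes. The file names, their contents and the user-space check are assumptions; the real product performs the check in the kernel at image-load time rather than by walking a directory.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass

# File types treated as executable images in this model. A kernel agent hooks
# image loads rather than walking the tree, but the record it keeps is the same.
EXEC_SUFFIXES = (".exe", ".dll", ".sys")


@dataclass(frozen=True)
class Fingerprint:
    sha1: str   # hex SHA-1 of the file contents
    size: int   # size in bytes


def fingerprint(path):
    """Hash a file in chunks and return its SHA-1 digest and size."""
    digest = hashlib.sha1()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return Fingerprint(digest.hexdigest(), size)


def canonical(path):
    """Normalise a path so the baseline key is stable across case and relative forms."""
    return os.path.normcase(os.path.abspath(path))


def build_baseline(root):
    """Survey a tree and record (hash, size) for every executable, keyed by path."""
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXEC_SUFFIXES):
                path = os.path.join(dirpath, name)
                baseline[canonical(path)] = fingerprint(path)
    return baseline


def check_exec(baseline, path):
    """Decide whether `path` may run. Returns (allowed, reason).

    All three recorded attributes must agree: the path must be in the
    baseline, the size must match (the cheap check goes first), then the hash.
    """
    recorded = baseline.get(canonical(path))
    if recorded is None:
        return False, "not in baseline"
    actual = fingerprint(path)
    if actual.size != recorded.size:
        return False, "size mismatch"
    if actual.sha1 != recorded.sha1:
        return False, "hash mismatch"
    return True, "allow"


def demo():
    """Build a baseline over constructed files, then try the usual ways code changes."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "app.exe")
        lib = os.path.join(root, "lib.dll")
        with open(app, "wb") as fh:
            fh.write(b"MZ" + b"\x90" * 100)   # constructed stand-in for a PE image
        with open(lib, "wb") as fh:
            fh.write(b"MZ" + b"\xcc" * 50)
        baseline = build_baseline(root)

        results["unchanged"] = check_exec(baseline, app)

        # A byte-for-byte copy under a new name: same hash and size, wrong path.
        copy = os.path.join(root, "lib2.dll")
        shutil.copyfile(lib, copy)
        results["renamed_copy"] = check_exec(baseline, copy)

        # A brand-new file dropped into the tree, as a download or dropper would.
        dropper = os.path.join(root, "update.exe")
        with open(dropper, "wb") as fh:
            fh.write(b"MZ" + b"\x41" * 100)
        results["new_file"] = check_exec(baseline, dropper)

        # In-place patch that keeps the size: only the hash catches it.
        with open(app, "rb") as fh:
            data = fh.read()
        with open(app, "wb") as fh:
            fh.write(data[:50] + b"\xeb" + data[51:])
        results["same_size_patch"] = check_exec(baseline, app)

        # Appended payload: the size check fails before any hashing is done.
        with open(lib, "ab") as fh:
            fh.write(b"\x00" * 16)
        results["appended"] = check_exec(baseline, lib)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16s} -> {verdict}")
```

The renamed-copy case is why the path is part of the record: a legitimate binary copied somewhere it does not belong is still a change to the system, even though its hash is already known. The size comparison is only a shortcut; a same-size patch is caught by the hash alone.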


Additionally, because BOUNCER runs in the kernel, it can monitor the memory of each running application. When an application exceeds its expected memory use or attempts to execute code from a memory region that should hold only data, the classic footprint of a buffer-overflow exploit, BOUNCER immediately stops the unauthorized code.


ZERO-DAY THREATS ARE TRULY ELIMINATED!


Blacklist solutions like anti-virus, IDS/IPS and anti-spyware can't stop attacks they don't know about in advance. IDS systems (host or network based) rely on signatures or rules that detect attacks against known vulnerabilities. Anti-virus, anti-spyware and anti-adware products match files against the hashes and signatures of malware that has already been seen and catalogued.


The AV-Comparatives test results at this URL show how much new malware anti-virus products fail to catch: http://www.av-comparatives.org/seiten/ergebnisse_2008_11.php


With application whitelisting, and specifically with BOUNCER, only code that has been authorized in advance can execute. NEW CODE WON'T RUN! This is not an ideal fit for home systems, where we want to download and run new code all the time, but in a business environment our systems shouldn't change daily. Blocking code that wasn't authorized in advance is therefore a sound way to maintain configuration control and to keep users from installing malicious code inadvertently. Two practical caveats: the whitelist governs what is loaded as an executable image, so an authorized interpreter or macro host will still run whatever script it is handed, and an exploit that hijacks an already-running authorized process never writes a new file, which is why the in-memory checks described above matter as much as the file hashes.


AUTHORIZED CHANGE


Now everything is protected, but you need to roll out a new Service Pack or a new application to all your hosts. Before BOUNCER, application whitelisting solutions had no good way to handle this. The process went something like this: turn off protection, install the new code, re-create the baseline, re-apply the enforcement policy. It could be even worse, requiring the kernel client to be reinstalled.


BOUNCER solves this problem with a patent-pending process called "Trusted Change". Trusted Change lets designated trusted mechanisms apply changes and automatically updates the list of authorized code as they do so.


Trusted Shares allow new code to be installed from a pre-defined trusted share. For example, a network drive can be designated as trusted, and software upgrades, Service Packs, etc. installed from there are authorized automatically.


Trusted Applications allow specific, designated applications to install new code; whatever those applications write is added to the list of authorized code.


Trusted Installers, such as WSUS, can be identified, and the code they install is trusted.


Trusted Digital Signatures are a great way to trust updates from Microsoft and other vendors: code signed by an approved publisher is authorized on the strength of the signature. Bear in mind that trusting a publisher trusts everything that publisher has ever signed, so keep the list of approved signers short.


Finally, Trusted Users can be identified.  I almost hate to hear that this option exists, because it is very likely to be overused, at least at first.  The good news is that incremental changes made by the trusted user can be backed out.
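The following Python sketch, added here and not part of BOUNCER or any CoreTrace code, models how a Trusted Change policy of the kind listed above can decide which writes update the authorized list, and how a trusted user's change is backed out afterwards. The rule names, paths, publisher names and the `wsus-agent` and `setup.exe` actor names are constructed for the example, and the `signer` field stands in for a code signature that a real agent would verify before relying on it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    sha1: str          # digest the baseline records for the file (constructed values below)
    size: int
    signer: str = ""   # publisher named in the file's code signature; a stand-in here,
                       # a real agent would verify the signature before trusting it


@dataclass(frozen=True)
class Policy:
    trusted_shares: tuple = ()                    # path prefixes code may be installed from
    trusted_installers: frozenset = frozenset()   # processes allowed to write new code
    trusted_signers: frozenset = frozenset()      # publishers whose signed code is accepted
    trusted_users: frozenset = frozenset()        # accounts whose changes are accepted


@dataclass
class Change:
    files: dict   # path -> Entry for the code being written
    origin: str   # folder or share the files came from
    actor: str    # installer process or user account doing the writing


def authorize(policy, change):
    """Return the name of the rule that trusts this change, or None."""
    origin = change.origin.lower().replace("/", "\\")
    if any(origin.startswith(share.lower()) for share in policy.trusted_shares):
        return "trusted share"
    if change.actor in policy.trusted_installers:
        return "trusted installer"
    if change.actor in policy.trusted_users:
        return "trusted user"
    # Signature trust is judged per file: every file must carry an approved signer.
    if change.files and all(e.signer in policy.trusted_signers for e in change.files.values()):
        return "trusted signature"
    return None


class Whitelist:
    def __init__(self, baseline):
        self.entries = dict(baseline)
        self.history = []   # (change_id, {path: prior Entry or None}) so changes can be backed out

    def apply(self, policy, change):
        """Apply an authorized change; returns (change_id, rule), or (None, None) if refused."""
        rule = authorize(policy, change)
        if rule is None:
            return None, None
        prior = {path: self.entries.get(path) for path in change.files}
        self.entries.update(change.files)
        change_id = len(self.history) + 1
        self.history.append((change_id, prior))
        return change_id, rule

    def rollback(self, change_id):
        """Back out change_id and everything applied after it, newest first."""
        while self.history and self.history[-1][0] >= change_id:
            _, prior = self.history.pop()
            for path, entry in prior.items():
                if entry is None:
                    self.entries.pop(path, None)
                else:
                    self.entries[path] = entry

    def allows(self, path, entry):
        """The run-time check: the image at `path` must match its recorded entry exactly."""
        return self.entries.get(path) == entry


def demo():
    """Walk a constructed baseline through each kind of trusted (and untrusted) change."""
    k32, acme = r"c:\windows\system32\kernel32.dll", r"c:\program files\acme\acme.exe"
    baseline = {k32: Entry("a1" * 20, 1_000_000, "Microsoft Windows"),
                acme: Entry("b2" * 20, 250_000, "Acme Corp")}
    policy = Policy(trusted_shares=(r"\\deploy\packages",),
                    trusted_installers=frozenset({"wsus-agent"}),
                    trusted_signers=frozenset({"Microsoft Windows"}),
                    trusted_users=frozenset({r"CORP\packager"}))
    wl, out = Whitelist(baseline), {}
    # A patch delivered by the update agent replaces a system DLL.
    out["wsus"] = wl.apply(policy, Change({k32: Entry("c3" * 20, 1_000_512, "Microsoft Windows")},
                                          r"c:\windows\softwaredistribution", "wsus-agent"))
    # A Microsoft-signed component written by an unknown process from a temp folder.
    out["signed"] = wl.apply(policy, Change({r"c:\temp\helper.dll": Entry("d4" * 20, 90_000, "Microsoft Windows")},
                                            r"c:\temp", "setup.exe"))
    # An unsigned download run by an ordinary user: refused, nothing is added.
    out["download"] = wl.apply(policy, Change({r"c:\users\jdoe\downloads\tool.exe": Entry("e5" * 20, 80_000)},
                                              r"c:\users\jdoe\downloads", r"CORP\jdoe"))
    # The same user installing a vendor update from the trusted share: accepted.
    out["share"] = wl.apply(policy, Change({acme: Entry("f6" * 20, 260_000, "Acme Corp")},
                                           r"\\deploy\packages\acme-2.1", r"CORP\jdoe"))
    # A trusted user hand-installs an unsigned tool, and it is later backed out.
    out["user"] = wl.apply(policy, Change({r"c:\tools\diag.exe": Entry("07" * 20, 40_000)},
                                          r"c:\tools", r"CORP\packager"))
    out["diag_added"] = wl.allows(r"c:\tools\diag.exe", Entry("07" * 20, 40_000))
    wl.rollback(out["user"][0])
    out["diag_after_rollback"] = r"c:\tools\diag.exe" in wl.entries
    out["earlier_changes_kept"] = (wl.entries[k32].size, wl.entries[acme].size)
    return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:22s} -> {verdict}")
```

The rollback keeps the prior entry for every path a change touched, so backing out a trusted user's change restores the old fingerprint of anything it overwrote and removes anything it added, while the WSUS and trusted-share changes applied earlier stay in force. Rolling back a change also rolls back everything applied after it, which is the only safe order when later changes may have built on it.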


SUMMARY


The "beat the hackers to the patch" race is over. With an application whitelisting solution like BOUNCER, unauthorized code does not run, so a patch can go through your regression testing on your schedule rather than the attacker's.


In addition, application whitelisting is a great way to get control over your host and server configurations. Users will not be able to execute spyware, adware, viruses, games, P2P applications or any other unauthorized software. Companies can start treating their hosts more like company-owned computers and less like personal computers. Don't want users running Instant Messaging? Turn it off in the BOUNCER manager. Don't want them using P2P applications? Turn it off. Windows Media Player? Turn it off. Gain configuration control, recover CPU cycles (BOUNCER takes less than 2% CPU, versus anti-virus that burns up to 25% of your CPU) and increase productivity by globally disabling unnecessary programs that distract your employees.


Want more information? See http://www.thomasontech.com/coretrace

or call 210-317-3403.

Friday, March 6, 2009

 
 
