Implicit whitelisting blocks malware instead of productivity

Application whitelisting is one way to ensure that unwanted software doesn't execute in your environment. Traditional whitelisting products are often too restrictive; they inhibit productivity when workers can't access the applications they need. Savant Protection offers a whitelisting solution that takes its cue from the applications your users already have installed. This helps you get control without breaking the endpoint.

Amit Yoran, security consultant and former director of the U.S. Department of Homeland Security's National Cyber Security Division, says that tools like antivirus software are effective for 25% to 40% of cyber threats. "It's necessary but inadequate," according to Yoran. A more effective approach to cyber security is to layer multiple complementary tools and solutions.

One of the layers you might be interested in implementing is application whitelisting: you specify the only applications permitted to run on a computer or network, and everything else is denied by default. Whitelisting is very effective at blocking undesirable programs such as viruses, other malware and peer-to-peer file-sharing clients. Unfortunately, it's just as effective at blocking legitimate productivity applications that nobody has explicitly added to the approved list. Many users find whitelisting too disruptive when every new application means contacting someone to approve it and add it to the list.


Savant Protection offers a different slant on application whitelisting. Savant's solution automatically creates a unique whitelist for each individual device, and that list becomes the ultimate authority of what is permitted to run on that specific device. This eliminates the need for complex policies and a centralized whitelist database.

You start by installing a Savant client on each computer you want to protect. The client scans the system drives to identify the existing executables and other code the system will load and run. For each file it identifies, Savant generates a unique key that it permanently assigns to that file on that specific device. The keys are encrypted and stored locally. From that point on, any new executable that does not have a key assigned to it cannot run. So, for example, if malware code does make its way onto the device, it simply dies on the vine because it doesn't have a key to run.

Of course, there are times when you want to install new software or updates to existing software. In this case, Savant allows a trusted agent that you specify to install software and whitelist it automatically. Examples of trusted agents include Windows Update, antivirus agents and desktop configuration agents. This lets you keep the computers current with all patches and updates without having to intervene to add the new executables to the whitelist. The trust is transitive, though: whatever a trusted agent writes is keyed without review, so the list of agents should be short and the agents themselves well protected.

The next obvious question is, what if you automatically whitelist something bad when you first install the client software? For example, what if a PC has botnet malware installed on it and you don't know about it? The Savant client will whitelist that malware and give it a key to run on that specific machine. It keeps running there, but it can't copy itself to other protected devices on your network and continue to run, because the key assigned to it is valid on only that one device; on any other Savant-protected machine it is just another unkeyed executable. The effect is a piece of malware contained to the host that was infected before the client was installed.

To prevent the malware from ever being whitelisted in the first place, Savant Protection recommends you run your antivirus software, conduct system scans and clean up your devices as much as possible before installing the Savant client software. While it's possible that malware and other undesired applications can get whitelisted, at least they are contained and can't replicate to other devices. As Mr. Spock once famously said, “The needs of the many outweigh the needs of the one.”
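The per-device keying described above, and the containment property that follows from it, can be modelled in a few dozen lines. The block below is an added example written for this article, not Savant Protection's code; the product's actual key format and scan rules are not described here. It assumes that a "key" is an HMAC-SHA256 over the file's bytes under a secret generated on each device (so the same file gets a different key on every machine), that keys are bound to file content (so a patched binary stops verifying), and that only configured trusted agents may key new executables. The file paths and byte strings are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Suffixes treated as executable code by this toy baseline scan
# (assumption; the real product's scan rules are not described).
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".bat", ".ps1")


@dataclass
class Device:
    """One endpoint: its own secret, its own whitelist, its own set of trusted agents."""
    name: str
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    whitelist: dict = field(default_factory=dict)      # path -> key
    trusted_agents: set = field(default_factory=set)   # e.g. {"WindowsUpdate"}

    def file_key(self, content: bytes) -> str:
        # HMAC over the file bytes under a per-device secret: identical bytes yield a
        # different key on every device, so a key never travels with the file.
        return hmac.new(self.secret, content, hashlib.sha256).hexdigest()

    def baseline(self, files: dict) -> int:
        """Install-time scan: key every executable found, good or bad. Returns the count keyed."""
        count = 0
        for path, content in files.items():
            if path.lower().endswith(EXECUTABLE_SUFFIXES):
                self.whitelist[path] = self.file_key(content)
                count += 1
        return count

    def may_execute(self, path: str, content: bytes) -> bool:
        """Default deny: run only if a key exists for this path and matches the current bytes."""
        key = self.whitelist.get(path)
        return key is not None and hmac.compare_digest(key, self.file_key(content))

    def install(self, agent: str, path: str, content: bytes) -> bool:
        """Only a configured trusted agent may key a new executable; anyone else is refused."""
        if agent not in self.trusted_agents:
            return False
        self.whitelist[path] = self.file_key(content)
        return True


def demo() -> dict:
    """Walk through the scenarios in the text and return the outcome of each check."""
    # Constructed sample file systems (paths and bytes are made up for the example).
    clean = {
        r"C:\Windows\explorer.exe": b"MZ explorer",
        r"C:\Program Files\POS\register.exe": b"MZ register",
        r"C:\Users\bob\notes.txt": b"not code",
    }
    bot_path, bot_bytes = r"C:\Users\bob\AppData\svchosts.exe", b"MZ botnet client"

    infected = Device("POS-01", trusted_agents={"WindowsUpdate"})
    infected.baseline({**clean, bot_path: bot_bytes})   # malware present before install gets keyed
    other = Device("POS-02", trusted_agents={"WindowsUpdate"})
    other.baseline(clean)

    results = {}
    results["bot_runs_on_infected_host"] = infected.may_execute(bot_path, bot_bytes)   # baselined
    results["bot_runs_on_other_device"] = other.may_execute(bot_path, bot_bytes)       # no key there
    # Copying the infected host's whitelist entry across does not help: that key was
    # computed under POS-01's secret and will not verify under POS-02's.
    other.whitelist[bot_path] = infected.whitelist[bot_path]
    results["copied_key_works_on_other_device"] = other.may_execute(bot_path, bot_bytes)
    # A freshly dropped payload on the protected host has no key at all.
    results["dropped_payload_runs"] = infected.may_execute(r"C:\Temp\payload.exe", b"MZ dropper")
    # Updates arrive through a trusted agent and are keyed automatically; a user's own install is not.
    results["update_via_trusted_agent"] = (
        infected.install("WindowsUpdate", r"C:\Windows\kb.exe", b"MZ patch")
        and infected.may_execute(r"C:\Windows\kb.exe", b"MZ patch")
    )
    results["update_by_user_install"] = infected.install("bob", r"C:\Users\bob\game.exe", b"MZ game")
    # Patching a keyed binary in place changes its bytes, so the key no longer verifies
    # (assumption: keys are bound to file content).
    results["tampered_binary_runs"] = infected.may_execute(r"C:\Windows\explorer.exe", b"MZ explorer + shellcode")
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:36} {outcome}")
```

The model makes the article's trade-off visible: the pre-existing bot on POS-01 is keyed at baseline and keeps running there (which is why the vendor recommends cleaning first), but neither the file nor its stolen whitelist entry lets it run on POS-02, and anything a non-trusted party drops or patches is refused.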

The client software runs locally and doesn't need to communicate with a server, which makes Savant's solution well suited to laptops and other mobile devices that are frequently off the network. What's more, according to Savant the client's enforcement is independent of Windows administrator rights, so a user with a local administrator account can't simply switch the protection off to install whatever he wants.

Savant Enterprise Management System (SEMS) is a Web console that provides centralized visibility and control of the endpoints. SEMS integrates endpoint management with desktop management systems such as Symantec's Altiris Client Management Suite, Microsoft System Center Configuration Manager (SCCM) and Microsoft Systems Management Server (SMS). Tools of this kind would be your trusted agents, allowed to update the devices automatically.

SEMS also allows you to remove unwanted software from the endpoints; control devices such as USB ports and CD/DVD drives; log, alert on and report on activities at the endpoints; and remotely manage Savant clients.

The Savant solution works especially well for single-purpose devices such as point-of-sale (POS) terminals and industrial control systems (e.g., SCADA). Such a device can be essentially locked down to run only authorized applications, but these applications can be updated as needed by trusted agents. Redner's Markets, a chain of warehouse grocery stores headquartered in Reading, Pa., has deployed Savant Protection on about 600 POS devices in its stores. System administrator Eric Moody chose the whitelisting solution because it is more effective than antivirus and it allows him to block off USB access at the cash registers. Moreover, it helps the grocer meet its PCI requirements.

The application whitelisting provided by Savant Protection is intended to allow you to get control of your user environment without "breaking" the endpoint to the state where workers can't run what they need to run locally. The solution's focus is on ease of use and operational efficiency without business disruption -- all with minimal requirements for administration. It's not an absolute panacea, but it's an important security layer to add to your arsenal.
