September 10, 2012
Guest Post From Researcher Chris Sherman
Traditional antivirus techniques have been fighting a losing battle for years. Popular exploit kits pounce on new vulnerabilities quickly, while techniques such as polymorphic viruses let malware change its appearance faster than signatures can be written for it. As a result, signature databases (known as "blacklists") have ballooned in size, straining a company's infrastructure and endpoint performance. Combined with the fact that antivirus vendors miss a significant number of unknown or zero-day threats, many security professionals are left questioning their antivirus-centric approach to endpoint protection. As the number of malware samples rises, this traditional "Whack-A-Mole" blacklist strategy of signature-based antivirus protection is simply unscalable.
In our new report "Application Control: An Essential Endpoint Security Component," my colleague Chenxi Wang and I discuss the importance of supplementing antivirus with application control in an effort to reduce the number of potential avenues for attack (otherwise known as the endpoint's attack surface). One of the most promising forms of application control is application whitelisting. Whereas traditional antivirus technologies laboriously scan every file on the endpoint looking for known-bad code, whitelisting takes a very different approach: it blocks everything except those applications known to be trusted. This leads to faster endpoint performance and overall better protection against zero-day threats when compared to traditional antivirus techniques.
Now of course, there are operational challenges that make the move to a whitelisting approach difficult in certain environments. Organizations will sometimes struggle with building an initial whitelist, and there can be many difficulties maintaining one once it's in place, especially in dynamic environments where applications are updated frequently. Deciding which applications are necessary and which should be eliminated is not a trivial task. However, at the end of the day you are left with an endpoint environment with less reliance on antivirus techniques and a significantly reduced attack surface.
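To make the contrast between the two models concrete, here is a small added example (not from the report or from any vendor's product) that evaluates the same set of constructed sample binaries under a hash-based blacklist and under a default-deny whitelist built from a known-good baseline. The file contents, names and hashes are all made up for the illustration; it also shows why a patched binary breaks a stale whitelist, which is the maintenance problem noted above.

```python
import hashlib

# Constructed stand-ins for executable contents on a known-good baseline image.
TRUSTED_BINARIES = {
    "notepad.exe": b"MZ... notepad v1",
    "excel.exe": b"MZ... excel v14",
}
# Constructed "known-bad" sample whose hash is the only signature we have.
KNOWN_MALWARE = b"MZ... dropper build 1"
MALWARE_BLACKLIST = {hashlib.sha256(KNOWN_MALWARE).hexdigest()}
# Constructed polymorphic variant: same behaviour, different bytes, new hash.
POLYMORPHIC_VARIANT = b"MZ... dropper build 2 (repacked)"
# Constructed legitimate update that the baseline whitelist has not seen yet.
PATCHED_NOTEPAD = b"MZ... notepad v2"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_whitelist(baseline: dict) -> dict:
    """Hash every binary in the known-good baseline into a hash -> name map."""
    return {sha256(content): name for name, content in baseline.items()}


def blacklist_verdict(content: bytes) -> str:
    """Signature model: allow unless the hash matches a known-bad entry."""
    return "block" if sha256(content) in MALWARE_BLACKLIST else "allow"


def whitelist_verdict(content: bytes, whitelist: dict) -> str:
    """Default-deny model: allow only if the hash is in the trusted set."""
    return "allow" if sha256(content) in whitelist else "block"


def evaluate(samples: dict, whitelist: dict) -> dict:
    """Return {name: (blacklist verdict, whitelist verdict)} for each sample."""
    return {name: (blacklist_verdict(c), whitelist_verdict(c, whitelist))
            for name, c in samples.items()}


if __name__ == "__main__":
    wl = build_whitelist(TRUSTED_BINARIES)
    samples = {**TRUSTED_BINARIES,
               "known_malware": KNOWN_MALWARE,
               "variant": POLYMORPHIC_VARIANT,
               "notepad_v2": PATCHED_NOTEPAD}
    for name, (bl, w) in evaluate(samples, wl).items():
        print(f"{name:14} blacklist={bl:6} whitelist={w}")
```

The repacked variant slips past the blacklist because its hash is unknown, while the whitelist blocks it by default; the patched editor is blocked for the same reason until the baseline is refreshed.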
For more information on the challenges and benefits of application control, as well as how the attack surface can be further reduced through targeted patch management and privilege management, see our published report. And as always, we welcome your comments below.