We recently sat down with Nigel Stanley, Analyst at Bloor Research, to discuss how whitelisting has evolved over the years and where the endpoint security market is heading in 2010.

Q: What role does whitelisting technology play in protecting a company’s vital information and managing critical risk?

A: Application whitelisting, which is the notion of only allowing pre-determined applications to install and run on a network, is gaining a lot more mindshare from security teams than ever before. Once in place and properly configured, an IT estate protected in this way should be able to prevent unapproved software code or applications from being installed.

Of course, whitelisting is only one part of the information security mix.

Forgetting the world of automatic downloads and so on, one big question I always ask when discussing whitelisting with security people is whether they see users trying to install unauthorised applications on their work systems. In most cases this doesn’t happen, due to workstation lockdown and techniques such as whitelisting, but when it does, it is interesting to understand the motives of the user in question. This applies especially if the user is trying to install an application to help with their job. If this is the case then we, as information security people, need to see how we can quickly facilitate what is probably a justifiable business need.

At this point I get right on my hobby horse – delivering business benefit is what we security people are all about. Too many people lose sight of this, and application whitelisting must be seen as an enabler for business benefit. I’ll get off my hobby horse now!

Q: In which sectors are you seeing the most adoption of whitelisting technologies? And, do you expect adoption to increase in 2010?

A: As everyone knows, IT is pretty beat up at the moment, suffering from the fallout of the worldwide recession. As countries come out of recession and confidence returns, budgets will start to become available.

At this point, I expect many businesses will take a long hard look at IT and question the fact that they survived the recession with reduced IT expenditure, so why should money suddenly be spent on IT systems. After all, they have been perfectly adequate over the past couple of years!

Of course, this is one extreme type of thinking, but what I believe we will see is more questioning and greater expectations of the business benefit that IT brings. Failing to demonstrate this business benefit will be fatal.

This is where well-implemented and managed technologies such as whitelisting should come into their own. The business should be able to understand the concept of whitelisting and its benefits, which should make adoption easier.

Traditionally, we have seen the finance sector be the lead adopters of almost all IT technologies, except maybe the National Security Agency and GCHQ!

Having had their businesses and egos dented over the past couple of years, I don’t necessarily see finance being the first sector to adopt whitelisting, and maybe it will be more of an even race across sectors. With the pressure on public sector budgets starting to bite, it will be interesting to see how quickly they embrace whitelisting or indeed any other new IT systems.

Q: What is driving the move towards whitelisting?

A: I see the biggest driver to whitelisting being the frustration of dealing with an avalanche of malicious code, viruses and Trojans. Getting your head around this without using some form of automation will soon lead to madness. I believe the tipping point has been passed and we are now subject to a greater volume of malware than we are of “goodware”. Whitelisting is an obvious next step for many organisations, as it is now easier to say no by default and then let the good bits come through on a case by case basis. That said, the adoption of a whitelisting approach will pose a cultural and operational issue for most IT people, so this needs to be factored into an adoption equation.

Q: Do you think there is a need for the convergence of whitelisting and blacklisting technologies?

A: I think the problem with whitelisting and blacklisting is that, superficially, it is too black and white! Of course there is a range of code out there which can easily be deemed to be nasty and is easy to blacklist. Similarly, there is code which is easier to whitelist – think downloads from major software suppliers. That said, I have known what appears to be “goodware” downloaded from a trusted vendor which then promptly screws up an IT estate due to application compatibility problems.

The merger of whitelisting with blacklisting is probably inevitable, with greylisted code sitting in the middle, maybe subjected to some heuristic analysis. If this analysis fails to work then it will be down to a human making the decision I’m afraid!

Q: What are you expecting to see from the security market in 2010?

A: As I mentioned, I do expect to see budgets slowly becoming bigger and a gentle increase in IT expenditure. I have an old belief which is that people never want less security, so as new IT systems get created, information security will be a key requirement. Couple this with the relentless increase in threats (certainly the malware market hasn’t had a recession) and security expenditure must increase.

Against this background we will see a need to create business benefit using smarter, more agile and better implemented IT security solutions. The rush to cloud-based computing will leave many early adopters with a sore head, as they realise they forgot some pretty basic issues relating to information security and cloud computing wasn’t the nirvana they expected.

On the other hand I expect to see innovative solutions, such as whitelisting, start to gain mindshare as organisations look for better ways to secure their businesses.

Nigel Stanley, Bloor Research:
Twitter: @securitynigel
Blog: http://www.bloorresearch.com/blog/security.html

Nigel Stanley is a specialist in business technology and IT security and now heads up Bloor’s IT Security practice. Nigel is a published author and regular commentator in the press on IT security issues.