By Rene Kolga
What is Application Whitelisting?
One approach to combating viruses and malware is to whitelist software that is considered safe to run and block everything else. This default-deny, or zero-trust, approach has a number of benefits. The US Government, including the intelligence community, is a strong supporter of whitelisting. The National Institute of Standards and Technology (NIST) states, “Application whitelisting solutions are generally strongly recommended for hosts in high-risk environments where security outweighs unrestricted functionality.”
However, the management overhead of application whitelisting can be a significant burden in many environments. Just as the number of malware variants borders on infinity, the number of applications can easily stretch into the millions. Whitelisting can create an enormous amount of friction if deployed widely in the workplace. Today’s knowledge workers, with their broad range of responsibilities, require a diverse and ever-evolving set of applications to perform their roles.
In the last few years, the use of fileless malware and so-called living-off-the-land techniques has become prevalent. These techniques use legitimate, clean administrative tools that are often included with the operating system itself. By leveraging them, attackers can bypass application whitelisting as well as many other security tools. Even Symantec cautions that “Pure application whitelisting will not prevent the misuse of dual-use tools.”
Zero-day attacks exploit a software vulnerability that was previously unknown to, or undisclosed by, the software vendor. Whitelisting may not protect an organization if the vulnerability being exploited is within an approved (whitelisted) application. Vulnerabilities in web browsers, Java, Adobe and Microsoft Office applications are very common, and there are very few environments where these applications are not whitelisted.
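As an added illustration (not code from the original post or from Nyotron) of the default-deny model and the two gaps described above, here is a toy allowlist evaluator with the hash, publisher and path rule kinds common to whitelisting products. A patched build of a pinned application fails its hash rule (the maintenance burden), while an OS administrative tool allowed by publisher passes regardless of what it is used for (the living-off-the-land gap). All names, paths and file bytes are constructed.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Executable:
    path: str
    publisher: str  # signer name, as an agent would read it from the code-signing certificate
    image: bytes    # constructed stand-in for the file contents

@dataclass(frozen=True)
class Rule:
    kind: str    # "hash" | "publisher" | "path" (rule kinds common to allowlisting products)
    value: str
    effect: str  # "allow" | "deny"

def digest(exe: Executable) -> str:
    return hashlib.sha256(exe.image).hexdigest()

def matches(rule: Rule, exe: Executable) -> bool:
    if rule.kind == "hash":
        return digest(exe) == rule.value
    if rule.kind == "publisher":
        return exe.publisher == rule.value
    if rule.kind == "path":
        return exe.path.lower().startswith(rule.value.lower())
    raise ValueError(f"unknown rule kind: {rule.kind}")

def decide(policy: list[Rule], exe: Executable) -> str:
    """Deny rules win over allow rules; anything unmatched is denied (default deny)."""
    hits = [r for r in policy if matches(r, exe)]
    if any(r.effect == "deny" for r in hits):
        return "deny"
    return "allow" if hits else "deny"

SAMPLES = {  # constructed sample executables (hypothetical names, publishers and bytes)
    "lob_v1": Executable(r"C:\Apps\lob\lob.exe", "Contoso LOB Inc", b"lob-build-1"),
    "lob_v2": Executable(r"C:\Apps\lob\lob.exe", "Contoso LOB Inc", b"lob-build-2"),  # patched build
    "cmd": Executable(r"C:\Windows\System32\cmd.exe", "Microsoft Windows", b"cmd-bytes"),
    "dropped": Executable(r"C:\Users\alice\AppData\Local\Temp\update.exe", "", b"unknown-bytes"),
}

POLICY = [
    Rule("hash", digest(SAMPLES["lob_v1"]), "allow"),  # pinned line-of-business app
    Rule("publisher", "Microsoft Windows", "allow"),    # OS components, admin tools included
    Rule("path", "C:\\Users\\", "deny"),                # nothing runs from user-writable dirs
]

def evaluate(policy: list[Rule] = POLICY) -> dict[str, str]:
    return {name: decide(policy, exe) for name, exe in SAMPLES.items()}
```

Note that the allowlist decision for cmd.exe is identical whether it is launched to list a directory or to delete one; the control inspects the executable's identity, not its behaviour.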
At its core, Nyotron took all the benefits of whitelisting and made the approach both more secure and usable on an enterprise scale. Instead of focusing on applications, we have mapped all the normative ways that may lead to damage, such as file deletion, data exfiltration, encryption, and more. Focusing on this finite set of “good” actions allows PARANOID to be completely agnostic to threats, applications and attack vectors.
Here are just a few highlights of the benefits of Nyotron’s PARANOID vs. whitelisting:
| Capability | Application Whitelisting | Nyotron’s PARANOID |
|---|---|---|
| Protection against fileless attacks | NO | YES |
| Protection against application vulnerabilities & zero-days | NO | YES |