Positive Security: Worth The Work?
New approach requires in-depth systems knowledge, but the payoff is substantial.
Two forms of positive security worth exploring are application whitelisting and mandatory access control, or MAC.
More Security Insights
- Get Actionable Insight with Security Intelligence for Mainframe Environments
- Getting a Grip on Mobile Malware
White PapersMore >>
Instead of letting every program run on a computer by default and trying to stop bad ones after they've caused trouble, whitelisting allows only approved applications to run. The concept can be applied not just to software, but also to the functions that applications are allowed to perform. It's complex and won't stop everything, but with more threats coming online every day, it's an option worth exploring.
MAC, meanwhile, allows much more powerful and granular control compared with the discretionary access control (DAC) methods commonly used to secure today's desktop operating systems. MAC also is more complex than DAC, which is best summarized as allowing or denying access based on identity. A user is either logged in to a privileged account or isn't, and is either a member of a particular group or isn't.
In a MAC environment, a user account may have full control over the user's files, but a mail client run by the same user may have a reduced set of permissions, such as restrictions on which directories it may read or write to. Think about it this way: If your Web browser needs only to execute some libraries or plug-ins, save files to a download folder, and create network connections, why should it have the ability to execute any other binary or access the memory of other running applications?
Configuring and maintaining a positive security model is more expensive than traditional laissez-faire methods, but the benefits of MAC and application whitelisting are beginning to outweigh implementation costs, and the trend toward positive security features and policies is growing, not only in third-party security products, but also in operating systems. In our Strategic Security poll, the practice of reducing software features to essentials made our list of the top half-dozen most effective vulnerability management practices.
Vendors also are taking small steps: Kaspersky Lab has added application whitelisting vendor Bit9's database into its product. Kaspersky uses this whitelist as an initial check to speed up scanning--not a true positive security model, but it's a start. Among large antivirus vendors, Symantec has been vocal about its desire to migrate to a positive security model, and has started to implement features similar to Kaspersky, including a lockdown mode that prohibits new programs. The application whitelisting market also is expanding (see vendor list, above).
NOT QUITE EVERYTHING
There are problems positive security can't solve, as well as common deployment inhibitors. First, although some mechanisms use positive security models to combat insider threats, the majority of such systems require trusted endpoints, and a sufficiently clued local user can subvert such a system. In addition, positive security models aren't proof against approved applications that have vulnerabilities. These models can help prevent most malicious software from running and limit the scope of a compromise, but malware can still leverage a software vulnerability to infect a system.
The thing to remember is that the vast majority of current threats will fail in an environment with application whitelisting or MAC. A strategy need not be perfect to be worthwhile.
The biggest barrier to positive security is the management cost. In sites with just a few standard desktop builds and relatively static application sets, a positive security strategy makes good sense. Servers, in particular, tend to perform a few specific functions and have access to more critical resources than endpoints. Conversely, it's difficult to implement a positive security program when users can install their own software or require a constantly changing set of apps.
Conversely, a whitelist is not necessarily synonymous with a positive security model, though the two terms are sometimes used interchangeably.
For example, a whitelist in an antivirus application may refer to specific known-good applications that should always be allowed to run, but that does not necessarily mean the antivirus product uses a default-deny policy. Just because an application employs a whitelist does not mean it uses a positive security model, which specifies a list of good behaviors or objects and blocks all else by default.