Whitelist Security Approach

  • The cyber environment


    One of the most important distinctions between 'yesterday' and 'now' is the emergence of a digital reality. Everything we see around us now has an electronic equivalent. While back in 2009 the total volume of digital information in the world was approximately 0.8 Zettabytes (1 ZB = 10^12 Gigabytes), in 2010 it became 1.2 ZB, and by 2020 it will be 35 ZB. Most of this data will be available from more or less anywhere on the globe and from any mobile or stationary device.

    A significant part of this data is software, which in its turn falls into three categories: known legitimate (clean) software, known malicious software (viruses, Trojans etc.) and unknown ('grey') software. Naturally, all malicious software must be blacklisted. However, such software grows ever more complex by the day, and its quantity increases so quickly that blacklisting technologies become less and less effective.

    Figure 1: Unknown Software and Blacklist

    Figure 2: Malware files growth

    At the same time, the biggest threat is posed by the huge mass of unknown software which can be a source of unknown malware. Effective protection may not exist to combat these threats when they first appear.

  • Whitelist Security Approach

    A new approach, distinct from the classic blacklist, is required. The effectiveness of this approach should not depend on the amount and complexity of malware, and at the same time it should allow the user to work with all types of clean and legitimate software.


    The Whitelist Security Approach developed by Kaspersky Lab is based on systemizing knowledge of legitimate software. The principle is as follows: traditional signature-based computer protection prevents the execution of the malicious code; whitelisting technology allows the execution of legitimate software. How do we know exactly what software is clean? As part of the Whitelist Security Approach a dedicated whitelisting database is created that consists of programs that have already been checked to ensure they are legitimate.

    The combination of Blacklist, Whitelist and other technologies ensures multilayer protection with levels complementing and supporting each other, which in turn ensures maximum safety for the user. The combination of these technologies makes the execution of unknown and potentially dangerous programs virtually impossible.

    In Kaspersky Lab's products for corporate users the new approach is implemented as part of the Application Control module, which uses both local whitelist databases and the Whitelist database located 'in the cloud'.

    Figure 3: Whitelist security approach

    Whitelist technology is available both for Kaspersky Lab's consumer users (Kaspersky Anti-Virus/Kaspersky Internet Security/Kaspersky PURE) and for corporate customers (Kaspersky Endpoint Security 8). The key features of the Application Control module that implement the Whitelist Security Approach in Kaspersky Lab's corporate products are listed below:

    Figure 4: Categorization of software installed on the corporate network

    • Inventory: allows a record to be kept of software installed on the corporate network and to provide results in a convenient format for analysis;

    • Categorization: allows functional categories to be assigned to installed software (OS, browsers, multimedia, games etc.). Using these categories makes it easy to identify applications that are work-related. The administrator can then restrict or block the execution of programs that are not connected to work tasks;

    • Trusted Updaters: this feature ensures regular updates of legitimate software in order to close any vulnerabilities discovered;

    • Flexible rules: allows the administrator to use dozens of Kaspersky Lab rules or to create their own based on multiple available options such as file name, MD5, vendor, source folder, etc.;

    • The Kaspersky Lab Global Whitelist database is always available in the cloud. The administrator can also create a local Whitelist database that is valid for their corporate network only;

    • The Golden Image category, which contains files that come with OS installation files and other important software, can be used when the Default Deny scenario is performed, meaning the launch of any software not included in whitelists on the corporate network nodes can be blocked. Considering the large number and diversity of software on the corporate network, it is often easier to choose only useful programs which are required for work than continuously combating new threats.


  • Analytical Agency’s View

    What the leading analytical agencies think

    Having forecast technological developments in the sphere of corporate IT security, the major analytical agencies have paid a lot of attention to the concept of Endpoint Protection Platforms (EPP) as well as Whitelist and Application Control technologies. Gartner, for instance, has stated the following *:

    • Traditional endpoint security markets for point solutions such as anti-malware, encryption, device control, and network access control are being eclipsed by endpoint protection platforms (EPPs).

    • If live reputation and default deny Whitelist technologies live up to their promise they could disrupt the current market convergence on ever-larger signature databases, heavier agents, and larger security suites.

    • Light client-side agents leveraging live reputation checks would sit more easily on handhelds and provide some support for other unmanaged devices.

    • Reputation databases based on community reporting could be commoditized for widespread use, lowering the costs of protection.

    • Vendors must combine proven anti-malware tools, data protection capabilities, and new technologies such as live reputation database lookup and Whitelist to provide customers with effective, manageable protection on a growing variety of traditional and emerging endpoint platforms.

    • Default deny application control and Whitelist systems, however, offer some game-changing protection potential versus blacklisting solutions. Default deny Whitelist puts endpoints into a stronger defensive posture by preventing any software not explicitly allowed by policy from installing or launching.

    • Strategic plan to migrate to a standard user desktop and deploy default deny application Whitelist. Gartner considers this an excellent protection strategy.


    *Source: Gartner, [Endpoint Protection Platforms Blending Security, System Management, and Data Protection], [Application Control and Whitelisting for Endpoints], [10 March 2011]

  • Dynamic Whitelisting

    Dynamic whitelisting database

    Despite the seeming simplicity of the Whitelist Security Approach, its implementation is far from an easy task. The software world is developing rapidly: numerous new programs and updates are released daily. In addition, hacker attacks and the placing of malware on legitimate websites, for instance on file portals on the Internet, are becoming more frequent.

    As a result, there are three main tasks facing the developers of whitelisting technology:

    • Ensuring the database is complete – ideally, all trusted software should be included. This means that the number of files in the database should be constantly increasing;

    • Ensuring the database is updated quickly. New software should be added to the database immediately after it is released, or even better, before it is released;

    • Ensuring high-quality scanning of applications for whitelists, i.e. no mistakes when identifying software (false positives).

    All this requires major financial and technological outlay by the developer. To resolve the aforementioned tasks Kaspersky Lab has created a dynamic whitelist database.

    The Dynamic Whitelist makes it possible to react immediately to any change in the software world, providing maximum quality, completeness and speed of the database. This is achieved as follows.

    Figure 5: Kaspersky Lab Dynamic Whitelist

    Infrastructure

    A globally-distributed multi-layer infrastructure is necessary to gather and analyze information, which then becomes available through updates and via the cloud.


    Regional information collection centers forward information to processing centers for further processing – analysis, classification, functional categorization etc. After thorough checks, information on legitimate software is included in the trusted files database.

    At the same time the fact that the file has been added to a whitelist is not in itself a guarantee that it will remain there permanently, as its reputation may change, e.g. as a result of a compromised certificate. To keep the database up to date, the contents of whitelists are checked on a regular basis.


    Expertise

    After the information on an application is processed, clean software is automatically added to the whitelisting database. However, cases that are not clear-cut, such as those that involve suspicious programs, require detailed expert analysis which is performed by the Virus Lab. Kaspersky Lab’s leading role in the IT security industry ensures premium quality data analysis.

    Intelligence

    Tens of millions of users worldwide participate in the Kaspersky Security Network, a globally-distributed malware detection and reporting system. This enables real time tracking of new software which is released daily in different countries.


    A considerable amount of software is created and used “behind closed doors”, and information about it is not freely available. The Partner Whitelist program is designed to solve this problem, allowing information to be received about software from the world’s leading vendors and distributors immediately after, or even before, the release of a product.

    Innovations

    Operational control of whitelists is performed by a dedicated Whitelist Lab, whose functions include training of intelligent systems that participate in gathering and processing data and categorizing software. Whitelist Lab specialists track compromised certificates, the publication of malicious content on legitimate websites and other incidents which require prompt action and modification of the data in the whitelist database.

  • Practical Application

    The aptly-named Whitelisting approach to security ensures effective protection of different user categories and helps to solve a number of problems that are relevant today.

    Boosting anti-virus performance

    An application which is on the global Whitelist does not require regular checking by the security program. This helps to save system resources and improve the application’s performance, while at the same time minimizing the number of inquiry messages displayed to the user.

    The Whitelisting database is enormous and is replenished daily with information about millions of new files. If no malicious code is detected, the programs are added to the database. Since 2009, Whitelisting technology has been successfully deployed in Kaspersky Lab's home user products, i.e. Kaspersky Anti-Virus and Kaspersky Internet Security. With this technology, the results of checking each individual piece of software are sent to the Kaspersky Security Network (KSN) cloud and become available to its users around the globe almost instantly.

    Minimizing the cost of maintaining network security


    In medium-sized and large businesses, a network administrator’s responsibilities typically include a broad range of security maintenance tasks. Quite often, one person services networks of several offices at the same time, which may affect the quality of security services provided. This in turn leads to a lower quality of network infrastructure protection and puts the entire business or businesses at serious risk.

    In this situation, the system administrator's job is greatly assisted by comprehensive solutions with a single management console and integrated multi-tier security tools such as Web Control, Device Control and Application Control.

    With these, the system administrator can set up different network rules and policies, as well as access the vendor's databases delivered via the cloud or locally on the endpoint. Network management becomes easier and less time-consuming thanks to simple operation, efficient rules and policies and a flexible system.

    Improving the efficiency of corporate resource usage

    Nowadays, medium-sized and large businesses increasingly face the problem of employees using corporate resources for non-business related purposes, or corporate networks being inadvertently infected with a virus or a Trojan. These problems lead to additional equipment maintenance and network security costs.

    Investigations of companies running corporate networks with more than 1,000 computers have demonstrated that up to 80% of all network traffic is non-business related, and up to 70% of employees’ working hours may be spent on non-business related activities. Non-production applications are run on more than 40% of all computers in a network.

    Besides working, corporate employees often spend time in chat rooms, on social networks, visiting online stores and exchanging photos via web galleries, etc. Users also install and run applications on their work computers that are not related to their business activities. On average, 3 new applications are installed on a typical corporate network each day, including those that are forbidden by corporate security policies.


    To address these problems, a new solution is needed that can combine the advantages of a regular antivirus program with the latest technologies, and which could provide simple and flexible management of all the applications installed on a corporate network. This is our new product based on Application Control and Whitelist technologies.

    How it works

    When run, an application is checked against the local whitelist database created by the system administrator. This type of database is strongly recommended, as corporate networks usually contain lots of applications.

    If the application is not found locally, a request is sent to the global whitelist database located in the cloud. This request only delivers metadata, not the application itself. The cloud-based database constantly receives data from all over the world, which makes it possible to learn more about almost any application.

    Figure 6: Application control. How it works

    After the check is completed, any relevant information is instantly sent back to the network, including file category, e.g. driver, operating system, browser, media, etc. As a result, the system administrator is automatically provided with external expertise about a previously unknown object.

    The file is then marked as “allowed” or “forbidden”, according to the local network security rules set up by the administrator in Application Startup Control. Non-work-related applications such as games, media or social network clients can be blocked for all users or for a group of users only. The system administrator can also allow access to such applications according to a schedule.

    This is an effective solution to the problem of non-productive use of corporate resources as well as increasing corporate network security, which in turn reduces technical support costs.

    Protection from targeted attacks

    When cybercriminals want to harm a specific company or an individual employee within that company, organized targeted attacks are often used. These attacks can do irreparable damage to a business.

    Commonly, corporate security policies allow the execution of any code not identified as malicious. This also drastically reduces a company’s level of network security, making it vulnerable to targeted attacks and the actions of unwary users within the company.


    The Default Deny tool is the most effective method of protecting against such occurrences as it prevents the launch and spread of malicious software. This tool is unique as it blocks the launch and execution of any objects which are not on the Whitelist and which have not been clearly identified as secure by the administrator, rather than allowing the execution of any code that is not identified as suspicious or malicious, as regular security products do.

    To help system administrators handle the task of applying the Default Deny tool, Kaspersky Lab’s specialists have implemented a feature called the Golden Image. This contains a list of all the essential software needed for a computer to operate correctly.

    The use of the Golden Image, the list of locally approved applications and the Whitelisting database in the cloud allows system administrators to create effective policies and rules that ensure network security and prevent targeted attacks.
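The local-then-cloud lookup, the administrator's rule options (file name, MD5, vendor, source folder, category, user group) and the Default Deny behaviour with a Golden Image described above, as an added Python model; it is not Kaspersky Lab's code, and the databases, file contents, folder paths and policy are constructed samples.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class FileInfo:
    name: str
    vendor: str
    folder: str
    content: bytes
    def md5(self) -> str:
        # MD5 serves only as the lookup key the page names, not as a security primitive
        return hashlib.md5(self.content).hexdigest()

@dataclass(frozen=True)
class Rule:                              # one administrator rule; None fields match anything
    action: str                          # "allowed" or "forbidden"
    category: Optional[str] = None
    vendor: Optional[str] = None
    name: Optional[str] = None
    folder_prefix: Optional[str] = None
    groups: frozenset = frozenset()      # empty = applies to all user groups

    def matches(self, f: FileInfo, category: Optional[str], group: str) -> bool:
        if self.groups and group not in self.groups:
            return False
        wanted = ((self.category, category), (self.vendor, f.vendor), (self.name, f.name))
        if any(w is not None and w != got for w, got in wanted):
            return False
        return self.folder_prefix is None or f.folder.startswith(self.folder_prefix)

_h = lambda b: hashlib.md5(b).hexdigest()  # hash helper for the constructed tables

# Constructed sample databases (hash of constructed content -> functional category)
LOCAL_WHITELIST = {_h(b"erp-client.exe sample"): "business",
                   _h(b"ntoskrnl sample"): "golden image"}
CLOUD_WHITELIST = {_h(b"mediaplayer.exe sample"): "multimedia",
                   _h(b"chess.exe sample"): "games"}

def lookup(f: FileInfo) -> Optional[str]:
    """Local database first; only the hash (metadata) would leave the network."""
    h = f.md5()
    if h in LOCAL_WHITELIST:
        return LOCAL_WHITELIST[h]
    return CLOUD_WHITELIST.get(h)        # None: previously unknown object

def decide(f: FileInfo, group: str, rules: list, default_deny: bool) -> tuple:
    """Return (verdict, reason); the first matching administrator rule wins."""
    category = lookup(f)
    for rule in rules:
        if rule.matches(f, category, group):
            return rule.action, "administrator rule"
    if category is None:                 # on no whitelist: Default Deny decides
        return ("forbidden" if default_deny else "allowed"), "unknown object"
    return "allowed", f"whitelisted as {category}"

# Constructed policy: Golden Image always runs, games are blocked for everyone,
# multimedia only for the "staff" group, and nothing launches from user profiles.
POLICY = [
    Rule("allowed", category="golden image"),
    Rule("forbidden", category="games"),
    Rule("forbidden", category="multimedia", groups=frozenset({"staff"})),
    Rule("forbidden", folder_prefix="C:\\Users\\"),
]
```

With `default_deny=True` an object absent from both databases is blocked even though no rule names it, which is the difference from the default-allow policy the text criticises.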

  • Kaspersky Lab's Approach

    Cloud technologies and Kaspersky Lab’s approach to Whitelisting


    Some companies providing security solutions based on Application Control and Whitelisting technologies state that the new technologies are capable of replacing conventional signature analysis techniques (blacklisting). This is not really possible: the new technologies are designed to complement rather than replace existing protection tools that have demonstrated their effectiveness over many years.

    When working on creating an optimum solution combining new and conventional technologies, it is important to create, develop and integrate both methods into a single technology base from a single vendor company.

    This is exactly the approach that Kaspersky Lab’s experts have used: they have taken the company’s cutting-edge Application Control and Whitelisting technologies and seamlessly integrated them with other protection components in their new security products.

    Figure 7: Kaspersky Lab Whitelist


    • The dynamic Whitelisting database contains more than 300 million unique files. Each day, information about more than a million files is added to it.

    • Every day, the Kaspersky Security Network (KSN) collects information about new software from many millions of consenting users right around the world; this information is then shared in real time with all the other members of the network.

    • The effective use of automated processing of new threats, regular review of the existing database content and the great expertise of antivirus lab specialists provide the highest Whitelist quality.

    • The Whitelist Lab division is responsible for monitoring and training the Whitelist's intelligent systems. It should be noted that, as of today, Kaspersky Lab is the only company that has such a unique division as a Whitelist Lab in its structure.

    • The very low number of false positives, i.e. when clean software is identified as malicious, is just one of the benefits of creating a Whitelisting database. Kaspersky Lab cooperates with more than 200 large and globally renowned software developers and distributors, including HP, Adobe, Intel, Asus, MSI, Mozilla etc. The company receives information about programs even before they appear on the market, thereby allowing Kaspersky Lab’s experts to keep their database right up to date, which minimizes the risk of false positives.

    • All this means our whitelist technology reacts immediately to the evolution of the software ecosystem and ensures qualitative, fast, and comprehensive database updates.


    Today, the use of technologies such as those described above is a key factor in boosting the efficiency of corporate network protection. Kaspersky Lab’s unparalleled experience and high-tech solutions will help protect your business and allow it to run effectively.