SlideShare a Scribd company logo

CoreTrace Whitepaper: Application Whitelisting -- A New Security Paradigm

CoreTrace Corporation, profile picture
CoreTrace Corporation

The document discusses the inadequacies of traditional endpoint security strategies, particularly blacklisting, which cannot effectively counteract modern malware threats. It proposes application whitelisting, specifically CoreTrace's Bouncer v2.0, as a superior security solution, emphasizing a proactive approach that allows only authorized code to execute. This revolutionary strategy aims to enhance endpoint security by controlling execution at a low level and preventing unauthorized programs, ultimately addressing the vulnerabilities inherent in previous methods.

TechnologyBusinessEducation
Related topics:
endpoint-security
1 of 9
Download to read offline
1
2
3
4
5
6
7
8
9
applicatiOn whiteliSting: a new Security paradigm True Endpoint Security— A Matter of 180° With a defense‑in‑depth strategy in place complete with an Endpoint Security v1.0 (i.e., blacklisting) antivirus solution, personal firewall, and up-to-date security patches— endpoint security is covered, right? It shouldn’t matter that the web is the preferred malware attack vector and that in 1Q08 a new infected webpage was discovered every five seconds. It shouldn’t matter, but unfortunately, it still does because Endpoint Security v1.0 is about as useful as a restraining order—seemingly proactive and affording a false sense of security; all very nice until this essentially reactive strategy that surrenders control to the criminal offers no protection when it counts. Endpoint Security v1.0’s failures are well‑documented in the headlines: data breaches, identity theft, cyberextortion, etc. It should have been game over for this flawed strategy long ago, but in the absence of a superior alternative, Endpoint Security v1.0 was allowed to play out. Fortunately, application whitelisting is now available to provide superior endpoint security; however, application whitelisting solutions are not created equally. True endpoint security is a matter of degrees—180° to be exact. BOUNCER by CoreTrace™ with its unique v2.0 revolutionary 180°‑shifted approach provides true endpoint security from within the kernel. cOntentS 1 Overview 1 endpOint Security v1.0 (BlackliSting) 2 endpOint Security v1.1 (90°‑Shifted whiteliSting) 3 BOuncer’S endpOint Security v2.0 (180°‑Shifted whiteliSting) Core Tenet #1—Control What You Know Core Tenet #2—Control at the lowest Possible level Core Tenet #3—Control Transparently 7 Summary Ju ly 20 08 CoreTrace Corporation 6500 River Place Blvd., Building II, Suite 105, Austin, TX 78730 512‑592‑4100 | sales@coretrace.com | www.coretrace.com
BOUNCER by CoreTrace™ Overview “ To keep up with the criminals, antivirus With a defense-in-depth strategy in place complete with an Endpoint Security v1.0 (i.e., blacklisting) antivirus solution, personal firewall, and up-to-date security patches— companies plan endpoint security is covered, right? It shouldn’t matter that the web is the preferred malware a major shift in attack vector and that in 1Q 2008, a new infected webpage was discovered every 5 seconds for approach, called an average of more than 15,000 per day (79% of these were legitimate websites); 3 times more ‘whitelisting’. As a than in 2007.(1) It shouldn’t matter, but unfortunately, it still does because Endpoint Security vast flood of new v1.0 is about as useful as a restraining order—seemingly proactive and affording a false sense malware threatens of security; all very nice until this essentially reactive strategy that surrenders control to the to overwhelm criminal offers no protection when it counts. antivirus software, security companies Endpoint Security v1.0’s failures are well-documented in the headlines: data breaches, identity have begun theft, cyberextortion, etc. Blacklisting, the perpetual one-step-behind solution, tries to identify changing how their malware and keep it out by using a reactive approach (it is dependent on timely signature programs protect updates); therefore, it is simply unable to defeat zero-day threats. In effect, blacklisting PCs. To avoid being surrenders control to the cybercriminals, handing them the first-strike advantage. Cybercriminals left in the dust by know that with Endpoint Security v1.0, control of an endpoint is only a malware variant away— the crooks, today, tomorrow, forever. It should have been game over for this flawed strategy long ago, but companies plan to in the absence of a superior alternative, Endpoint Security v1.0 was allowed to play out. turn the tables on them by allowing Fortunately, a new security paradigm—application whitelisting that only allows authorized only known good code to execute—is available to provide superior endpoint security over traditional blacklisting programs to run. solutions; however, application whitelisting solutions are not created equally. True endpoint The technique, security is a matter of degrees—180° to be exact. BOUNCER by CoreTrace™ with its unique known as v2.0 revolutionary 180°-shifted approach to endpoint security fills the security gap that is the whitelisting, could bane of v1.0 solutions and provides true endpoint security from within the kernel. help protect your computer…whitelist endpOint Security v1.0 (BlackliSting) security may be a tool for techies In the early days of the Internet, organizations helped keep their end users, assets, and today. But soon it’ll information protected by implementing antivirus solutions as a part of their defense-in-depth be de rigeur in the strategies. The premise of these solutions is simple: a security vendor detects a malicious battle against threat and creates a signature of that threat; the signature is pulled onto the endpoints of malware.(2) end users that have paid for protection (the timing being dependent on the update setting — Erik Larkin on each endpoint); a scan is run and all files on the endpoint are compared against the new PC World signature to detect the presence of the threat (the speed of which is directly correlated with the number of files on the endpoint); and if the threat is found, the antivirus program detects it and cleans it off the endpoint (if possible). “ In terms of deliberate action Endpoint Security v1.0 blacklist solutions work best when the threats being detected are against information infrequent and readily apparent. The Internet’s early threats fit that requirement. Viruses, the systems, hacking Internet equivalent of graffiti, came out infrequently and with great fanfare since their authors and malcode were driven by ego in a quest to be infamous—they wanted the program to be detected after proved to be the causing widespread damage. Today, most malicious threats are driven by profit-seeking attack method cybercriminals that strike quickly and oftentimes invisibly. Blacklist solutions do not provide true of choice among endpoint security due to the following weaknesses: cybercriminals… Ninety percent of „ Zero‑Day Threats—The Achilles’ heel of blacklist solutions is the zero-day threat—it is known impossible for a signature to be created for a threat that has just been released. With blacklist vulnerabilities solutions, endpoints and end users will be impacted until the blacklist is updated.(2)(3) exploited by these attacks had patches available for at least (1) Sophos; Security Threat Report; Sophos.com; Q1 2008. six months prior to (http://www.sophos.com/pressoffice/news/articles/2008/04/secrep08q1.html) the breach.(3) (2) Erik Larkin; Coming: A Change in Tactics in Malware Battle; PC World; June 23, 2008. (http://www.pcworld.com/article/147374/coming_a_change_in_tactics_in_malware_battle.html) — Wade H. Baker, C. David Hylender, (3) Wade H. Baker, C. David Hylender, and J. Andrew Valentine; 2008 Data Breach Investigations Report; and J. Andrew Valentine Verizon Business RISK Team; June 11, 2008. Verizon Business RISK Team (http://www.verizonbusiness.com/resources/security/databreachreport.pdf) Application Whitelisting: A New Security Paradigm 1
BOUNCER by CoreTrace™ „ Targeted Attacks—Whether Trojan horses specifically designed to stealthily steal or bots that send spam or conduct paid-for denial of service (DoS) attacks, the vast majority of targeted threats will never be distributed widely enough to warrant their own signatures. Since their motivation is financial, cybercriminals have every incentive to remain below the “ I always patch my system and run radar. regular scans with updated antivirus „ Variants—The rapid retargeting of the same fundamental attack, but in a slightly different and antispyware way presents a significant problem for security vendors that rely on signature files or scanners. But while blacklist databases. The blacklist approach, one in which a unique signature is created for researching this new threat variant, is simply inadequate to keep up with threats when breaking a signature story, I got hit by a is as simple as loading a new webpage. Trojan…that was too The rapid expansion of the number of variants of malicious code and the number of new for my antivirus ways that malicious code can get onto an endpoint has created a problem for any program to catch. security vendor that concerns itself with looking for things that are bad. Regardless of Whether it’s a new whether a security technology is looking for bad files, bad behaviors, or bad executables variant on a familiar the keeping-the-bad-guys-out approach cannot work with rapidly changing malware or foe…or a completely attacks that are so targeted that they will never be widespread enough to have a signature new type of attack, created. today’s threats can leave even „ Rogue Applications—Unauthorized, but legitimate, applications can impact an endpoint’s the most security performance and availability, but they will never be detected by blacklist solutions that are conscious among us designed to prevent malware. vulnerable.(4) Endpoint Security v1.0 with its multiple layers of reactive antivirus and blacklisting databases, — Andrew Brandt security patches, and personal firewalls (all of which slow performance and add significant cost PC World to network operations) can’t defeat today’s threats (i.e., zero-day threats from malware, rootkits, and buffer overflows)—let alone tomorrow’s. endpOint Security v1.1 (90°‑Shifted whiteliSting) Fortunately, the majority of cyberattacks can be defeated if the right approach is taken defending the IT network—that is BOUNCER’s Endpoint Security v2.0 whose revolutionary 180°-shifted approach starts by turning v1.0 blacklisting on its head and proceeds from there. Note the phrase, starts by turning v1.0 blacklisting on its head and proceeds from there. Endpoint Security v2.0 strategy is to only allow authorized code to execute (i.e., whitelisting), “ so even if malware gains access to a system, it cannot execute and is neutralized— that’s the short answer. For security reasons, the details in the execution of that strategy Nobody has a are as important as adopting the strategy. full list of all good software… Endpoint Security v2.0 is predicated on three core tenets: control what you know, control at the displaying a lowest possible level, and control transparently. To be considered a true Endpoint Security v2.0 pop‑up that asks solution, the security features shown in Table 1 must be present. you to decide BOUNCER does not maintain a database of size and digest information created from vendors’ whether an original media to compare to the whitelist it creates from an endpoint. While this approach may unknown app is produce some sense of security for known file matches, it clearly doesn’t address unknown or okay to run undocumented ones. Updates to existing applications are constantly released and all of those ensures that would have to be entered into the database. Many organizations have legacy or internally you’ll eventually developed applications and others run software that would not be a part of the database. With make the wrong this model, the whitelist database would suffer from the same shortcomings found in the blacklist call and break antivirus model—antivirus vendors simply cannot keep it current. More importantly, the whitelist your software or database approach is subject to database corruption by the possible inclusion of Trojanized even your system… files in the database that would in essence become authorized software.(4)(5) And then there’s the big question: Who maintains the list?(5) (4) Andrew Brandt; The 10 Biggest Security Risks You Don’t Know About; PC World; June 22, 2006. (http://www.pcworld.com/article/126083/the_10_biggest_security_risks_you_dont_know_about.html) — Erik Larkin (5) Erik Larkin; Coming: A Change in Tactics in Malware Battle; PC World; June 23, 2008. PC World (http://www.pcworld.com/article/147374/coming_a_change_in_tactics_in_malware_battle.html) Application Whitelisting: A New Security Paradigm 2
BOUNCER by CoreTrace™ Beware of any endpoint security solution claiming to be a v2.0 solution that merely exchanges one list for another. While a whitelist-based solution is superior to a blacklist-based solution “ Companies are wasting money because it is proactive vs. reactive, a true Endpoint Security v2.0 solution uses a whitelist on security of fingerprints customized for each endpoint; thereby, limiting the entries to programs processes— installed on each endpoint vs. a centralized database of all programs. Additionally, a true such as applying Endpoint Security v2.0 solution automatically generates the customized whitelist for each patches and using endpoint in a controlled environment to ensure that it is not compromised. Further, a true antivirus software— Endpoint Security v2.0 solution provides an efficient whitelist updating capability that does not which just do not place a burden on the IT administrative staff. work, according The specious solution that has merely exchanged one list for another is only a 90°-shifted to Cisco’s chief solution, and it has only reached v1.1—or rather, the whitelist is a behemoth one-size-fits-all- security officer let’s-hope-the-list-isn’t-hacked centralized database of all authorized programs that somehow John Stewart… has to be mapped to each specific endpoint. the malware industry is moving Walk away from these going-in-the-right-direction-but-didn’t-quite-make-it v1.1 half-solutions or faster than the else the weight of this solution and attendant administrative burden and security risks will come security industry, crashing down on your CPUs and valuable IT staff. making it impossible for BOuncer’S endpOint Security v2.0 users to remain secure…“If patching (180°‑Shifted whiteliSting) and antivirus is where I spend my Cybercriminals are well armed, well skilled, and well motivated, so how can an organization money, and I’m still protect itself? Fortunately, despite the prolific cyberattack vectors, tools, and strategies, the getting infected and majority of cyberattacks can be stopped dead in their tracks if the right approach is taken I still have to clean defending the IT network—that is, BOUNCER’s Endpoint Security v2.0. BOUNCER takes a up computers and revolutionary 180°-shifted approach to endpoint security providing a unique Endpoint Security I still need to v2.0 solution that defeats today’s, tomorrow’s, next year’s…known and unknown threats— reload them and finally, efficiently, effectively, BOUNCER stops the madness. still have to recover the user’s data and To be considered a true Endpoint Security v2.0 solution, the security features shown in Table 1 I still have to must be present. Endpoint Security v2.0 is proactive, whitelist-based, provides enforcement reinstall it, the from within the kernel, and it is predicated on the following three core tenets: entire cost equation „ Control what you know. of that is a waste.” “It’s completely „ Control at the lowest possible level. wasted money”… “There are too many „ Control transparently. companies in the BOUNCER leverages Endpoint Security v2.0’s three core tenets to provide the capabilities world that actually listed below for PCs, servers, and embedded systems. believe infection is just a cost of „ Preventing unauthorized programs and processes from running. doing business and „ Preventing rootkit establishment. are getting used to doing it— „ Stopping code injected via buffer overflow from running and stopping further memory as opposed to corruption. stopping it „ Preventing system configuration modification by staff members, malicious insiders, and completely. malicious outsiders. That’s dangerous” …“I’m sick of „ Securing the endpoint transparently to end users. blacklisted stuff. „ Providing ease-of-use to the operational staff.(6) I’ve got to go for whitelisted stuff— I know what that is because I put it there.”(6) — Liam Tung (6) Liam Tung; Antivirus is completely wasted money?; ZDNet Australia; May 21, 2008. ZDNet Australia (http://www.zdnetasia.com/news/security/0,39044215,62041561,00.htm) Application Whitelisting: A New Security Paradigm 3
BOUNCER by CoreTrace™ Table 1. Endpoint Security v2.0: Security Features “ Time: The second Tuesday of every control month, 10:00 a.m. From the PST. Like clockwork, control loWeSt control Microsoft releases Security FeatureS What you KnoW PoSSible level tranSParently a group of security h Only authorized programs allowed to execute  patches. And like clockwork, that h Authorized programs fingerprinted to create a unique three‑factor integrity check release sets in motion a flurry h File digest (SHA‑1 hash)  of events from h File location (pathname) h File size businesses, security vendors, h Whitelist of fingerprints customized for the media and each endpoint—entries limited   even hackers… to programs installed on an endpoint an entire industry h Automatically generates customized has grown up whitelist in a controlled environment   around h Ease‑of‑use whitelist updating procedure   Patch Tuesday. Businesses race to h Digital certificates used for authentication  quickly determine h Enforcement from within the kernel  which are the most critical for their h Entry points to the OS securely wrapped  users and which h Prevents direct kernel memory might inadvertently read and write from user space  cause more h Monitors and reacts to memory problems than they modification  solve. Security firms rapidly implement h Provides a complete IPsec infrastructure  fixes to their own systems and push them out to users… and hackers work to reverse‑engineer CORE TENET #1—CONTROl WhAT YOU KNOW the patches to Control what you know—what else can you control? Blacklists are pursuing the flawed strategy discover and use of trying to control that which is unknowable, and, as a result, are locked in a zero-day-threat race the vulnerabilities they can never win and being paid well for it. Conversely, controlling what you know—that is, to their own controlling the authorized applications used by an endpoint so that you can be indifferent to the advantage… rest—is the principle that underpins BOUNCER’s whitelisting strategy that defeats cybercrime. Some people derisively call this BOUNCER creates a whitelist of authorized programs (i.e., a list of fingerprints) that it uses Exploit Wednesday to recognize (i.e., identify and validate) an authorized program as it loads. Each authorized …A typical program’s fingerprint is comprised of the triple play of the following integrity checks: file digest Microsoft patch (SHA-1 hash), file location (pathname), and file size. updates only a When an unauthorized program tries to load (e.g., a virus from an e-mail attachment, a program couple of DLL files, copied on an endpoint by an authorized user, or a program copied on an endpoint through which is helpful a vulnerability), BOUNCER simply does not allow it to execute, thereby defeating the vast to the bad guys majority of threats, including preventing Trojans from overwriting authorized files. because they can compare the The greatest strength of BOUNCER’s technology is that it protects unpatched vulnerabilities two binary files from exploitation, effectively neutralizing zero-day threats. If a vulnerability is unpatched and and find the exploited, the malicious program or injected code is stopped anyway, so zero-day threats one difference become a thing of the past and there is time to test all patches before they are deployed—if between they are deployed at all.(7) the two, which is the vulnerability.(7) (7) Karen D. Schwartz; How Microsoft’s Patch Tuesday Affects Business Processes and Security; cio.com; July 9, 2008. — Karen D. Schwartz (http://www.cio.com/article/428363/How_Microsoft_s_Patch_Tuesday_Affects_Business_Processes_and_ cio.com Security?page=1&) Application Whitelisting: A New Security Paradigm 4
BOUNCER by CoreTrace™ “ BOUNCER’s leveraging of control what you know results in significant IT cost savings. IT departments that use BOUNCER can say goodbye to the following and say hello to a little Attacks targeting sanity: applications, „ Zero-day threats. software, and services were „ Malware, Trojans, viruses/worms, bots, keyloggers, adware, and spyware. by far the most common technique, „ Reactive security patching (patch for features you need on your schedule and have time representing to fully test patches). 39 percent of all „ Chronic signature updating. hacking activity leading to data „ Technology stacks, pattern matching, and behavioral heuristics (including the impact of compromise. false positives and prolonged learning periods typical of behavioral solutions). This follows a trend in recent years CORE TENET #2—CONTROl AT ThE lOWEST POSSiBlE lEvEl of attacks moving up the stack. Most sophisticated attacks are targeted at the kernel; therefore, that is where the battle Far from passé, lies (only security software that functions in the kernel can reliably deliver the controls that operating system, IT requires). platform, and server‑level attacks BOUNCER loads into the kernel very early and performs the following functions: accounted for a „ Allocates resources only to authorized applications. sizable portion of breaches. „ Locks down the process table and keeps track of pointers. Eighteen percent BOUNCER leverages control at the lowest possible level to prevent rootkit establishment; of hacks exploited stop injected code (for example, via buffer overflow) from running (even in authorized a specific known programs); prevent system configuration modification by staff members and malicious insiders vulnerability and outsiders; and prevent direct kernel memory read and write from user space. while 5 percent exploited unknown „ BOUNCER prevents rootkit establishment. A cybercriminal’s goal is to obtain and retain vulnerabilities for control of the endpoints that they gain access to for as long as possible to maximize their which a patch was profit margins. Once access to an endpoint is gained, cybercriminals install a rootkit to take not available at the control of an endpoint and to retain control so they can load the software needed to carry time of the attack. out their schemes at their convenience. Evidence of re‑entry As soon as the operating system (OS) boots, a BOUNCER process runs within the kernel via backdoors, and oversees all activities of every other process that runs. If a rootkit attempts to establish which enable itself within a BOUNCER-secured kernel, this zero-day threat has zero time-to-live— prolonged access BOUNCER will recognize it as unauthorized and it will be DOA. to and control of compromised Many rootkits are also Trojans masquerading as legitimate OS files. Sometimes, the systems, was found malicious code is embedded in a legitimate OS file that still functions normally. Because in 15 percent of BOUNCER’s whitelist is based on a fingerprint comprised of a triple play of integrity hacking‑related checks—file digest (SHA-1 hash), file location (pathname), and file size—Trojans are breaches. The revealed as unauthorized and are not permitted to run. attractiveness of Once established, rootkits are very difficult to detect because they use the administrator this to criminals capability that the rootkit provides to cover up traces of their activities (hiding themselves desiring large from endpoint utilities that list files and provide information about running processes), and quantities of to hide other programs they plant on the endpoint. Some rootkits are known and may be information is detected by a scanning program; however, this defense does not work for a newly written obvious.(8) rootkit. Typically, established rootkits are detected by a file comparison between a suspect — Wade H. Baker, endpoint and a clean endpoint with full administrator rights. This is difficult to organize and C. David Hylender, carry out while an endpoint is running. If a rootkit is established on an endpoint (i.e., prior and J. Andrew Valentine Verizon Business RISK Team to being protected by BOUNCER), to completely eradicate the rootkit, the best practice is to reimage the endpoint with a known clean image. The better practice is to use BOUNCER to prevent rootkit establishment.(8) (8) Wade H. Baker, C. David Hylender, and J. Andrew Valentine; 2008 Data Breach Investigations Report; Verizon Business RISK Team; June 11, 2008. (http://www.verizonbusiness.com/resources/security/databreachreport.pdf) Application Whitelisting: A New Security Paradigm 5
BOUNCER by CoreTrace™ „ BOUNCER stops injected code (for example, via buffer overflow) from running (even in authorized programs). Injected code (for example, via buffer overflow) is not loaded through normal file access means; therefore, defeating this threat requires “ In fact there is no need at all for monitoring the code image in memory to detect changes and, when detected, to terminate AV once you have the process. whitelisting… Because BOUNCER has control at the lowest possible level, it is capable of defeating we’ll never stop the buffer overflows; furthermore, because BOUNCER’s whitelisting technology has created a global virus plague controlled environment, even if the injected code manages to run for a few seconds, it will until AV becomes not be able to run any new programs, and it is only able to access whatever the program it defunct… injected itself into was able to access. Given BOUNCER’s unique approach to whitelisting, Actually there are buffer overflows can be stopped—even in applications that are on the whitelist. a whole series of network issues „ BOUNCER prevents system configuration modification by staff members and that require the malicious insiders and outsiders. Endpoint users unknowingly, and in the case of a management of a malicious insider, knowingly, weaken and sometimes corrupt an endpoint’s security list of valid configuration by installing rogue applications (i.e., legitimate but unauthorized programs). executables BOUNCER’s self-protection mechanisms that prevent such system configuration including modifications include the following: software license ¾ BOUNCER runs in the OS kernel and cannot be tampered with by the end user, even management, if the end user has administrator, or root, access on the endpoint. software usage auditing, ¾ BOUNCER’s whitelist is encrypted. software BOUNCER helps to keep an endpoint compliant by maintaining its desired state throughout provisioning and its lifecycle with the following measures: so on. AV technology ¾ BOUNCER’s whitelisting technology ensures that an endpoint’s performance will not never had much degrade due to typical configuration drift or cyberattack. to say about this issue. To be honest ¾ BOUNCER can periodically scan the endpoint and remove unauthorized programs it was always copied onto the system (i.e., all programs that are not on the whitelist). The system PC software in spirit logs the deleted files providing a record of activity on each protected endpoint. and AV companies „ BOUNCER prevents direct kernel memory read and write from user space. BOUNCER tended not to think securely wraps entry points to the OS by intercepting system calls from user space and of their technology packets coming from the network card which are processed according to file policy or as part of an network filter rules, respectively. end‑to‑end security solution…So even if AV technology was CORE TENET #3—CONTROl TRANSPARENTlY capable of stopping BOUNCER leverages control transparently to secure the endpoint transparently to end users, viruses effectively, and to provide ease-of-use to operational staff. which it isn’t, it would have no Endpoint Security v1.0 blacklists are bloated (typically containing millions of entries per contribution to make endpoint) and are plagued by exponential and constant growth due to the rampant proliferation to the management of malware. Blacklists require a large footprint in memory and on the hard drive, and negatively of executables. impact the CPU—blacklist scans have a significant negative performance impact noticeable to Whitelisting end users. software does BOUNCER’s Endpoint Security v2.0 whitelist is lean (typically containing only a few thousand because, aside from entries per endpoint) and it is immune to the effects and onslaughts of cybercrime. BOUNCER’s stopping all malware whitelist requires a very small footprint in memory and on the hard drive, and has a negligible stone dead, it can impact on the CPU—BOUNCER is transparent to end users. prevent the use of old versions of BOUNCER allows IT departments to set up an endpoint and know that it is configuration-drift software or software free and secure—no need to continually update signature files or reactively patch the endpoint. that violates BOUNCER affords the piece of mind that an endpoint is running exactly as intended—without corporate policy.(9) rogue applications and safe from malicious code.(9) — Robin Bloor The Register (9) Robin Bloor; The decline of antivirus and the rise of whitelisting; The Register; June 27, 2007; (http://www.theregister.co.uk/2007/06/27/whitelisting_v_antivirus/) Application Whitelisting: A New Security Paradigm 6
BOUNCER by CoreTrace™ Summary Sometimes a shift in perspective is all that is necessary to solve a seemingly intractable problem. The shift from Endpoint Security v1.0’s ineffective, flawed blacklisting solutions to whitelisting “ Blacklisting— where vendors solutions is inevitable. The demise of blacklisting solutions is merely a matter of time; however, compile lists of the implementation of true endpoint security via application whitelisting is a matter of degrees— known malware— BOUNCER’s Endpoint Security v2.0 180°-shifted approach to be exact.(10) has become technically unfeasible… When you’re doubling the amount of malware you’re getting on a daily basis, eventually a blacklisting model ultimately could run out of architectural scalability… As blacklisting becomes increasingly difficult… Whitelisting looks like it has an architectural promise that could be very strong.(10) — Liam Tungn ZDNet Australia (10) Liam Tung; McAfee CEO: Adware is killing antivirus blacklisting; ZDNet Australia; June 16, 2008. (http://www.zdnetasia.com/news/security/0,39044215,62042651,00.htm) Application Whitelisting: A New Security Paradigm 7
BOUNCER by CoreTrace™ “ Antivirus products can actually open the door aBOut cOretrace to attackers, enabling them CoreTrace delivers a revolutionary approach to endpoint security with BOUNCER by to penetrate CoreTrace™: the most tamperproof, scalable, and comprehensive kernel-level application company networks whitelisting solution. Since BOUNCER only allows authorized applications to execute, it defeats and load sophisticated malware attacks, including rootkits and zero-day threats, and it neutralizes destructive code. memory-based exploits like buffer overflows. With BOUNCER, companies can stop paying for Security specialists annual signature updates and start patching applications on their schedule.(11) …claim to have discovered approximately 800 vulnerabilities in antivirus products during the past few months… every virus scanner currently on the market has several highly critical flaws which could pave the way for denial‑of‑service attacks and enable the infiltration of destructive code past the security solution into the network…‘parsing’ is one of the main causes of this problem…the more parsing that takes place, the higher the recognition rate and the degree of protection from destructive software, but at the same time the larger the attack surface which makes the antivirus product itself a target… Systematic industrial espionage, along with the interruption of all email © 2008 CoreTrace Corporation. All rights reserved. communication, CoreTrace and BOUNCER by CoreTrace are among the trademarks are two of and registered trademarks of the company in the United States and other the possible countries. All other trademarks are the property of their respective owners. consequences.(11) — Clement James (11) Clement James; Antivirus tools ‘pave way’ for malware; SC Magazine; June 30, 2008. SC Magazine (http://www.securecomputing.net.au/News/115604,antivirus-tools-pave-way-for-malware.aspx) Application Whitelisting: A New Security Paradigm 8

More Related Content

PDF
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...
michelemanzotti
 
PDF
Security model-of-sip-d2-05 at kishore
AT Kishore
 
PPTX
Trend Micro - 13martie2012
Agora Group
 
PPTX
SCIT Labs - intrusion tolerant systems
Zsolt Nemeth
 
PDF
Moving target-defense
Zsolt Nemeth
 
PDF
Datos personales y riesgos digitales
Juan Carlos Carrillo
 
PDF
Seguridad por oscuridad (paper)
Arturo Cruz
 
PDF
CoreTrace Whitepaper: Protecting PCI Systems And Data
CoreTrace Corporation
 
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...
michelemanzotti
 
Security model-of-sip-d2-05 at kishore
AT Kishore
 
Trend Micro - 13martie2012
Agora Group
 
SCIT Labs - intrusion tolerant systems
Zsolt Nemeth
 
Moving target-defense
Zsolt Nemeth
 
Datos personales y riesgos digitales
Juan Carlos Carrillo
 
Seguridad por oscuridad (paper)
Arturo Cruz
 
CoreTrace Whitepaper: Protecting PCI Systems And Data
CoreTrace Corporation
 

Similar to CoreTrace Whitepaper: Application Whitelisting -- A New Security Paradigm (20)

PDF
CoreTrace Whitepaper: Combating Buffer Overflows And Rootkits
CoreTrace Corporation
 
PDF
Total Defense Product Information
Zeeshan Humayun
 
PPTX
Presentation1.pptx
PawachMetharattanara
 
PPTX
Evento 15 aprile
Lan & Wan Solutions
 
PDF
CoreTrace Whitepaper: BOUNCER by CoreTrace ROI Analysis
CoreTrace Corporation
 
PDF
SOLUCIONES CHECKPOINT - Redes y Comunicaciones
pesoan
 
PDF
Moti Sagey CPX keynote _Are All security products created equal
Moti Sagey מוטי שגיא
 
PPTX
Insecurity in security products v1.5
DaveEdwards12
 
PDF
Next Generation Endpoint Prtection Buyers Guide
Jeremiah Grossman
 
PPTX
Presales-Present_GravityZone Products_June2023.pptx
PawachMetharattanara
 
PPTX
Presales-Present_GravityZone Products_June2023.pptx
PawachMetharattanara
 
PPTX
Agile Chennai 18-19 July 2025 Ideathon | Crypton- an AI driven, Quantum Resis...
AgileNetwork
 
PPTX
DefCamp 2013 - Are we there yet?
DefCamp
 
PDF
Network cloaking sansv2_
CMR WORLD TECH
 
PDF
Cyber security courses in Kerala , kochi
amallblitz0
 
PDF
Cyber security course in kerala | C|PENT | Blitz Academy
ananthakrishnansblit
 
PDF
SentinelOne Buyers Guide
Exclusive Networks ME
 
PPTX
How to detect, assess, prioritize, and remediate vulnerabilities using SanerNow?
SecPod
 
PPTX
Check Point Infinity
Alexander Kravchenko
 
DOCX
Security architecture proposal template
Moti Sagey מוטי שגיא
 
CoreTrace Whitepaper: Combating Buffer Overflows And Rootkits
CoreTrace Corporation
 
Total Defense Product Information
Zeeshan Humayun
 
Presentation1.pptx
PawachMetharattanara
 
Evento 15 aprile
Lan & Wan Solutions
 
CoreTrace Whitepaper: BOUNCER by CoreTrace ROI Analysis
CoreTrace Corporation
 
SOLUCIONES CHECKPOINT - Redes y Comunicaciones
pesoan
 
Moti Sagey CPX keynote _Are All security products created equal
Moti Sagey מוטי שגיא
 
Insecurity in security products v1.5
DaveEdwards12
 
Next Generation Endpoint Prtection Buyers Guide
Jeremiah Grossman
 
Presales-Present_GravityZone Products_June2023.pptx
PawachMetharattanara
 
Presales-Present_GravityZone Products_June2023.pptx
PawachMetharattanara
 
Agile Chennai 18-19 July 2025 Ideathon | Crypton- an AI driven, Quantum Resis...
AgileNetwork
 
DefCamp 2013 - Are we there yet?
DefCamp
 
Network cloaking sansv2_
CMR WORLD TECH
 
Cyber security courses in Kerala , kochi
amallblitz0
 
Cyber security course in kerala | C|PENT | Blitz Academy
ananthakrishnansblit
 
SentinelOne Buyers Guide
Exclusive Networks ME
 
How to detect, assess, prioritize, and remediate vulnerabilities using SanerNow?
SecPod
 
Check Point Infinity
Alexander Kravchenko
 
Security architecture proposal template
Moti Sagey מוטי שגיא
 
Ad

More from CoreTrace Corporation (7)

PDF
Moskowitz Whitepaper Microsoft App Locker And Beyond
CoreTrace Corporation
 
PDF
CoreTrace Whitepaper: Whitelisting And Control Systems
CoreTrace Corporation
 
PDF
CoreTrace Whitepaper: Application Whitelisting And Energy Systems
CoreTrace Corporation
 
PDF
NetSpi Whitepaper: Hardening Critical Systems At Electrical Utilities
CoreTrace Corporation
 
PDF
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
CoreTrace Corporation
 
PDF
Core Trace PCI DSS Compliance
CoreTrace Corporation
 
PDF
Malicious Software Prevention for NERC CIP-007 Compliance:
CoreTrace Corporation
 
Moskowitz Whitepaper Microsoft App Locker And Beyond
CoreTrace Corporation
 
CoreTrace Whitepaper: Whitelisting And Control Systems
CoreTrace Corporation
 
CoreTrace Whitepaper: Application Whitelisting And Energy Systems
CoreTrace Corporation
 
NetSpi Whitepaper: Hardening Critical Systems At Electrical Utilities
CoreTrace Corporation
 
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
CoreTrace Corporation
 
Core Trace PCI DSS Compliance
CoreTrace Corporation
 
Malicious Software Prevention for NERC CIP-007 Compliance:
CoreTrace Corporation
 
Ad

Recently uploaded (20)

PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Cloud computing and distributed systems.
kkkkkhan
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
MYSQL Presentation for SQL database connectivity
Swati270511
 

CoreTrace Whitepaper: Application Whitelisting -- A New Security Paradigm

  • 1. applicatiOn whiteliSting: a new Security paradigm True Endpoint Security— A Matter of 180° With a defense‑in‑depth strategy in place complete with an Endpoint Security v1.0 (i.e., blacklisting) antivirus solution, personal firewall, and up-to-date security patches— endpoint security is covered, right? It shouldn’t matter that the web is the preferred malware attack vector and that in 1Q08 a new infected webpage was discovered every five seconds. It shouldn’t matter, but unfortunately, it still does because Endpoint Security v1.0 is about as useful as a restraining order—seemingly proactive and affording a false sense of security; all very nice until this essentially reactive strategy that surrenders control to the criminal offers no protection when it counts. Endpoint Security v1.0’s failures are well‑documented in the headlines: data breaches, identity theft, cyberextortion, etc. It should have been game over for this flawed strategy long ago, but in the absence of a superior alternative, Endpoint Security v1.0 was allowed to play out. Fortunately, application whitelisting is now available to provide superior endpoint security; however, application whitelisting solutions are not created equally. True endpoint security is a matter of degrees—180° to be exact. BOUNCER by CoreTrace™ with its unique v2.0 revolutionary 180°‑shifted approach provides true endpoint security from within the kernel. cOntentS 1 Overview 1 endpOint Security v1.0 (BlackliSting) 2 endpOint Security v1.1 (90°‑Shifted whiteliSting) 3 BOuncer’S endpOint Security v2.0 (180°‑Shifted whiteliSting) Core Tenet #1—Control What You Know Core Tenet #2—Control at the lowest Possible level Core Tenet #3—Control Transparently 7 Summary Ju ly 20 08 CoreTrace Corporation 6500 River Place Blvd., Building II, Suite 105, Austin, TX 78730 512‑592‑4100 | sales@coretrace.com | www.coretrace.com
  • 2. BOUNCER by CoreTrace™ Overview “ To keep up with the criminals, antivirus With a defense-in-depth strategy in place complete with an Endpoint Security v1.0 (i.e., blacklisting) antivirus solution, personal firewall, and up-to-date security patches— companies plan endpoint security is covered, right? It shouldn’t matter that the web is the preferred malware a major shift in attack vector and that in 1Q 2008, a new infected webpage was discovered every 5 seconds for approach, called an average of more than 15,000 per day (79% of these were legitimate websites); 3 times more ‘whitelisting’. As a than in 2007.(1) It shouldn’t matter, but unfortunately, it still does because Endpoint Security vast flood of new v1.0 is about as useful as a restraining order—seemingly proactive and affording a false sense malware threatens of security; all very nice until this essentially reactive strategy that surrenders control to the to overwhelm criminal offers no protection when it counts. antivirus software, security companies Endpoint Security v1.0’s failures are well-documented in the headlines: data breaches, identity have begun theft, cyberextortion, etc. Blacklisting, the perpetual one-step-behind solution, tries to identify changing how their malware and keep it out by using a reactive approach (it is dependent on timely signature programs protect updates); therefore, it is simply unable to defeat zero-day threats. In effect, blacklisting PCs. To avoid being surrenders control to the cybercriminals, handing them the first-strike advantage. Cybercriminals left in the dust by know that with Endpoint Security v1.0, control of an endpoint is only a malware variant away— the crooks, today, tomorrow, forever. It should have been game over for this flawed strategy long ago, but companies plan to in the absence of a superior alternative, Endpoint Security v1.0 was allowed to play out. turn the tables on them by allowing Fortunately, a new security paradigm—application whitelisting that only allows authorized only known good code to execute—is available to provide superior endpoint security over traditional blacklisting programs to run. solutions; however, application whitelisting solutions are not created equally. True endpoint The technique, security is a matter of degrees—180° to be exact. BOUNCER by CoreTrace™ with its unique known as v2.0 revolutionary 180°-shifted approach to endpoint security fills the security gap that is the whitelisting, could bane of v1.0 solutions and provides true endpoint security from within the kernel. help protect your computer…whitelist endpOint Security v1.0 (BlackliSting) security may be a tool for techies In the early days of the Internet, organizations helped keep their end users, assets, and today. But soon it’ll information protected by implementing antivirus solutions as a part of their defense-in-depth be de rigeur in the strategies. The premise of these solutions is simple: a security vendor detects a malicious battle against threat and creates a signature of that threat; the signature is pulled onto the endpoints of malware.(2) end users that have paid for protection (the timing being dependent on the update setting — Erik Larkin on each endpoint); a scan is run and all files on the endpoint are compared against the new PC World signature to detect the presence of the threat (the speed of which is directly correlated with the number of files on the endpoint); and if the threat is found, the antivirus program detects it and cleans it off the endpoint (if possible). “ In terms of deliberate action Endpoint Security v1.0 blacklist solutions work best when the threats being detected are against information infrequent and readily apparent. The Internet’s early threats fit that requirement. Viruses, the systems, hacking Internet equivalent of graffiti, came out infrequently and with great fanfare since their authors and malcode were driven by ego in a quest to be infamous—they wanted the program to be detected after proved to be the causing widespread damage. Today, most malicious threats are driven by profit-seeking attack method cybercriminals that strike quickly and oftentimes invisibly. Blacklist solutions do not provide true of choice among endpoint security due to the following weaknesses: cybercriminals… Ninety percent of „ Zero‑Day Threats—The Achilles’ heel of blacklist solutions is the zero-day threat—it is known impossible for a signature to be created for a threat that has just been released. With blacklist vulnerabilities solutions, endpoints and end users will be impacted until the blacklist is updated.(2)(3) exploited by these attacks had patches available for at least (1) Sophos; Security Threat Report; Sophos.com; Q1 2008. six months prior to (http://www.sophos.com/pressoffice/news/articles/2008/04/secrep08q1.html) the breach.(3) (2) Erik Larkin; Coming: A Change in Tactics in Malware Battle; PC World; June 23, 2008. (http://www.pcworld.com/article/147374/coming_a_change_in_tactics_in_malware_battle.html) — Wade H. Baker, C. David Hylender, (3) Wade H. Baker, C. David Hylender, and J. Andrew Valentine; 2008 Data Breach Investigations Report; and J. Andrew Valentine Verizon Business RISK Team; June 11, 2008. Verizon Business RISK Team (http://www.verizonbusiness.com/resources/security/databreachreport.pdf) Application Whitelisting: A New Security Paradigm 1
  • 3. BOUNCER by CoreTrace™ „ Targeted Attacks—Whether Trojan horses specifically designed to stealthily steal or bots that send spam or conduct paid-for denial of service (DoS) attacks, the vast majority of targeted threats will never be distributed widely enough to warrant their own signatures. Since their motivation is financial, cybercriminals have every incentive to remain below the “ I always patch my system and run radar. regular scans with updated antivirus „ Variants—The rapid retargeting of the same fundamental attack, but in a slightly different and antispyware way presents a significant problem for security vendors that rely on signature files or scanners. But while blacklist databases. The blacklist approach, one in which a unique signature is created for researching this new threat variant, is simply inadequate to keep up with threats when breaking a signature story, I got hit by a is as simple as loading a new webpage. Trojan…that was too The rapid expansion of the number of variants of malicious code and the number of new for my antivirus ways that malicious code can get onto an endpoint has created a problem for any program to catch. security vendor that concerns itself with looking for things that are bad. Regardless of Whether it’s a new whether a security technology is looking for bad files, bad behaviors, or bad executables variant on a familiar the keeping-the-bad-guys-out approach cannot work with rapidly changing malware or foe…or a completely attacks that are so targeted that they will never be widespread enough to have a signature new type of attack, created. today’s threats can leave even „ Rogue Applications—Unauthorized, but legitimate, applications can impact an endpoint’s the most security performance and availability, but they will never be detected by blacklist solutions that are conscious among us designed to prevent malware. vulnerable.(4) Endpoint Security v1.0 with its multiple layers of reactive antivirus and blacklisting databases, — Andrew Brandt security patches, and personal firewalls (all of which slow performance and add significant cost PC World to network operations) can’t defeat today’s threats (i.e., zero-day threats from malware, rootkits, and buffer overflows)—let alone tomorrow’s. endpOint Security v1.1 (90°‑Shifted whiteliSting) Fortunately, the majority of cyberattacks can be defeated if the right approach is taken defending the IT network—that is BOUNCER’s Endpoint Security v2.0 whose revolutionary 180°-shifted approach starts by turning v1.0 blacklisting on its head and proceeds from there. Note the phrase, starts by turning v1.0 blacklisting on its head and proceeds from there. Endpoint Security v2.0 strategy is to only allow authorized code to execute (i.e., whitelisting), “ so even if malware gains access to a system, it cannot execute and is neutralized— that’s the short answer. For security reasons, the details in the execution of that strategy Nobody has a are as important as adopting the strategy. full list of all good software… Endpoint Security v2.0 is predicated on three core tenets: control what you know, control at the displaying a lowest possible level, and control transparently. To be considered a true Endpoint Security v2.0 pop‑up that asks solution, the security features shown in Table 1 must be present. you to decide BOUNCER does not maintain a database of size and digest information created from vendors’ whether an original media to compare to the whitelist it creates from an endpoint. While this approach may unknown app is produce some sense of security for known file matches, it clearly doesn’t address unknown or okay to run undocumented ones. Updates to existing applications are constantly released and all of those ensures that would have to be entered into the database. Many organizations have legacy or internally you’ll eventually developed applications and others run software that would not be a part of the database. With make the wrong this model, the whitelist database would suffer from the same shortcomings found in the blacklist call and break antivirus model—antivirus vendors simply cannot keep it current. More importantly, the whitelist your software or database approach is subject to database corruption by the possible inclusion of Trojanized even your system… files in the database that would in essence become authorized software.(4)(5) And then there’s the big question: Who maintains the list?(5) (4) Andrew Brandt; The 10 Biggest Security Risks You Don’t Know About; PC World; June 22, 2006. (http://www.pcworld.com/article/126083/the_10_biggest_security_risks_you_dont_know_about.html) — Erik Larkin (5) Erik Larkin; Coming: A Change in Tactics in Malware Battle; PC World; June 23, 2008. PC World (http://www.pcworld.com/article/147374/coming_a_change_in_tactics_in_malware_battle.html) Application Whitelisting: A New Security Paradigm 2
  • 4. BOUNCER by CoreTrace™ Beware of any endpoint security solution claiming to be a v2.0 solution that merely exchanges one list for another. While a whitelist-based solution is superior to a blacklist-based solution “ Companies are wasting money because it is proactive vs. reactive, a true Endpoint Security v2.0 solution uses a whitelist on security of fingerprints customized for each endpoint; thereby, limiting the entries to programs processes— installed on each endpoint vs. a centralized database of all programs. Additionally, a true such as applying Endpoint Security v2.0 solution automatically generates the customized whitelist for each patches and using endpoint in a controlled environment to ensure that it is not compromised. Further, a true antivirus software— Endpoint Security v2.0 solution provides an efficient whitelist updating capability that does not which just do not place a burden on the IT administrative staff. work, according The specious solution that has merely exchanged one list for another is only a 90°-shifted to Cisco’s chief solution, and it has only reached v1.1—or rather, the whitelist is a behemoth one-size-fits-all- security officer let’s-hope-the-list-isn’t-hacked centralized database of all authorized programs that somehow John Stewart… has to be mapped to each specific endpoint. the malware industry is moving Walk away from these going-in-the-right-direction-but-didn’t-quite-make-it v1.1 half-solutions or faster than the else the weight of this solution and attendant administrative burden and security risks will come security industry, crashing down on your CPUs and valuable IT staff. making it impossible for BOuncer’S endpOint Security v2.0 users to remain secure…“If patching (180°‑Shifted whiteliSting) and antivirus is where I spend my Cybercriminals are well armed, well skilled, and well motivated, so how can an organization money, and I’m still protect itself? Fortunately, despite the prolific cyberattack vectors, tools, and strategies, the getting infected and majority of cyberattacks can be stopped dead in their tracks if the right approach is taken I still have to clean defending the IT network—that is, BOUNCER’s Endpoint Security v2.0. BOUNCER takes a up computers and revolutionary 180°-shifted approach to endpoint security providing a unique Endpoint Security I still need to v2.0 solution that defeats today’s, tomorrow’s, next year’s…known and unknown threats— reload them and finally, efficiently, effectively, BOUNCER stops the madness. still have to recover the user’s data and To be considered a true Endpoint Security v2.0 solution, the security features shown in Table 1 I still have to must be present. Endpoint Security v2.0 is proactive, whitelist-based, provides enforcement reinstall it, the from within the kernel, and it is predicated on the following three core tenets: entire cost equation „ Control what you know. of that is a waste.” “It’s completely „ Control at the lowest possible level. wasted money”… “There are too many „ Control transparently. companies in the BOUNCER leverages Endpoint Security v2.0’s three core tenets to provide the capabilities world that actually listed below for PCs, servers, and embedded systems. believe infection is just a cost of „ Preventing unauthorized programs and processes from running. doing business and „ Preventing rootkit establishment. are getting used to doing it— „ Stopping code injected via buffer overflow from running and stopping further memory as opposed to corruption. stopping it „ Preventing system configuration modification by staff members, malicious insiders, and completely. malicious outsiders. That’s dangerous” …“I’m sick of „ Securing the endpoint transparently to end users. blacklisted stuff. „ Providing ease-of-use to the operational staff.(6) I’ve got to go for whitelisted stuff— I know what that is because I put it there.”(6) — Liam Tung (6) Liam Tung; Antivirus is completely wasted money?; ZDNet Australia; May 21, 2008. ZDNet Australia (http://www.zdnetasia.com/news/security/0,39044215,62041561,00.htm) Application Whitelisting: A New Security Paradigm 3
  • 5. BOUNCER by CoreTrace™ Table 1. Endpoint Security v2.0: Security Features “ Time: The second Tuesday of every control month, 10:00 a.m. From the PST. Like clockwork, control loWeSt control Microsoft releases Security FeatureS What you KnoW PoSSible level tranSParently a group of security h Only authorized programs allowed to execute  patches. And like clockwork, that h Authorized programs fingerprinted to create a unique three‑factor integrity check release sets in motion a flurry h File digest (SHA‑1 hash)  of events from h File location (pathname) h File size businesses, security vendors, h Whitelist of fingerprints customized for the media and each endpoint—entries limited   even hackers… to programs installed on an endpoint an entire industry h Automatically generates customized has grown up whitelist in a controlled environment   around h Ease‑of‑use whitelist updating procedure   Patch Tuesday. Businesses race to h Digital certificates used for authentication  quickly determine h Enforcement from within the kernel  which are the most critical for their h Entry points to the OS securely wrapped  users and which h Prevents direct kernel memory might inadvertently read and write from user space  cause more h Monitors and reacts to memory problems than they modification  solve. Security firms rapidly implement h Provides a complete IPsec infrastructure  fixes to their own systems and push them out to users… and hackers work to reverse‑engineer CORE TENET #1—CONTROl WhAT YOU KNOW the patches to Control what you know—what else can you control? Blacklists are pursuing the flawed strategy discover and use of trying to control that which is unknowable, and, as a result, are locked in a zero-day-threat race the vulnerabilities they can never win and being paid well for it. Conversely, controlling what you know—that is, to their own controlling the authorized applications used by an endpoint so that you can be indifferent to the advantage… rest—is the principle that underpins BOUNCER’s whitelisting strategy that defeats cybercrime. Some people derisively call this BOUNCER creates a whitelist of authorized programs (i.e., a list of fingerprints) that it uses Exploit Wednesday to recognize (i.e., identify and validate) an authorized program as it loads. Each authorized …A typical program’s fingerprint is comprised of the triple play of the following integrity checks: file digest Microsoft patch (SHA-1 hash), file location (pathname), and file size. updates only a When an unauthorized program tries to load (e.g., a virus from an e-mail attachment, a program couple of DLL files, copied on an endpoint by an authorized user, or a program copied on an endpoint through which is helpful a vulnerability), BOUNCER simply does not allow it to execute, thereby defeating the vast to the bad guys majority of threats, including preventing Trojans from overwriting authorized files. because they can compare the The greatest strength of BOUNCER’s technology is that it protects unpatched vulnerabilities two binary files from exploitation, effectively neutralizing zero-day threats. If a vulnerability is unpatched and and find the exploited, the malicious program or injected code is stopped anyway, so zero-day threats one difference become a thing of the past and there is time to test all patches before they are deployed—if between they are deployed at all.(7) the two, which is the vulnerability.(7) (7) Karen D. Schwartz; How Microsoft’s Patch Tuesday Affects Business Processes and Security; cio.com; July 9, 2008. — Karen D. Schwartz (http://www.cio.com/article/428363/How_Microsoft_s_Patch_Tuesday_Affects_Business_Processes_and_ cio.com Security?page=1&) Application Whitelisting: A New Security Paradigm 4
  • 6. BOUNCER by CoreTrace™ “ BOUNCER’s leveraging of control what you know results in significant IT cost savings. IT departments that use BOUNCER can say goodbye to the following and say hello to a little Attacks targeting sanity: applications, „ Zero-day threats. software, and services were „ Malware, Trojans, viruses/worms, bots, keyloggers, adware, and spyware. by far the most common technique, „ Reactive security patching (patch for features you need on your schedule and have time representing to fully test patches). 39 percent of all „ Chronic signature updating. hacking activity leading to data „ Technology stacks, pattern matching, and behavioral heuristics (including the impact of compromise. false positives and prolonged learning periods typical of behavioral solutions). This follows a trend in recent years CORE TENET #2—CONTROl AT ThE lOWEST POSSiBlE lEvEl of attacks moving up the stack. Most sophisticated attacks are targeted at the kernel; therefore, that is where the battle Far from passé, lies (only security software that functions in the kernel can reliably deliver the controls that operating system, IT requires). platform, and server‑level attacks BOUNCER loads into the kernel very early and performs the following functions: accounted for a „ Allocates resources only to authorized applications. sizable portion of breaches. „ Locks down the process table and keeps track of pointers. Eighteen percent BOUNCER leverages control at the lowest possible level to prevent rootkit establishment; of hacks exploited stop injected code (for example, via buffer overflow) from running (even in authorized a specific known programs); prevent system configuration modification by staff members and malicious insiders vulnerability and outsiders; and prevent direct kernel memory read and write from user space. while 5 percent exploited unknown „ BOUNCER prevents rootkit establishment. A cybercriminal’s goal is to obtain and retain vulnerabilities for control of the endpoints that they gain access to for as long as possible to maximize their which a patch was profit margins. Once access to an endpoint is gained, cybercriminals install a rootkit to take not available at the control of an endpoint and to retain control so they can load the software needed to carry time of the attack. out their schemes at their convenience. Evidence of re‑entry As soon as the operating system (OS) boots, a BOUNCER process runs within the kernel via backdoors, and oversees all activities of every other process that runs. If a rootkit attempts to establish which enable itself within a BOUNCER-secured kernel, this zero-day threat has zero time-to-live— prolonged access BOUNCER will recognize it as unauthorized and it will be DOA. to and control of compromised Many rootkits are also Trojans masquerading as legitimate OS files. Sometimes, the systems, was found malicious code is embedded in a legitimate OS file that still functions normally. Because in 15 percent of BOUNCER’s whitelist is based on a fingerprint comprised of a triple play of integrity hacking‑related checks—file digest (SHA-1 hash), file location (pathname), and file size—Trojans are breaches. The revealed as unauthorized and are not permitted to run. attractiveness of Once established, rootkits are very difficult to detect because they use the administrator this to criminals capability that the rootkit provides to cover up traces of their activities (hiding themselves desiring large from endpoint utilities that list files and provide information about running processes), and quantities of to hide other programs they plant on the endpoint. Some rootkits are known and may be information is detected by a scanning program; however, this defense does not work for a newly written obvious.(8) rootkit. Typically, established rootkits are detected by a file comparison between a suspect — Wade H. Baker, endpoint and a clean endpoint with full administrator rights. This is difficult to organize and C. David Hylender, carry out while an endpoint is running. If a rootkit is established on an endpoint (i.e., prior and J. Andrew Valentine Verizon Business RISK Team to being protected by BOUNCER), to completely eradicate the rootkit, the best practice is to reimage the endpoint with a known clean image. The better practice is to use BOUNCER to prevent rootkit establishment.(8) (8) Wade H. Baker, C. David Hylender, and J. Andrew Valentine; 2008 Data Breach Investigations Report; Verizon Business RISK Team; June 11, 2008. (http://www.verizonbusiness.com/resources/security/databreachreport.pdf) Application Whitelisting: A New Security Paradigm 5
  • 7. BOUNCER by CoreTrace™ „ BOUNCER stops injected code (for example, via buffer overflow) from running (even in authorized programs). Injected code (for example, via buffer overflow) is not loaded through normal file access means; therefore, defeating this threat requires “ In fact there is no need at all for monitoring the code image in memory to detect changes and, when detected, to terminate AV once you have the process. whitelisting… Because BOUNCER has control at the lowest possible level, it is capable of defeating we’ll never stop the buffer overflows; furthermore, because BOUNCER’s whitelisting technology has created a global virus plague controlled environment, even if the injected code manages to run for a few seconds, it will until AV becomes not be able to run any new programs, and it is only able to access whatever the program it defunct… injected itself into was able to access. Given BOUNCER’s unique approach to whitelisting, Actually there are buffer overflows can be stopped—even in applications that are on the whitelist. a whole series of network issues „ BOUNCER prevents system configuration modification by staff members and that require the malicious insiders and outsiders. Endpoint users unknowingly, and in the case of a management of a malicious insider, knowingly, weaken and sometimes corrupt an endpoint’s security list of valid configuration by installing rogue applications (i.e., legitimate but unauthorized programs). executables BOUNCER’s self-protection mechanisms that prevent such system configuration including modifications include the following: software license ¾ BOUNCER runs in the OS kernel and cannot be tampered with by the end user, even management, if the end user has administrator, or root, access on the endpoint. software usage auditing, ¾ BOUNCER’s whitelist is encrypted. software BOUNCER helps to keep an endpoint compliant by maintaining its desired state throughout provisioning and its lifecycle with the following measures: so on. AV technology ¾ BOUNCER’s whitelisting technology ensures that an endpoint’s performance will not never had much degrade due to typical configuration drift or cyberattack. to say about this issue. To be honest ¾ BOUNCER can periodically scan the endpoint and remove unauthorized programs it was always copied onto the system (i.e., all programs that are not on the whitelist). The system PC software in spirit logs the deleted files providing a record of activity on each protected endpoint. and AV companies „ BOUNCER prevents direct kernel memory read and write from user space. BOUNCER tended not to think securely wraps entry points to the OS by intercepting system calls from user space and of their technology packets coming from the network card which are processed according to file policy or as part of an network filter rules, respectively. end‑to‑end security solution…So even if AV technology was CORE TENET #3—CONTROl TRANSPARENTlY capable of stopping BOUNCER leverages control transparently to secure the endpoint transparently to end users, viruses effectively, and to provide ease-of-use to operational staff. which it isn’t, it would have no Endpoint Security v1.0 blacklists are bloated (typically containing millions of entries per contribution to make endpoint) and are plagued by exponential and constant growth due to the rampant proliferation to the management of malware. Blacklists require a large footprint in memory and on the hard drive, and negatively of executables. impact the CPU—blacklist scans have a significant negative performance impact noticeable to Whitelisting end users. software does BOUNCER’s Endpoint Security v2.0 whitelist is lean (typically containing only a few thousand because, aside from entries per endpoint) and it is immune to the effects and onslaughts of cybercrime. BOUNCER’s stopping all malware whitelist requires a very small footprint in memory and on the hard drive, and has a negligible stone dead, it can impact on the CPU—BOUNCER is transparent to end users. prevent the use of old versions of BOUNCER allows IT departments to set up an endpoint and know that it is configuration-drift software or software free and secure—no need to continually update signature files or reactively patch the endpoint. that violates BOUNCER affords the piece of mind that an endpoint is running exactly as intended—without corporate policy.(9) rogue applications and safe from malicious code.(9) — Robin Bloor The Register (9) Robin Bloor; The decline of antivirus and the rise of whitelisting; The Register; June 27, 2007; (http://www.theregister.co.uk/2007/06/27/whitelisting_v_antivirus/) Application Whitelisting: A New Security Paradigm 6
  • 8. BOUNCER by CoreTrace™ Summary Sometimes a shift in perspective is all that is necessary to solve a seemingly intractable problem. The shift from Endpoint Security v1.0’s ineffective, flawed blacklisting solutions to whitelisting “ Blacklisting— where vendors solutions is inevitable. The demise of blacklisting solutions is merely a matter of time; however, compile lists of the implementation of true endpoint security via application whitelisting is a matter of degrees— known malware— BOUNCER’s Endpoint Security v2.0 180°-shifted approach to be exact.(10) has become technically unfeasible… When you’re doubling the amount of malware you’re getting on a daily basis, eventually a blacklisting model ultimately could run out of architectural scalability… As blacklisting becomes increasingly difficult… Whitelisting looks like it has an architectural promise that could be very strong.(10) — Liam Tungn ZDNet Australia (10) Liam Tung; McAfee CEO: Adware is killing antivirus blacklisting; ZDNet Australia; June 16, 2008. (http://www.zdnetasia.com/news/security/0,39044215,62042651,00.htm) Application Whitelisting: A New Security Paradigm 7
  • 9. BOUNCER by CoreTrace™ “ Antivirus products can actually open the door aBOut cOretrace to attackers, enabling them CoreTrace delivers a revolutionary approach to endpoint security with BOUNCER by to penetrate CoreTrace™: the most tamperproof, scalable, and comprehensive kernel-level application company networks whitelisting solution. Since BOUNCER only allows authorized applications to execute, it defeats and load sophisticated malware attacks, including rootkits and zero-day threats, and it neutralizes destructive code. memory-based exploits like buffer overflows. With BOUNCER, companies can stop paying for Security specialists annual signature updates and start patching applications on their schedule.(11) …claim to have discovered approximately 800 vulnerabilities in antivirus products during the past few months… every virus scanner currently on the market has several highly critical flaws which could pave the way for denial‑of‑service attacks and enable the infiltration of destructive code past the security solution into the network…‘parsing’ is one of the main causes of this problem…the more parsing that takes place, the higher the recognition rate and the degree of protection from destructive software, but at the same time the larger the attack surface which makes the antivirus product itself a target… Systematic industrial espionage, along with the interruption of all email © 2008 CoreTrace Corporation. All rights reserved. communication, CoreTrace and BOUNCER by CoreTrace are among the trademarks are two of and registered trademarks of the company in the United States and other the possible countries. All other trademarks are the property of their respective owners. consequences.(11) — Clement James (11) Clement James; Antivirus tools ‘pave way’ for malware; SC Magazine; June 30, 2008. SC Magazine (http://www.securecomputing.net.au/News/115604,antivirus-tools-pave-way-for-malware.aspx) Application Whitelisting: A New Security Paradigm 8