Written By Roark Pollock And Presented By Charles Leaver
Like any form of security, IT security comes down to defining and enforcing a set of allow/disallow rules, or, more formally, security policies. Simply stated, allow/disallow rules can be expressed as a 'whitelist' or a 'blacklist'.
In the past, most rules were blacklist in nature. In the good old days we trusted almost everyone to behave well, and when they did, bad behavior or anomalies were fairly easy to recognize. So we only needed to write a few blacklist rules, for example, "don't let anyone into the network from an IP address in, say, Russia". It was rather like your grandparents never locking the doors of the farmhouse, because they knew everyone within a twenty mile radius.
Then the world changed. Good behavior became the exception, and bad actors and bad habits became legion. Of course it happened gradually, and in phases, going back to the beginning of the true 'Web' in the early 1990s. Remember the script kiddies who broke into public and supposedly secure sites just to prove to their high school friends that they could?
Fast forward to the present day. Everything is online, and if it has value, someone somewhere is trying to steal or damage it, constantly, with plenty of tools at their disposal. In 2017, 250,000 new malware variants appeared every day. We used to rely on desktop and network anti-virus products to add new blacklist signatures every week to counter attackers using malicious code to do their bidding. But at more than 90 million new malware variants a year, blacklist strategies alone won't suffice.
Network whitelisting technologies have been an essential layer of protection for on-premises network security, and with most companies rapidly moving their workloads to the cloud, the same mechanisms will be needed there as well.
Let’s take a closer look at both methods.
What is Blacklisting?
A blacklist lists known malicious or suspicious "entities" that should not be granted access, or execution rights, on a system or network. Entities include malicious software (malware) such as viruses, Trojans, worms, spyware, and keystroke loggers. They also include any user, application, process, IP address, or organization known to pose a threat to the business.
The key word above is "known". With 250,000 new variants appearing daily, how many are out there that we do not know about, at least until much later, which could be days, weeks, or even years?
So, what is whitelisting? As you may have guessed, it is the reverse of blacklisting. Whitelisting starts from the point of view that nearly everything is bad. If that is true, it should be more efficient simply to define and permit the "good entities" into the network. A simple example would be "all employees in the finance department at director level or above are permitted to access our financial reporting application on server X." By extension, everyone else is locked out.
Whitelisting is often described as a "zero trust" approach: deny all, and allow only specific entities access based on a set of 'good' attributes related to user and device identity, behavior, location, time, and so on. A whitelist needs upkeep of its own, though: when a whitelisted account or device is compromised, its entry has to be revoked promptly, because the whitelist will otherwise keep admitting it.
Whitelisting is widely accepted in high risk security environments, where strict rules matter more than user freedom. It is also highly valued where companies are bound by rigorous regulatory compliance requirements.
Black, White, or Both?
First, few would argue that blacklisting is entirely a thing of the past. At the endpoint level in particular, it is relatively simple to set up and maintain and reasonably effective, especially when it is kept up to date by third-party threat intelligence feeds. But will it suffice on its own?
Second, depending on your security background, you are probably thinking, "Whitelisting could never work for us. Our business applications are just too diverse and complex. The time, effort, and resources needed to assemble, monitor, and update whitelists at enterprise scale would be untenable."
Fortunately, this is not really an either-or choice. It is possible to take a "best of both worlds" stance: blacklisting for malware and intrusion detection, working alongside whitelisting for system and network access at large. A natural way to combine the two is to check the blacklist first, so that a known-bad user or device is denied even if it happens to match an allow rule, and to let anything that matches neither list fall through to the default deny.
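The policy style described above (the finance-department rule, the deny-all default with attribute checks on identity, device, location and time, and a blacklist consulted ahead of the whitelist) as a small, runnable illustration. This is an added example, not code from the original post or from Ziften; every name, department, level, device ID and time window in it is invented for the demonstration.

```python
from dataclasses import dataclass
from datetime import time

# Constructed example: attribute-based, default-deny access control with a
# blocklist checked first. Users, departments, levels, devices and times are
# invented; nothing here comes from a real system.


@dataclass(frozen=True)
class Request:
    user: str
    department: str
    level: int            # 1 = staff, 2 = manager, 3 = director, 4 = VP
    device_id: str
    source_country: str
    at: time              # local time of the request
    resource: str


@dataclass(frozen=True)
class AllowRule:
    """One 'good entity' description: who may reach which resource, from where, when."""
    resource: str
    departments: frozenset
    min_level: int
    countries: frozenset
    window: tuple          # (start, end) times, inclusive
    managed_devices: frozenset

    def matches(self, r: Request) -> bool:
        start, end = self.window
        return (r.resource == self.resource
                and r.department in self.departments
                and r.level >= self.min_level
                and r.source_country in self.countries
                and start <= r.at <= end
                and r.device_id in self.managed_devices)


class Policy:
    """Default deny: the blocklist of known-bad entities is consulted first,
    then the allow rules; anything that matches neither is denied."""

    def __init__(self, allow_rules, blocked_users=(), blocked_devices=()):
        self.allow_rules = list(allow_rules)
        self.blocked_users = frozenset(blocked_users)
        self.blocked_devices = frozenset(blocked_devices)

    def decide(self, r: Request):
        if r.user in self.blocked_users or r.device_id in self.blocked_devices:
            return False, "deny: blocklisted entity"
        for rule in self.allow_rules:
            if rule.matches(r):
                return True, f"allow: rule for {rule.resource}"
        return False, "deny: no allow rule matched (default deny)"


# "Finance, director level or above, may reach the reporting app on server X",
# narrowed further by country, business hours and a managed-device check.
FINANCE_REPORTING = AllowRule(
    resource="finance-reporting@server-x",
    departments=frozenset({"finance"}),
    min_level=3,
    countries=frozenset({"US", "GB"}),
    window=(time(7, 0), time(20, 0)),
    managed_devices=frozenset({"lt-0042", "lt-0077"}),
)

# lt-0077 is a managed device, but it has been blocklisted (say, after a
# compromise), so the blocklist must win over the allow rule.
POLICY = Policy([FINANCE_REPORTING], blocked_devices={"lt-0077"})


def demo():
    """Evaluate a handful of constructed requests and return their verdicts."""
    base = dict(department="finance", level=3, device_id="lt-0042",
                source_country="US", at=time(9, 30),
                resource="finance-reporting@server-x")
    cases = {
        "director_ok": Request(user="alice", **base),
        "analyst_too_junior": Request(user="bob", **{**base, "level": 1}),
        "wrong_department": Request(user="carol", **{**base, "department": "sales"}),
        "after_hours": Request(user="alice", **{**base, "at": time(23, 15)}),
        "blocklisted_device": Request(user="alice", **{**base, "device_id": "lt-0077"}),
        "unknown_resource": Request(user="alice", **{**base, "resource": "hr-db@server-y"}),
    }
    return {name: POLICY.decide(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:20s} {'ALLOW' if ok else 'DENY '} {why}")
```

The point to notice is the last case: a resource with no allow rule at all is denied without anyone having written a rule for it, which is what "deny all" buys you. The blocklist check sits in front of the rule scan so that revoking a compromised device is a one-line change that overrides every allow rule it would otherwise match.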
Ziften and Cloud Whitelisting
The key to whitelisting comes down to ease of implementation, especially for cloud-based workloads, and ease of implementation is largely a function of scope. Consider whitelisting in two forms, application and network. The former can be a quagmire, since every binary, script and version has to be catalogued and kept current. The latter is far easier to implement and maintain, if you have the right visibility into your cloud deployments.
This is where Ziften can help.
With Ziften, it becomes easy to:
– Discover all cloud servers and virtual machines and gain visibility into them
– Gain continuous visibility into devices and their port usage
– See east-west traffic flows, including detailed tracking of the protocols in use over specific port sets
– Turn 'seeing' what is happening into a clear set of whitelists, complete with exact protocol and port mappings
– Set up near real time alerts on any anomalous or suspicious resource or service activations
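The network whitelisting workflow outlined in this section (observe east-west flows, turn what is seen into whitelists with exact protocol and port mappings, then alert on service or peer activity outside them) reduced to its essentials. This is an added illustration of the idea, not Ziften's code and not a description of how the product does it. The host names, ports and flow records are constructed, and the line-based flow format is an assumption for the example; in practice the input would come from flow logs or a host agent.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed example: derive a network allowlist from observed east-west
# flows during a learning window, then check later flows against it.
# Host names, ports and the 'src dst proto dport' record format are
# invented for this illustration.


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flows(text: str):
    """Parse 'src dst proto dport' lines; '#' starts a comment."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def build_allowlist(flows, min_count=2):
    """Map each observed service (dst, proto, dport) to the set of sources
    that reached it at least min_count times in the learning window.
    The threshold keeps a single stray connection out of the baseline."""
    counts = Counter(flows)
    allow = defaultdict(set)
    for f, n in counts.items():
        if n >= min_count:
            allow[(f.dst, f.proto, f.dport)].add(f.src)
    return dict(allow)


def render_rules(allowlist):
    """Render the allowlist as readable allow rules with exact protocol/port mappings."""
    rules = []
    for (dst, proto, dport), srcs in sorted(allowlist.items()):
        rules.append(f"allow {','.join(sorted(srcs))} -> {dst} {proto}/{dport}")
    return rules


def check_flows(allowlist, flows):
    """Classify each flow as 'ok', 'new-peer' (known service, unexpected
    source) or 'new-service' (a dst/proto/port never seen in the baseline)."""
    findings = []
    for f in flows:
        service = (f.dst, f.proto, f.dport)
        if service not in allowlist:
            findings.append((f, "new-service"))
        elif f.src not in allowlist[service]:
            findings.append((f, "new-peer"))
        else:
            findings.append((f, "ok"))
    return findings


# Learning window (constructed): normal web -> db and app -> cache traffic,
# plus one stray SSH connection that should not become part of the baseline.
LEARNING = """
web-1 db-1 tcp 5432
web-1 db-1 tcp 5432
web-1 db-1 tcp 5432
web-2 db-1 tcp 5432
web-2 db-1 tcp 5432
app-1 cache-1 tcp 6379
app-1 cache-1 tcp 6379
web-1 db-1 tcp 22      # one-off, below the threshold
"""

# Later window (constructed): two expected flows, one new peer, one new service.
LATER = """
web-1 db-1 tcp 5432
web-3 db-1 tcp 5432    # database reached from a host that never did before
web-1 db-1 tcp 22      # SSH into the database server was never baselined
app-1 cache-1 tcp 6379
"""


def demo():
    allow = build_allowlist(parse_flows(LEARNING))
    return allow, render_rules(allow), check_flows(allow, parse_flows(LATER))


if __name__ == "__main__":
    allow, rules, findings = demo()
    print("\n".join(rules))
    for f, verdict in findings:
        if verdict != "ok":
            print(f"ALERT {verdict}: {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

Two design choices matter here. Keying the allowlist by service rather than by individual flow separates "a host we have never seen talking to the database" from "a port on the database server that was never in use", which are different investigations. And the sighting threshold means the baseline is built from repeated, expected behavior: the one SSH connection in the learning window does not silently become permitted, so it is flagged when it recurs.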