alphaspirit - Fotolia

Get started Bring yourself up to speed with our introductory content.

How a hybrid whitelisting-blacklisting approach can help enterprises

Allowing known good applications and data isn't enough for enterprises. Beth Musumeci explains why a hybrid whitelisting-blacklisting approach is the best option for security.

The data speaks for itself -- large scale breaches continue to occur at record levels. The AV-TEST Institute, an...

international, independent service provider that detects the latest malware, registers over 390,000 new strains of malicious code every day. Cyberspace has become the Wild West, where databases are being pilfered and sold on the dark web at a frequency never seen before. We can't possibly blacklist this number of known bad threats on a daily basis. We also can't whitelist every allowed known good application. Managed security services providers struggle to be successful in the defense against bad actors because most of the tools and techniques have been focused on known bad, which is becoming impossible to keep up with. The stark reality is that we are losing the battle. We need a new hero, and a hybrid whitelisting-blacklisting approach may be the answer.

Many of today's security products are built on blacklisting capabilities. Blacklisting allows everything like emails, IP addresses, URLs and domain names but blocks only the items that are specified on the blacklist. The best way to think of a blacklist is as a block list. If you know something is bad, you add it to the blacklist, and it won't execute.

The problem is, how can you block things that you don't know are bad? Typically, malware has to infect something for it to be identified, analyzed and added to the blacklist. We also can't out-signature the problem. Signature-based devices and software compare files and look for known bad signatures based on host or network traffic during an incident. A system's success is only as good as its database of signatures. We can't create signatures fast enough to keep up with the rate of new malware samples being generated daily.

Even with heuristic and behavior detection added to blacklisting capabilities, we are still losing the battle. Intellectual property continues to be vulnerable. Personal data is vulnerable. Healthcare records, financial data and voter records in the millions are vulnerable. Blacklisting is simply not enough to protect companies and their employees.

To fill the gap, whitelisting is often done. Whitelisting only allows execution of network or application data that is exclusively on the whitelist. Think of a whitelist as an allow list. Only the items listed in the whitelist are allowed to execute or run. The early days of application whitelisting saw the technology get a bad rap; early adopters found it cumbersome to implement and difficult to maintain. Also, the expertise required to deploy and manage the whitelisting solution caused pain points in many organizations. With old whitelisting, the risks of omitting a known good were simply too big. However, some of today's products and services include sandboxing technology that helps explore malware in a controlled environment. The risks were simply too big, and whitelisting of old didn't have the support it needed to become a viable solution to the problem.

Companies should not solely blacklist or solely whitelist. Instead, organizations should implement both. An ideal solution is a hybrid whitelisting-blacklisting approach that combines the best of both options. Using data whitelisting helps accomplish looking for known good applications, while blacklisting helps look for known bad applications and code. As we see more hybrid whitelisting-blacklisting solutions come online with the maturity and the support model to be effective, we will see a change in perspective on whitelisting and MSSPs with an effective model to make a greater impact.

Whitelisting is a critical component of a stronger cybersecurity approach for the future, giving enterprises a fighting chance against what seems like an insurmountable problem. Until we can ensure the solvency of the data in our environment and allow only known good to execute, we will be fighting against the odds. A hybrid whitelisting-blacklisting approach is a good thing because if ever we needed a hero, that time is now.

About the author: Beth Musumeci is senior vice president of commercial cybersecurity and advisory services for ICF, a global consulting and technology services provider headquartered in Fairfax, Va. Prior to joining ICF, she served as general manager of Computer Sciences Corporation's global commercial cybersecurity practice.

Next Steps

Get the latest information on how to prevent privilege creep

Read more on best practices for information security risk management

Find out about the most important features of today's endpoint security tools

This was last published in November 2016

Dig Deeper on Network Access Control technologies