The idea behind Default Deny is simple and logical. Until now, however, the approach has been used only by a very narrow audience, mainly because of the technical difficulty of building a solution that is suitable for broad use and free of critical limitations.
Using Default Deny mode shifts the priorities applied when selecting security policies: away from user freedom and convenience and toward the main goal of any data security system, minimizing the risk of leaks or loss of critical business data.
Early strict application control systems, however, imposed functional limitations so severe that running a network on them was nearly impossible. A usable Default Deny mode needs additional supporting functions; without them a corporate network may simply not be able to operate as needed.
When moving to Default Deny mode, a sysadmin has to tackle a number of tasks. To make that process easier, Application Control, the component that manages the applications on a corporate network, first had to change substantially.
So, the use of Default Deny mode is possible and practical only after the following functions are put into place:
We will now look at the Whitelist Security Approach (WSA) in more detail. At its core is a dynamic database of clean files, the Dynamic Whitelist. Interest in Dynamic Whitelists is driven by both technical and organizational considerations, and without both the whitelist cannot deliver its full effect.
So what is a Dynamic Whitelist? Essentially, it is a knowledge base covering every kind of legitimate software. Technically, it is an enormous database of "clean" software that is continuously updated with new files, including new installation packages, and, most importantly, with information about those objects. The quality and completeness of such an expert-level resource depend on its supplier; the leading security software developers are the ones compiling Dynamic Whitelists.
A Dynamic Whitelist is required for three of the seven tasks that have to be accomplished to make Default Deny work (see the table above). The quality of a vendor's solution therefore correlates directly with the quality of the database behind it.
To accomplish the tasks above, the Whitelist should contain:
What other requirements are there for Dynamic Whitelists aside from data?
First and foremost, a Dynamic Whitelist should be dynamic, as its name implies. Every day, many new legitimate applications and updates to existing applications are released, so security software developers must respond to changes in the software world immediately and update their knowledge bases promptly, adding entries for clean software from many sources around the world. These updates have to be automated, since the volumes involved are enormous (terabytes of data every day). For this purpose, suppliers of Dynamic Whitelists send so-called 'crawlers' out onto the Internet: search agents that monitor for new software and, when needed, download new applications.
Keeping the database up to date also depends on technology partnerships between the security vendor and major software manufacturers and distributors, i.e., independent software vendors. The goal of these partnerships is to obtain, process, and analyze (classify and categorize) new software before its public release, minimizing false positives and incompatibilities between the security solution and the partner's software.
Another source of data is a global network built by the vendor on its user community. Such a network offers a major competitive edge: it tracks metadata about the software launched on users' computers and adds information about newly appearing applications and software updates to the knowledge base.
Kaspersky Lab uses all of these components to replenish its Dynamic Whitelist. Kaspersky Lab currently works with several hundred international partners and tens of millions of participants in the Kaspersky Security Network global data network, in addition to an extensive network of automated search agents. Combined, these components provide continuous updating of Kaspersky Lab’s dynamic knowledge bases, with an average of over one million new files per day.
The quality of Kaspersky Lab’s Dynamic Whitelist was proven in an independent test conducted by West Coast Labs. The study showed that Kaspersky Lab’s database contains data on 94% of all clean software released around the world.
All programs entered into the Dynamic Whitelist must be carefully controlled, and, most importantly, each entry's reputation must be kept up to date: a program classified as 'clean' today may, after closer analysis, turn out tomorrow to carry malicious code.
Regularly re-checking the Dynamic Whitelist is no small task. Besides automated processing and analysis, it requires a team of specialists able to analyze program code in cases where automated verdicts conflict and to issue a final verdict. Small companies and developers of "free" antivirus products cannot afford such dedicated antivirus labs. Furthermore, processing malicious software and processing clean software call for different procedures. Ideally, a company has not only a dedicated antivirus lab but also a specialized Whitelisting lab whose experts track incoming data flows, work on the automated analysis systems, and respond promptly to emergencies (Kaspersky Lab has such a dedicated Whitelisting Lab).
Corporate network admins face complex, often repetitive tasks supporting numerous multi-purpose workstations. The Whitelist Security Approach (i.e., Default Deny mode) provides a much higher level of security for corporate networks, but running a network in Default Deny mode, with its strict restrictions, requires products capable of large-scale task automation to keep administration manageable.
Let us look at how the transition from theory to practice is made, using Kaspersky Lab's Endpoint Security solutions as an example and following a program step by step through its life cycle, from software inventory to maintenance of the corporate network after the product is installed.
The Whitelist Security Approach was first implemented in Kaspersky Endpoint Security 8 for Windows in 2011. Kaspersky Endpoint Security 10 for Windows, released in 2013, offers even more functionality, including in Application Control.
Stages in the Default Deny life cycle
Software inventory results for a specific directory
Kaspersky Lab’s category catalog
To define the critically important OS components and drivers, Kaspersky Endpoint Security includes a special category of OS files called Golden Image. It covers the requisite components of Windows XP, Vista, Windows 7 and Windows 8 (32- and 64-bit) in over 15 localizations each (over 100 versions and localizations in total). All an administrator has to do is populate the Golden Image category with files from the local Whitelist database, and the Default Deny configuration is ready; this category must be allowed before Default Deny is switched on, since otherwise the operating system's own components would be blocked.
Kaspersky Endpoint Security 10 also features multi-vector categorization: one application can belong to several categories at once.
Option for user file categorization
At this stage, the use of unlicensed or non-essential software can be restricted. For example, it is possible to block any software for which the company does not hold the requisite licenses, or to block instant messaging programs such as Skype. It is also possible to block specific versions of software, for instance blocking all browsers except one specific version of Internet Explorer.
An example of a message automatically sent to a system administrator in the event that an application is blocked
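As an added illustration (this is not Kaspersky Lab's code, and the file contents, hashes, signers, category names, rules and message format below are all constructed for the example), here is a small Python model of the stages described above: an inventory that hashes executables, multi-vector categorization that combines Dynamic Whitelist categories (keyed by hash) with admin-defined local categories, a Golden Image category, an ordered policy that blocks anything no rule allows, the "all browsers except one Internet Explorer version" rule from the previous paragraph, Test Mode, the notification an administrator would receive, and what happens when a whitelist verdict is withdrawn, as discussed in the section on keeping reputations up to date.

```python
"""Toy Default Deny application control engine (added example, not a vendor's code).
Everything below (file bytes, metadata, whitelist entries, categories, rules) is constructed."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class FileRecord:
    path: str
    sha256: str
    product: str
    version: str
    signer: str


def inventory(files):
    """Stage 1, inventory: `files` maps path -> (content bytes, metadata dict).
    A real inventory walks the disk and reads PE version info; here the
    contents and metadata are constructed in memory so the example runs offline."""
    return [FileRecord(path, hashlib.sha256(content).hexdigest(),
                       meta["product"], meta["version"], meta["signer"])
            for path, (content, meta) in files.items()]


def revoke(whitelist, sha256):
    """A file rated clean today can be reclassified tomorrow. Changing the
    verdict empties its category list, so Default Deny stops it at once."""
    if sha256 in whitelist:
        whitelist[sha256] = {"verdict": "malicious", "categories": set()}


def categorize(rec, whitelist, local_categories):
    """Stage 2, multi-vector categorization: cloud categories from the Dynamic
    Whitelist (by hash) plus admin-defined local categories (by signer/product).
    One file may end up in several categories at once."""
    entry = whitelist.get(rec.sha256)
    if entry and entry["verdict"] == "malicious":
        return set()  # a withdrawn reputation overrides any local category
    cats = set(entry["categories"]) if entry else set()
    cats |= {name for name, cond in local_categories.items() if cond(rec)}
    return cats


@dataclass
class Policy:
    """Stage 3, policy: ordered rules of (action, category, predicate-or-None).
    First match wins; no match means block, which is what makes it Default Deny.
    In test_mode a would-be block is only reported to the admin, not enforced."""
    rules: list
    test_mode: bool = False
    events: list = field(default_factory=list)  # constructed admin notifications

    def decide(self, rec, cats):
        for action, category, pred in self.rules:
            if category in cats and (pred is None or pred(rec)):
                if action == "allow":
                    return "allow"
                break  # explicit block rule matched
        self.events.append(f"Application blocked: {rec.path} "
                           f"(sha256 {rec.sha256[:12]}..., categories={sorted(cats)})")
        return "test-mode-allow" if self.test_mode else "block"


def evaluate(policy, files, whitelist, local_categories):
    return {rec.path: policy.decide(rec, categorize(rec, whitelist, local_categories))
            for rec in inventory(files)}


def _h(content):
    return hashlib.sha256(content).hexdigest()


def sample_environment():
    """Constructed endpoint contents and constructed Dynamic Whitelist entries."""
    files = {
        r"C:\Windows\System32\ntoskrnl.exe": (b"<ntoskrnl>", dict(product="Windows", version="6.1", signer="Microsoft Windows")),
        r"C:\Program Files\Internet Explorer\iexplore.exe": (b"<ie9>", dict(product="Internet Explorer", version="9.0.8112", signer="Microsoft Corporation")),
        r"C:\Program Files\Mozilla Firefox\firefox.exe": (b"<firefox>", dict(product="Firefox", version="21.0", signer="Mozilla Corporation")),
        r"C:\Program Files\Skype\Phone\Skype.exe": (b"<skype>", dict(product="Skype", version="6.3", signer="Skype Software")),
        r"C:\Program Files\Acme\acmetool.exe": (b"<acmetool>", dict(product="AcmeTool", version="2.1", signer="Acme Corp")),
        r"C:\Users\bob\Downloads\setup.exe": (b"<unknown>", dict(product="", version="", signer="")),
    }
    whitelist = {  # hash -> cloud verdict and categories (constructed)
        _h(b"<ntoskrnl>"): {"verdict": "clean", "categories": {"Golden Image"}},
        _h(b"<ie9>"): {"verdict": "clean", "categories": {"Browsers", "Microsoft"}},
        _h(b"<firefox>"): {"verdict": "clean", "categories": {"Browsers"}},
        _h(b"<skype>"): {"verdict": "clean", "categories": {"Instant messaging"}},
        _h(b"<acmetool>"): {"verdict": "clean", "categories": {"Utilities"}},
    }
    local_categories = {  # admin-defined, e.g. vendors the company holds licenses for
        "Licensed software": lambda r: r.signer in {"Acme Corp", "Microsoft Corporation"},
    }
    return files, whitelist, local_categories


RULES = [
    ("block", "Instant messaging", None),
    ("allow", "Browsers", lambda r: r.product == "Internet Explorer" and r.version.startswith("9.")),
    ("block", "Browsers", None),
    ("allow", "Golden Image", None),
    ("allow", "Licensed software", None),
]


def run_demo(test_mode=False, revoke_acme=False):
    """Returns (decisions by path, admin notifications)."""
    files, whitelist, local = sample_environment()
    if revoke_acme:
        revoke(whitelist, _h(b"<acmetool>"))  # cloud verdict withdrawn after the fact
    policy = Policy(RULES, test_mode=test_mode)
    return evaluate(policy, files, whitelist, local), policy.events


if __name__ == "__main__":
    decisions, events = run_demo()
    for path, verdict in decisions.items():
        print(f"{verdict:16} {path}")
    print("\n".join(events))
```

Running the script shows the kernel (Golden Image), Internet Explorer 9 and the licensed Acme tool allowed, while Firefox, Skype and the unknown download are blocked, the last of them purely by the default rule. Switching `test_mode=True` keeps the same notifications but lets every program run, which is how an administrator would validate a policy before enforcing it; `revoke_acme=True` shows the licensed tool being blocked as soon as its whitelist verdict is withdrawn.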
Over the last year, independent test labs have begun paying more attention to Application Control, and two of them have already verified its effectiveness for protection against targeted attacks and for managing unauthorized software.
In early 2012, West Coast Labs published a report on the results of the industry’s first independent test, where Kaspersky Lab’s technology ranked first.
Later, Dennis Technology Labs conducted a comparative study and published its results in early 2013. Once again, Kaspersky Lab ranked among the best.
The growing number and, above all, the growing complexity of threats force antivirus developers to seek new ways of protecting corporate networks effectively. The Whitelist Security Approach is a new method that allows only trusted, whitelisted programs to launch and run, so a malicious program simply cannot start on the system. This provides protection against complex and unknown threats, including targeted attacks.
Whitelist Security Approach (WSA) is a new development in Application Control that complements the Default Deny mode and Dynamic Whitelist technologies.
Using the heightened-security Default Deny mode means introducing additional functions. Application Control should include several simple mechanisms: inventory, categorization, configuration (Application Management), flexible local whitelist policy management, and access to a cloud-based Dynamic Whitelist that responds immediately to the constant changes in the software world. Testing and support in a Test Mode are also important for making the transition to Default Deny mode properly.
Whitelist Security Approach helps system administrators accomplish a number of tasks:
Together, Application Control and Default Deny mode are powerful, convenient tools that simplify a system administrator's job of managing corporate network workstations and keeping them secure.
At Kaspersky Lab, we believe that the Whitelist Security Approach is a key tool in the corporate network security of the future. At the same time, we believe there is no panacea or one single technology capable of protecting computers against all threats. That is why the best choice for corporate networks is the use of a powerful endpoint product that combines a variety of protection technologies. Only multi-level system security and control can provide the highest possible level of protection for corporate networks.