Patchlink took my advice - sort of. I suggested changing their name to SecureLink after acquiring SecureWave and STAT, but they chose Lumension Security instead.
Their tagline, “Putting Security in a Positive Light”, is a reference to their endorsement of the positive security model they inherited from SecureWave’s Sanctuary, their “application and device control” solution. Basically, rather than using security software on the endpoint to stop the bad stuff, you use software to only allow a list of good stuff to operate. Simple right? Good idea right? Why isn’t this approach more popular? Because it is difficult to make a comprehensive list of every different variant of software that an organization wants to allow. I would venture to guess it is just as difficult as trying to keep up with the nasties out there, since there aren’t many vendors touting the positive security model.
Still, the positive security model makes much more sense in my mind. You make your whitelist of acceptable applications and then you are done. At the same time, I can’t imagine many people ditching their AV-HIPS/HIDS-Firewall-Anti-Spyware-Anti-Spam bundle because they have Lumension’s Sanctuary or Bit9’s Parity.
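To make the two models concrete, here is an added example (not from this post, and not how Sanctuary or Parity work internally) that decides whether a constructed sample binary may run under a hash-based allowlist with default deny versus a signature blocklist with default allow. The "binaries" are short byte strings built inline; the point it shows is the maintenance cost from the paragraph above: a rebuilt version of an approved program is denied until its new hash is added.

```python
import hashlib

# Constructed sample "binaries": stand-ins for executable file contents.
APPROVED_BUILDS = {
    "wordproc-1.0": b"MZ...wordproc build 1.0",
    "browser-3.2": b"MZ...browser build 3.2",
}
# Constructed "signature database" for the blocklist model: one known sample.
KNOWN_BAD = {hashlib.sha256(b"MZ...trojan dropper").hexdigest()}


def sha256_hex(data: bytes) -> str:
    """Identify a build by the SHA-256 of its bytes."""
    return hashlib.sha256(data).hexdigest()


# Positive security model: only approved hashes run, everything else is denied.
ALLOWLIST = {sha256_hex(b) for b in APPROVED_BUILDS.values()}


def allowlist_decision(binary: bytes) -> str:
    """Default deny: execute only if this exact build is on the allowlist."""
    return "allow" if sha256_hex(binary) in ALLOWLIST else "deny"


def blocklist_decision(binary: bytes) -> str:
    """Default allow: block only what a signature already recognises."""
    return "deny" if sha256_hex(binary) in KNOWN_BAD else "allow"


def compare(binary: bytes) -> dict:
    """Return both models' verdicts for the same binary."""
    return {"allowlist": allowlist_decision(binary),
            "blocklist": blocklist_decision(binary)}


if __name__ == "__main__":
    # Approved build: both models let it run.
    print("approved   ", compare(APPROVED_BUILDS["wordproc-1.0"]))
    # Brand-new malware with no signature yet: only default deny stops it.
    print("new malware", compare(b"MZ...never-seen-before dropper"))
    # Vendor patch of an approved app: blocked until the allowlist is updated.
    print("patched app", compare(b"MZ...wordproc build 1.1"))
```

The third case is the "every different variant" problem from the paragraph above: each legitimate rebuild produces a new hash that someone has to approve.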
3 responses so far
1 Rob // Sep 11, 2007 at 1:03 am
Hi Jon,
I’ve seen this approach used a couple of times before, Vormetric being one that I worked very closely with, and I’m afraid it’s just too much security. Whereas it can be a great solution on servers, it’s just not practical on desktop machines because of the loss of flexibility. Even on servers you have issues with change controls which have to be addressed. Disabling a security feature to add security is not optimal. Also, back in the 70s, Fred Cohen tried a similar approach (I chatted to him about it recently), which didn’t catch on in the mainstream. The military use it, but they need very tight security and little change.
2 Jon Robinson // Sep 11, 2007 at 6:22 am
“too much security”. That’s probably the best explanation on why it isn’t more popular. The pain of maintaining it is far greater than the benefits for most people.
3 Brian Gladstein // Oct 10, 2007 at 11:27 am
Disclaimer up front: I work for Bit9… but I thought this line of postings has been very interesting and I’m hearing more and more about people concerned with the maintenance overhead of whitelisting. It’s important to me because this is an area where we’ve invested a lot of engineering and research talent - to make a whitelisting model that is flexible and not “too much security.”
If readers are interested, I have a posting on my blog that discusses some of these things - like software identification to discover and assess all the new software on the PC, and software approval automation that ties your whitelist to existing business processes for deploying software. Check out the article entitled “Whitelist-Based Desktop Lockdown: Never Say Never” at http://bit9.com/blog/home/tabid/15398/bid/2355/Whitelist-Based-Desktop-Lockdown-Never-Say-Never.aspx