Thursday, April 9, 2009

vapor client sec app, and further ramblings...

now that it's CFP time, i'll revisit an idea from years past.

everyone pretty much accepts that AV blacklisting fails. modern behavioral AV appears to be hit and miss. imo, whitelisting is the way to go.

a while back i thought it'd be interesting to leverage the features of rootkits into a defensive security device. the crux of it was to have a rootkit that examined every program prior to execution or during execution, and if it isn't an approved and signed app, it can't run.

whitelisting is a challenge on a couple of levels:

  • how do you stay up to date with releases, patches, etc?
  • how can you decide programs aren't malicious?
  • surely more...?

staying up to date will require some dedicated cycles or service for evaluating new apps, accepting requests for missing apps, etc. i've been thinking that there might be value in starting an OSS community project to identify and sign non-malicious apps.

that leads into the next question: how do you decide an app isn't malicious? the basic idea i had was for a service to run software on VMs for a period of time and examine the traits of the software: how it has updated, impacted, and utilized the system. it could use AIDE HIDS style examination of the filesystem changes, watch for network traffic, watch for changes to the OS in memory, etc. you may even be able to write an algorithm to take a human analyst out of the picture, but it'd probably be tricky.

if you do this, one other concern is malware which sleeps for a time-delay before becoming overtly malicious. maybe you could do static analysis on the executable and enumerate all the functionality. or you could run it in a vm over time, and instead of reporting something as secure/insecure, maybe you give it a security rating based on the length of time it's been analyzed (say in a VM out in the cloud in some SaaS AV whitelisting business model). the customer gets a portal which lets them see the trust rating of given apps, and can assume the risk of running any given app in their environment.
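as an added example (not part of the original post), here's the AIDE-style before/after filesystem comparison described above: snapshot a tree before running a candidate app, snapshot it again afterwards, and report what was added, removed, or modified. the directory layout and "side effects" are constructed in a temp dir purely for illustration.

```python
"""AIDE-style filesystem change detection for sandboxed app evaluation."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root to (sha256, size, mode), like an AIDE database."""
    db = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            st = path.stat()
            # keep setuid/setgid/sticky bits: permission changes matter as much as content
            db[path.relative_to(root).as_posix()] = (digest, st.st_size, st.st_mode & 0o7777)
    return db


def diff_snapshots(before, after):
    """Classify differences between two snapshots into added, removed and modified paths."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a small tree, simulate a run, diff the result."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        for d in ("etc", "bin", "tmp"):
            (r / d).mkdir()
        (r / "etc" / "app.conf").write_text("level=1\n")
        (r / "bin" / "helper").write_bytes(b"\x7fELF")
        os.chmod(r / "bin" / "helper", 0o755)
        (r / "tmp" / "install.log").write_text("ok\n")
        before = snapshot(root)
        # simulated side effects of the candidate program (constructed, not real malware):
        # a config edit, a new binary, a permission change and a cleaned-up log file
        (r / "etc" / "app.conf").write_text("level=1\nautostart=yes\n")
        (r / "bin" / "dropper").write_bytes(b"\x7fELF\x00")
        os.chmod(r / "bin" / "helper", 0o4755)
        (r / "tmp" / "install.log").unlink()
        return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

each category is what an analyst (or a scoring algorithm) would weigh when assigning a trust rating: a new binary or a permission change scores differently than an edited config file.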

i found out that a company called fireeye does some really interesting heuristic AV work which does a similar HIDS type analysis of executables. i was pretty impressed with their presentation, if only from the standpoint of doing AV out of the box, but i haven't had a chance to see the product in action yet.

anyway, some people get down on whitelisting because it's too difficult to admin, isn't perfect, etc. personally, looking at enterprise endpoint management, the tradeoffs make sense to me. an imperfect whitelisting solution with administrative overhead should still pay for itself in reduced malware cleanup, os reloads, incidents, etc.

since windows is a reality in enterprise environments, i'm looking forward to spending some time with AppLocker in Windows 7 to see if there's a chance to roll out a whitelisted set of apps along with the OS in the coming future... seems like a huge chance for a security win, if the project can be designed and implemented properly....

that's all, for now...
