Saturday, September 22, 2007

look who's talking about whitelists now

thanks to an email from james manning i got to see a company called signacert congratulating themselves for being part of the future of security technology...

you see, signacert produces what could be classified as a whitelist type of technology and symantec's canadian VP and GM, michael murphy, was quoted in the media as saying that whitelisting is the future of security technology...

now before i go further i'll make an obligatory disclaimer (because people have gotten the wrong idea in the past) that i am not anti-whitelist, i use whitelisting techniques, i think they can be a worthy addition to a security strategy, but unlike the hypesters i don't sweep their limitations under the carpet...

when a representative from a company as well known and respected as symantec says the type of technology your company happens to produce is the future of security, i suppose it's only natural to want to congratulate yourselves for being on the vanguard - but don't be so quick to pat yourselves on the back that you choose to highlight the words of someone saying foolish things as you'll only wind up looking foolish yourselves...

you see, michael murphy made a grievous error in his representation of scale leading to media statements like this:
The number of malicious software attacks, including viruses, Trojans, worms and spam, is rising exponentially, dwarfing the number of new benevolent programs being developed, making it increasingly difficult for security firms to keep up.
and this:
With more than 600,000 attacks catalogued – 212,000 of them added since January of this year – “we’re approaching a tipping point,” where there just won’t be room in antivirus databases for all of them, Murphy said. But legitimate applications are about the same in number as they were when only about 15,000 attacks had been documented.
that the signacert blogger wyatt compounded by characterizing the blacklist problem as infinite and the whitelist problem as finite... you cannot favourably compare the scale of the set of all known good programs to that of the set of all known bad programs unless your only intention is to say 'my database is bigger'... the set of good programs is orders of magnitude larger and growing faster than the set of bad programs, a fact that researchers from at least one whitelist vendor apparently concede...

if you're going to use the argument of scale against traditional blacklists then you cannot present a centralized whitelist as a viable alternative... the only conventional whitelist whose scale is more manageable than traditional blacklists is the one where the user him/herself decides what goes on the list (with all the potential for wrong decisions and the security implications thereof)... with whitelists you can have a manageable scale OR accuracy enough to protect users from their own bad decisions, but you can't have both...

this is something i would kinda hope the folks at signacert would already know, and i definitely expected the folks at symantec would know this - but the again, considering their CEO made the ridiculous claim that the problem of worms and viruses was solved, perhaps i should have known better to expect that from them... that or i should just know better than to listen to people in non-technical positions talking about technical things...

3 comments:

Wyatt said...

Kurt,

Clearly there is a tug of war here that will likely go on for a long time. With that said I want to clarify a few things relative to your comments:

My blog was directly quoting, and generally agreeing with the comments by the Symantec Canadian team. The devil is in the details.

If you carefully read my post I do NOT claim that a centralized white list repository is the answer (as you suggest). Or that white list is scalable, manageable or useful to solve consumer-based needs anytime soon.

In fact we don't think it is.

Nor do I say "anti-virus is dead" like other "gray list" vendors - including the one that you have linked thru the Robin Bloor post.

Rather I clearly note that it is about defense in depth; i.e. Black list methods, supplemented by well implemented customer and domain specific image management SUPPORTED BY white list data provide can provide significant customer benefits.

When taken from an enterprise best practices point of view, customers need to run specific and well tested software "bills of materials - BOM's" for their software stacks.

Control of these BOM's must reside WITH the customer WITHIN their domain. Not with any external white list vendor. I believe that well derived and assembled exteral white lists can feed these internal BOM's saving the user a valuable time and effort.

When managed this way, standard images - and their respective OS, application packages and software elements (item PLUS measurements) - for specific customers and for specific applications are, in fact, finite.

Consider this: When we monitor the physical access of people to controlled facilities, the security guards DON'T generally depend on looking at the list of people the SHOULDN'T gain access...this would be impossible to manage and leave vulnerablilies galore. Employees "badge in" as their access has already been vetted and authorized. Doesn't it make sense to begin to manage IT this way too?

So this in NOT and either/or argument. It is working together to better solve our customers real problems...which are well beyond security.

From the supply side we must enable greater levels of operation excellence in managing complex IT.

I'll grant you that my comments in the blog were self-serving. But I suggest you do a bit more homework before dismissing my comments as the ramblings of a "non-technical" executive...

Wyatt.

kurt wismer said...

"My blog was directly quoting, and generally agreeing with the comments by the Symantec Canadian team."

and my blog was directly quoting and generally disagreeing with the comments by the 'symantec canadian team'... you agreed with their mischaracterization of the scales of the respective problems...

"If you carefully read my post I do NOT claim that a centralized white list repository is the answer"

and if you carefully read my post i do NOT criticize you for making any such claim, only for agreeing with their foolish scale statements...

i concede that you were in fact much more reasonable in the conclusions you were drawing than many others have been, however one of the facts you were starting from (the relative scales) was false, and that is what my post was about...

"Consider this: When we monitor the physical access of people to controlled facilities, the security guards DON'T generally depend on looking at the list of people the SHOULDN'T gain access...this would be impossible to manage and leave vulnerablilies galore. Employees "badge in" as their access has already been vetted and authorized. Doesn't it make sense to begin to manage IT this way too?"

it depends... the fact of the matter is different circumstances give you lists with different sizes... yes, for a private area where the list of authorized individuals is small relative to it's complement then you would use a whitelist... in an airport, on the other hand, where the list of good people is substantially larger than the list of bad people then a blacklist becomes more appropriate... assuming accuracy of either list can be considered equal, it's always more manageable to use the smaller list... the same holds true in IT...

"I'll grant you that my comments in the blog were self-serving."

i have no problem with that, i just thought you should have found a better whitelist spokesperson to highlight/quote so as not to tarnish your own image with their foolishness...

"But I suggest you do a bit more homework before dismissing my comments as the ramblings of a "non-technical" executive..."

what we have here is a failure to communicate... i was referring to the symantec folks on that one...

i'm surprised, considering how much focus i put into what symantec was saying and how little i focused on your own blog post (you're really just what lead me to them), that you thought the lion's share of my criticisms were directed at signacert...

Wyatt said...

Fair enough Kurt. I didn't mean to over-react. I think we agree on much of this - including the Symantec spokespersons "over simplification" (ok - wrong :-) statements of where black list are (or aren't).

And on the point of "physical" analogies, Yes - airports (like home PC users) are "noisy places". But note that we do a form of individual trust authentication with Federally issued ID's matched to air tickets, etc. We actually do a very bad job to date on physical black listing.

Sorry again for my over-reaction....Yes, your blog really is triggered by the Symantec message mainly, not ours.

I will continue to be outspoken on these issues as I think they are important. I hope you continue to do the same.

Respectfully,

Wyatt.