Yesterday, U.S. Federal Reserve Governor Daniel Tarullo noted that “uniform disclosure” requirements were needed for banking institutions, so that their customers are made aware precisely when a data breach occurs. Millions of Target and Neiman Marcus customers were affected this past holiday shopping season, and I’m not sure if you caught this one in late December, but American Express had a data breach as well. System security and data integrity – don’t leave home without it. But wait, it gets worse.
If the name of the late, great hacker and security evangelist Barnaby Jack doesn’t ring a bell with you, go watch his demonstration on “Jackpotting” an ATM. If you want a full system vulnerability lesson, his presentation at the 2010 Black Hat conference should be mandatory viewing. You might be surprised to learn that the large majority (upwards of 80 percent) of point-of-sale machines at retailers, and even ATMs, run the Windows operating system, and in many cases older versions of it. Talk about a “target-rich” environment – no pun intended, of course.
It doesn’t take a rocket scientist to figure out that cyber criminals are quickly getting more sophisticated than current security, intrusion detection and prevention technology can defend against. And honestly, I have to wonder if collectively we all care enough to really dig into the problem, or if the computer security industry as a whole is willing to take the disruptive measures required to address the issue head-on. One way to tackle the surging data breach epidemic is with a technology called “whitelisting.”
There are a few start-up companies in this space, and I recently had the chance to sit down with Walter Siryk, CEO of Savant Protection, a Hudson, New Hampshire-based company that has developed an automated application whitelisting product called Savant Enforcer. It’s not going to sound too sexy to the average end user, and frankly even CIOs may find it unfashionable, but in short, whitelisting is a method of locking down a machine such that only trusted executables, DLLs and other necessary system and application components are allowed to run – everything else is denied. The idea is to start with a known, clean system installation and then lock it down in that state so absolutely nothing can be changed. If an employee or anyone else plugs in a USB memory stick, for example, that might have malware on it, access to the stick is denied. If an employee clicks a phishing link in an email or on the web, whatever payload is targeted at the machine gets denied access. In what Savant calls “Lock-Down Mode,” nothing gets in, and only the software image, as it exists on the machine and was provisioned by your IT administrator, is allowed to run.
It’s a simple concept really, but proper implementation of the technology is key. Savant’s Siryk notes that part of Savant’s secret sauce is that it is designed to implement individual, encrypted whitelists for each and every endpoint machine in a network. A whitelist on an endpoint can be managed by an authorized admin, but if a machine is ever compromised, that compromise doesn’t propagate through the network and spread to other machines. For example, you can allow updates for Adobe products on one machine, as the product allows for “filter sets” of trusted software. However, there is no global whitelist that can be compromised by an exploit that manages to get through as a result of allowing that one machine access to some weak or compromised software package. Further, Rene Thibault, VP of Sales at Savant, notes that part of the reason the Target data breach was so tricky for them to track down was that the malware package kept renaming itself. With Savant’s product, nothing on the system is allowed to be renamed or changed in any way, so malware containment is much more effective and the malware is easier to locate. In addition, Savant Enforcer’s management system logs any and all changes that are made to systems on the network, authorized or otherwise.
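To make the deny-by-default, per-endpoint idea concrete, here is an added Python example written for this article (not Savant’s code) that snapshots a known-clean image as a hash-keyed whitelist for one machine, refuses anything modified, renamed or unknown, and logs every decision; the file names and contents are constructed samples.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_whitelist(paths):
    # Snapshot of the clean image for ONE endpoint: path -> content hash.
    # Kept per machine, so a bad entry on one host extends trust to no other.
    return {p: sha256_of(p) for p in paths}

def check_execution(whitelist, path, log):
    # Deny by default: only an exact (path, hash) pair from the image runs.
    # Every decision, allowed or denied, is appended to the audit log.
    if not os.path.isfile(path):
        log.append(("DENY", path, "no such file"))
        return False
    actual = sha256_of(path)
    if whitelist.get(path) == actual:
        log.append(("ALLOW", path, actual[:12]))
        return True
    if path in whitelist:
        log.append(("DENY", path, "content changed since image"))
    elif actual in whitelist.values():
        # Same bytes under a new name: the self-renaming trick is still caught.
        log.append(("DENY", path, "renamed copy of an image file"))
    else:
        log.append(("DENY", path, "not in image"))
    return False

def demo():
    # Constructed sample endpoint: two "binaries" in a temporary directory.
    d = tempfile.mkdtemp()
    pos, upd = os.path.join(d, "pos.exe"), os.path.join(d, "updater.exe")
    for p, body in ((pos, b"POS APP v1"), (upd, b"UPDATER v1")):
        with open(p, "wb") as f:
            f.write(body)
    wl, log = build_whitelist([pos, upd]), []
    results = [check_execution(wl, pos, log)]        # untouched: allowed
    with open(upd, "ab") as f:
        f.write(b"\x90")                             # tampered binary
    results.append(check_execution(wl, upd, log))
    alias = os.path.join(d, "svchost.exe")           # renamed copy
    os.rename(pos, alias)
    results.append(check_execution(wl, alias, log))
    dropped = os.path.join(d, "dropper.exe")         # file not in image
    with open(dropped, "wb") as f:
        f.write(b"NEW")
    results.append(check_execution(wl, dropped, log))
    return results, log
```

Running `demo()` allows only the untouched binary and records a distinct reason for each of the three denials, which is what makes a renamed or altered payload easy to locate afterwards.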
Savant’s Siryk notes that “PCI Compliance isn’t enough. It’s becoming just a checkbox item. We need to start thinking deny by default. Whitelisting should be a part of your total security solution.”
Savant’s initial target markets are industrial controls, managed service providers, point-of-sale applications and the enterprise – though I could easily see a product like this as a valuable tool to protect my less-than-technically-savvy family members’ machines from getting all screwed up with malware, requiring me to bail them out every few months.
If you follow system security, regardless of your opinion on the concept of whitelisting, it’s pretty clear the traditional conventions of AV, anti-malware, intrusion detection and prevention are no longer working. It’s time to get serious about security and stop settling for the level of protection we have now, because it’s simply not enough.