Is Blacklisting Still Viable? – Chuck Leaver

Written By Roark Pollock And Presented By Chuck Leaver

 

Introduction

Like any kind of security, IT security is concerned with developing and implementing a set of allow/disallow rules – or, more formally, security policies. Simply stated, allow/disallow rules can be expressed as a ‘whitelist’ or a ‘blacklist’.

In the distant past, most rules were blacklist in nature. The good ol’ days were when we trusted practically everyone to behave well, and when they did, it was quite easy to recognize bad behavior or anomalies. So, we would just need to write a couple of blacklist rules. For instance, “do not permit anybody into the network originating from an IP address in, say, Russia”. That was much the same as your grandparents never locking the doors to the house on the farm, because they knew everybody within a twenty-mile radius.

Then the world changed. Behaving well became the exception, and bad actors and bad behavior became legion. Of course, it happened gradually – and in stages – dating to the beginning of the true ‘Internet’ back in the early ’90s. Remember script kiddies unlawfully accessing public and secure websites, just to show their high school friends that they could?

Fast forward to the present day. Everything is online. And if it has value, someone on earth is trying to steal or harm it – constantly. And they have plenty of tools at their disposal. In 2017, 250,000 new malware variants were introduced – each day. We used to count on desktop and network antivirus solutions to add new blacklist signatures – on a weekly basis – to counter the bad guys using malicious strings of code for their bidding. But at over 90 million new malware variants per year, blacklist strategies alone won’t cut it.

Network whitelisting technologies have been a key form of protection for on-premises network security – and with many organizations rapidly moving workloads to the cloud, the same mechanisms will be needed there as well.

Let’s take a closer look at both approaches.

Blacklisting

A blacklist lists known malicious or suspicious “entities” that should not be permitted access, or execution rights, in a network or system. Entities include bad software (malware) such as viruses, Trojans, worms, spyware, and keystroke loggers. Entities also include any user, application, process, IP address, or organization known to present a threat to a business.

The critical word above is “known”. With 250,000 new variants appearing each day, how many are out there that we do not know about – at least until much later, which may be days, weeks, or even years?

Whitelisting

So, what exactly is whitelisting? Well, as you might have guessed, it is the opposite of blacklisting. Whitelisting starts from the perspective that almost all things are bad. And, if that holds true, it ought to be more efficient simply to define and permit “good entities” into the network. A basic example would be “all employees in the finance department that are director level or higher are allowed to access our financial reporting application on server X.” By extension, everyone else is denied access.

Whitelisting is often referred to as a “zero trust” method – deny all, and allow only certain entities access based on a set of ‘good’ properties associated with user and device identity, behavior, location, time, and so on.

Whitelisting is widely accepted for high-risk security environments, where strict rules are more important than user flexibility. It is also highly valued in environments where organizations are bound by stringent regulatory compliance.

Black, White, or Both?

First, few would tell you that blacklisting is completely obsolete. Certainly at the endpoint device level, it remains fairly easy to install and maintain and somewhat effective – especially if it is kept current by third-party threat intelligence providers. But, on its own, will it suffice?

Second, depending on your security background or experience, you’re likely thinking, “Whitelisting would never work for us. Our business applications are just too varied and complex. The time, effort, and resources required to put together, monitor, and update whitelists at a business level would be untenable.”

Luckily, this isn’t an either-or choice. It’s possible to take a “best of both worlds” approach – blacklisting for malware and intrusion detection, operating alongside whitelisting for system and network access at large.

Cloud Whitelisting with Ziften

The secret to whitelisting comes down to ease of implementation – specifically for cloud-based workloads. And ease of implementation becomes a function of scope. Think about whitelisting in two ways – application and network. The former can be a quagmire. The latter is far easier to implement and maintain – if you have the right visibility within your cloud environment.

This is where Ziften comes in.

With Ziften, it becomes easy to:

– Identify and establish visibility within all cloud servers and virtual machines

– Gain continuous visibility into devices and their port use activity

– See east-west traffic flows, including detailed tracking of protocols in use over specific port pairs

– Turn ‘seeing’ what’s happening into a discernible set of whitelists, complete with exact protocol and port mappings

– Establish near real-time alerting on any anomalous or suspicious resource or service activations
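The network-whitelisting workflow listed above, combined with the “best of both worlds” approach from the previous section, can be illustrated with a short added example. This is not Ziften code or part of the original article; the host names, ports, flow tuples and function names are all constructed for illustration.

```python
from collections import Counter, namedtuple

# Constructed sample data: hosts, ports and addresses are illustrative only.
Flow = namedtuple("Flow", "src dst proto dport")

BASELINE = [  # east-west flows observed during a trusted learning window
    Flow("web-1", "app-1", "tcp", 8443),
    Flow("web-2", "app-1", "tcp", 8443),
    Flow("app-1", "db-1", "tcp", 5432),
    Flow("app-1", "db-1", "tcp", 5432),
]
BLACKLIST = {"203.0.113.66"}  # known-bad address (documentation range)
LIVE = [
    Flow("web-1", "app-1", "tcp", 8443),        # matches the baseline
    Flow("web-1", "db-1", "tcp", 5432),         # known port, new host pair
    Flow("app-1", "db-1", "tcp", 22),           # known pair, new port
    Flow("203.0.113.66", "web-1", "tcp", 443),  # blacklisted source
]


def build_whitelist(flows, min_seen=1):
    """Collapse observed flows into exact (src, dst, proto, dport) rules."""
    counts = Counter(flows)
    return {flow for flow, seen in counts.items() if seen >= min_seen}


def evaluate(flow, whitelist, blacklist):
    """Blacklist is checked first; everything else is default-deny."""
    if flow.src in blacklist or flow.dst in blacklist:
        return "block:blacklist"
    if flow in whitelist:
        return "allow"
    return "alert:not-whitelisted"


def triage(flows, whitelist, blacklist):
    """Return a (flow, verdict) pair for every flow, in input order."""
    return [(f, evaluate(f, whitelist, blacklist)) for f in flows]


if __name__ == "__main__":
    rules = build_whitelist(BASELINE)
    for flow, verdict in triage(LIVE, rules, BLACKLIST):
        print(f"{verdict:22} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```

A whitelist learned this way is only as trustworthy as the window it was learned in, so traffic captured while a host was already compromised would be whitelisted along with everything else.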
