I mentioned there were two notable items (from our very objective perspective) at Blackhat/DefCon.
I wrote on one already. Here is the other based on this blog from the Symantec website:
On the opening day of BlackHat 2008, Symantec commissioned an anonymous survey among the attendees to learn about contemporary views on security related topics, such as vulnerability research, future threats and trends, and what types of challenges we as security professionals will collectively face in the coming year.
Almost a third (34%) of respondents said that they implemented some form of whitelisting within their organization (39% said no, and 26% actually didn’t know!). Note that whitelisting may not necessarily apply to all systems, but could be restricted to specific machines. For example, most respondents look to whitelisting to protect more “static” high-availability machines like servers (40%), gateways (31%), and desktops (32%) rather than more dynamic environments like laptops (26%) and wireless devices (29%). Symantec has been stressing for quite some time that we are on the cusp of a critical inflection point where the number of unique malicious code instances is surpassing the number of legitimate code instances. This trend necessitates considering a new approach to providing security; namely, rather than blocking out the bad, we should consider just allowing in the good. Naturally there are a host of challenges in this area, but given our tremendous reach and deep insight, we believe that there are some highly promising approaches to facilitating whitelisting – and this area is one that I’m personally both very excited about and also actively involved with.
As indicated, SYMC ran an anonymous survey asking about whitelisting. While that in itself is not a surprise, the results were interesting.
Besides what we would consider a pretty high “yes” rate to the question “Have you deployed some form of whitelisting?” (34% said yes), the underlying comments reveal a pretty sophisticated view of the initial and important use cases for whitelisting.
Now, one assumes that the people surveyed are most likely enterprise (commercial and government) users, but it is very interesting to note the pretty even distribution of target platforms for whitelisting (40% server / 31% gateway / 32% desktop), with the inference that these are the more “static” devices.
This is interesting (and does check with our field experience, BTW) in that we would guess the delineation is being made on what the enterprise users deem the “managed devices”.
So what is a “managed device”? In our view it is an IT element that has some form of best-practice controls in play all the way from software stack development through QA, user acceptance testing (UAT) and deployment. Generally a managed device would (ideally) have one “point of management” for updates and maintenance. Laptops and other devices in many organizations lack these important software release/management best practices.
One might also assume that the whitelist methods being applied to these managed devices have something to do with IT process enforcement and compliance, likely driven by ITIL, PCI or some other best practice and/or regulation.
Given the relatively high “yes” to the whitelist question (and given that whitelist-enabled methods are still somewhat nascent), one might further guess that the technologies in use are a combination of “home grown”, first-generation, well-known open-source and commercial methods like Tripwire (good for you, Tripwire!).
It seems to us that as understanding and acceptance of these methods increases, the use cases, and the respective appreciation for the value-add of IT controls based on image management enabled by whitelisting, will only improve (after all, the “no” and “don’t know” answers leave us a contribution margin of 65% of potential new “yes” answers).
This represents a great opportunity for suppliers to explore, better understand, and deliver next-gen methods for enhanced positive IT controls! (At least that is what WE are doing.)
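To make the “allow in the good” idea concrete, here is an added example (our illustration, not Symantec’s or Tripwire’s code) of the core of a whitelist-based integrity control for a managed device: a hash manifest taken from the released image is the whitelist, and anything on the host that is not in it, or differs from it, is reported. All paths and file contents are constructed for the example.

```python
import hashlib
from typing import Dict, Set

# Constructed "golden image" manifest for a managed device, as a Tripwire-style
# baseline would record it at release time. Paths and contents are made up.
GOLDEN_IMAGE: Dict[str, bytes] = {
    "/usr/bin/sshd": b"sshd-binary-v5.1",
    "/usr/bin/httpd": b"httpd-binary-v2.2",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """The whitelist: every approved file and its hash as released through QA/UAT."""
    return {path: sha256(content) for path, content in files.items()}

def check_host(manifest: Dict[str, str], observed: Dict[str, bytes]) -> Dict[str, Set[str]]:
    """Default-deny comparison of a host against the whitelist.
    'unknown'  = present on the host but never approved (a blacklist would
                 only catch this if it already knew the file was bad)
    'modified' = approved path whose hash no longer matches the image
    'missing'  = approved file that is no longer on the host"""
    report: Dict[str, Set[str]] = {"unknown": set(), "modified": set(), "missing": set()}
    for path, content in observed.items():
        expected = manifest.get(path)
        if expected is None:
            report["unknown"].add(path)
        elif sha256(content) != expected:
            report["modified"].add(path)
    report["missing"] = set(manifest) - set(observed)
    return report

def is_compliant(report: Dict[str, Set[str]]) -> bool:
    """A host is compliant only when nothing outside the image is found."""
    return not any(report.values())

# Constructed current state of a host that has drifted from its image.
DRIFTED_HOST: Dict[str, bytes] = {
    "/usr/bin/sshd": b"sshd-binary-v5.1",
    "/usr/bin/httpd": b"httpd-binary-v2.2-patched-by-hand",  # unapproved change
    "/tmp/updater.bin": b"never released through QA/UAT",  # not on the whitelist
}

if __name__ == "__main__":
    manifest = build_manifest(GOLDEN_IMAGE)
    report = check_host(manifest, DRIFTED_HOST)
    for category, paths in report.items():
        print(f"{category}: {sorted(paths)}")
    print("compliant:", is_compliant(report))
```

The same manifest can be re-derived from each release build and distributed through the single “point of management”, which is what ties the control to the release process rather than to knowledge of specific malware.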
In our view this survey reveals some very important data points. We can blog on the virtues of new “whitelist” methods until the cows come home, but the only important questions at the end of the day are:
“Are customers ready for these new methods?” (and the answer appears to be YES) and;
“What are they willing to pay?” (and the answer is TBD based on use case and value delivered) and;
“Who will be the de facto standard vendor(s)?” (great question!)
Anyway, thanks for the survey, Symantec, and welcome (again) to the discussion!