AMP: Determining the value of whitelists, sandboxes, isolation, and active forensics

The most challenging thing about evaluating anti-malware solutions is the variety of architectures that can be employed to address the problem. Let’s look at three product categories and see how they might provide value to an organization:

1. Application Control / Whitelisting Solutions. Whitelisting solutions change the security approach from one that allows software to install/run unless otherwise specified on a “blacklist” (“default allow”) to one that requires explicit permissions on a “whitelist” for software to be executed (“default deny”).

Clearly, the goal of whitelisting is to reduce the number of malware infections by preventing unidentified software from running thus saving the aforementioned recovery costs. Given the common predisposition for organizations to consider infections separately from incidents, whitelisting solutions also are intended to reduce the likelihood of a bigger incident.

The tradeoff for whitelisting solutions is determining whether costs associated with false positives – legitimate software that is kept from running – will offset these additional benefits. Generally speaking, the more dynamic and decentralized an organization is, the larger the problem. Nowadays, whitelisting solutions have varying ways to deal with this known issue.

2. Sandboxes and Virtual Machines. Perhaps the most varied set of solutions addressing malware these days are the sandboxes and virtual machines. Some sanboxes – primarily on the network – are designed simply to provide an out-of-band (and sometimes near-real-time) environment to execute suspicious software and determine whether it is malware. As with whitelisting, the goal is to identify more malware more quickly, thereby reducing costs.

Other solutions – focused on the endpoint – actually isolate the production operating environment to reduce recovery costs by reducing the downtime associated with re-imaging a solution, and/or reduce the impact by containing malware in an environment separate from other production resources.

There are some tradeoffs in the sandbox/virtual arena depending on the architecture. Network solutions may not see as much traffic in highly mobile environments. Endpoint solutions have performance considerations and/or architectural dependencies to consider.

3. Active Forensics. Recently, a number of solutions have arisen to offer a near-real-time approach to forensics. By recording system calls and/or scanning system state looking for anomalies, their goal is to identify malware infections within shorter time periods than existing methods can.

Active forensics solutions look to reduce the costs of recovery by providing detailed information on changes that were made by malware so a responder can recover more quickly. In addition, the solutions provide comprehensive information so that recovery may be possible without re-imaging. In environments where users can install their own software, this could significantly reduce end-user productivity losses associated with recovery techniques. In addition, active forensics attempt to reduce the time-to-discovery such that further exploit and escalation chances are reduced.

The tradeoff with active forensics is determining whether the detailed information is enough to ensure completeness of recovery so that recovery without re-imaging is a possibility. On the risk side, enterprises must determine whether the new insight provided will lead to a fast enough response time to offset the cost of the solution.

Each of these product categories (as well as others) have a value proposition that may provide benefits to organizations looking to augment their antimalware protection programs. The key is for companies to understand exactly what benefits they provide and decide for themselves which particular type of solution, if any, is likely to have the largest benefit.

Pete Lindstrom is Principal and VP of Research for Spire Security, LLC, a research and advisory firm. Learn more about Advanced Malware Protection by “Drinking from the Firehose” in New York City on 9/17/13. Details at www.regonline.com/AMPFirehoseNYC. Complimentary access for those who qualify. Contact petelind@spiresecurity.com for details.