Endpoint Security Needs to Change

Today I walked the exhibit hall at the RSA conference and spoke to numerous endpoint security vendors to ask them how they were dealing with new or unknown malware. While the specific answer varied depending on the vendor, all of the answers revolved around a similar strategy. According to the vendors at the booths, next-generation endpoint security products were somehow now better at detecting malware. This was now magically possible because of technologies such as artificial intelligence, machine learning, or the latest algorithm.

Technologies such as AI and machine learning certainly can add an extra layer of security and could potentially reduce the risk of a malware infection. But in the never-ending rat race between security vendors and bad actors, anti-virus vendors make us no more secure than they did in 2017 when WannaCry burst onto the scene and crippled some of the world’s largest organizations (all of which had anti-virus tools and next-generation endpoint products in operation).

The question therefore is why businesses believe that a better or next-generation antivirus or endpoint threat detection system can do any better than it has for the last decade. Logically that assertion makes no sense. Even if one does the “math” on the problem, the reality is that malware is now so transformational and fast-evolving that it renders any attempt to identify it via typical approaches useless, or at best marginally effective.

The method that makes the most sense and addresses the heart of the malware issue is the use of application whitelisting. Essentially, using this approach, we start from a position that nothing is trusted from startup unless it is proven and validated as safe. All applications are denied operation until they are approved or validated as needed for the execution of business-focused objectives. This approach is already in place and has been noted as being so effective that it has now been mandated as part of the I.T. modernization act for government agencies.

The concept is simple. Start with an allowed list of the applications that are permitted to run in your organization, and block everything else. This approach also aligns with today’s Zero Trust concepts and strategies and inherently mandates that applications are untrusted by default. This approach not only secures a business from known and unknown malware, but it also protects systems and infrastructure from other applications, such as remote access tools, that could expose a business to data theft through third-party connections.

The problem in the past has been that most businesses have struggled with what to put on the whitelist. Most computers run somewhere between twenty and thirty thousand executables, DLLs, and script files as part of their basic function. For many businesses, the reality of cataloging those applications across hundreds or thousands of computers is unthinkable. Finally, this issue is worsened by the fact that the list must be kept up to date with regular operating system and application updates for the system to function normally.
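To make the default-deny model and the update problem concrete, here is a small illustration added to this post (it is not ThreatLocker’s code or a description of its product). It catalogs a clean baseline in a learning mode, switches to enforcement, and shows that a legitimate application update is blocked until its new hash is approved; all file paths and file contents are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass, field

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class AllowlistPolicy:
    """Default-deny execution policy keyed on the file's content hash."""
    allowed: set = field(default_factory=set)
    learning: bool = False  # True while cataloguing a clean baseline, False when enforcing
    pending: dict = field(default_factory=dict)  # unknown hash -> path, queued for operator review

    def decide(self, path: str, contents: bytes) -> str:
        digest = sha256_hex(contents)
        if digest in self.allowed:
            return "allow"
        self.pending[digest] = path  # unknown either way; record it for review
        return "allow" if self.learning else "deny"  # learning mode only observes

    def approve_pending(self) -> int:
        """Promote every reviewed unknown hash onto the allowlist."""
        count = len(self.pending)
        self.allowed.update(self.pending)
        self.pending.clear()
        return count

# Constructed stand-ins for executable contents (not real binaries).
APP_PATH = r"C:\Program Files\App\app.exe"
BASELINE = {APP_PATH: b"MZ app build 1.0", r"C:\Windows\System32\kernel32.dll": b"MZ system dll"}
REMOTE_TOOL = (r"C:\Users\u\Downloads\remote.exe", b"MZ remote access tool")
APP_UPDATE = b"MZ app build 1.1"  # same path, new contents after a vendor update

def build_policy() -> AllowlistPolicy:
    """Catalogue what a clean baseline machine runs, then switch to enforcement."""
    policy = AllowlistPolicy(learning=True)
    for path, data in BASELINE.items():
        policy.decide(path, data)
    policy.approve_pending()
    policy.learning = False
    return policy

def run_enforcement() -> dict:
    policy = build_policy()
    results = {"app_v1": policy.decide(APP_PATH, BASELINE[APP_PATH]),
               "remote_tool": policy.decide(*REMOTE_TOOL),
               "app_v2_before_approval": policy.decide(APP_PATH, APP_UPDATE)}
    policy.allowed.add(sha256_hex(APP_UPDATE))  # operator approves the new build only
    results["app_v2_after_approval"] = policy.decide(APP_PATH, APP_UPDATE)
    return results
```

The `pending` queue is what an operator reviews: it is how the list is built in the first place and how it is kept current after each update.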


We have categorically solved the problem that application whitelisting presents. ThreatLocker provides the tools to make application whitelisting simple. Our system uses a fast and effective way to build a tailored application whitelist and makes updating it easy. Alongside the technology, our 24-hour Security Operations Center ensures that updates to critical business software will not be blocked by the whitelist.