Last month I ran across the CoreTrace booth at the ISA Expo. Ever since that happenstance introduction, their name and the concept behind their Bouncer product keep popping up in conversations, news feeds, and even Google advertising — mostly in the context of solving SCADA security and compliance issues. Control system server and workstation security has become my passion here lately, so I suppose it’s time to weigh in on the issue of application whitelisting.
I read Marcus Ranum’s “Six Dumbest Ideas in Computer Security” several years back (see dumb idea #2) and it piqued my interest in enumerating the known good (whitelisting) versus enumerating the known bad (signature-based solutions). We’ve even used the terminology a bit when describing the Bandolier security audit files since we are auditing for a secure configuration (known good), as opposed to the traditional Nessus function of identifying vulnerabilities (known bad).
A compelling idea, but there are always concerns about the headache of managing a whitelisting product. Based on what I saw at the ISA Expo, some of these concerns may have been addressed. I don’t have enough exposure to other products like Bit9 to know if this is a trend across the various solutions, but CoreTrace seems to have made some advances and they made Network World’s list of “10 IT security companies to watch”.
Digital Bond alum, Matt Franz, questions whether whitelisting is as lame as this blog post (in his opinion) makes it out to be. At least in its modern iteration, let’s hope it is not.
There are sub-issues that we’ll save for later discussion but here’s the point I want to make for now: if the control system application vendors support and adopt application whitelisting, it may have a chance. I had a conversation with one of the major control system vendors who is looking to integrate and support the CoreTrace product. And then I saw this Wonderware partnership. Not sure if two instances are enough to constitute a trend, but I will definitely be watching to see what happens.