Someone needs to tell me where the downside is with products like CoreTrace Bouncer. I’ve tried to be skeptical of application whitelisting, but the more I see, the more I like it. Recently I had the opportunity to see Bouncer demonstrated on a Yokogawa Centum DCS. I’ve seen lab demos before, but this was the first time I had seen it in the context of control system servers. My overall impression: this is an elegant and effective solution to some of the security challenges we face with Windows servers and workstations in control systems.
Perhaps the simplest definition of application whitelisting is that you allow the known good programs to run and nothing else. Blacklisting, on the other hand, is the traditional approach: you allow everything to run and then identify known bad things using anti-malware software. The trouble with blacklisting is that the list is constantly moving and ever-expanding. For some additional perspective on this, see #2 in Marcus Ranum’s “The Six Dumbest Ideas in Computer Security”. One of my favorite quotes from that article:
Why is “Enumerating Badness” a dumb idea? It’s a dumb idea because sometime around 1992 the amount of Badness in the Internet began to vastly outweigh the amount of Goodness.
Whitelisting skepticism has always centered on management and performance. How do I still allow people to do their job? And is having to check the whitelist every time I click on myprogram.exe going to slow things down? With Bouncer, there are a number of ways to allow people or programs to make changes by designating them as trusted entities. This is critical in enterprise networks, but because of the deterministic nature of most control systems, I think it’s less of an issue there. As for performance, the magic is that the core whitelisting part of Bouncer loads in the kernel. It’s not, for example, modifying the actual ACLs of hundreds of binaries on the system; it controls their execution from a lower level.
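To make the allow/deny model concrete, here is a small simulation I’m adding (not CoreTrace’s code, and nothing like their kernel-level enforcement): a hash-based whitelist where baselined binaries run, anything unknown or modified is denied, and only a designated trusted entity (a hypothetical vendor patch service in this example) can add new binaries. The “executables” are constructed byte strings standing in for real program images.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class AllowList:
    """Execution policy: run only binaries whose SHA-256 is on the list."""
    approved: set[str] = field(default_factory=set)
    trusted_updaters: set[str] = field(default_factory=set)

    @staticmethod
    def digest(image: bytes) -> str:
        return hashlib.sha256(image).hexdigest()

    def baseline(self, images: dict[str, bytes]) -> None:
        """Enroll the known-good programs found on a freshly built system."""
        for image in images.values():
            self.approved.add(self.digest(image))

    def may_execute(self, image: bytes) -> bool:
        """Default deny: an unknown or modified executable does not run."""
        return self.digest(image) in self.approved

    def trusted_change(self, updater: str, image: bytes) -> bool:
        """Only a trusted entity (e.g. a vendor patch service) may add binaries."""
        if updater not in self.trusted_updaters:
            return False
        self.approved.add(self.digest(image))
        return True


def demo() -> dict[str, bool]:
    # Constructed sample "binaries": byte strings standing in for executable images.
    baseline_images = {"hmi.exe": b"MZ-hmi-v1", "historian.exe": b"MZ-hist-v1"}
    policy = AllowList(trusted_updaters={"vendor-patch-service"})  # hypothetical updater name
    policy.baseline(baseline_images)
    return {
        "baseline_hmi_runs": policy.may_execute(b"MZ-hmi-v1"),
        "unknown_binary_runs": policy.may_execute(b"MZ-unknown"),
        "tampered_hmi_runs": policy.may_execute(b"MZ-hmi-v1-modified"),
        "untrusted_add": policy.trusted_change("random-user", b"MZ-tool"),
        "vendor_add": policy.trusted_change("vendor-patch-service", b"MZ-hmi-v2"),
        "hmi_v2_runs_after_vendor_update": policy.may_execute(b"MZ-hmi-v2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that a real product also has to cover scripts, DLLs and interpreters, which is exactly where the “trusted entity” machinery earns its keep.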
So let’s break it down: we have Windows machines in control environments that are difficult to patch. Delivery of AV signatures, not to mention the overhead of running AV in the first place, is also painful. Finally, the long life cycle of these systems means we’re dealing with old OS versions in many cases. Introduce Bouncer, a solution that defeats malware to the point that patching may be irrelevant, and it works with Windows versions back to NT 4.0. CoreTrace admits they didn’t go out targeting our market, but it’s easy to see why over half their new clients this year are utilities and other organizations trying to solve control system security issues.
If you have NERC CIP responsibility, some light bulbs are probably going off about now. Can I deploy a product like Bouncer and not have to do AV updates and patches? The CEO of Encari (Matthew Luallen) and the Midwest ISO chairman (Paul Feldman) make a case for meeting “both the spirit and letter of the law” in this whitepaper: Malicious Software Prevention for NERC CIP-007 Compliance. The case is pretty clear for anti-malware. For patching, it may at least buy you some time as a compensating control. The Luallen/Feldman paper says this regarding CIP-007 R3:
By preventing the execution of malware — including those that are deposited via vulnerabilities that haven’t been patched or via memory-based attacks like DLL injections — application whitelisting is a compensating control until the PCS vendor approved security patches are installed during regular maintenance windows.
Incidentally, the Emerson Process Management group put their vote in for whitelisting by including Bouncer as the anti-malware component of their Ovation Security Center product.
Between doubts about the effectiveness of anti-virus and the current security and compliance challenges faced in control systems, there are some compelling reasons to take a look at application whitelisting.
(Full Disclosure: CoreTrace has been an advertiser on the Digital Bond site)