PORTLAND, Ore.—As cyber security threats diversify, the most advanced solutions are upending the detection paradigm: instead of finding and removing malicious software after the fact, they allow only trusted software to run in the first place. Once considered too cumbersome for everyday use by IT departments, trust-based security, known as application control or whitelisting, is now ready for mainstream IT departments, cloud deployments and virtualized environments, according to security software provider Bit9 Inc.
"Our customers believe that traditional defenses like blacklisting and scanning for malware are insufficient," said Brian Hazzard, vice president of product management at Bit9 (Waltham, Mass.). "The solution is to take trust-based security mainstream, which we hope to do by reducing administrative overhead, optimizing for virtualization, and making it scalable—from as few as 100 users to as many as 250,000 users on a single Bit9 server."
Instead of paying a service to scan incoming files against signatures of known malware, Bit9 customers assess whether each program is trustworthy before it is allowed to run. That inverts the traditional model, which blacklists known-malicious software, scans incoming files for matching signatures, and allows everything else by default.
Signature-based virus scanners cannot spot a threat they have no signature for, and they need constant updates to keep pace; until a new piece of malware is detected it is free to steal data, record audio, log keystrokes, take screenshots and monitor network traffic. Trust-based cyber security systems turn detection on its head: they whitelist software judged trustworthy and enforce strict application control, so only trusted programs are allowed to execute and anything unknown is blocked by default.
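To make the difference between the two models concrete, here is a small policy engine written for this edit as an added example; it is not Bit9's software or code from the article. It evaluates the same constructed sample files under a blacklist rule (allow unless the hash is known bad) and under a default-deny application-control rule (allow only a locally approved hash or a trusted publisher). The signer label attached to each sample is an assumption standing in for a verified code-signing identity; a real product would take it from an Authenticode or similar signature check rather than from a string in a table.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample "executables": byte strings standing in for file contents,
# paired with an assumed signer label (None = unsigned). Not real binaries.
SAMPLE_FILES = {
    "notepad.exe": (b"MZ\x90\x00notepad-build-1234", "Microsoft Corporation"),
    "malware_known.exe": (b"MZ\x90\x00dropper-variant-a", None),
    "malware_new.exe": (b"MZ\x90\x00dropper-variant-b-repacked", None),
    "homebrew_tool.exe": (b"MZ\x90\x00my-open-source-tool", "Self-signed: alice"),
}


def sha256_hex(data: bytes) -> str:
    """File identity is the SHA-256 of its contents, as whitelists typically key on."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Policy:
    trusted_hashes: frozenset      # individually approved files (e.g. admin-approved)
    trusted_publishers: frozenset  # signers whose output is allowed wholesale
    blocked_hashes: frozenset      # the traditional "signature database"


def blacklist_decision(data: bytes, signer, policy: Policy) -> str:
    """Traditional AV model: everything runs unless its hash is known bad."""
    return "deny" if sha256_hex(data) in policy.blocked_hashes else "allow"


def application_control_decision(data: bytes, signer, policy: Policy) -> str:
    """Default deny. A known-bad hash wins over any trust rule; then trust by
    hash, then trust by publisher; anything unknown is blocked."""
    digest = sha256_hex(data)
    if digest in policy.blocked_hashes:
        return "deny"
    if digest in policy.trusted_hashes:
        return "allow"
    if signer is not None and signer in policy.trusted_publishers:
        return "allow"
    return "deny"


def approve_locally(policy: Policy, data: bytes) -> Policy:
    """What an administrator does for new software nobody has vetted yet:
    approve this exact file by hash, without trusting its publisher at large."""
    return Policy(
        trusted_hashes=policy.trusted_hashes | {sha256_hex(data)},
        trusted_publishers=policy.trusted_publishers,
        blocked_hashes=policy.blocked_hashes,
    )


# Constructed policy: one known dropper is blacklisted, Microsoft-signed code is
# trusted, and the home-made tool has been approved by hash.
BASE_POLICY = Policy(
    trusted_hashes=frozenset(),
    trusted_publishers=frozenset({"Microsoft Corporation"}),
    blocked_hashes=frozenset({sha256_hex(SAMPLE_FILES["malware_known.exe"][0])}),
)
POLICY = approve_locally(BASE_POLICY, SAMPLE_FILES["homebrew_tool.exe"][0])


def evaluate_all(policy: Policy = POLICY) -> dict:
    """Return {filename: (blacklist verdict, application-control verdict)}."""
    results = {}
    for name, (data, signer) in SAMPLE_FILES.items():
        results[name] = (
            blacklist_decision(data, signer, policy),
            application_control_decision(data, signer, policy),
        )
    return results


if __name__ == "__main__":
    for name, (bl, ac) in evaluate_all().items():
        print(f"{name:20s} blacklist={bl:5s} application-control={ac}")
```

The interesting row is the repacked dropper: its hash matches nothing in the blocklist, so the blacklist model waves it through, while application control denies it because nothing vouches for it. The home-made tool shows the flip side the reader comments below worry about: it only runs because an administrator approved that exact hash, and a rebuilt binary would have to be approved again.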
Bit9's software dashboard. The database of known-good applications can be accessed through Bit9's Parity Knowledge Service, which evaluates whether software is trustworthy.
Bit9, which has about 1,000 corporate customers maintaining application control over about one million user devices, claims version 7.0 of its trust-based security suite is the first to integrate application control across enterprise servers, desktop computers and laptops whether they are in-house, cloud-based or virtualized. Bit9 security software handles incident response, forensics, detection and protection either in-house or as a service.
So there's been this concept of signed code: executables are signed by their creator, who vouches for their safety, and the OS checks that the creator is who they claim they are and that the executable has not been modified. Microsoft implemented this because they had a horrible problem with third party software and drivers; they required it for drivers for years, but didn't make it mandatory for user executables. Bit9 could use this infrastructure by re-signing the executables they deem to be safe; I suspect that they instead built their own implementation. Unfortunately the article doesn't mention which platforms are covered: I assume Wintel and PCs, but they could also be targeting smartphones.
Signed code is coming our way: the new EFI BIOS requires signing of BIOS images and of the boot loader; this is required by the new Windows 8 hardware spec from Microsoft. I am apprehensive about whether this is a good idea all the way through: it essentially gives the control over what software one can install and use to the signing entities. I hope that all such schemes allow self-signing of home-made executables.
I like the idea of trust-based security. But at some point I still have to be able to say that I trust a program.
Under something like Bit9's solution, if I find a new piece of software (say open source) do I have to wait until someone on their end can whitelist it before I can run it?
As for self-signed, all they would have to do is establish a way for clients to get temporary certificates that their system would allow.
Still, it all comes down to who has the final say in what is trusted: me, my OS, my hardware, or my security software.