Dealing With Malware On Windows (Part 2) – Long Live Application Control

July 13th, 2009 by Chris

Application control, sometimes called application whitelisting, gives you granular control over which applications are permitted to run on each of your systems. Not only can this replace your A/V solution, it can keep rogue users and licensing issues in check as well.

How does application control work?

The concept is relatively straightforward. You identify which applications each of your users should be able to run, and the software enforces that policy. One of the nice things about application control software is that you usually get far more customization capability than with A/V. For example, with many A/V solutions I may be forced to completely disable A/V in order to run an application listed as malicious in the signature database (say I'm an auditor who needs to do port scanning or password cracking). With application control, I can usually get as granular as writing policies on a per-user, per-system, per-location level (for example, the auditor can only run the port scanner from a specific system, and only when it's attached to one specific network segment). This is cool because, unlike A/V, I don't have to disable the software, and thereby expose myself to risk, just to do my job.

What to look for in application control software

There are a couple of things you need to look at when evaluating an application control product. First, look at how files are identified. Is the product simply looking at file names stored in a specific location (which a renamed or dropped-in file defeats), or is it hashing the file with one or more cryptographic hash algorithms so that the file's contents, not its name, determine what it is? You also want to look at what's involved in approving files for use and how the system deals with patches.

For example, one of my favorite products is Parity from Bit9 Software. They start by referencing a file database with over 6 billion entries and counting. While that might seem like overkill, think of how many files are involved if you just want to approve Microsoft Office for use across all versions and all patch levels. All of a sudden 6 billion entries does not seem that far-fetched.

Unfortunately a file database alone is not enough. You need some way to approve custom scripts and executables, as well as to deal with patch files in real time. For example, Adobe checks for patches whenever a user launches the application. If that happens right at the minute a patch is released, the patch file's info will not yet have propagated into the file database. What Parity does is let you approve software based on its digital signature. For example, we can create an exception that says, “If the file is not in the database but has been digitally signed by us or by Adobe, it's OK for use.” (A valid signature only proves who published the file and that it hasn't been altered since; it says nothing about whether the file is safe, so keep that publisher list short.)
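The three decisions described above (identify by hash rather than by name, fall back to a trusted publisher when the hash is unknown, and honour per-user / per-host / per-network constraints) sketched as a PowerShell policy evaluator. This is an added example, not code from the original post or from Bit9 Parity; the hash "database", the publisher list, the user, host and network prefix, and the file paths (notepad.exe, calc.exe, C:\Tools\nmap\nmap.exe) are all assumptions constructed for the demo, and the network check is a deliberate simplification of what a real product does.

```powershell
# Added example (not from the original post or from Bit9 Parity): the decision an
# application-control agent makes, in miniature. Assumptions: Windows with PowerShell 3+,
# notepad.exe and calc.exe signed by the same publisher, and the constructed paths below.

function Test-ExecutionContext {
    param([hashtable]$Rule)
    # Each constraint is optional; an absent key means "no restriction".
    if ($Rule.Users -and $env:USERNAME -notin $Rule.Users)       { return $false }
    if ($Rule.Hosts -and $env:COMPUTERNAME -notin $Rule.Hosts)   { return $false }
    if ($Rule.NetworkPrefix) {
        # Simplification: "attached to segment X" is approximated by holding an IPv4
        # address that starts with the prefix (e.g. '10.50.0.'). Real products do CIDR matching.
        $onSegment = Get-NetIPAddress -AddressFamily IPv4 |
                     Where-Object { $_.IPAddress.StartsWith($Rule.NetworkPrefix) }
        if (-not $onSegment) { return $false }
    }
    return $true
}

function Test-ApplicationAllowed {
    param(
        [Parameter(Mandatory)][string]$Path,
        [hashtable]$HashDatabase,       # SHA-256 hex -> rule hashtable (stand-in for the vendor file database)
        [string[]]$TrustedPublishers    # leaf-certificate subjects accepted when the hash is unknown
    )
    $result = [ordered]@{ Path = $Path; Decision = 'Deny'; Reason = '' }

    # 1. Identify by content. Renaming or moving the file does not change this value.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($HashDatabase.ContainsKey($hash)) {
        $rule = $HashDatabase[$hash]
        if (Test-ExecutionContext -Rule $rule) {
            $result.Decision = 'Allow'; $result.Reason = "hash match: $($rule.Name)"
        } else {
            $result.Reason = "hash match: $($rule.Name), but not permitted for this user/host/network"
        }
        return [pscustomobject]$result
    }

    # 2. Unknown hash: the "signed by us or Adobe" exception. Only a *valid* signature
    #    counts; a tampered binary reports HashMismatch and an unsigned one NotSigned.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -in $TrustedPublishers) {
        $result.Decision = 'Allow'; $result.Reason = "trusted publisher: $($sig.SignerCertificate.Subject)"
        return [pscustomobject]$result
    }

    # 3. Default deny, with the reason an admin needs in order to decide about approving it.
    $result.Reason = "unknown hash; signature status $($sig.Status)"
    return [pscustomobject]$result
}

# ---- demo with constructed data ---------------------------------------------------------
$approved = 'C:\Windows\System32\notepad.exe'
$db = @{}
$db[(Get-FileHash $approved -Algorithm SHA256).Hash] = @{ Name = 'notepad.exe' }   # no restrictions

# The auditor's port scanner: only this user, only on this workstation, only on this segment.
$scanner = 'C:\Tools\nmap\nmap.exe'                                                # assumed path
if (Test-Path $scanner) {
    $db[(Get-FileHash $scanner -Algorithm SHA256).Hash] = @{
        Name = 'nmap.exe'; Users = @('auditor'); Hosts = @('AUDIT-WS01'); NetworkPrefix = '10.50.0.'
    }
}
# Trust whoever signed the approved binary (on a normal Windows host: Microsoft).
$publishers = @((Get-AuthenticodeSignature $approved).SignerCertificate.Subject)

# A renamed copy is still allowed: the hash, not the file name, identifies it.
$renamed = Join-Path $env:TEMP 'totally_not_notepad.exe'
Copy-Item $approved $renamed -Force
Test-ApplicationAllowed -Path $renamed -HashDatabase $db -TrustedPublishers $publishers

# A file that merely calls itself notepad.exe is denied (constructed junk, not a real binary).
$impostor = Join-Path $env:TEMP 'notepad.exe'
Set-Content -Path $impostor -Value 'not a program' -Encoding ASCII
Test-ApplicationAllowed -Path $impostor -HashDatabase $db -TrustedPublishers $publishers

# calc.exe is not in the database but carries a valid signature from a trusted publisher.
Test-ApplicationAllowed -Path 'C:\Windows\System32\calc.exe' -HashDatabase $db -TrustedPublishers $publishers
```

Two things worth noticing when you run it: the renamed copy and the impostor get opposite verdicts even though a name-based list would have treated them identically, and the publisher fallback only fires on `Status -eq 'Valid'`, so a binary that was patched after signing (HashMismatch) is denied rather than waved through on the strength of its certificate.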

Protecting Supervisory Control And Data Acquisition (SCADA) Networks

This is a very cool solution for control networks, for example those running the grid, municipal services, military systems, etc., which are not supposed to be connected to the Internet. The lack of connectivity creates a catch-22: you've disconnected from the Internet to help protect the network, but how do you update your A/V signatures with no Internet access? With Parity this is a non-issue. You simply digitally sign all software required on the control network, write a rule saying only software signed with your certificate can be executed, and you are done. No signatures or updates to worry about; just re-sign new software as you wish to deploy it on the network. (The private signing key then becomes the crown jewel: whoever holds it can author software for the control network, so keep it off that network and off everyday admin workstations.)
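The "sign everything, allow only what we signed" workflow from this section, carried out with tools that ship with Windows (Authenticode signing from PowerShell plus an AppLocker publisher rule) rather than with Parity. This is an added example, not code from the original post or from Bit9; the staging folder, certificate, rule-name prefix and output path are assumptions.

```powershell
# Added example (not from the original post or from Bit9 Parity): sign every artifact
# destined for the control network, then allow only that publisher. Assumptions: a
# code-signing certificate in Cert:\CurrentUser\My, a staging folder C:\Deploy\SCADA,
# an elevated PowerShell session, and a Windows edition that includes AppLocker.

# 1. Our own code-signing certificate. For AppLocker to honour a publisher rule, the
#    certificate chain must be trusted on every control-network host, so the issuing
#    CA's root certificate goes into each host's Trusted Root store as well.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }

# 2. Sign every executable, DLL and script in the staging folder, and refuse to continue
#    if any signature does not verify (a corrupt or locked file would otherwise slip by).
$deployDir = 'C:\Deploy\SCADA'                                                   # assumed
$artifacts = Get-ChildItem -Path $deployDir -Recurse -Include *.exe, *.dll, *.ps1
foreach ($file in $artifacts) {
    $sig = Set-AuthenticodeSignature -FilePath $file.FullName -Certificate $cert -HashAlgorithm SHA256
    if ($sig.Status -ne 'Valid') { throw "Signing failed for $($file.FullName): $($sig.Status)" }
}

# 3. Build an AppLocker policy from publisher rules only. -Optimize collapses the
#    per-file rules into one rule per publisher, which is exactly the "only software
#    signed by us" rule; anything else is denied by default once the policy is enforced.
$info   = Get-AppLockerFileInformation -Directory $deployDir -Recurse
$policy = New-AppLockerPolicy -FileInformation $info -RuleType Publisher -User Everyone `
                              -RuleNamePrefix 'SCADA' -Optimize -Xml
$policyPath = Join-Path $deployDir 'scada-applocker.xml'                         # assumed
$policy | Out-File -FilePath $policyPath -Encoding UTF8

# 4. Dry-run before enforcing: every signed artifact should come back Allowed, and an
#    unsigned file dropped into the same folder should come back DeniedByDefault.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $artifacts.FullName -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply on the control-network host. The generated XML carries
#    EnforcementMode="NotConfigured" on each rule collection; change it to "Enabled"
#    first, and make sure the Application Identity service (AppIDSvc) is running,
#    or the rules are never evaluated.
# Set-AppLockerPolicy -XmlPolicy $policyPath
```

Before enforcing this for real you also need rules for the operating system itself: the Windows binaries are signed by Microsoft, not by you, so a policy containing only your publisher rule would block the logon session. AppLocker's default rules for the Windows and Program Files folders, or an additional publisher rule for Microsoft's certificate, cover that. Re-running steps 2 to 4 is the whole "re-sign new software as you deploy it" procedure from the paragraph above; no signature feed is involved.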

Parity has some other cool features as well, like the ability to track file execution or to control which removable drives can be used (by model, by user and by level of access). I'm starting to feel like a salesperson, however, so I'll leave it to the reader to learn more if they want to. ;)

The dirty little secret

So why is it we are not seeing A/V vendors dump their signatures and jump on the application control bandwagon? I do not work for an A/V vendor, so I can only speculate. I do, however, own stock in a few of them and will say that as soon as I see this trend occur I'm selling my stock. Think of it this way: where is the true cost in your A/V solution? Is it in the initial purchase price of the client, or is it in the monthly/annual subscription fee you pay for signatures? Companies loooove recurring revenue streams because they mean predictable income with zero sales effort. Stockholders (like myself) love recurring revenue streams because “higher income + less up-front cost = higher profit”. Note that in the last example I discussed protecting a network without the need for signature updates. If users went this route it would have a serious financial impact on each A/V vendor's bottom line.

The bad stuff

Now some caveats. You would probably want to use the file database if available, even if this means paying for a different subscription service. Digitally signing everything is fine on a network where the applications change infrequently (like SCADA), but in a typical corporate environment your job title would turn into “the admin who's always signing software”.

Also, application control simply regulates which applications are run on the system. It's not much help if an approved application gets whacked via a buffer overflow or the like: the attacker's code then runs inside a process the policy has already blessed. So patching is still a must, and you will probably want to run a Host-based Intrusion Prevention System (HIPS) to be completely locked down. Still, with application control you end up with a far more secure posture than sticking with that old carburetor A/V software.

Related posts:

  1. Dealing With Malware On Windows (Part 1) – Why Anti-Virus Is A Dying Technology
  2. Leveraging the Windows “runas” command
  3. Proactive Cyber Defence Seminar
  4. Quick Access To Windows Admin Tools
  5. Hiding A Backdoor Behind An Active Windows Listening Port