When Do Whitelists Become Useless for Security?

01.29.15

Dan Ennis CEO

WhiteList-Tennis-Player-2

At what point do whitelists rules become so burdensome that they are, for all practical purposes, useless?

To get a handle on the problem, start with what is often referred to as Miller’s Law, named for the Princeton psychologist who proposed it. In their working memory, Miller famously wrote, humans can process seven objects plus or minus two. Countless experiments have confirmed the so-called magic number; when lists exceed nine entries, mistakes grow exponentially.

And in business, especially where data security is concerned, mistakes can have catastrophic consequences.

 

Whitelists ascendant

It’s fair to say that in the past few years, enterprise access-control systems have moved away from a blacklisting philosophy to one focused on whitelisting. There are exceptions, of course, but most midsize to large organizations have embraced whitelisting for its superior effectiveness: It is more secure and more accurate than blacklisting,. As demonstrated by Heartbleed and Shellshock, large-scale, the-sky-is-falling exploits have simply become part of today’s business environment; blacklisting cannot keep up.

But analysts agree that the blacklist does have one notable advantage over its counterpart: manageability. It is hands-down more convenient to install, administer, and update than whitelisting.

 

‘Overwhelming’

As anybody who’s ever created an email whitelist will attest, this process is never as simple as it may first appear. In their 2014 report “Web Application Firewalls Are Worth the Investment for Enterprises” Gartner raises a flag stating that organizations who do not invest enough energy in their WAF deployment, often face disappointing results.

Overall – the most common adjective we hear when discussing whitelists with security and IT professionals is “overwhelming.”

Keeping Miller’s Law in mind, consider the areas in which whitelists might be created in a typical enterprise:

  • Network equipment.
  • Groups (to determine which personnel can access which resources).
  • Contractors, consultants, and other third parties.

Now cross-reference that list with the array of ongoing projects and initiatives in any business. Marketing execs testify that a modest campaign might require days of website whitelisting efforts. Rules must be written, analyzed, tested, revised. Conflicts with older rules must be resolved. And all this takes place in the crucible of the modern business environment, in which time is more precious than ever.

Moreover, the drag on turnaround time isn’t even the worst aspect of overly complex whitelisting schemes. Inevitably, even the most conscientious security operators grow (in their own word) overwhelmed. It becomes functionally impossible to know what the enterprise is protected from, where it’s vulnerable, and how the myriad whitelist rules interact with one another.

Which creates breach opportunities—precisely what all those rules were supposed to curtail.

 

Easing the burden

IT and security professionals need relief from the onerous, doomed complexity of enterprise-wide whitelisting. Over here at Sentrix we are promoting a Cloud-DMZ approach as an alternative security architecture.

Following this line of thought, my suggested approach is to use modified whitelistingwith a high degree of automation. Here, automated analysis and mapping of the to-be-protected web applications allow for decoupling of the business-logic components (login, registration…).  These business logic elements average less than 0.7% of an overall web property and can have whitelist rules applied to them.  However, due to the predictable nature of the remaining presentation layer aspects (99.3%), it is possible to serve them from the cloud without accessing the actual web systems… mitigating the attack surface without the need for any security validation to be assigned.

Instead of inspecting all traffic this architecture now allows security operations to focus only on business-logic components, for which a much smaller, focused, and potentially automated whitelist validation policy can be used. Now, manageability is dramatically improved because security resources are freed to spend time refining and tightening this limited and highly focused whitelist.

I am convinced that whitelisting as we know it today is critically flawed and cannot be the primary means of security. However the transformed whitelisting approach detailed here holds the promise of being less burdensome to implement and manage while delivering the level of security desperately required in the face of modern attacks.

I hope that my suggested approach resonates with you – happy to hear your thoughts!

 

blog-post-logo