Re-Imaging Devices vs. White Listing. Can it be both?
Today's malware is increasingly hard to clean up. It seems those persistent attackers we hear so much about leave behind a lot of persistent malware. Regardless of your malware clean-up processes, there remains a high likelihood of re-infection. In many cases the only way to rid a device of the kinds of malicious code we see is to re-image it. Basically, just start over again. Hopefully all the user data is backed up and salvageable, so the only cost is time. A lot of time. But that's really the only way to ensure you won't see the same malware over and over again.
Some of the big name analyst firms are recommending you take this concept of re-imaging one step further. Neil MacDonald of Gartner talks about cycling server workloads to ensure attackers don't gain a foothold on critical servers. I'm not a big fan of another three-letter acronym to describe the process, so I'll pass on mentioning that, but Neil's point is a good one. You can't trust your servers; you can't trust your desktops. You stay alive by not trusting anything, since malware is likely lurking on a portion of your devices. Cycling the devices and reinstalling the key (trusted) software, making sure you start from a clean slate every so often, is a good practice.
But is that the only option we have? What if we work a bit harder to ensure malware doesn't end up on devices in the first place? Yeah, a bit idealistic, bordering on heresy, eh? It's possible with a technology like application white listing (AWL). Remember, AWL takes a "positive" security model to your devices. You authorize certain executables (your white list), and nothing else can run on the device. It's a default deny approach to running software on devices. Stuff that can be blocked includes malicious code, rootkits, and all sorts of other things you just don't want running on your devices.
Of course, challenges remain with whitelisting technology. It definitely impacts the user experience and a lot of organizations don't have the internal mojo to break the user's ability to run applications they want, when they want. The vendors in the space are addressing some of these issues by providing a "grace period" of sorts to allow the user to run an unauthorized application until it can be approved. Yet that impacts the security model, which may be a necessary evil.
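To make the default-deny model and the "grace period" trade-off concrete, here is an added example (mine, not code from the post or from any AWL vendor): a hash-based allowlist where a strict policy denies anything unapproved, while a policy with a grace window lets an unknown binary run for a bounded time and records that exception for the approval workflow. The executable images, labels and the `Allowlist` class are constructed for illustration.

```python
# Hash-based application allowlist: default deny, optional audited grace period.
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed stand-ins for executable images; a real agent would read the file.
KIOSK_APP = b"MZ\x90\x00constructed-kiosk-app-v1"
KIOSK_APP_TAMPERED = KIOSK_APP[:-1] + b"2"       # one byte differs from the approved image
UNKNOWN_TOOL = b"MZ\x90\x00constructed-unapproved-tool"

def fingerprint(image: bytes) -> str:
    """Identity of an executable is its content hash, not its path or name."""
    return hashlib.sha256(image).hexdigest()

@dataclass
class Allowlist:
    approved: Dict[str, str]                       # sha256 -> label of authorized executable
    grace_seconds: int = 0                         # 0 = strict default deny (kiosk/server posture)
    pending: Dict[str, float] = field(default_factory=dict)   # sha256 -> first seen (seconds)
    audit: List[str] = field(default_factory=list)

    def check(self, image: bytes, now: float) -> bool:
        """Return True if the image may execute at time `now`."""
        h = fingerprint(image)
        if h in self.approved:
            return True
        if self.grace_seconds == 0:
            self.audit.append(f"{now:.0f} DENY {h[:12]} not on allowlist")
            return False
        first_seen = self.pending.setdefault(h, now)
        if now - first_seen <= self.grace_seconds:   # unapproved code runs here: the weakened model
            self.audit.append(f"{now:.0f} GRACE {h[:12]} awaiting approval")
            return True
        self.audit.append(f"{now:.0f} DENY {h[:12]} grace period expired")
        return False

    def approve(self, image: bytes, label: str) -> None:
        """The authorized-change step: move an image from pending to approved."""
        h = fingerprint(image)
        self.approved[h] = label
        self.pending.pop(h, None)

def strict_kiosk() -> Allowlist:
    return Allowlist(approved={fingerprint(KIOSK_APP): "kiosk-app"})

def endpoint_with_grace(hours: int = 1) -> Allowlist:
    return Allowlist(approved={fingerprint(KIOSK_APP): "kiosk-app"},
                     grace_seconds=hours * 3600)
```

The tampered image is denied by the strict policy because the hash, not the file name, is what was authorized; the grace policy shows exactly which unapproved hashes ran and for how long, which is the evidence you want when reviewing that "necessary evil".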
There are certain use cases where whitelisting makes a lot of sense. Let's take the example of a fixed function device, like a kiosk. Do you care that a user can't install an application on a kiosk? Nope. Nothing good can come from a user installing software on an open kiosk. Same goes for servers. Most servers are built with a function in mind, and if that function changes, those changes should be part of a workflow with checks and balances ensuring a properly authorized change. Even if you can't culturally pull off AWL on endpoint devices, there are places you certainly can use the technology to reduce your attack surface.
Let's get back to the topic of re-imaging vs. application whitelisting. To be clear, I don't view this as an either/or proposition. Why not do both? Sure, you are limiting the likelihood that you'll get malware if you deploy AWL. But you CAN'T eliminate all possibility of infection. This idea that AWL can stop an advanced persistent attacker is nonsense. AWL can stop many of the attack vectors the APT attacker has used to date, but to think that any control will stop a well-funded, very skilled attacker is naive.
I'm on board with the idea that every so often you should re-image your devices based on a gold standard configuration and set of authorized applications. Is it every day? Every week? Every month? The more the better, but that's an operational decision. The point is we don't see re-imaging and AWL as mutually exclusive. When you are dealing with the kinds of attackers we see nowadays, you'll need every control you can get.
And that means layering as many defenses as you can. The more the merrier, right?