"Blacklisting--chasing the threat--is not working," says Lumension Security's Steve Antone, vice-president of Federal solutions. "The end of the line is coming for this strategy—it requires so much overhead, tens of thousands of scripts, to chase down threats."
Antone spoke to Windows IT Pro magazine recently about the move in the security industry toward whitelisting; Lumension's security configuration management solution; and the Federal mandate for government agencies to standardize desktop configuration.
"99 percent of companies have antivirus, yet 52 percent \[of those\] have problems \[with viruses\]," he says. "Companies like Symantec and McAfee are buying app and device control products and patch management products and claim they're going to integrate them but haven't yet. They have niche products aimed at the vulnerability management side but they're not integrated into one interface."
"You have to implement technology that lets you see what apps you have. You need a way of just listening and seeing what is being used and how it's being used—to say 'Here's a known good.' Our strategy is not a reactive approach," Antone says. "We're not an 'anti' model. We're whitelisting."
Formerly known as PatchLink, Lumension acquired the STAT vulnerability management product line last year from Harris Corporation, then acquired the endpoint security company SecureWave. The coupling of technologies resulted in Lumension's PatchLink Security Configuration Management (SCM), which offers out-of-the-box regulatory and best-practices templates to ensure systems and applications are properly configured. The solution integrates with Lumension's existing PatchLink Scan and PatchLink Update.
Integrating whitelisting functionality with vulnerability management technology allows for a comprehensive approach, Antone says. "Our tool looks at the network from the agent perspective, and another tool of ours looks across the entire network and we tie those things back together. If you have just an agent on a machine, you don't get the full picture."
NASA and the Veterans Administration used PatchLink SCM to get the "full picture" as they worked to meet the requirement of the standardized desktop configuration. The Office of Management and Budget (OMB) is requiring all Federal agencies to standardize desktop configuration to one model, the Federal Desktop Core Configuration (FDCC). February 1, 2008 was the deadline for agencies to show that all desktops had been standardized or to report on progress toward that goal. "I've heard that 25 percent of Federal agencies met the February 1 deadline to the letter, if that," Antone says.
The FDCC offers several challenges, he says. "First, it requires educating agencies on what the mandate really means and allocating funding to meet its requirements. It also requires getting in there and understanding their environment—how many waivers am I going to need based on different departments' missions?
"The OMB knows that one configuration is unrealistic—you'll have exceptions: The Air Force is down to six configurations but there are tens of thousands of configurations within a civilian agency—with civilian agencies, it's unrealistic to have one configuration. Even in our company we have 20 to 30 configurations," Antone adds, even though the differences between configurations might be slight.
The National Institute of Standards and Technology (NIST) holds a repository of information relating to the FDCC. "We learned from the NIST conference \[on the FDCC \] that there was a debate," Antone says. "'If the attacker knows the configuration of the box and it's the same throughout the organization, isn't the attacker going to be able to \[much more easily\] attack \[the organization\]?' It was an academic question. Others said, 'Look, we'll have more efficiencies.' At the end of the day, it comes down to protecting the endpoint. I think the cost savings and efficiency gain \[of standardized desktops\] far outweighs the security risks of having everything the same."
"NIST has already had these guides for configuration but always left it up to interpretation. Now they've invented a protocol to make the guidance machine-readable and vendors can go out and see 'Here is the XML script that checks thus and such.' " PatchLink SCA provides a comprehensive list of NIST’s Security Content Automation Protocol (SCAP) policies with hundreds of defined checks so organizations can evaluate their security and determine what must be fixed to meet FDCC standards.
Think you won't have to worry about such things because you don't work for a Federal agency? Think again. "It will trickle over to the private sector," Antone says. He cites financial organizations that need to comply with the Payment Card Industry (PCI) Data Security Standard (DSS). PatchLink SCM can help companies meet PCI-DSS requirements as well. For more information about PatchLink SCM, go to Lumension.com. To learn more about FDCC and SCAP, go to nvd.nist.gov/scap.cfm.
