Businesses have blindly joined in the reactive post-and-patch game of AV updates and application vulnerability patching, without fully understanding that it will inevitably lead them to a never-ending spiral of security updates. This would seem not to be the most effective way of keeping your endpoints free from infiltration, and yet the industry as a whole has stumbled onward, quite happily playing this reactive game for some time.
Notwithstanding this, there is a rather serious flaw in this plan that cannot be ignored – malware writers always have been, and will continue to be, one step ahead. Malware development is a funded operation, a business looking to reap the rewards in the data contained behind the very holes we seek to plug, and it will not stop as long as there is an opportunity for criminals to profit.
So what is going to happen to us if we carry on this downward spiral? The answer is a not-too-distant future in which we have no choice but to lock everything down in a bid to stop all unauthorised code that enters our networks – creating an environment in which there is a “zero tolerance” attitude and in which malware cannot prosper. Such zero tolerance treatment may be the only effective means of combating the epidemic of fully-funded malware operations. No malicious code can run, no data can leak, no compliance issues, no problem.
Until, that is, someone wants to do something! The other side of zero tolerance is the less appealing one of zero flexibility. Can you imagine receiving a call from a sales guy in the field who is trying to close a sale but unable to download his pre-prepared presentation from a USB device? Or, being asked by a board executive to enable the download of a stock index ticker so she can keep up-to-date with the company share price? Would you be happy to be the IT manager responsible for telling those people that under the zero tolerance IT strategy they could not execute those actions? No, and nor would I.
The fact is that the first stages of zero tolerance have been upon us for some time. All of us that use a computer in the workplace are being restricted today in ways that weren’t an issue even just a few years ago. So where will this end? Will zero tolerance be our future negative reality to replace the existing one? From the cleaner to the CEO, every user is a potential weakness and every weakness is a potential outbreak. It is a sad fact that we have reached this inevitable conclusion, but to guarantee endpoint integrity it would seem we have no choice but to batten down the hatches, bear the consequences and enter the zero zone.
So why isn’t someone offering a better solution to the problem? Well, it is certainly overdue and time we changed our strategy of handling threats. The time has now come to adopt a proactive security policy and relieve ourselves of the negative cycle we are in. Wouldn’t that be great? Cut out time spent with nagging users calling you to clean infected machines and vendors pestering you to update your operating systems with the latest fix.
Sounds too good to be true, doesn’t it? But it’s really not.
I believe the answer to the zero tolerance conundrum is a combination of trusted ownership and application authorization. Trusted ownership involves leveraging existing administrator ownership of applications and using this established mechanism to determine the applications that can be used by employees. Further, I suggest augmenting this ownership checking with an application approval capability, enabling users to authorize application use that can then be monitored and audited.
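As an added illustration of the trusted ownership plus application approval model described above (example code written for this page, not the author's or any vendor's product): a decision routine that allows execution when a file's owner is a trusted administrative account and the file cannot be rewritten by other users, falls back to an explicit, audited user approval otherwise, and records every decision. The trusted account names, paths and user names are constructed.

```python
import os
import stat
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed set of accounts whose file ownership is treated as trusted.
TRUSTED_OWNERS = {"root", "Administrator", "TrustedInstaller"}


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class AppControl:
    """Allow/deny execution by file ownership, with an approval and audit path."""
    trusted_owners: set
    approvals: Dict[str, str] = field(default_factory=dict)  # path -> approver
    audit: List[dict] = field(default_factory=list)

    def decide(self, path: str, owner: str, user: str, others_writable: bool) -> Decision:
        # Ownership only proves provenance when non-owners cannot rewrite the
        # file, so a trusted-owned but world-writable file is not trusted.
        if owner in self.trusted_owners and not others_writable:
            d = Decision(True, "trusted-owner")
        elif path in self.approvals:
            d = Decision(True, "approved-by:" + self.approvals[path])
        elif owner in self.trusted_owners:
            d = Decision(False, "trusted-owner-but-writable-by-others")
        else:
            d = Decision(False, "untrusted-owner")
        self.audit.append({"path": path, "user": user, "owner": owner,
                           "allowed": d.allowed, "reason": d.reason})
        return d

    def approve(self, path: str, approver: str) -> None:
        """Record a user approval so a non-admin-owned file may run; audited."""
        self.approvals[path] = approver
        self.audit.append({"path": path, "user": approver, "owner": None,
                           "allowed": None, "reason": "approval-granted"})


def owner_and_writability(path: str):
    """Read owner name and the others-writable bit from a real file (Unix only)."""
    import pwd  # local import so the pure decision logic runs on any platform
    st = os.stat(path)
    return pwd.getpwuid(st.st_uid).pw_name, bool(st.st_mode & stat.S_IWOTH)
```

Feed `decide()` the tuple returned by `owner_and_writability()` for a real path to check an actual file; the audit list is what an approval workflow would review.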