Convergence of Whitelisting and Image Management

Solidcore (now part of McAfee) had an interesting evolution. We started off as a security company whose goal was to prevent "bad" stuff from running on a machine. The methodology we arrived at was the inverse of a blacklist: keep a list of all the good stuff, allow only that to run, and make sure that updates to the list were "authorized" (the list is only as trustworthy as the process that changes it, so controlling that update path is where most of the engineering goes). Over the years this methodology came to be known in the security world as whitelisting: only things on the good (or "white") list can run.

Well, it turns out that a similar thing was happening in the provisioning and patching world in the enterprise. If you look at vendors like Microsoft SMS, HP Radia, Opsware and BladeLogic (so both the desktop and the server side), they built technology to create gold images or builds and then find out what on the machine differed from what was recorded in the system. They did this for purely operational reasons, without necessarily thinking about security. If you look at their dashboards they show which systems are "all good" and which systems have "unknown" stuff that is not part of the standard image. While this was never called "whitelisting", it effectively is a whitelist, with the important difference that it is maintained at the level of images and packages rather than individual files, so its granularity is coarser than a per-file hash list.

Luckily for Solidcore, some of our customers, namely a gentleman called Lynn Trent at GM and Randy Barr at WebEx (Cisco), saw this and realized its impact well before the industry did, or we did.

So our product evolved to take ideas from both worlds, and today this has become a really powerful concept. Essentially, if you put on the operations hat, Solidcore tells you what has changed and can compare it to your change process or your image process to point out anomalies. If you put on the security hat, it only allows the things that are part of your whitelist (whether that list came from the imaging world or from the security world) to run. This is why we sometimes use the term "integrity" to describe what we do.

We help maintain both the on-disk integrity (change control) and the run-time integrity (security) of a system. This paradigm is not complicated, but it is new to most companies. We are beginning to see a lot of adoption of it in the enterprise; once you explain it, people get it.

Now you can also see how we began competing with Tripwire for PCI. Tripwire essentially solves the FIM (file integrity monitoring) problem for PCI: it scans and tells you which files have changed (this is very similar to what most provisioning products do). To put it simply: Tripwire monitors whether your on-disk integrity has been violated, which is by nature after the fact. Solidcore detects whether your on-disk integrity has been violated, it can also prevent it from being violated, and lastly it uses the same information to ensure, via whitelisting, that your run-time integrity (what is allowed to run) is not violated. That is a very powerful combination, and once customers see it in action they can see the vision.
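To make the distinction between the two kinds of integrity concrete, here is a small added example. It is not Solidcore or Tripwire code and does not reproduce either product; it is a toy written for this page that builds a per-file hash baseline of a constructed directory tree (the "gold image"), reports added, removed and modified files the way a FIM scan would, gates "execution" on whether a file's content hash is still in the whitelist, and shows the authorized-update path by which a change that went through the change process is promoted into the baseline so it stops showing up as an anomaly. All file names, contents and the function names are assumptions made for the demo.

```python
"""Added example (not Solidcore/McAfee/Tripwire code): on-disk integrity (FIM)
plus run-time integrity (content-hash whitelist) over a constructed file tree."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Content hash of one file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record the hash of every regular file under root: this is the 'gold image'."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def fim_diff(root: Path, baseline: dict) -> dict:
    """FIM-style scan: report files added, removed or modified since the baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
    }


def runtime_allowed(path: Path, whitelist: set) -> bool:
    """Run-time gate: allowed only if the file's current content hash is whitelisted.
    A path that is missing or was never baselined is denied (fail closed)."""
    path = Path(path)
    if not path.is_file():
        return False
    return sha256_file(path) in whitelist


def authorize_change(root: Path, rel: str, baseline: dict, whitelist: set) -> None:
    """The 'authorized update' path: a change approved through the change process is
    promoted into the baseline and whitelist, so it stops being reported as an anomaly."""
    digest = sha256_file(Path(root) / rel)
    baseline[rel] = digest
    whitelist.add(digest)


def demo() -> dict:
    """Constructed scenario: build a tiny image, tamper with it, then approve one change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "app").write_bytes(b"#!/bin/sh\necho hello\n")
        (root / "etc" / "app.conf").write_text("debug=0\n")

        baseline = build_baseline(root)
        whitelist = set(baseline.values())

        # Two unauthorized changes: the binary is modified and a new file is dropped.
        (root / "bin" / "app").write_bytes(b"#!/bin/sh\necho tampered\n")
        (root / "bin" / "dropper").write_bytes(b"#!/bin/sh\necho dropper\n")

        watched = ("bin/app", "bin/dropper", "etc/app.conf")
        before = fim_diff(root, baseline)          # on-disk integrity: both show up
        gate_before = {rel: runtime_allowed(root / rel, whitelist) for rel in watched}

        # Operations reconciles the report against the change calendar: the app change
        # was a scheduled patch, the dropper was not. Promote only the approved one.
        authorize_change(root, "bin/app", baseline, whitelist)

        after = fim_diff(root, baseline)
        gate_after = {rel: runtime_allowed(root / rel, whitelist) for rel in watched}
        return {"before": before, "gate_before": gate_before,
                "after": after, "gate_after": gate_after}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Run it and the first FIM report lists `bin/app` as modified and `bin/dropper` as added, and the run-time gate denies both while still allowing the untouched `etc/app.conf`. After the approved patch is promoted, `bin/app` disappears from the report and is allowed to run, while the dropper stays flagged and blocked. That reconciliation step is the part a real deployment has to get right: if every patch has to be hand-approved the whitelist becomes unmanageable, and if approval is automatic the whitelist is no stronger than whatever can write to disk.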

This has been a runaway success in environments where image management and security have traditionally been one role, for example retail, where store systems management typically falls under one person. It is also easily adopted in large enterprises where the CISO and the VP of Operations are peers and communicate well.

As part of McAfee we now have the opportunity to share this with a much larger set of people and also to do some very interesting integrations with ePO (I will write another article on that). I believe this will change how enterprises view end-point security in the next decade.
