Application Security Whitelisting: Keep the Bad Guys Out - Let the Good Guys In
In this exclusive interview sponsored by Lumension Security, Brent Rickles, SVP of First National Bank of Bosque County, Texas, discusses:
TOM FIELD: Hi, this is Tom Field, Editorial Director of Information Security Media Group. I'm here today on behalf of Lumension Security. The topic is securing financial data and systems through application whitelisting, and we are talking today with Brent Rickles, Senior Vice President, First National Bank of Bosque County in Texas. Brent, thanks so much for joining me today.
BRENT RICKLES: You're welcome. Glad to be here.
FIELD: Brent, to start out, just tell us a little bit about your institution and the security issues that you traditionally face with applications and with the web.
RICKLES: We are a $95 million dollars in assets size bank. We are located in Central Texas near Waco. We have four locations, about 40 employees, and so we have servers and PC's spread out over those four locations, and we, of course, are always concerned about protection from malware, rogue websites, viruses or any type of things like that coming in through email or just being picked up at various places. We are concerned about people bringing them in on USB devices or on software they may have picked up somewhere else. So we just look at all types of areas and just try and be proactive and be as secure as we can.
FIELD: So I know that you use Lumension Security Solutions now, but what protective measures did you use previously?
RICKLES: We used to use a desktop antivirus software, and we still use antivirus on our email server, and we have a web filter.
FIELD: Okay, but clearly these weren't doing the job for you. So what attracted you to this concept of what they call whitelisting, and specifically to Lumension Security's End Point Protection Solution?
RICKLES: We were a little frustrated with desktop antivirus because it tends to be very processor intensive -- there is a lot to managing it, and it is a reactive technology; and we were hoping to find something better. Antivirus technology has been around a long time, and it does a good job on certain areas, and in certain areas it is not as good as we would like it to be. You know, you are always dealing with the unknown, you are always wondering if you are patched up correctly, you are always wondering if you are maybe missing the zero day virus, and so we went looking for a solution that would be more proactive in nature than antivirus technology, and that is where we ran across whitelisting and Lumension to add to our protection. And one of the things that we liked about it was it was a very proactive product.
You build a whitelist, a database of applications that can run on your network, it works very well and you are managing then a known universe. These are programs that I said are okay to run on our network, they are programs the bank has approved, the programs fit; that's a very small universe of applications. I know what is in that universe, I can manage it, I can put it on the whitelist in that database -- versus antivirus, where you are trying to manage an unknown universe and you can never ever know what is out there and you can never build a complete database because it is never complete because that is just the way that it works.
The guys that write malware are always very busy at making slight permutations in their products and changing things and morphing it, and they have gotten very good lately about being able to do that very quickly. So that universe will continue to expand at a rapid rate, whereas the universe of programs that are known to us that we want to run is only expanding at a small rate.
FIELD: Okay so Brent, this concept of whitelisting isn't so much about keeping out all the bad guys you don't' know, but it is about letting in the good guys you do know, so to speak?
RICKLES: Exactly. You say this is a program that is allowed to run on my network and it checks the database through any program, an executable or a DLL and says is this an approved program, and then if it is it can run.
FIELD: Now, theoretically that would speak to not just malicious things that might come in over the internet, but things that your employees might sort of innocently be trying to introduce too. Isn't that right?
RICKLES: That's right. You know, anybody that brings in a screensaver that they run or just wanted to run a particular application or they think that this is a neat thing to download from the web, all those kinds of things are blocked, and it doesn't matter if it is good, bad -- it makes no judgment on the type of program it is. The only judgment it makes is, is it an approved program or not? So you can even set the entertainment, the games and things in Microsoft Windows and say that is not an approved program. There's nothing harmful about the program, but if you've decided that I don't want those to run on my network, you can keep them off the whitelist and they won't run. So it gives you a lit of flexibility in managing what will run on your network, what is authorized.
By the same token, you also have to make sure that when you do patch something that you add it to the database first, or for installing a new program, that it is added to the database first. Otherwise, you may have administrative rights on the computer and you install the program, but when you try and run it, it won't run. And even the set-up files have to be authorized to run so you can't get completely through a set up file. Or if you replace -- you know if Microsoft replaces word.exe with a new version in a patch and you haven't authorized a new version, it won't run because it doesn't make a list by word.exe -- it makes a hash of the file and it is the hash that is in the database, and the hash is what the software looks at in determining what can run and what can't. So you can't just, you know, somebody can't just spoof word.exe and drop it onto my network and it will run because it won't match the security hash the program has in place.
FIELD: So Brent, a couple of questions here. One is when did you first deploy the Solution, and since then, what kind of results have you seen and how do you quantify those results?
RICKLES:: We've been using the software about four years now, I believe, and I can look at log files. The program has an excellent log file utility, and you can look at log files and see what is running on the program, and you can look and see what's been denied. You can tell it 'I want to see everything that has happened today,' and it will show you everything. or you can tell it only to show you what has been denied. There are a lot of different ways you can look at it and you can say what has been denied often this week, so you can see what is going on in your network.
So you can see if there are malware programs that are trying to get in, or programs that an employee has brought in that is trying to run and it wasn't, or you can see, you know, just everything that is going on; and so we can look at that. And we haven't had any problems is how we quantify that. It has seen issues that we've had to deal with. We haven't had any fires we had to put out. It has just worked very well for us.
FIELD: Brent, do you see any difference in sort of the behavior of sort of the rank and file employees now that there is this level of security is on the system?
RICKLES: We've done a pretty good job of teaching people about what they should and shouldn't do, but yeah, there's always somebody that is pushing the envelope a little bit, and not necessarily intentionally. They just don't think about it. But most people know the drill, and they understand and they like it. It gives them a feeling of protection, and it gives them a feeling of knowing that everything is taken care of and that the bank is taking steps to protect their computer, and they don't have to worry that if they do something unintentionally that they are not going to corrupt the bank network and that like that.
They like knowing that it gives them a safety net. Because there are a lot of people that will try and trick you into running a program, or you might run across a website that may be infested with malware that you didn't know about, and that just gives you a little extra feeling of security to know that there is something in place that will keep that from going on.
FIELD: Now in terms of regulatory compliance, what issues do you feel you have addressed with this solution, and I'd be curious what type of reaction you get from your examiners?
RICKLES: Of course, it gives us good protection from malware, and that is something that the examiners want to know that you have something in place to do that. We also -- through the database you can separate your users into groups just like you would in the Microsoft Windows active directory or something like that, you can break them into groups and you can say this group can run this program, and this group can run that program, and these other groups can't. So the audit staff can run a program that only the audit staff needs to run, and it also has the ability to monitor and restrict USB devices so you can completely prohibit USB devices, you can only allow certain USB type devices, and you can set the system up to monitor and log any files that are transferred. So that gives you protection from any files leaving the bank that are not authorized, and even those that are authorized you have a record of, and you know what was transferred and you can see what was done.
And examiners really like the program. They like the idea, they like the restriction and the extra bump-up, and they can see the advantages to that, and they can see how that is giving us extra control over our network, and we are being very proactive about what we do and how we guard the network. The examiners like you to be proactive. They like you to be taking those steps in whatever area you are doing it, they like to see that you are trying to stay in front of problems and get ahead of things.
FIELD: Brent, last question for you. In terms of some of the challenges that banking and security leaders like yourself face, including securing and protecting sensitive information and systems from targeted threats, at the same time enhancing network bandwidth and user productivity -- looking at these sort of sea of challenges, what advice would you offer to other banking and security leaders facing these?
RICKLES: Well, I would certainly recommend that they take a look at Lumension Security's End Point Protection Solution. It has really worked well for us. I feel like we've gotten a lot of benefits out of it. I think it offers a lot of security, and it would solve a lot of problems for people. I think you also have to look at having multiple layers of protection and having the types of products in place that can protect you from as many different things as possible.
Everybody likes "set it and forget it" technology, but that doesn't really exist in this area. You have to be proactive about what you are doing, you have to know what is going on in your network, and you need products that can help you do that. This a product we have been very successful with, and it has helped us in that regard.
FIELD: Excellent. Brent, thank you so much for your time and for your insight today.
RICKLES: You're welcome.
FIELD: Again, we've been talking with Brent Rickles, Senior Vice President of First National Bank of Bosque County in Texas. The topic has been securing financial data and systems through application whitelisting, and for more information on this topic you can visit www.lumension.com. Again, on behalf of Information Security Media Group and Lumension Security, I'm Tom Field. Thank you very much.