The Tech Herald

CoreTrace releases Bouncer 4.0 and redefines whitelisting

by Steve Ragan - Sep 9 2008, 18:59

Bouncer 4.0 offers trusted change to whitelisting. (Image: J. Anderson)

Yesterday at the DEMOfall 08 technology conference, CoreTrace released version 4.0 of Bouncer, its whitelisting application. The new addition to Bouncer is a process called 'Trusted Change', which removes the old standards of whitelisting and ensures that the computer will run what it is supposed to run... nothing more and nothing less.

Before the launch at DEMOfall, I sat and talked with Toney (CEO of CoreTrace), JT (VP of Marketing), and Wes (Product Manager). These three are passionate about their products, and it showed when they explained the good and the bad. The conversation started with them explaining why blacklisting applications are the way of the past.

In short, with so many applications these days that can come into a network, managing a single blacklist on a granular level is impossible. IT will end up spending more time on blacklist management and less time on actual issues within the company -- whereas whitelisting will simply allow the IT manager to list what is allowed, and everything else is blocked.

However, more than just assigning applications that are allowed, the new Trusted Change abilities CoreTrace has released will give you all the advantages of whitelisting without the need to fight end users and even your own IT staff.

Now, without coming off as a person drinking the CoreTrace Kool-Aid, remember this: whitelisting is not for every IT shop. There are advantages and disadvantages.

One of the largest downsides is that often whitelisting starts with a bang and IT loves it, then it stops working. The reason it stops, and is deemed useless, is that the applications that are already in the whitelisted database are not the applications users are installing.

With millions of applications online, the problems faced with blacklisting extend into whitelisting as well: no single whitelist will cover everything. Another issue is, as mentioned, that users hate it. Everyone in the company has a different level of computer experience, but all of them know what they want and will install it one way or another.

Ever have a laptop shipped in for repair from a traveling sales executive, loaded with spyware and toolbars, iTunes and games? Add to this that Mr. Executive -- a computer guru -- explains that nothing he did messed up the laptop. Forget the fact that he switched off managed OS and AV updates because someone gave him admin access, or that he installed several other things that were, in his opinion, cool; his laptop is slow and doesn’t work right, thus it is the IT department’s fault.

In this situation whitelisting can help, but offering control and balance has been the downfall of the whitelisting industry for a while. This is where Trusted Change comes into play.

During my talk with CoreTrace, I tried to understand how Trusted Change was any different from traditional whitelisting methods. After a while, most of the whitelist 'solutions' tend to overlap. What is different, I asked them, in what CoreTrace is offering over simply locking down the systems and users? As it turns out, my question was close to the same ones the company used when developing Trusted Change.

The difference is that, with Trusted Change, IT still uses a whitelist, only now they can define who, what, and where. Bouncer 4.0, out of the box, will allow IT to define 'trust' from the initial deployment. This means they can assign trust to a user or group -- or, in the case of Mr. Executive, remove trust -- and assign trust to an application, network resources, and more.

With this you can grant single users control over what they can install and give them freedom, while still preventing applications that would cause your company to fail compliance audits. You can assign trust to network shares and all the things in this share to everyone. Assign trust to signed applications from various vendors and companies, or allow those on the road access to update drivers and install software without the need to give them complete 'admin' control.

What this has removed is the need for IT to sit and approve each and every application that's not in the existing whitelist database. There is no waiting, as IT will assign approval on-the-fly and, because of how it is deployed, most if not all of the common applications and users are already approved, no matter what they are doing.
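To make the who, what and where idea concrete, here is an added Python model of a static hash whitelist beside a trust-based policy that also learns approvals on the fly. It is not CoreTrace code and does not claim to show how Bouncer is built; user names, share paths, publisher names and digests are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

@dataclass
class ChangeEvent:
    """One attempted install or execution, as a client might report it."""
    user: str
    path: str              # where the binary comes from (local disk or a share)
    sha256: str            # constructed placeholder digest, not a real file hash
    signer: Optional[str]  # code-signing publisher, None when unsigned

@dataclass
class TrustPolicy:
    known_hashes: Set[str]                                  # classic static whitelist
    trusted_users: Set[str] = field(default_factory=set)    # who
    trusted_signers: Set[str] = field(default_factory=set)  # what
    trusted_shares: Set[str] = field(default_factory=set)   # where (path prefixes)

def static_whitelist(policy: TrustPolicy, ev: ChangeEvent) -> str:
    """Old-style whitelisting: only a pre-approved hash may run."""
    return "allow" if ev.sha256 in policy.known_hashes else "block"

def trusted_change(policy: TrustPolicy, ev: ChangeEvent) -> Tuple[str, str]:
    """Trust-based whitelisting: a trusted user, signer or origin share can
    approve an unknown binary, and the approval is learned into the whitelist."""
    if ev.sha256 in policy.known_hashes:
        return "allow", "hash already whitelisted"
    if ev.user in policy.trusted_users:
        reason = f"user {ev.user} holds trust"
    elif ev.signer is not None and ev.signer in policy.trusted_signers:
        reason = f"signed by trusted publisher {ev.signer}"
    elif any(ev.path.startswith(share) for share in policy.trusted_shares):
        reason = "originates from a trusted share"
    else:
        return "block", "untrusted change"
    policy.known_hashes.add(ev.sha256)  # approval assigned on the fly, no IT ticket
    return "allow", reason

# Constructed sample policy and events (hypothetical names and digests).
POLICY = TrustPolicy(
    known_hashes={"sha256:office-suite"},
    trusted_users={"field_engineer"},
    trusted_signers={"Example Hardware Corp"},
    trusted_shares={"\\\\fileserver\\approved\\"},
)
DRIVER_UPDATE = ChangeEvent("road_warrior", "C:\\Downloads\\nicdrv.exe",
                            "sha256:nic-driver", "Example Hardware Corp")
SHARE_INSTALL = ChangeEvent("accounting", "\\\\fileserver\\approved\\erp.msi",
                            "sha256:erp-client", None)
TOOLBAR = ChangeEvent("mr_executive", "C:\\Downloads\\cooltoolbar.exe",
                      "sha256:unknown-toolbar", None)  # unsigned, untrusted user

def compare(ev: ChangeEvent) -> Tuple[str, str]:
    """Return (static decision, trusted-change decision) for one event."""
    return static_whitelist(POLICY, ev), trusted_change(POLICY, ev)[0]
```

The static list blocks the legitimate driver update and the share install just as it blocks the toolbar; the trust rules let the first two through and learn their hashes, while the unsigned download by an untrusted user stays blocked.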

The trick is to set the policy up ahead of time and, after a week or so of monitoring, tweak it. When you make changes, they are instant, so there is no need to repeat the same step time and time again.

There are six steps to deployment, and most of the work starts with a wizard that does the legwork for you. Inside the Bouncer console, use the wizard to define what is trusted; trust can be almost anything, from applications to users. After that, deploy the client to the end-user systems. The Bouncer console is mostly drag and drop for policy and whitelist creation, so once the client is deployed you can start creating a custom whitelist designed for each end-user system or a group of them. The last three steps are centered on enforcement and tweaking: you enforce the rules you have created, check the reports for configuration or security issues, and after some minor tweaks you are done.

The security aspect is comprehensive. Moving back to Mr. Executive, let's say he does install some toolbars and, without knowing it, malware too. The malware will make changes to the system, untrusted changes, that Bouncer picks up on and stops, if not blocks outright. While not a replacement for traditional desktop security and AV protections, the extra hardening of the system processes stops most of the malware cold.

This was seen in a live example at this year's Defcon conference. Bouncer tested all the virus samples from the Race to Zero contest, stopping every one of them. There were no infections reported by contest organizers on systems that used CoreTrace offerings. As I have mentioned before, layers are good. 

So should you rush out and buy CoreTrace? No, not at all. As I said, whitelisting is not for every IT shop on the block. What you should do is watch the online demo for Bouncer or research the whitelisting market and check a few vendors out.

There is a good deal of promise in whitelisting, but you need to make sure it will fit your company’s needs before you pitch it to management.
