I agree, Jonathan. I've been a fan of application whitelisting since the Bit9 days, but it's hard to get organizations to shift their "paradigm" from the old DAT file AV mindset. My thinking has actually moved toward virtualizing desktops with something like XenDesktop so that users just have thin or zero clients on their desk. In fact, all they need is a keyboard, mouse and monitor with the thin client built in. AV is almost a non-issue in that situation because once a user's session is over their machine gets destroyed and a new one provisioned for the next time they log in. Also cool is having to patch just the "golden image" from which VMs get generated, not every endpoint in the enterprise. Funny how that model harkens back to the old mainframe days, where all compute was served from the glass room and endpoints just had screen-scrapes to work with.
Actually, Sanctuary Application Control was one of the whitelisting leaders when it was acquired by Lumension, who also then acquired CoreTrace for the Bounce product's excellent memory protection, which then put it in front of the Bit9 and SolidCore software as hackers started to use memory injection and reflection attacks to get around app whitelisting, that is, unless they could steal the public PKI key like they did to Bit9. Virtual endpoints with non-persistent images seem like the answer, but the end user experience isn't always great.
Yep, a lot of customers are going down the virtual route, but this still leaves room for whitelisting on those machines.
Especially as the images are exposed to harsh conditions like being streamed over Starbucks WiFi or dirty hotel WiFi connections. In addition, this creates a big hole for Device Control: many environments are configured to allow USB drive mapping and local hard drive mapping, and forget about local printers being mapped into the virtual sessions automatically from the user's home computer, library system or whatever device they use to access the virtual session.
Data leaks from these situations have only increased, even when not being performed by a malicious user: they accidentally print to the wrong printer or save a doc to the local hard drive where Dropbox is auto-syncing files from all folders, and now corporate data exists inside the cloud.
This same vector can be used to attack those machine images: a targeted email to the end user, a local executable sitting on the desktop when it is mapped into the Citrix or virtual machine, autoplay, or even worse, something loaded into a driver as a keyboard or HID attached device that cannot be blocked for fear of the user not being able to interact with the machine. Trivial to worm your way into the session, and even though the session is fresh and uncompromised, as long as the host device is compromised the session will continue to be fair game and exploitable.
AV is a waste of time in these situations, but a more hardened Application Control policy can ensure those images remain clean.
When combined with Device Control, it creates an excellent layer of defence against attacks.
Excellent comments Brett. Thanks very much!