Much has been said on the topic of the convergence of IT Security and IT Operations. We all see the trend - or steady march now - towards an integrated business function where security is built into every process and aspect of how information technology is managed at a company.
The security industry welcomes this because, let's face it, it's a fight to get people to pay attention to security. System admins too often view security as an afterthought, and one that is rarely prioritized the way it ought to be.
But what few people in the security industry seem to realize is that IT security has become too complex for most administrators on the operational side. Malicious software has become so hard to detect - and malicious behavior is so hard to distinguish from legitimate behavior - that the amount of attention a typical admin must pay to overseeing security audit trails and policies is overwhelming.
Let's look more at the situation on the desktop. Think of how many layers of security now exist on a PC: antivirus, antispyware, personal firewall, HIPS, popup-blockers, URL filtering... the list goes on. Each of these tools has its own security policy, its own set of audits and reports, its own management interface. And as IT security organizations succeed in pushing these tools onto enterprise desktops, it is the IT operations group that has to deal with it all.
Even where agents and consoles are integrated or combined, each technology has its own unique philosophy - meaning that the policies require specialization to properly implement. And after all, it is the implementation of the policy that determines how well the underlying assets are protected. A nuclear power plant can have all the right precautionary procedures in place, but if the workers refuse to follow them... meltdown.
So what is the real effect on an IT organization and its security effectiveness? If security is too complex to manage, IT admins either set policies too loosely (at which point the security layer adds little) or they make too many configuration errors (which often cancel out the security benefit). Plus, the specialization required to operate these tools means additional training, additional headcount, or a similar impact on cost and operation. This trend is sadly only getting worse.
That's where whitelisting comes in. Whitelisting represents a complete reversal in thinking: instead of trying to identify every piece of malicious software so it can be blocked, you identify the software that is authorized to run and deny everything else by default. The skillset required to identify a "good" or "authorized" piece of software is far more common in existing IT organizations. Customers like that - it's easy for them to implement, it sets a higher security baseline, and it significantly reduces the attack surface they need to devote attention to.
There has been a lot of discussion lately about whitelisting as a security technology. Several experts appear to be questioning its effectiveness against emerging threats (a point I am happy to argue, by the way). They claim that whitelisting simply cannot substitute for the many researchers who devote their lives to identifying malicious software.
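To make the "reversal in thinking" of the previous two paragraphs concrete, here is an added example (my own code, not the original post's and not any vendor's product): a hash-based allowlist that denies by default, placed beside a signature-style blocklist that allows by default, run over the same set of binaries. The file names, their contents and both hash sets are constructed for the example; real products key on more than a plain content hash (publisher signatures, paths, trusted installers), which this deliberately leaves out.

```python
# Added example (not from the original post): default-deny allowlist beside a
# default-allow blocklist. Sample "executables" are constructed byte strings.
import hashlib
from typing import Dict, Set, Tuple


def sha256_hex(data: bytes) -> str:
    """Fingerprint a binary's contents; any changed byte yields a new hash."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables on a desktop (bytes, not real files).
SAMPLES: Dict[str, bytes] = {
    "editor.exe": b"MZ\x90\x00 approved text editor build 1.0",
    "known_worm.exe": b"MZ\x90\x00 worm already catalogued by researchers",
    "fresh_malware.exe": b"MZ\x90\x00 never seen by any research lab",
    # Same editor with two bytes appended: an unauthorised modification.
    "editor_tampered.exe": b"MZ\x90\x00 approved text editor build 1.0" + b"\x00\xcc",
}


def build_allowlist(approved: Dict[str, bytes]) -> Set[str]:
    """The task IT operations already knows how to do: enumerate the software
    it installed and authorised, then record the hash of each binary."""
    return {sha256_hex(data) for data in approved.values()}


# Operations authorised only the editor; research has only identified the worm.
ALLOWLIST: Set[str] = build_allowlist({"editor.exe": SAMPLES["editor.exe"]})
BLOCKLIST: Set[str] = {sha256_hex(SAMPLES["known_worm.exe"])}


def blocklist_decision(data: bytes, blocklist: Set[str] = BLOCKLIST) -> str:
    """Signature model: run anything not yet identified as bad (default allow)."""
    return "deny" if sha256_hex(data) in blocklist else "allow"


def allowlist_decision(data: bytes, allowlist: Set[str] = ALLOWLIST) -> str:
    """Whitelisting model: run only what was identified as good (default deny)."""
    return "allow" if sha256_hex(data) in allowlist else "deny"


def compare(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Tuple[str, str]]:
    """Return (blocklist verdict, allowlist verdict) for every sample."""
    return {name: (blocklist_decision(d), allowlist_decision(d))
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, (block, allow) in compare().items():
        print(f"{name:22} blocklist={block:5} allowlist={allow}")
```

The two rows worth studying are `fresh_malware.exe`, which the blocklist waves through because no researcher has catalogued it yet while the allowlist denies it without needing to know anything about it, and `editor_tampered.exe`, which shows the flip side: every legitimate patch changes a hash too, so the allowlist has to be maintained by the same operations process that deploys software, which is exactly the process the previous paragraph argues IT organizations already have.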
But I put the question back to the industry: if the technology we create to identify malicious software is too complex for people to use - have we really done our jobs? Have we successfully crossed from the theoretical to the practical? Are we really protecting people? Personally, I don't think so. That's what whitelisting represents for me - and for many of our customers - the most practical way to converge desktop security and operations.