The Nevada sun has set on the first day of Black Hat briefings. Exhibitors, IT security professionals, and gamblers alike have one thing on their minds: ROI. At the Bit9 booth in Las Vegas, there is record turnout. The record attendance at Black Hat may be partly due to the elevated attention paid to enterprise computer (in)security by the media of late. I see few other vendors that have a similarly credible story regarding mitigating advanced threats against the endpoint, and I like to think this has affected the substantial interest we see at our booth.

I’ll report on some of the highlights of the Black Hat talks I attended in a later post, but I feel the need to clarify some terminology. I’m a bit of a stickler for precision in terminology, and it’s important that folks in the industry understand and adhere to convention in their use of industry terms, or risk diluting the terms, losing their credibility, or both. In particular, I find that there’s a lot of misuse of the term “whitelisting”.

One booth I visited belonged to another vendor, which shall remain nameless, that claimed to have some aspect of whitelisting in its product. The term “application whitelisting” is not used by many vendors other than Bit9, so I was curious as to what this vendor meant when they used the term. I’ll paraphrase their answer: “any application which is not determined to be bad is remembered as being ok, and therefore whitelisted”.

This, friends, is a great example of poor terminology in practice. By this definition, any application encountered that is not on the “blacklist” is on the “whitelist” – thus making the term “whitelist” utterly redundant. Application whitelisting is supposed to mean an intentionally generated list of allowed software – a “default deny” position, which enhances security by dealing with software that is newly introduced into the system on a case-by-case basis, rather than trying to run scanners and heuristics to determine if the software is “bad” and allowing that software to run if it passes the heuristics du jour. That’s a losing game – always has been, always will be. Trying to defeat the Turing-complete logic behind that argument is akin to trying to invent a perpetual motion machine.
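To make the distinction concrete, here is an added example (not code from the original post or from any vendor) that evaluates the same constructed sample binaries under both rules: the vendor’s “not determined to be bad, therefore remembered as ok” policy, and a default-deny list of intentionally approved hashes. The hashes, the “known bad” entry and the toy heuristic are all constructed stand-ins.

```python
import hashlib

# Constructed sample: the only binaries an administrator deliberately approved.
APPROVED_HASHES = {
    hashlib.sha256(b"corp-approved-editor-v1").hexdigest(),
    hashlib.sha256(b"corp-approved-browser-v3").hexdigest(),
}
# Constructed sample: the blacklist of software already known to be bad.
KNOWN_BAD_HASHES = {hashlib.sha256(b"old-known-malware").hexdigest()}


def looks_bad(content):
    """Stand-in for the 'heuristics du jour': it can only flag patterns it was taught."""
    return b"EVIL-MARKER" in content  # toy heuristic, constructed for this example


def vendor_pseudo_whitelist(content, remembered):
    """'Anything not determined to be bad is remembered as ok.'
    This is default-allow in disguise: the 'whitelist' is a cache of blacklist misses."""
    digest = hashlib.sha256(content).hexdigest()
    if digest in remembered:
        return "allow", "previously remembered as ok"
    if digest in KNOWN_BAD_HASHES:
        return "deny", "on blacklist"
    if looks_bad(content):
        return "deny", "heuristic match"
    remembered.add(digest)  # never reviewed by anyone, yet now 'whitelisted'
    return "allow", "not known bad (remembered as ok)"


def default_deny_whitelist(content):
    """Application whitelisting proper: run only what was intentionally approved."""
    digest = hashlib.sha256(content).hexdigest()
    if digest in APPROVED_HASHES:
        return "allow", "on approved list"
    return "deny", "not approved; handle case by case"


def compare(content, remembered=None):
    """Decision of each policy for one binary, as {policy: (verdict, reason)}."""
    remembered = set() if remembered is None else remembered
    return {
        "pseudo": vendor_pseudo_whitelist(content, remembered),
        "default_deny": default_deny_whitelist(content),
    }


if __name__ == "__main__":
    # The case that matters: brand-new software no signature or heuristic recognises.
    novel = b"never-before-seen binary with no known signature"
    for name, sample in [("approved editor", b"corp-approved-editor-v1"),
                         ("known malware", b"old-known-malware"),
                         ("novel unknown", novel)]:
        print(name, compare(sample))
```

Only the default-deny policy stops the novel binary; the pseudo-whitelist allows it and then remembers it as ok, which is exactly the redundancy the post describes.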

It is a challenge for folks evaluating IT security solutions when the vocabulary pool is polluted like this. I don’t begrudge other vendors making their pitch for solving some part of the IT security problem, but let’s get the terminology right and not claim too much credit. Be precise: say what you mean, and mean what you say.
