People have been debating the trade-off between cost and effectiveness in security technologies since the dawn of the Internet. One such debate occurred in the SearchSecurity article Schneier-Ranum Face-Off on White-Listing and Blacklisting. Marcus Ranum is the chief of security for Tenable Security and a recognized innovator in firewall and intrusion detection system technologies. He leads this debate with “security effectiveness.” He suggests blacklisting technologies have failed to keep up with the malware explosion. White listing, he insists, addresses this problem, and enterprises should accept the cost of managing a white list.

Bruce Schneier is chief security technology officer of BT Global Services and a recognized computer security technology expert, cryptographer and writer. He leads this debate with “controlling cost and complexity.” He argues that in various implementations, maintaining a blacklist is easier when the blacklist is small, compared to a huge white list.

In our opinion, both methods can be effective if applied correctly to the right context. Rather than applying a one-size-fits-all solution, the method depends on what you are trying to achieve.


Blacklisting can work effectively against non-targeted and large-scale attacks where real-time intelligence is available. Let’s take financial malware, for example. It is notoriously famous for bypassing antivirus, signature-based detection. Some solutions, like IBM Security Trusteer Rapport, use behavioral blacklisting to effectively stop those threats.

Malware developers can adjust their software to evade detection, however. A blacklisting-based control can then use real-time intelligence to detect the change across many endpoints, deploy a counter-measure through the cloud and break the attack before it can gather any steam. Because the cost of adapting the control is lower than the cost of adapting the malware, the hackers are at a major disadvantage.

This isn’t true for targeted attacks in the enterprise world. In this case, a single attack on a large enterprise can be developed over a long period of time, using zero-day exploits to evade detection, delivering advanced malware to a few endpoints and exfiltrating data using encrypted channels. In this case, blacklisting technologies cannot provide an effective solution and the targeted nature of the attack means that timely intelligence is simply not available.

White Listing

White listing makes very few assumptions about the nature of the threat because it focuses on the list of known good application files; however, managing this list is a daunting task. Imagine what is required to vet new application files introduced by employees’ downloads and installs or through updates. And there’s an ongoing concern that you could accidentally white list malware files (yes, this can happen).

Beyond additional work for the IT department, white listing places severe restrictions on knowledge workers’ productivity that goes against current trends in BYOD and IT consumerization. Does this mean that you must accept the cost of white listing if you truly want to reduce the risk of targeted attacks? Innovation should focus on using a white-listing approach that can work for large enterprises.

Tailoring White-Listing

Maybe it isn’t necessary to white-list every single good file in the universe. Employees’ endpoints are often compromised by zero-day exploits that deliver malware to the file system and execute it. If we can stop the exploitation of vulnerable Internet-facing apps (Web browsers; Adobe Reader, Acrobat and Flash; Microsoft Office and Java) by white-listing the legitimate ways they can access the file system or other processes, we can protect users when they go to the wrong Web sites and open up the wrong documents. This reduces the attack surface considerably.

If users are lured to directly install malware on the endpoint, the malware must communicate with its C&C server and the attackers to exfiltrate data. What if we could control which applications talk to the Internet and how they do it (directly or via other processes) using a tightly managed white list? It could be a great way to detect endpoint compromise before the damage is done and evasion tactics are used to fool network controls. The innovation cycle for protecting users from targeted attacks is accelerating. Solving this security challenge in a way that large enterprises can actually deploy is the Holy Grail of security.

More from Endpoint

The Needs of a Modernized SOC for Hybrid Cloud

5 min read - Cybersecurity has made a lot of progress over the last ten years. Improved standards (e.g., MITRE), threat intelligence, processes and technology have significantly helped improve visibility, automate information gathering (SOAR) and many manual tasks. Additionally, new analytics (UEBA/SIEM) and endpoint (EDR) technologies can detect and often stop entire classes of threats. Now we are seeing the emergence of technologies such as attack surface management (ASM), which are starting to help organisations get more proactive and focus their efforts for maximum…

5 min read

X-Force Identifies Vulnerability in IoT Platform

4 min read - The last decade has seen an explosion of IoT devices across a multitude of industries. With that rise has come the need for centralized systems to perform data collection and device management, commonly called IoT Platforms. One such platform, ThingsBoard, was the recent subject of research by IBM Security X-Force. While there has been a lot of discussion around the security of IoT devices themselves, there is far less conversation around the security of the platforms these devices connect with.…

4 min read

X-Force Prevents Zero Day from Going Anywhere

8 min read - This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…

8 min read

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

12 min read - ‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

12 min read