Black Cat, White Cat
Deng Xiaoping might be the most important leader of the post-war era. One of the most famous sayings attributed to him is that it does not matter whether the cat is black or white as long as it catches mice. This pragmatic ideology allowed Deng to incorporate a market economy into an autocratic socialist system and create a most successful, though admittedly troubled, society.
Deng’s lesson is valid everywhere: we can argue about ideology forever, but true value is measured by results. The saying is also symbolically relevant to information security, as we tend to divide security controls into two major groups, black listing and white listing, which represent two opposite risk mitigation philosophies.
Black listing, sometimes called negative security or “open by default”, focuses on catching the bad guys by detecting attacks. Security controls such as Intrusion Prevention Systems and Anti-Virus software use various methods to do so. The most common method is matching signatures against network traffic or files. Other methods include rules which detect conditions that cannot be expressed as a pattern, and abnormal behavior detection.
White listing, on the other hand, allows only known good activity. Other terms associated with the concept are positive security, “closed by default” and policy enforcement. White listing is commonly embedded in systems; the obvious example is the authentication and authorization mechanism found in virtually every information system. Dedicated security controls which use white listing either ensure the built-in policy enforcement is used correctly or provide a second enforcement layer. The former include configuration and vulnerability assessment tools, while the latter include firewalls.
So which one is better? As Deng’s saying implies, the proof is in the pudding. That said, measuring the effectiveness of a security control is hard, and the two methods differ significantly in our ability to evaluate them. While the functionality of white listing solutions is often straightforward, black listing tools are compelling because they outsource the security expertise to the vendor. This makes them cheaper to operate but essentially “black magic” to the user. As a result, one has to rely on external sources and indicators to evaluate the effectiveness of such tools. One method would be assessing the vendor’s security research: the size of the research department, the quantity and frequency of delivery and industry thought leadership can all serve as indicators of its quality. Another method would be using benchmarks done by specialized labs such as NSS and ICSA. Such benchmarks have their cons, which deserve a separate discussion, including the fact that they are paid for by the vendors, but they are better than ignorance.
Another aspect of the gap between black listing and white listing tools is that, while in many cases two tools of the same family overlap, having both intrusion detection and policy enforcement solutions enhances security as they tend to catch different mice. When it comes to two tools employing the same methodology, one has to analyze the details to understand whether both are required and, if not, which is preferable. A good example would be intrusion prevention systems and web application firewalls, which essentially overlap in many common use cases.
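To make the two philosophies, and the “different mice” point above, concrete, here is an added Python example that is not part of the original post. It models a tiny input filter for two form fields: a black list of attack signatures (negative security, allow unless a known-bad pattern matches) and a per-field white list policy (positive security, block unless the value matches what the field is allowed to contain), then runs both over a handful of constructed requests. The signatures, field policies and sample requests are all made up for this illustration; a real IPS or WAF ships far larger signature sets and more elaborate policies.

```python
import re

# Black list: signatures for known attack patterns (constructed for this example).
# Each entry is (signature name, compiled pattern); a match means "block".
SIGNATURES = [
    ("sqli_union", re.compile(r"\bunion\s+select\b", re.I)),
    ("sqli_tautology", re.compile(r"'\s*or\s+'?\d*'?\s*=\s*'?\d*", re.I)),
    ("xss_script_tag", re.compile(r"<script\b", re.I)),
]

# White list: per-field policies describing what IS allowed (constructed for this example).
# The username policy is strict; the comment policy is deliberately loose (any printable ASCII).
FIELD_POLICIES = {
    "username": re.compile(r"[a-z0-9_]{3,16}"),
    "comment": re.compile(r"[\x20-\x7e]{1,200}"),
}


def blacklist_verdict(value: str):
    """Negative security: allow by default, block only if a known-bad signature matches."""
    for name, pattern in SIGNATURES:
        if pattern.search(value):
            return ("block", name)
    return ("allow", None)


def whitelist_verdict(field: str, value: str):
    """Positive security: block by default, allow only if the whole value matches the policy."""
    policy = FIELD_POLICIES[field]
    if policy.fullmatch(value):
        return ("allow", None)
    return ("block", f"{field}_policy")


def combined_verdict(field: str, value: str):
    """Layered enforcement: the request passes only if both controls allow it.
    The (cheaper) policy check runs first; the signature scan runs on whatever it admits."""
    verdict = whitelist_verdict(field, value)
    if verdict[0] == "block":
        return verdict
    return blacklist_verdict(value)


# Constructed sample requests (field, value) covering the interesting cases.
SAMPLE_REQUESTS = [
    ("username", "alice_01"),                          # benign; both allow
    ("username", "Jean-Luc"),                          # benign but outside policy: white list false positive
    ("username", "x' OR '1'='1"),                      # classic tautology; both block
    ("username", "x'/**/UNION/**/SELECT/**/1,2--"),    # comment-obfuscated UNION evades the signature; policy still blocks
    ("comment", "Great post, thanks!"),                # benign; both allow
    ("comment", "<script>alert(1)</script>"),          # loose comment policy admits it; signature blocks it
    ("comment", "<img src=x onerror=alert(1)>"),       # no signature for it and policy is loose: both miss it
]


def run_samples():
    """Return [(field, value, whitelist, blacklist, combined)] for every sample request."""
    results = []
    for field, value in SAMPLE_REQUESTS:
        results.append((
            field,
            value,
            whitelist_verdict(field, value),
            blacklist_verdict(value),
            combined_verdict(field, value),
        ))
    return results


if __name__ == "__main__":
    for field, value, wl, bl, both in run_samples():
        print(f"{field:8} {value!r:40} whitelist={wl} blacklist={bl} combined={both}")
```

The four middle cases carry the argument: the strict username policy blocks a legitimate but unusual name (the cost of “closed by default”), the obfuscated UNION slips past a signature written for the well-known spelling but never satisfies the policy, the `<script>` payload sails through the loose comment policy and is caught only by the signature, and the `onerror` payload is missed by both, which is exactly why you cannot judge a black list by a demo and have to look at the vendor’s research and independent benchmarks instead.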