Educause Security Discussion
mailing list archives
Bit9 and other whitelisting history
From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Tue, 16 Jul 2013 13:10:42 -0400
Many years ago, I designed a white-listing system that I knew would make a difference in system protection. It was
designed to "fill in the gaps" left by my design of Tripwire. I architected it to address the risks at every level of
Wyatt Starnes, the then-CEO of Tripwire, was really excited about the idea, and started some low-level development in
the late 90s. Wyatt left the company, and after a few years' downtime, bought the rights to the idea and I helped him
start a new company around it: SignaCert.
SignaCert has patents on several of the techniques it uses. One of the key elements of my design was to connect with
various companies producing software -- including Microsoft and Red Hat -- to get agreements on whitelist "harvesting."
Wyatt labored hard and long on this, and got a lot of buy-in from dozens of major players (including the ones
Where Bit9 and others (including some of the community harvesting done by antivirus vendors) depend on collecting
specimens "in the wild" to build their data sets, SignaCert collected them at the vendors, from the golden masters of
not only the releases, but of all the possible combinations of patch application. Thus, the signatures had extremely
high trust. Plus, the SignaCert approach took multiple different kinds of cryptographic hashes to ensure long-term
viability (inherited from my philosophy with Tripwire).
I will also note that Wyatt and I stressed internal security of the entire dataset and software chain, to ensure the
highest trust. We knew that if any of that was compromised, so was the entire trust chain. NB the contamination of
Bit9's database via certificate compromise a few months back.
Wyatt worked tirelessly with various industry leaders and government folk, including NIST, to get the idea more widely
adopted. Instead, several other vendors began to include similar ideas in their products (the core idea of
whitelisting is very old and public).
Ultimately, the timing was bad and sales didn't quite ramp as quickly as they wanted so the backers got cold feet;
SignaCert was sold at a loss to Harris Corp., where it continues to be operated as a subsidiary. If you visit
www.signacert.com you will see that it is still being marketed and developed, and it is SCAP certified. They have
various compliance management features built in, it seems.
Wyatt stayed with SignaCert for some time, and continued to try to ensure it was on a good trajectory. He retired
about 2 years ago -- well-deserved, but undoubtedly a little frustrated that we hadn't been able to make the timing
work a little better.
Neither Wyatt nor I are now involved with the company in any way; I never made anything off the system (I was hoping to
pay my daughter's college education, but...so much for dreams). I can't see that either of us is mentioned anywhere
on the WWW site.
I can't say anything about the current quality of the product because after Wyatt left, no one there has ever been in
touch with me. However, if you are on the market for such things, you might check it out. It has an excellent