Snapshot the valid images that best represent the environment. Then run the whitelisting agent in audit mode and collect the exceptions: anything that executes but is not in the snapshot. If you can, forward each exception to its owner or stakeholder to see whether they can explain why a new executable suddenly started running. If they can't, which is often the case, forward it to someone who can investigate further. Fine-tune the detections as needed.
Can this be done in the real world?
Yes, it's already being done in thousands of companies, large and small. In particular, I've recently had experience with a large company that has more than 400,000 computers, and none of the users even realize it's been enabled. In this company, the security operations center reviews the reports each morning, looking for new executables that:
- Were installed in sensitive, protected areas (such as System32)
- Cropped up in a rash of new, unexpected installs across many machines
- Surfaced in unexpected installs on critical systems
- Ran at strange times (such as after everyone has gone home)
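The morning review above is a small amount of logic once the audit events are in a common shape. The following is an added example, not code from the article or from any particular whitelisting product: it assumes a hypothetical event format (host, path, SHA-256, ISO timestamp) into which AppLocker, WDAC or third-party audit events would first be normalized, uses a constructed baseline snapshot and constructed sample events, and applies the four criteria plus the owner-versus-investigator routing described earlier. The directory list, the critical-host set, the business-hours window and the rash threshold are assumptions to be tuned per environment.

```python
"""Baseline-and-exceptions triage for application-whitelisting audit events.

Added example, not from the article. Event fields and thresholds are
assumptions; real audit logs must be parsed into this shape first.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline: (lowercased path, sha256) pairs snapshotted from the
# known-good images. Hashing, not just path, so a replaced binary is still caught.
BASELINE = {
    (r"c:\windows\system32\svchost.exe", "aa11"),
    (r"c:\program files\vendor\app.exe", "bb22"),
}

PROTECTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")  # assumed
CRITICAL_HOSTS = {"dc01", "sql01"}                                   # assumed
WORK_HOURS = (7, 19)    # assumed: 07:00-19:00 local is business hours
RASH_THRESHOLD = 3      # assumed: same new binary on this many hosts in one report

# Constructed sample events, as an agent in audit mode might report them.
SAMPLE_EVENTS = [
    {"host": "ws001", "path": r"C:\Windows\System32\svchost.exe", "sha256": "aa11", "time": "2024-03-12T09:15:00"},
    {"host": "ws002", "path": r"C:\Windows\System32\updsvc.exe", "sha256": "cc33", "time": "2024-03-12T10:02:00"},
    {"host": "ws003", "path": r"C:\Users\bob\AppData\Local\Temp\helper.exe", "sha256": "dd44", "time": "2024-03-12T02:10:00"},
    {"host": "ws004", "path": r"C:\Users\carol\AppData\Local\Temp\helper.exe", "sha256": "dd44", "time": "2024-03-12T02:12:00"},
    {"host": "sql01", "path": r"C:\Windows\Temp\helper.exe", "sha256": "dd44", "time": "2024-03-12T02:15:00"},
    {"host": "ws005", "path": r"C:\Program Files\Vendor\app.exe", "sha256": "bb22", "time": "2024-03-12T11:00:00"},
    {"host": "ws006", "path": r"C:\Users\alice\Downloads\setup.exe", "sha256": "ee55", "time": "2024-03-12T14:30:00"},
]


def is_protected(path):
    """True if the binary sits under one of the protected system directories."""
    p = path.lower()
    return any(p.startswith(d + "\\") for d in PROTECTED_DIRS)


def is_off_hours(ts):
    """True for weekend execution or execution outside the business-hours window."""
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or not (WORK_HOURS[0] <= t.hour < WORK_HOURS[1])


def exceptions(events, baseline=BASELINE):
    """Step 1: drop everything that matches the snapshot of known-good images."""
    return [e for e in events if (e["path"].lower(), e["sha256"]) not in baseline]


def triage(events, baseline=BASELINE, critical=CRITICAL_HOSTS, rash=RASH_THRESHOLD):
    """Step 2: group the exceptions per binary, attach the reasons the SOC
    looks for, and route: any reason -> investigator, none -> owner."""
    by_hash = defaultdict(list)
    for e in exceptions(events, baseline):
        by_hash[e["sha256"]].append(e)

    findings = []
    for sha, evs in sorted(by_hash.items()):
        hosts = sorted({e["host"] for e in evs})
        reasons = []
        if any(is_protected(e["path"]) for e in evs):
            reasons.append("protected-dir")
        if len(hosts) >= rash:
            reasons.append("rash")
        if any(e["host"] in critical for e in evs):
            reasons.append("critical-host")
        if any(is_off_hours(e["time"]) for e in evs):
            reasons.append("off-hours")
        findings.append({
            "sha256": sha,
            "paths": sorted({e["path"] for e in evs}),
            "hosts": hosts,
            "reasons": reasons,
            "route": "investigate" if reasons else "owner",
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["sha256"], f["route"], ",".join(f["reasons"]) or "-", f["hosts"], f["paths"])
```

Running it on the constructed events yields three exceptions: the unknown binary in System32 goes to an investigator on the protected-directory rule alone; the binary that appeared on three hosts at two in the morning, one of them a database server, trips the rash, critical-host and off-hours rules together; and the one-off download in a user profile has no reason attached and is simply forwarded to the machine's owner for an explanation. Tune the thresholds downward on a small estate and upward on a large one, and expect to add the baseline entries the first few reports surface.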
The reports take some getting used to, as no one knows what to expect before the report is generated for the first time. No one really understands what their system's legitimate baseline is, and perhaps that's one of the best side benefits. Often, before setting up this type of auditing program, no one really has a good idea of what's running or being newly installed. Whitelist auditing provides that in spades.