Is Whitelisting the Answer To the Rise In Data Breaches?

MojoKid writes "It doesn't take a rocket scientist to figure out that cyber criminals are quickly getting more sophisticated than current security, intrusion detection and prevention technology can defend against. And you have to wonder if the computer security industry as a whole is willing to take the disruptive measures required to address the issue head-on. One way to tackle the surging data breach epidemic is with a technology called "whitelisting." It's not going to sound too sexy to the average end user and frankly, even CIOs may find it unfashionable but in short, whitelisting is a method of locking-down a machine such that only trusted executables, DLLs and other necessary system and application components are allowed to run – everything else is denied. A few start-up security companies are beginning to appear in this space. The idea is to start with a known, clean system installation and then lock it down in that state so absolutely nothing can be changed. If you follow system security, regardless of your opinion on the concept of whitelisting, it's pretty clear the traditional conventions of AV, anti-malware, intrusion detection and prevention are no longer working."

NetBSD can do this already

http://netbsd.org/docs/guide/en/chap-veriexec.html
Veriexec is NetBSD's file integrity subsystem. It's kernel based, hence can provide some protection even in the case of a root compromise.Veriexec works by loading a specification file, also called the signatures file, to the kernel. This file contains information about files Veriexec should monitor, as well as their digital fingerprint (along with the hashing algorithm used to produce this fingerprint).