By Hunter Donahue
“Application whitelisting is the practice of specifying an index of approved software applications or executable files that are permitted to be present and active on a computer system,” as defined by SearchSecurity. In short, any application not on the “whitelist” is blocked from executing. It works in contrast to blacklisting, in which you block specific applications from running. Both whitelisting and blacklisting serve to prevent malicious applications, such as malware, from executing on endpoints.
Reasons to Adopt Application Whitelisting:
According to data from PurpleSec, 230,000 new malware samples are produced every day, and this number will only continue to grow. With this ever-expanding volume of malicious activity, it’s difficult to block each type or variant through the common process of blacklisting. Whitelisting provides a proactive approach to blocking new and emerging threats, potentially even “zero-day” threats; it raises the cost to adversaries and reduces the potential risk to your enterprise.
In addition to preventing endpoints from executing insecure or unauthorized applications, application whitelisting supports a host of other benefits that work to improve the security posture of your enterprise.
1. Balance Resource Demand
Managing the resources used by employees can be a difficult task, especially when some applications are prone to slowing down the network. Application whitelisting provides the ability to better control this demand on resources within your enterprise. When a system can only run whitelisted applications, system crashes and slowdowns are less prevalent, as a frequent cause of both is increased demand on resources. Bottom line: fewer applications for your IT team to support with installation, patching and troubleshooting.
2. Better Utilize Your Existing Tech
If your enterprise is Microsoft-based, you’re ahead of the pack in terms of the available options for application whitelisting. Windows Defender Application Control (WDAC), Software Restriction Policies (SRP), and AppLocker are all native in enterprise-level Windows deployments and offer many of the capabilities necessary to create a robust Application Whitelisting program.
For Linux systems, options such as fapolicyd provide a free and open-source approach. Many application whitelisting solutions can also allow apps to run based on a reputation source rather than a definitive blacklist or whitelist.
3. Application Resource Monitoring
Another benefit is that application whitelisting solutions can also monitor other types of application-related files, such as scripts, browser extensions, libraries, configuration files, and macros.
Types of Application Whitelisting
Application whitelisting extends beyond naming specific applications to allow or block. For example, file and folder attributes are another form of whitelisting you should consider. Attribute-based application whitelisting picks a specific variable, such as file size, filename or file location, that is allowed or disallowed within your environment for specific users. Choosing attributes is largely a matter of achieving a balance between security, organizational efficiency, and user experience. Simpler attributes such as file path, filename, and file size should not be used by themselves unless strict access controls are in place to restrict file activity; their advantage is that they are easy to administer and improve the user experience. A combination of digital signature/publisher and cryptographic hash techniques generally provides the most accurate and comprehensive application whitelisting capability, but this puts a larger burden on the organization and is harder to maintain in larger environments.
Whitelist Generation and Maintenance
The number of executables necessary to run everyday operations is surprisingly large, which is why generating your whitelist takes some time and attention. To create the list, it’s best to combine a vendor pre-approved list of the applications and functions necessary in an environment with a company baseline of applications generated from a clean host.
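The script below is an added example, not code from the original article or from any of the products it names (AppLocker, WDAC, fapolicyd). It builds a baseline allowlist from a constructed “clean host” image, then evaluates the same execution requests under a path-only policy, a hash-only policy, and a publisher-or-hash policy, so the trade-offs described above (path rules are weak on their own; hash rules are precise but break on every vendor update; publisher rules lower the maintenance burden) can be seen side by side. All paths, publisher names and file contents are constructed stand-ins; the “publisher” field stands in for a verified code-signing identity that a real product would read from the file’s signature.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed "clean host" image: path -> (file contents, verified publisher).
# Contents are placeholder byte strings, not real executables.
CLEAN_HOST: Dict[str, Tuple[bytes, Optional[str]]] = {
    "/usr/bin/editor":  (b"ELF editor v1.0", "Example Editor Co."),
    "/usr/bin/sh":      (b"ELF sh 5.1", None),             # unsigned, hash-pinned only
    "/opt/corp/ledger": (b"ELF ledger 2.3", "Example Corp"),
}


def sha256(data: bytes) -> str:
    """Cryptographic hash used as the content identity of a file."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Baseline:
    hashes: FrozenSet[str]      # approved SHA-256 digests (content identity)
    publishers: FrozenSet[str]  # approved signing identities
    paths: FrozenSet[str]       # approved installation paths (weak attribute)


def build_baseline(host: Dict[str, Tuple[bytes, Optional[str]]]) -> Baseline:
    """Generate the allowlist from a clean host: the 'company baseline' step."""
    return Baseline(
        hashes=frozenset(sha256(data) for data, _ in host.values()),
        publishers=frozenset(pub for _, pub in host.values() if pub),
        paths=frozenset(host.keys()),
    )


@dataclass(frozen=True)
class ExecRequest:
    path: str
    data: bytes
    publisher: Optional[str]  # None when the file is unsigned


MODES = ("path", "hash", "publisher_or_hash")


def decide(baseline: Baseline, req: ExecRequest, mode: str) -> str:
    """Return 'allow' or 'deny' for one request under one attribute policy."""
    if mode == "path":
        ok = req.path in baseline.paths
    elif mode == "hash":
        ok = sha256(req.data) in baseline.hashes
    elif mode == "publisher_or_hash":
        ok = req.publisher in baseline.publishers or sha256(req.data) in baseline.hashes
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return "allow" if ok else "deny"


# Constructed execution requests seen after the baseline was taken.
SCENARIOS: Dict[str, ExecRequest] = {
    "known_good":       ExecRequest("/usr/bin/editor", b"ELF editor v1.0", "Example Editor Co."),
    "replaced_binary":  ExecRequest("/usr/bin/editor", b"ELF something else", None),
    "vendor_update":    ExecRequest("/usr/bin/editor", b"ELF editor v1.1", "Example Editor Co."),
    "copied_elsewhere": ExecRequest("/tmp/ledger", b"ELF ledger 2.3", "Example Corp"),
    "unknown_tool":     ExecRequest("/home/user/tool", b"ELF tool 0.1", None),
}


def decision_matrix() -> Dict[str, Dict[str, str]]:
    """Evaluate every scenario under every policy mode."""
    baseline = build_baseline(CLEAN_HOST)
    return {name: {mode: decide(baseline, req, mode) for mode in MODES}
            for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    matrix = decision_matrix()
    print(f"{'scenario':18}" + "".join(f"{m:20}" for m in MODES))
    for name, row in matrix.items():
        print(f"{name:18}" + "".join(f"{row[m]:20}" for m in MODES))
```

Reading the output row by row: a file swapped in at an approved path is allowed by the path-only policy and denied by the other two, which is the reason the text says path, filename and size should not be used alone. A signed vendor update at the same path is denied by the hash-only policy, which is the maintenance burden of pinning hashes in a large environment, while the publisher-or-hash policy allows it without a baseline change. Note the trade-off in the publisher rule: anything signed by an approved publisher is allowed, so the set of approved publishers has to be curated as carefully as the hash list.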
The U.S. National Institute of Standards and Technology (NIST) provides a detailed approach to implementing application whitelisting. We’ve summarized the guidelines below, but the full breakdown can be found in NIST’s guidelines.
1. Plan - The first phase involves identifying current and future needs for application whitelisting; specifying requirements for performance, functionality, and security; and developing necessary policies.
2. Design - The second phase involves all facets of designing the application whitelisting solution. Examples include architectural considerations, whitelist management, cryptography policy, and security aspects of the solution itself.
3. Test - The next phase involves implementing and testing a prototype of the designed solution in a lab or test environment. The primary goals of the testing are to evaluate the functionality, management, performance, and security of the solution.
4. Deploy - Once the testing is completed and all issues are resolved, the next phase includes the gradual deployment of the application whitelisting technology throughout the enterprise.
5. Manage - After the solution has been deployed, it is managed throughout its lifecycle. Management includes solution maintenance and support for operational issues. The lifecycle process is repeated when enhancements or significant changes need to be incorporated into the solution.
Application whitelisting isn’t perfect, but it’s a powerful tool that adds a proactive layer to the protection of your enterprise. On top of these security benefits, application whitelisting helps enhance and optimize your enterprise’s IT controls. By developing a thorough plan, following best practices, and committing to managing your solution, application whitelisting can play a central role in your organization’s success while significantly improving its security posture.