Enterprise security and resource management are of utmost importance for any organisation these days. Application whitelisting is a proactive threat mitigation technique that allows pre-authorised programs or software to run while all the others are blocked by default.
Benefits of Application Whitelisting
Along with security controls, application whitelisting also provides the added benefit of resource management within a network. Since only whitelisted applications can run, system crashes and lags are considerably reduced even as demand for network resources scales up. This technology was originally developed to prevent the use of unauthorised or unlicensed software. However, with the advent of cyber threats, unauthorised downloads, malware, adware, and malicious email attachments, it has demonstrated its efficacy in preventing security attacks and unauthorised file executions as well. Last but not least, it also keeps an inventory of the applications and versions installed on your network.
How Application Whitelisting Works
In stark contrast with the traditional blacklisting used by most antiviruses, where only specific known-bad applications are blocked, application whitelisting places control over which programs can run on a given machine or network in the hands of the administrators. Any program that wishes to run is matched against a whitelist and is only permitted to run if it is found there. Another mechanism, known as “hashing”, is also used at times to ensure the program’s integrity: it adds another layer of security by checking that the file is what it claims to be, so a modified copy of an approved program no longer matches the whitelist entry.
Things to Consider Before Whitelisting an Application
Before venturing into whitelisting applications, proper security controls should be in place for approvals since all applications can have vulnerabilities that can render the whitelisting efforts worthless. Now the question is, what kind of threats can be faced by applications if they are whitelisted? A great example would be older whitelisted applications. Older applications might need constant patching or have other vulnerabilities that can easily be exploited by threat actors e.g. remote code execution or stealing of hashes to gain access.
To make sure you are doing whitelisting efficiently, a proper structure should be in place. Let us say a third-party vendor has a SaaS app that needs to be introduced to your network. Instead of simply whitelisting it, proper security processes should be followed first. Application whitelisting is a two-fold process: any application that needs to enter a whitelist is first assessed under the Governance, Risk & Compliance (GRC) strategy of your organisation to ensure it follows the required standards for running. GRC strategies are the gatekeepers of these standards and processes and ensure they are implemented correctly. Once an application is approved by GRC, it is then tested by the operations team to make sure it is compatible with the systems used in your organisation. As an example, if the application being tested was only built for the Windows 2007 platform but is brought into a Windows 10 environment, it would certainly cause crashes on the endpoints or exhibit bizarre behaviour such as system reboots or a blue screen of death. Therefore, it is safe to say that testing the application before whitelisting is paramount. If you have a development environment, you can safely introduce the app there, test it, and then move it to production. Once it passes testing and transitions to production, it is time to start implementing application whitelisting.
How to Implement Application Whitelisting
Here are the basic steps to take for implementing application whitelisting on your network infrastructure:
- Create a baseline
The very first and crucial step is to scan your network and resources to set up a baseline for what applications will need to be allowed on your network. Factors like people and teams responsible for implementing whitelisting, the software that will be used for distributing policies, and the amount of time and money required for conducting the implementation should be taken into consideration. While assessing the devices in your network, consider addressing the higher risk devices first such as the ones that access your internet servers directly. On the other hand, when looking at your applications, try adding all the low-risk applications into the initial whitelist first.
- Ensure good end-point security
There are two ways of identifying applications. You can either use the software publisher’s signature or implement a cryptographic file hash. Most application whitelisting tools do allow you to base your whitelisting policies around these identifiers. Another less effective method is to identify applications by using registry keys that they create or the folders they are located in. The main issue with building a whitelisting policy with registry keys is that not all executable code utilises the registry. Most PowerShell scripts, for example, do not create registry entries.
- Determine the fate of unauthorised applications and scan the system
It is good to determine beforehand whether to completely block the execution of unauthorised applications or to simply flag them and monitor safely. It is also a good idea to scan the system for malware before implementing and installing a whitelist.
- Test policies before implementing them
Before switching your whitelist to enforce mode, it is important to conduct rounds of testing. Always remember that the default rule should be “deny”; otherwise your whitelist will be ineffective. You can also conduct positive and negative testing. Positive tests confirm that whitelisted applications are permitted and blacklisted files are denied. Negative tests, on the other hand, check whether files that are not whitelisted are allowed through.
- Review your policies regularly
Things change drastically over time across all organisations. Therefore, it is important to review your whitelisting policies at least once a year. Review your policies for the following conditions:
- Old rules that are obsolete now.
- Temporary exceptions that should be converted to either new rules or simply removed.
- Rules that can be made more specific or switched over to more stringent requirements.
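As an added example (not code from the original article), the core matching logic the steps above describe: a deny-by-default allowlist keyed on cryptographic file hashes, an audit mode that only flags unlisted files versus an enforce mode that blocks them, and the positive and negative tests recommended before enforcement. The sample “executables” are constructed byte strings, not real binaries.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Allowlist:
    """Deny-by-default allowlist keyed on the SHA-256 of file contents."""
    hashes: set = field(default_factory=set)
    enforce: bool = True                 # False = audit mode: flag only, never block
    audit_log: list = field(default_factory=list)

    @staticmethod
    def file_hash(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def add(self, data: bytes) -> str:
        """Approve a file by its content hash (not its name or location)."""
        h = self.file_hash(data)
        self.hashes.add(h)
        return h

    def evaluate(self, name: str, data: bytes) -> str:
        """Return 'allow', 'block' or 'flag' for a candidate executable."""
        h = self.file_hash(data)
        if h in self.hashes:
            return "allow"
        # Anything not explicitly listed is denied by default; in audit mode
        # it is only recorded so the policy can be tuned before enforcement.
        self.audit_log.append(f"{name} sha256={h} not in allowlist")
        return "block" if self.enforce else "flag"


# Constructed sample "executables" (plain byte strings, not real binaries)
APPROVED = b"MZ...approved-app-v1"
TAMPERED = b"MZ...approved-app-v1-patched"   # same name on disk, altered bytes
UNKNOWN = b"MZ...unlisted-tool"


def run_tests(enforce: bool = True) -> dict:
    """Positive test: the approved app runs. Negative tests: a tampered copy
    and an unlisted tool must not run (blocked in enforce, flagged in audit)."""
    wl = Allowlist(enforce=enforce)
    wl.add(APPROVED)
    return {
        "approved": wl.evaluate("approved.exe", APPROVED),
        "tampered": wl.evaluate("approved.exe", TAMPERED),
        "unknown": wl.evaluate("tool.exe", UNKNOWN),
        "audit_entries": len(wl.audit_log),
    }


if __name__ == "__main__":
    print("enforce:", run_tests(enforce=True))
    print("audit:  ", run_tests(enforce=False))
```

Because the decision is keyed on the hash rather than the file name, the tampered copy fails even though it sits at the same path as the approved one.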
When it comes to enterprise security, no amount of prevention and mitigation is enough. Application whitelisting provides an added layer of security to high-risk environments with centralised control. If you are looking for a solution that is more effective than the traditional anti-virus blacklisting and offers more control over the entire process, then application whitelisting is the way to go.
Need application whitelisting in your organisation? Contact us to see how we can help.