| certifications | security - David Chapman
Application Whitelisting: What It Is and How to Use It
Application whitelisting the idea of providing a list of approved applications that are desired to be allowed to run. Application whitelisting tools are specifically designed with various features a business will need in order to properly whitelist. It could vary from whitelisting an executable name, a path or even generating a signature of the application itself to put into a database and compare. It may even use all of the above along with heuristics to determine a risk score for the application for maximum security.
Large organizations use application whitelisting tools in order to cut down on unsupported applications they do not want running. This can be for a multitude of reasons. In highly secured environments it can help prevent unsafe or unauthorized software from making it on to the network. Other times it helps cut down on malicious software by simply allowing only what's known to be good and desired. In environments where shared computers are used in public places it can help prevent infection or injection of malicious applications.
Application Whitelisting vs. Blacklisting
Application whitelisting and blacklisting are two ways to view the same problem. With application whitelisting you are creating a list of known good applications you wish to allow. This uses the concept of Zero Trust where everything is assumed to be untrusted unless you whitelist it. If you have a small deployment of applications or a decent team to update and maintain a whitelist, this can be the most secure way to go. Where issues are run into is when new applications need to be used or signatures of existing applications change due to software updates and the team is not responsive enough to correct promptly.
Blacklisting on the other hand requires a much less overhead. The assumption is generally everything is trusted except for a few bad actors. In those cases as they pop up an organization may blacklist applications. Sometimes the issue with these is keeping up with new applications coming out that may need to be added to the blacklist.
Some organizations use a hybrid approach of whitelisting known good applications, blacklisting known bad applications and letting a tool do heuristics to score an application to make a determination. Usually in this hybrid approach a default is selected as to whether to allow or block if no clear determination can be made.
How Does Application Whitelisting Work?
There are a few ways that application whitelisting works. Basic ones may use the path and name of the application to whitelist. The problem with this is malicious software can use those same paths and application names to bypass that whitelisting. More in depth whitelisting packages tend to use checksum or signatures of the application. If the application has been modified that signature would be different and then not be allowed on the whitelist.
In recent years, application packages are actually signed by a publisher. This helps to ensure they have not been modified but also that they are vouched for. For example Microsoft signs all of its applications so that you know they are authentic Microsoft applications. Why this matters is because Application Whitelisting tools that are aware of this can allow you to whitelist by the publisher, making this much easier.
How to Implement Application Whitelisting
There are a few application whitelisting tools that can be used to implement application whitelisting. Most antivirus software is built on the blacklisting concept and in particular segments of code being blacklisted but some work off application whitelisting. If you have antivirus software that works off whitelisting and it meets your needs, that's great. For many people though this is not the case.
Application whitelisting tools are more specialized applications geared towards this type of whitelisting and are usually a better fit. One common application whitelisting vendor is Microsoft. It produces AppLocker, which is a great tool to implement if you are windows based and using the appropriate versions and editions. The requirement for Windows 10 Enterprise can be a barrier to entry for some.
On the Microsoft path again, for those on Active Directory, Software Restriction Policies is another method of implementing application whitelisting. Traditionally it is limited to just whitelisting paths though and that may be insufficient for the types of whitelisting required by the business.
Benefits of Application Whitelisting
The main benefit of application whitelisting is peace of mind, knowing unauthorized or unknown software is not running on your computers or network. Many times spyware, malware or any type of malicious code can be caught by blocking unapproved executables/code. Protecting against a specific category, known as Zero Day, is very helpful. Zero Day attacks are simply new attacks that have no other mitigation or awareness of the attack so any blacklisting of them would not be known. Therefore working off whitelists of only known and approved software would protect against brand new Zero Day attacks.
Application whitelisting also helps increase security compliance and aids in endpoint protection. Certain lines of business need strict control over endpoints. This is particularly so for endpoints that deal with sensitive information such as credit card numbers, dates of birth, medical records or financial records. Only allowing specific applications to be run aids in the regulatory compliance audits related to these various types of information.
Having an approved database of applications means an IT department is aware of the applications. Many times vulnerabilities can come from unpatched or buggy versions of applications. If one gets installed but IT is not aware of it, they likely will not maintain it and be able to patch it. If, however, they are aware of it, they likely will have a method of patching it along with their other patching.
Limitations of Application Whitelisting
Application whitelist can be problematic at times and does have its limits. In order for any application to be approved, an administrator must approve it. The organization needs to be appropriately staffed to be able to whitelist applications as timely as the business needs. Some applications are self-updating and do so frequently. Depending on the type of whitelist (signature versus file path versus publisher), that whitelist may need to be updated somewhat frequently. There is also the remote possibility of the application whitelisting tool failing and preventing any application from running. It is rare but can happen and can make repairing the machine a bit more difficult.
In other cases, executables and applications may modify their code as part of the normal operations. This is rare today but if an executable doesn't have a specific signature because it is constantly changing, it may be difficult to properly whitelist using a signature. On the other hand, path or filename whitelists are easy to bypass by simply overwriting an existing approved path. These path based whitelists assume the applications are installed in the same path on every computer.
While this may be common, some users may elect to install to alternate locations due to disk space issues. Other times they may have edge cases that require the applications to be installed to removable media, like a USB drive that may be one drive letter on one machine and another drive letter somewhere else. This issue pops up quite a bit with whitelisting/exclusions in antivirus software for large rollouts that are not extremely uniform.
Application whitelisting can be a great tool for a business if the needs drive it. Any organization that is remotely concerned with security should investigate whether this is a technology that should be implemented in their environment. When asking the question "what is better, application whitelisting vs antivirus", the high level answer is application whitelisting tools are almost always better because they are more specialized. This does not mean it is better for the business as other factors such as cost and management of extra software rolled out may be more than the business can accommodate.
A great deployment will strike a good balance between security and user experience all while balancing the budget. Application whitelisting can be a huge failure if the end users are constantly unable to perform essential business functions on a day to day basis. When selecting an application whitelisting tool or application whitelisting vendor, investigate the software features that your business may want. Appropriate application whitelisting software features will be key to a successful deployment.