Whitelisting, a grey area?

According to a paper from the Center for Strategic and International Studies (CSIS), the vast majority of successful security breaches to corporate networks are made using basic techniques. By implementing just four critical security controls you could remove 85 to 90% of threats. In a previous article I talk through the benefits of patching applications and operating systems, which cover two of the controls. The control that I’ll be covering today is application whitelisting.
Whitelisting is a term for a list of approved items and when it comes to IT, the term usually refers to application whitelisting where there is a list of known good software titles that can be used by the employees, where any software that is not listed in the whitelist is not allowed to run. There are many advantages to doing this; Zero day attacks for example are significantly reduced, if not eradicated altogether, as any unauthorised executable code that is placed on a system is rendered useless as it will be unable to run, thus incapable of delivering its intended payload. This is the method that most of today’s malware, spyware and viruses use to spread themselves around.
There have been various articles over the years claiming that Anti-Virus (AV) is dead and the main reason for this is the reactive approach AV takes, i.e. AV software relies on a catalogue of virus definitions and the constant updating of that catalogue in order to stay effective. In short, the virus has to be created, deployed, and someone infected in order for a definition to be created to detect and remove it downstream – not the most proactive model – whereas whitelisting gives complete control over what applications are actually run; if it is not on the list, the software does not run. Simple, yes?
Well not really, let me explain:
Everything above is true; an Application Whitelist does give complete control and if the software isn’t explicitly on the list then that software will not run. However creating the list in the first place is not an easy task. Applications are not individual files that run, they are a collection of possibly hundreds of files that all need to be able to run in concert, and if just one of those files isn’t on the whitelist there is a strong chance that the application won’t start or will fail at some point during operational usage. It is imperative therefore that your whitelist is crafted very carefully in order to be effective. One other thing to bear in mind is that your operating system will come under the same rules that your applications will, so adding every file that your operating system needs is a must. There are few things more annoying than setting up a whitelist and testing it on your machine, only to find that the operating system won’t load because some of the files it requires are being blocked by your whitelisting application.
In short, setting up an Application Whitelist is not an easy task, and in a great deal of cases the effort of getting it right and the risk of getting it wrong is prohibitive, so many companies simply don’t bother.
However, by understanding your current risk and what applications are already installed within your environment you have a big piece of the puzzle. Knowing what is actually being used and removing the waste gives you another big piece, as you can hone your whitelist on what is relevant. Technologies such as Security Benchmark and AppClarity from 1E give you information about every application that is installed within your environment, if an application is run from a temporary location or doesn’t have any publisher information as an example then there is a good chance that it is not something that you want running in your environment. This kind of information is critical when trying to understand what applications must be added to your Application Whitelist.
Creating the whitelist is only part of the story; there is constant maintenance required because as applications are installed and updated, new files are introduced into the environment that must be added to your Application Whitelist. That’s where 1E’s enterprise app store, Shopping can give you the flexibility that helps whitelisting projects to succeed by allowing users to select the applications they need and have them installed by a known good mechanism that can be added as a trusted source, rather than the user carrying out the installation manually as these files would be blocked from executing.
As I’ve said previously, Application Whitelisting is not an easy task. Knowing up front your risk, what applications exist within your environment, what is actually being used and removing the unused applications all significantly help you get your Application Whitelist in order. Controlling the applications that are allowed into your environment using an enterprise app store lowers the maintenance that a whitelist needs by making sure that apps are only introduced using a known mechanism.
The take home message is this: Application Whitelisting is a proven method in protecting your environment and has been highlighted by the CSIS as one of four key security controls. Let 1E technologies help you protect your environment, to find out how we can assist you please contact us at [email protected].
In the third part of this series I will look at the fourth control: Removing Unneeded Administrative Privileges.