What is Application Whitelisting?
Application whitelisting is not a new concept within the realm of enterprise security. In direct opposition to the concept of blacklisting, application whitelisting is a more proactive approach that allows only pre-approved and specified programs to run. Any other program not whitelisted is blocked by default.
The most obvious use for application whitelisting is to stop malware from executing on endpoints within a network, but a secondary benefit is control over what software ends up on those endpoints. When employees can run only whitelisted applications, unsanctioned programs that consume resources, conflict with approved tools, or destabilize systems are kept off the machines.
How Application Whitelisting Works
The process is quite simple in theory: a program that attempts to execute is compared against a whitelist and permitted to run only if it is found on the list. The comparison is usually made on more than the file's name or path, since either can be spoofed. A common additional measure is hashing: the file's contents are hashed with a cryptographic hash function such as SHA-256 and the digest is compared with the digest recorded when the program was approved, so a renamed or modified binary that mimics an approved program no longer matches and is denied.
Application whitelisting places control over which programs are permitted to run on a user's machine, or across a network, in the hands of administrators rather than end users. Without it, an end user can typically launch any program they choose on their own machine. With it, a user cannot run a malicious program, because nothing that administrators have not vetted and whitelisted is able to run.
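The hash check described above, as an added example that is not code from the original page or from any product: a deny-by-default policy evaluator that supports two rule types, a SHA-256 hash rule and a trusted-directory path rule. The scenario it runs (an approved `tool.exe`, an unknown `update.exe` dropped into the same trusted directory, and a byte-identical copy of the approved tool relocated to a Downloads folder) is constructed with temporary files; the file names, directory names and rule format are hypothetical.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    kind: str   # "hash": value is a hex SHA-256 digest; "path": value is a trusted directory
    value: str


def sha256_file(path: str) -> str:
    """Hash the file's bytes so the rule binds to content, not to a name or location."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_allowed(path: str, rules: list[Rule]) -> tuple[bool, Optional[Rule]]:
    """Deny by default: execution is permitted only if some rule matches."""
    real = os.path.realpath(path)
    digest = sha256_file(real)
    for rule in rules:
        if rule.kind == "hash" and rule.value == digest:
            return True, rule
        if rule.kind == "path":
            # Trailing separator so "C:\Tool" does not also match "C:\ToolEvil\x.exe"
            trusted_dir = os.path.join(os.path.realpath(rule.value), "")
            if real.startswith(trusted_dir):
                return True, rule
    return False, None


def demo() -> dict[str, bool]:
    """Constructed scenario (hypothetical files, not from the page): an approved tool,
    an unknown binary dropped into the same trusted directory, and a byte-identical
    copy of the approved tool relocated to a user's Downloads folder."""
    with tempfile.TemporaryDirectory() as root:
        trusted = os.path.join(root, "Program Files", "Tool")
        downloads = os.path.join(root, "Users", "alice", "Downloads")
        os.makedirs(trusted)
        os.makedirs(downloads)

        approved = os.path.join(trusted, "tool.exe")
        dropped = os.path.join(trusted, "update.exe")
        relocated = os.path.join(downloads, "tool.exe")
        with open(approved, "wb") as f:
            f.write(b"MZ approved build 1.0 (constructed sample bytes)")
        with open(dropped, "wb") as f:
            f.write(b"MZ unknown binary written by an attacker (constructed)")
        shutil.copyfile(approved, relocated)

        hash_policy = [Rule("hash", sha256_file(approved))]
        path_policy = [Rule("path", trusted)]

        return {
            "hash_policy_approved": is_allowed(approved, hash_policy)[0],
            "hash_policy_dropped": is_allowed(dropped, hash_policy)[0],
            "hash_policy_relocated": is_allowed(relocated, hash_policy)[0],
            "path_policy_approved": is_allowed(approved, path_policy)[0],
            "path_policy_dropped": is_allowed(dropped, path_policy)[0],
            "path_policy_relocated": is_allowed(relocated, path_policy)[0],
        }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24s} -> {'ALLOW' if allowed else 'DENY'}")
```

Running it shows the trade-off behind the two rule types: the hash rule denies the unknown file dropped into the trusted directory but allows the approved binary wherever it is copied, because the rule binds to content; the path rule allows everything under the trusted directory, including the dropped file, so a path rule is only as strong as the write permissions on that directory. Commercial products usually add a third rule type keyed on the code-signing publisher, which survives vendor updates that change the hash.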
With the volume of malware growing by the minute, it is impractical to maintain a comprehensive blacklist of identified malicious programs. The reverse approach, application whitelisting, is far more practical in today's environment.
Application Whitelisting: Not an All-Encompassing Solution
While the proactive approach of application whitelisting may lead one to assume that it’s an all-encompassing security solution, it’s not a replacement for traditional security measures, but a supplement. Application whitelisting should be used in conjunction with both standard and emerging security technologies to ensure adequate protection in the modern threat landscape.
Application whitelisting is particularly useful because the amount of malware is ever-growing and becoming more varied by the day. It is impossible to keep up with emerging malware using reactive approaches to security, leaving enterprises exposed to new, as-yet-unidentified malware reaching their networks. In fact, modifying or repackaging existing malware so that it no longer matches the signature written after its discovery is a routine method attackers use to slip past blacklist-based detection.
Blacklisting tactics are inefficient and cannot scale to meet the demands of constantly emerging, growing, and changing malware. Attacks using previously unseen malware, for instance, cannot be prevented by a blacklist because no signature exists yet. Application whitelisting sidesteps this problem: an unknown executable is denied simply because it has not been whitelisted, whether or not anyone has yet identified it as malicious. Note that the control applies at execution, not at download; the file can still land on disk, it just cannot run. It also does not stop a zero-day exploit that executes inside an application that is itself whitelisted, which is one reason it supplements rather than replaces other controls.
Challenges in Application Whitelisting
Application whitelisting has drawn some criticism, partly because a tactic that has been around for some time is only now gaining momentum, and partly because of its impact on the end user. With a deny-by-default mechanism, a user must have an application whitelisted before they can use it. In some organizations, that process is cumbersome and creates workflow delays that frustrate employees.
In addition to fostering a sense of lost control, application whitelisting poses challenges in managing the whitelist itself: every update to an approved application changes its hash, and every new tool needs a rule. The ability to automate exception handling and at least part of whitelist maintenance is a major benefit of modern application whitelisting solutions.
To solve some of these challenges, some organizations have experienced success by implementing application whitelisting in monitor-only mode, which provides visibility into all executable files running on endpoints within a network. This facilitates detection and confirmation of attacks, enabling rapid response, although this shifts the approach from proactive to reactive.
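As an added example serving both the whitelist-management point above and the monitor-only mode just described, the following script (not code from the original page or from any product) turns a batch of audit-mode execution events into a candidate whitelist and a review queue. The events, host names, paths, hashes and publisher names are constructed samples; the event fields and the `min_hosts` threshold are assumptions about what an audit log would carry, and `USER_WRITABLE_MARKERS` is a simple heuristic for locations a standard user can write to.

```python
from collections import defaultdict

# Constructed monitor-only (audit) events, not real telemetry: in audit mode the
# agent records every executable that ran instead of blocking it.
AUDIT_EVENTS = [
    {"host": "ws01", "path": r"C:\Program Files\Acme\acme.exe", "sha256": "a1" * 32, "publisher": "Acme Corp"},
    {"host": "ws02", "path": r"C:\Program Files\Acme\acme.exe", "sha256": "a1" * 32, "publisher": "Acme Corp"},
    {"host": "ws01", "path": r"C:\Tools\legacy\report.exe", "sha256": "b2" * 32, "publisher": None},
    {"host": "ws02", "path": r"C:\Tools\legacy\report.exe", "sha256": "b2" * 32, "publisher": None},
    {"host": "ws03", "path": r"C:\Tools\legacy\onehost.exe", "sha256": "c3" * 32, "publisher": None},
    {"host": "ws01", "path": r"C:\Users\alice\Downloads\setup.exe", "sha256": "d4" * 32, "publisher": "Some Vendor"},
    {"host": "ws02", "path": r"C:\Users\bob\AppData\Local\Temp\update.exe", "sha256": "e5" * 32, "publisher": None},
]

# Heuristic (assumption): anything under a user profile, temp or ProgramData is
# writable by a standard user, so a rule allowing that location would let the
# user, or malware running as the user, allow anything.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\")


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def triage(events, min_hosts: int = 2) -> dict:
    """Propose publisher rules for signed software in trusted locations, hash rules
    for unsigned software seen on at least min_hosts hosts, and queue the rest
    (anything from a user-writable path, or unsigned and rare) for human review."""
    hosts_by_hash = defaultdict(set)
    for e in events:
        hosts_by_hash[e["sha256"]].add(e["host"])

    publisher_rules, hash_rules, review = set(), set(), {}
    for e in events:
        if is_user_writable(e["path"]):
            review[e["sha256"]] = (e["path"], "runs from user-writable location")
        elif e["publisher"]:
            publisher_rules.add(e["publisher"])
        elif len(hosts_by_hash[e["sha256"]]) >= min_hosts:
            hash_rules.add((e["path"], e["sha256"]))
        else:
            review[e["sha256"]] = (e["path"], f"unsigned, seen on fewer than {min_hosts} hosts")

    return {
        "publisher_rules": sorted(publisher_rules),
        "hash_rules": sorted(hash_rules),
        "review": sorted(review.values()),
    }


if __name__ == "__main__":
    result = triage(AUDIT_EVENTS)
    print("publisher rules:", result["publisher_rules"])
    print("hash rules:", [(p, h[:12] + "...") for p, h in result["hash_rules"]])
    for path, reason in result["review"]:
        print("REVIEW:", path, "-", reason)
```

Two design choices matter here. Signed software in a trusted location gets a publisher rule rather than a hash rule so that routine vendor updates do not generate an exception request every time the hash changes. Anything executing from a user-writable path goes to review even when it is signed, because a blanket rule for that location, or for whatever runs there, would hand the decision back to the user; this is exactly the visibility monitor-only mode is meant to provide before enforcement is switched on.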
Application whitelisting is gaining ground as a viable security practice as more enterprises embrace proactive approaches to security. When used in conjunction with other, traditional and advanced security practices, application whitelisting is highly effective for many organizations.