Six Questions about Application Whitelisting & Advanced Threats

What if I whitelist something that's bad?

John Fox: First of all, whitelisting something on one endpoint does not make it whitelisted on any of the other endpoints. If you make a mistake and accidently do that on a single endpoint, that malware is going to be contained on that one endpoint. Furthermore, we have a feature called systems intelligence that allows you to look at a complete list of all the applications that have been authorized to run on any endpoint. A quick glance at that periodically is a good way to look for things that pop in there, like software that you don't want to have running in your environment. It can easily be turned off and disallowed from there. It actually is a good tool for helping with the suggestion that Chris made about reducing your attack surface by eliminating applications that have low business need, yet high risk. You can look at an inventory and handle it there.

Is Microsoft's AppLocker whitelisting solution suitable for enterprise environments?

Chris Sherman: For those of you who aren't familiar with AppLocker, it’s Microsoft's built in whitelisting solution, which began to be offered in Windows 7 Ultimate and Enterprise. It's rooted in the XP software restriction policies, which were very static and basically unusable in large, dynamic end user environments, due to having relatively inflexible policy management. Unfortunately, AppLocker isn't really much different. It's a far cry from the trust based third party solutions which allow for much greater control and more user focus exception handling processes. For this reason, I haven't really seen many large organizations using AppLocker. However, in static Windows only server environments, it may just fit the bill. In Windows 10, we're going to see a new form of whitelisting get released called Device Guard. It will be interesting to see if this new feature will gain higher adoption in enterprise environments compared to AppLocker. I suspect that many of the current whitelisting vendors will begin to serve as a management overlay for Device Guard, similar to how endpoint encryption vendors began supporting BitLocker.

How do I manage the whitelist with Digital Guardian's app whitelisting?

John Fox: In my opinion, an application whitelisting solution should not require you to manage the whitelist directly anyway. If your application requires you to pay attention to managing the actual whitelist, what's on it, and worrying about what's in there, what's not in there, then it's probably an overly complicated solution. I think the best way is to look for a solution that manages the whitelist for you. So you tell it what you want to do. I want to install this new software. I want to apply this patch. It handles the details for you. I think that's the best advice I have for that: it might be a telltale sign of an overly complicated process that might be difficult to manage.

Why is having a local whitelist better than a central one?

John Fox: The primary reason for that is, with a central whitelist, there are advantages to that, but if anything ever were to get accidentally whitelisted that you did not want to be on the whitelist, that would now be authorized on every single one of your endpoints; whereas with a unique whitelist that's local on each endpoint, each is managed separately. Something bad slipping through is not going to be able to proliferate.

Does Digital Guardian help with figuring out which risky applications you don't need and eliminating those?

John Fox: We do have a feature that gives you a list of all the applications that are installed and authorized to run on any of your endpoints that you're managing, and it does allow you to point at any one of them and say, "I don't want this. Disallow it."

Do I still need an AV with application whitelisting?

Chris Sherman: While the adoption of AV is going down, many organizations aren't ready to completely do away with AV yet. We're seeing more and more organizations who are frustrated with their paid AV, going with a free or low cost solution and then layering on a more proactive solution such as whitelisting and others like endpoint visibility control. In this way, the lightweight AV product can take care of those easy kills and limit noise for the more proactive layers of protection.