With over 350,000 new malicious programs (malware) and potentially unwanted applications (PUA) being discovered every day, protecting applications has become a significant challenge for enterprises and organizations. While antivirus and antimalware software generally do a solid job of blocking known threats, a signature can only be written for something that has already been seen, so new and emerging threats slip through until they are discovered and catalogued.
This is where application whitelisting plays a key role. Application whitelisting solutions provide protection against a whole range of threats by reducing the attack surface of organizations where applications play an integral part. By taking a default-deny approach, in line with Zero Trust principles, application whitelisting puts the control back in your hands by letting you decide which software runs on your endpoints and servers. By whitelisting the processes, files, and applications that the business actually needs, you proactively create a list of authorized software and prevent any other program or file from executing, thereby protecting your network from known and unknown threats alike.
Benefits of Application Whitelisting
Here are four ways a top-tier application whitelisting solution can help make your enterprise more cyber resilient:
1. Malware and Unknown Threat Prevention
Application whitelisting allows only authorized software to execute on your servers and endpoints. All other software is considered unauthorized and is prevented from being executed. This stops most malware before it runs. Antivirus/antimalware solutions provide a similar benefit, but whitelisting has the added advantage of stopping threats that nobody has seen yet. In the event of a zero-day attack or an attack by customized malware that threat intelligence feeds have not yet catalogued, whitelisting ensures that the payload cannot take hold of your systems: it is simply unauthorized and its execution is blocked. This covers attacks that arrive as new executable code, including ransomware, zero-day droppers, remote access trojans (RATs), families such as DTrack, and the custom tooling used by advanced persistent threats (APTs). Fileless malware and return-oriented programming (ROP) are a different case: they run inside a process that is already on the whitelist, so a file-level allow/deny decision on its own does not stop them. Catching those requires the process context described next, together with memory-protection controls.
However, it is rarely enough to simply allow and deny applications without taking context into account. A web browser like Chrome and an administrative tool like PowerShell are both legitimate applications. But PowerShell being spawned by Chrome is indicative of malicious behavior, because no normal browsing activity needs a shell. A good application whitelisting technology understands the context in which an application runs and tracks the parent and child processes of each process to decide whether an execution should be allowed or denied, beyond the simple presence of the binary on the whitelist.
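The following is an added example of the two-layer decision described above, written for this article rather than taken from any product. Executables are identified by the SHA-256 of the file on disk, not by name or path, and a second table of parent/child pairs denies launches that are suspicious in context even though both binaries are individually allowed. The hashes, paths and events are constructed placeholders.

```python
"""Allow-list decision with parent/child process context (added example).

Not ColorTokens' code or any product's rule set; the hashes, paths and
events below are constructed for illustration.
"""
from dataclasses import dataclass
from ntpath import basename  # sample events use Windows-style paths


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str          # full path of the executable being launched
    sha256: str         # SHA-256 of that executable on disk
    parent_image: str   # full path of the parent process's executable


# Allow-list keyed by file hash, not by name or path, so a renamed or
# tampered binary does not inherit trust. The values are the paths the
# hashes are expected to live at. Hashes are placeholders.
ALLOWED_HASHES = {
    "1111" * 16: r"C:\Windows\explorer.exe",
    "2222" * 16: r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    "3333" * 16: r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "4444" * 16: r"C:\Windows\System32\cmd.exe",
}

# Context rules: (parent basename, child basename) pairs that are denied
# even though both binaries are individually on the allow-list.
DENIED_PARENT_CHILD = {
    ("chrome.exe", "powershell.exe"),
    ("chrome.exe", "cmd.exe"),
    ("winword.exe", "powershell.exe"),
    ("winword.exe", "cmd.exe"),
}


def decide(event: ProcessEvent) -> tuple:
    """Return ("allow" | "deny", reason) for a single process-start event."""
    expected_path = ALLOWED_HASHES.get(event.sha256.lower())
    if expected_path is None:
        # Unknown binary: covers brand-new malware and renamed/tampered copies.
        return "deny", f"hash not on allow-list: {event.image}"
    if event.image.lower() != expected_path.lower():
        # Known-good bytes at an unexpected location (e.g. copied to a temp dir).
        return "deny", f"allowed binary at unexpected path: {event.image}"
    pair = (basename(event.parent_image).lower(), basename(event.image).lower())
    if pair in DENIED_PARENT_CHILD:
        # Both binaries are trusted, but this parent/child relationship is not.
        return "deny", f"{pair[1]} spawned by {pair[0]}"
    return "allow", "hash on allow-list, parent context acceptable"


# Constructed sample events for one host.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "2222" * 16, r"C:\Windows\explorer.exe"),
    ProcessEvent("ws01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "3333" * 16, r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcessEvent("ws01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "3333" * 16, r"C:\Windows\explorer.exe"),
    ProcessEvent("ws01", r"C:\Users\bob\Downloads\invoice.exe",
                 "dead" * 16, r"C:\Windows\explorer.exe"),
    ProcessEvent("ws01", r"C:\Users\bob\AppData\Local\Temp\chrome.exe",
                 "2222" * 16, r"C:\Windows\explorer.exe"),
]


def evaluate(events) -> list:
    """Apply decide() to each event; returns [(child basename, verdict, reason)]."""
    return [(basename(e.image).lower(),) + decide(e) for e in events]


if __name__ == "__main__":
    for child, verdict, reason in evaluate(SAMPLE_EVENTS):
        print(f"{verdict:5} {child:15} {reason}")
```

In the sample run, Chrome launched from Explorer and PowerShell launched from Explorer are allowed; PowerShell launched from Chrome is denied on context; the downloaded invoice.exe is denied because its hash is unknown; and a byte-identical copy of chrome.exe in a temp directory is denied because a known-good hash is running from a path it was not approved for. A real product would derive the parent/child table from observed baselines rather than a hand-written set, but the decision order (hash, then path, then context) is the point.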
2. Software Inventory
For any application whitelisting solution to be successful, it needs to provide complete visibility into the applications and processes on your host systems. This visibility can be used to create an inventory of the applications and application versions installed on every endpoint and server. Armed with this information, security teams can identify unauthorized applications and outdated or unapproved versions of software that are still present on a host. The same visibility is also useful in forensics, where unknown, modified, and unauthorized applications need to be investigated. Additional benefits of a software inventory include accounting, budgeting, and efficient resource allocation: if you have purchased 100 copies of an accounting program and only 50 are in use, it may be a good idea to trim the number of licenses you renew.
3. File Monitoring
There are many types of whitelisting solutions, and most of them allow you to monitor changes made to application files. Depending on its capabilities, the whitelisting solution can either prevent the files from being changed or flag any change for further investigation. This alerts security teams to suspicious or malicious activity on the host and allows them to fine-tune their security policies and update their whitelists accordingly. At the same time, a smart whitelisting solution should let legitimate updates that alter the properties of an application, such as Microsoft updates, go through without raising alerts, typically by recognizing the new file version as trusted rather than treating every change as a tamper event.
4. Incident Response
Application whitelisting can also help enterprises contain the spread of malware. When a security incident occurs and malicious files are discovered on a host, the whitelisting technology's file visibility can be used to check whether other hosts carry the same files, thereby determining which of them have been compromised. Once the infected hosts have been identified, the malicious files can be removed from the network. In practice this is done by taking the cryptographic hash of the file deemed malicious and querying every host's inventory for that hash value, which identifies every byte-identical copy. Keep in mind that a hash sweep finds only exact copies; a variant that has been repacked or modified by even one byte will have a different hash and must be hunted with other indicators.
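The three capabilities above (software inventory, file change monitoring, and a hash-based incident-response sweep) all rest on the same data: a per-host map of file paths to file hashes. The following added example, written for this article and not taken from any product, builds that map, diffs two snapshots while treating a vendor-supplied hash as a legitimate update rather than a tamper event, and then searches a constructed fleet of inventories for a known-bad hash. The directory contents, host names and the "malicious" file are constructed for the demo.

```python
"""Hash-based inventory, change detection and cross-host hash sweep
(added example; not a product's code). The files, hosts and the
'malicious' hash below are constructed for illustration."""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root: str) -> dict:
    """Software inventory for one host: relative path -> SHA-256 of every file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def diff_inventories(baseline: dict, current: dict, trusted_hashes=frozenset()) -> dict:
    """File monitoring: compare two snapshots of one host.

    A changed file whose new hash is in trusted_hashes (e.g. from a vendor
    update manifest) is reported as 'updated', not 'modified', so legitimate
    patches do not raise alerts.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = [p for p in baseline.keys() & current.keys() if baseline[p] != current[p]]
    updated = sorted(p for p in changed if current[p] in trusted_hashes)
    modified = sorted(p for p in changed if current[p] not in trusted_hashes)
    return {"added": added, "removed": removed, "modified": modified, "updated": updated}


def hosts_with_hash(inventories: dict, bad_hash: str) -> list:
    """Incident-response sweep: (host, path) for every exact copy of bad_hash in the fleet."""
    return sorted((host, path)
                  for host, inv in inventories.items()
                  for path, digest in inv.items()
                  if digest == bad_hash)


def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Build a constructed host, change it, diff it, then sweep a constructed fleet."""
    with tempfile.TemporaryDirectory() as root:
        appdir = os.path.join(root, "app")
        os.makedirs(appdir)
        _write(os.path.join(appdir, "app.exe"), b"legit build 1.0")
        _write(os.path.join(appdir, "helper.dll"), b"helper 1.0")
        baseline = inventory(root)

        # Three changes: a vendor patch to helper.dll (hash known from the
        # vendor's manifest), a tampered app.exe, and a dropped binary.
        _write(os.path.join(appdir, "helper.dll"), b"helper 1.1")
        _write(os.path.join(appdir, "app.exe"), b"legit build 1.0 + injected")
        _write(os.path.join(appdir, "update.exe"), b"dropped binary")
        current = inventory(root)

    vendor_manifest = {hashlib.sha256(b"helper 1.1").hexdigest()}
    changes = diff_inventories(baseline, current, vendor_manifest)

    # Fleet of constructed inventories; host-c carries the dropped file elsewhere.
    bad_hash = hashlib.sha256(b"dropped binary").hexdigest()
    fleet = {"host-a": current, "host-b": baseline, "host-c": {"tmp/x.exe": bad_hash}}
    changes["hits"] = hosts_with_hash(fleet, bad_hash)
    return changes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:9}: {value}")
```

In the demo, helper.dll is reported as updated because its new hash matches the vendor manifest, app.exe is reported as modified because its new hash matches nothing trusted, update.exe is reported as added, and the sweep for the dropped file's hash finds it on host-a and host-c but not host-b. A deployed solution would collect the inventories centrally from an agent on each host; the query logic is the same.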
Application Whitelisting: The Zero Trust Security Approach
Enterprises are beginning to realize that signature-based security is not strong enough to protect applications from all cyber threats. This is why many of them have already started to build Zero Trust principles into their network security strategy. By allowing only the "known good" to run, whitelisting takes a Zero Trust approach to security across your endpoints and servers. From a security perspective, there is a strong argument that application whitelisting provides the best protection available against sophisticated modern-day threats.
About the Author: Jai Balasubramaniyan is the Director of Product Management at ColorTokens Inc. He has been instrumental in creating award winning Enterprise Security Products at Cisco, Trend Micro, Check Point, Zscaler, Gigamon, CrowdStrike and ColorTokens. Jai has several patents and publications in the security field. He has a Masters in Computer Science from Purdue University and an MBA from the Kellogg School of Management.