Applications are often targeted by various threat actors who attempt to exploit vulnerabilities for money and data. According to the Ponemon Institute’s 2020 Cost of a Data Breach Report, data breaches on average cost $3.86 million. Given this hefty price tag – and the growing sophistication of today’s cyber threats – it’s vital enterprises protect applications from attacks by controlling how and why they’re accessed.
The two most popular approaches to application control are whitelisting and blacklisting, and it’s worth understanding how they can help protect your network from threats. Blacklisting is a more traditional and passive strategy; it relies completely on an ever-expanding list of malware. Whitelisting, on the other hand, requires proactive, hands-on involvement to create a balance between protection and security operations. So, enterprises that are at greater risk of attack may lean more toward whitelisting their devices, whereas companies which need to provide more flexibility in their business tend to adopt blacklisting into their security strategy.
Here’s a detailed look at both these approaches and how can they help your business secure its applications.
What is Application Whitelisting?
Application whitelisting is a form of application control that takes a trust-centric approach of allowing only the known good. Essentially, authorization is granted only to applications, files, directories, or processes that are classified as required and safe to execute. Everything else denied by default. Application whitelisting is done using attributes like file name, file size, and/or directory path.
The U.S. National Institute of Standards and Technology (NIST) recommends the use of stronger attributes like digital signature and cryptographic hashes to be used in combination with other attributes to strengthen security. Whitelists are created after taking the full view of all tasks users or servers need to perform. Based on dependencies, applications and other processes are added to the whitelist to ensure smooth operations across the network. Advanced whitelisting solutions also provide the flexibility of adding rules which determine who and how a particular application or process is accessed. For example: A whitelist rule could be that Chrome.exe, a whitelisted process, should not be allowed to spawn powershell.exe.
Pros and Cons of Application Whitelisting
Application whitelisting provides complete control over systems and allows only the known good, which makes it hard for any malware to execute, infect, or spread within the network. Application whitelisting also prevents zero–day attacks, as anything beyond the authorized zone is on default-deny, including new and unknown malware. This makes whitelisting highly effective in protecting critical servers and applications that are vital for the business. On the flip side, though, whitelisting is restrictive, which means every time the user needs to run an application that is not on the whitelist, they need to raise a ticket. In large enterprises, this becomes an operational challenge. Also, creating a comprehensive whitelist and keeping it updated can be a tough task for admins to handle. But this effort can be greatly reduced if the whitelisting solution being deployed has pre-existing policy templates, which are lists of whitelists based on prior intelligence.
What is Application Blacklisting?
Application blacklisting is a simple and straightforward security strategy where everything that is known to be malicious – the known bad – is prevented from running on endpoints and servers that are part of the network. Blacklisting takes a threat-centric approach to block all possible malicious software from taking hold of your network. It is a list of signatures and hashes that have been deemed malicious or suspicious and are therefore prevented from being downloaded or executed on your systems.
Traditionally, blacklisting has been used by antivirus and anti-malware security solutions by maintaining a database of signatures, heuristics, or behavioral characteristics that are associated with malware and viruses. Apart from blocking obvious threats like spyware, trojans, and worms, blacklists can include users, applications, processes, and IP addresses to protect critical applications from unauthorized access and to meet compliance requirements.
Pros and Cons of Application Blacklisting
Application blacklisting has been around for years, and it remains a popular security option for most enterprises because of its relative simplicity and direct benefit of preventing known threats. Admins can easily block known malicious software while allowing users access to any applications they need. However, there are also downsides of relying on blacklisting alone. The AV-TEST Institute registers over 350,000 new malicious programs (malware) and potentially unwanted applications (PUA) per day. With so many new threats emerging so often, it’s almost impossible to keep track of all types of malware. And even if your signature database is up to date, blacklisting is completely useless in the event of a zero–day attack – an attack by a malware that is completely new or unknown.
Blacklisting vs. Whitelisting: What Is the Right Approach?
This is a question most security professionals grapple with since both approaches have plusses and minuses. While application blacklisting is obviously needed to keep out the known bad, which increases with each passing day, it can only protect from known threats. Application whitelisting, on the other hand, is designed to protect against both known and unknown threats, but can be restrictive when deployed and operationally challenging to maintain.
In many enterprises, application blacklisting is used as a minimum security measure in the form of antivirus or other signature–based security running on multifunction devices like laptops and desktops. Application whitelisting, on the other hand, is used to protect special–purpose systems like kiosks, POS systems, ATMs, and check-in kiosks – where the device has a limited function and capability. However, to achieve maximum protection for applications running on all your endpoints and servers, your security should include both whitelisting and blacklisting tools. This can be achieved by deploying solutions that combine the security provided by blacklists, i.e. protection from the known bad, with whitelisting features that protect critical applications from being unknown malware.
ColorTokens’ Approach to Application Control
ColorTokens Xprotect provides both whitelisting and blacklisting capabilities to not only prevent the known, bad but also protect your applications from threats that haven’t yet been discovered. Xprotect gives you complete visibility of all applications and processes running on your endpoints and servers so that it’s easy for security teams to build a comprehensive whitelist which ensures all necessary software runs without interruptions.
With context-based, process-level control, highly granular whitelisting policies can be deployed to prevent all unknown threats. On the other hand, Xprotect also delivers threat intelligence from multiple credible sources to blacklist known threats and assign trust scores to other non-whitelisted files and applications, allowing you to decide which ones to allow and which ones to deny. Find out more about how ColorTokens Xprotect can secure your applications.
About the Author: Vivek Biswas is a Product Manager at ColorTokens. He has been developing software products and services both as a developer and a product manager for the last 7 years. He has a B.Tech in Materials Engineering from IIT Roorkee and an MBA from the Indian School of Business.