As attacks grow more sophisticated and the number of unknown threats increases, securing business-critical applications has become more challenging. Applications are often targeted by various threat actors who attempt to exploit vulnerabilities for money and data. Application whitelisting technologies are specifically designed to address these challenges. By allowing only the “known good,” whitelisting solutions help organizations prevent zero-day attacks and unknown malware from gaining access to applications.
The NIST View of Application Whitelisting
The National Institute of Standards and Technology (NIST) provides a comprehensive overview of application whitelisting, including guidance to help organizations understand, evaluate, and implement the technology. The “NIST SP 800-167: Guide to Application Whitelisting” defines whitelisting as follows:
An application whitelist is a list of applications and application components (libraries, configuration files, etc.) that are authorized to be present or active on a host according to a well-defined baseline. The technologies used to enforce application whitelists — to control which applications are permitted to be installed or executed on a host — are called whitelisting programs, application control programs, or application whitelisting technologies.
NIST provides a definitive framework highlighting the effectiveness of using application whitelisting as a security solution. When implemented properly, whitelisting is the most effective method of protecting your applications from known and unknown threats.
The Difference Between Application Blacklisting and Whitelisting
Application whitelisting is a form of application control that takes a trust-centric approach of allowing only the known good. Essentially, authorization is granted only to applications, files, directories, or processes that are classified as required and safe to execute. Everything else is denied by default. Whitelisting decisions are made using attributes such as file name, file size, and directory path.
Application blacklisting is a simple and straightforward security strategy where everything that is known to be malicious — the known bad — is prevented from running on endpoints and servers that are part of the network. Blacklisting takes a threat-centric approach to block all possible malicious software from taking hold of a network. It utilizes a list of signatures and hashes that have been deemed malicious or suspicious, so they are therefore prevented from being downloaded or executed on the network’s systems.
6 Types of Whitelisting Attributes
Application whitelisting takes advantage of a variety of application file and folder attributes to ensure that only vetted and whitelisted files and processes are allowed to run. Here are six types of whitelisting attributes that can be used to secure applications. Each of the attributes has pros and cons, which is why it is recommended that whitelisting uses two or more attributes.
1. File Path Whitelisting
File path whitelisting is a common type of whitelisting that allows all applications in a specified path to run. File path whitelisting has two variations: 1) directory-based whitelisting, where every file in the directory and its subdirectories is allowed; and 2) complete file path whitelisting, where only the specified file name matching the file path is allowed.
2. File Whitelisting
The name of the file can also be used as an attribute. Filename whitelisting is often used in tandem with other attributes to ensure strong security. That’s because when used as a lone attribute, filename whitelisting can fall victim to malicious programs that can relatively easily replicate filenames.
3. File Size Whitelisting
The assumption here is that the malicious version of an application will have a file size that is different from the original. Like filename whitelisting, file size whitelisting is not a strong attribute in itself, but it can be used in combination with other attributes to protect the host.
4. Cryptographic Hash Whitelisting
A cryptographic hash provides a unique value to an application file. Whitelisting using this attribute will ensure that only hashed files that have been whitelisted are allowed to execute, regardless of the file name, file location, or signature.
5. Digital Signature
The digital signature of an application file can be a unique whitelisting attribute. It can be used to verify the authenticity of the file and, therefore, to conclude that the file has not been compromised.
6. Process Whitelisting
Whitelisting can also be done at the process level by selecting only those processes that are relevant to run specific applications. Using process as an attribute locks down systems by allowing legitimate processes to run while preventing the execution of all other processes.
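The following added example (not from this article or from any whitelisting product) shows why combining attributes matters: a file replaced with different content of the same name and size passes a path-plus-size check but is denied once the cryptographic hash is also enforced. The `Rule` class, the `observe` and `evaluate` helpers, the file name `backup-agent`, and the sample contents are all hypothetical and constructed for illustration.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

ALL_ATTRS = ("path", "size", "sha256")

@dataclass(frozen=True)
class Rule:
    path: str    # complete file path (resolved)
    size: int    # expected size in bytes
    sha256: str  # expected SHA-256 hex digest of the contents

def observe(path):
    """Collect the attributes of the file as it exists on disk right now."""
    real = os.path.realpath(path)
    with open(real, "rb") as f:
        data = f.read()
    return Rule(real, len(data), hashlib.sha256(data).hexdigest())

def evaluate(path, rules, attrs=ALL_ATTRS):
    """Default deny: allow only if one rule matches on every attribute in attrs.
    Returns (allowed, mismatched attributes of the closest rule)."""
    seen, closest = observe(path), list(attrs)
    for rule in rules:
        failed = [a for a in attrs if getattr(rule, a) != getattr(seen, a)]
        if not failed:
            return True, []
        if len(failed) < len(closest):
            closest = failed
    return False, closest

def demo():
    original = b"constructed vetted build 1.0\n"       # constructed sample content
    altered = original.replace(b"vetted", b"edited")   # same name, same size
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "backup-agent")       # hypothetical file name
        with open(target, "wb") as f:
            f.write(original)
        rules = [observe(target)]                      # baseline from the vetted file
        vetted = evaluate(target, rules)
        with open(target, "wb") as f:
            f.write(altered)
        weak = evaluate(target, rules, attrs=("path", "size"))
        strong = evaluate(target, rules)
    return vetted, weak, strong

if __name__ == "__main__":
    for name, result in zip(("vetted", "path+size only", "all attributes"), demo()):
        print(name, result)
```

The list returned alongside a denial names the attributes that failed to match, which is the detail an administrator needs when deciding whether a blocked file is a legitimate update that requires a new baseline entry.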
Benefits of Application Whitelisting
Application whitelisting plays a key role in enabling organizations to protect and defend against a range of known and unknown threats. By taking a trust-centric approach, also known as a zero trust approach, it puts the control back in your hands by letting you decide which software runs on your endpoints and servers. By whitelisting processes, files, and/or applications that are necessary for the business, you can proactively create a list of authorized files and software while preventing any other program or file from executing, thereby protecting your network from known and unknown threats.
5 Features to Look for in an Application Whitelisting Product
Not all whitelisting products are equally effective, but choosing the right solution helps you secure your applications from malware, zero-day attacks, ransomware, lateral threats, and advanced file-less attacks. Make sure that the whitelisting solution you choose has the following five features:
1. Multi-Attribute Whitelisting
Some common whitelisting attributes include file path, file name, and file size. However, these attributes on their own are not strong enough to prevent attackers from exploiting vulnerabilities. Look for stronger attributes like cryptographic hash and digital signatures, and then explore how they can be used within your network to secure endpoints and servers.
2. Process-Level Control
Solutions that allow you to whitelist individual processes afford a greater degree of control over your endpoints. By allowing only processes that are actually used by applications running on your endpoints, you can ensure that any malware is prevented from spawning new or unknown processes that could potentially compromise your endpoints.
3. Rule Settings
As attackers become more innovative, they are finding new ways to exploit system vulnerabilities. To prevent zero-day attacks and file-less malware attacks, look for solutions that allow you to set specific rules that ensure that any deviant behavior, even by a whitelisted application, is immediately blocked and flagged.
Legacy and unpatched systems are the ones that are most vulnerable and in need of a security upgrade. When zeroing in on a whitelisting solution, check if the solution can be deployed in and is compatible with the various OS software that is used within your network environment. A whitelisting solution that is compatible with such systems can protect them from attacks without the need for OEM patches.
5. Efficiency and Scalability
When you’re looking for an application whitelisting solution, make sure it’s lightweight and does not degrade the performance of your endpoints and servers. In a world that is increasingly migrating to the cloud, a cloud-based whitelisting solution will not only ensure faster deployment but will also allow you to quickly scale across your network and receive real-time data on threats and vulnerabilities.
Whitelisting: The Bottom Line
Whitelisting is a great security strategy to ensure that you have complete control of your endpoints and servers. However, it may also make your systems restrictive and put extra load on security admins who need to maintain and update extensive whitelists. Powerful whitelisting solutions and whitelist templates can reduce the operational burden of initial deployment.