The ever-increasing threat of attacks from new and unknown malware strains has made application whitelisting an important tool to secure endpoints and servers. At its core, whitelisting takes a zero trust approach to security by allowing only the known good to run while preventing all unknown files and applications from executing. This trust-centric approach helps you secure your applications from malware, zero-day attacks, ransomware, lateral threats, and advanced file-less attacks.
Top 5 Features to Look for in an Application Whitelisting Solution
Not all application whitelisting products are equally effective, however. If you’re in the market for a whitelisting solution, it’s important to select one that checks these five key boxes.
1. Multiple Whitelisting Attributes
Attributes are at the center of any whitelisting solution, as they give you the flexibility to allow legitimate programs and applications to run based on the needs of your enterprise. There are many different attributes that can be used for whitelisting. Some of the most commonly used include file path, file name, and file size. However, if used individually, these attributes are not strong enough to prevent attackers from exploiting vulnerabilities. When choosing a whitelisting solution, check for stronger attributes like cryptographic hash and digital signatures, and explore how they can be used within your network to secure endpoints and servers.
2. Process-Level Control
While file path, file name, file size, cryptographic hash, and digital signatures are desirable attributes, they also have shortcomings which either allow them to be exploited or sometimes make them operationally impractical. However, solutions that allow you to whitelist processes afford a greater degree of control over your endpoints. By allowing only processes that are actually used by applications running on your endpoints, you can ensure that any malware is prevented from spawning new or unknown processes that could potentially compromise your endpoints. So, solutions that provide control at the process level are desirable if your enterprise is at high risk of attack from unknown malware.
3. Rule Settings
As attackers become more innovative, they are finding new ways to exploit system vulnerabilities. In many cases, even whitelisted applications can be turned malicious. Also, a large percentage of successful attacks include the use of file-less malware, which is undetectable by traditional antivirus solutions. To prevent zero-day attacks and file-less malware attacks, look for solutions that allow you to set specific rules that ensure that any deviant behavior, even by a whitelisted application, is immediately blocked and flagged. For example, a Chrome browser spawning a powershell.exe is suspicious and ideally would not be allowed to execute. However, both Chrome and PowerShell may be whitelisted applications. To prevent the powershell.exe file from executing, your whitelisting solution should be able to set rules defining the context, such as which processes an application or process can spawn in a given situation.
Enterprise networks consist of thousands of endpoints that could be running on different types of operating systems. In fact, many endpoints and servers may use legacy or unpatched OS, putting them at high risk of attack. When zeroing in on a whitelisting solution, check if the solution can be deployed in and is compatible with the various OS software that is used within your network environment. Legacy and unpatched systems are the ones that are most vulnerable and in need of a security upgrade. A whitelisting solution that is compatible with such systems can protect them from attacks without the need for OEM patches. The right whitelisting solution will be able to significantly improve your overall security posture.
5. Efficiency and Scalability
It is likely that your endpoints are already loaded with antivirus and/or EDR solutions that are constantly scanning and communicating with a server to either update their signature database or send behavior data for analysis. When you’re looking for an application whitelisting solution, make sure it’s lightweight and does not degrade the performance of your endpoints and servers. In a world that is increasingly migrating to the cloud, a cloud-based whitelisting solution will not only ensure faster deployment but also allow you to quickly scale across your network and receive real-time data on threats and vulnerabilities. Another advantage of a cloud-based solution is the lack of hardware requirement and vendor lock-in, which significantly reduces capital expenses.
Other Considerations When Selecting Application Whitelisting Products
There are several whitelisting solutions on the market today, and finding one that meets your requirements is critical. Apart from the features mentioned above, you should also consider the operational challenges, how long it takes to implement, and how many resources need to be allocated to manage the solution. Solutions that can operate in simulation mode allow you to learn about the impact on workflows before implementation. Also, having whitelist templates can greatly reduce the time needed to create whitelists manually.
ColorTokens Xprotect combines powerful whitelisting capabilities, which allow process-level control of endpoints and servers, with embedded threat intelligence and process-level trust scores to analyze and validate every running process and file. Xprotect is a cloud-delivered solution that allows only company-sanctioned applications, which lets you adopt different levels of security based on the type and purpose of endpoints.
Learn how ColorTokens Xprotect can secure your enterprise against a host of known and unknown threats. Schedule a demo with our security experts today.
About the Author: Jai Balasubramaniyan is the Director of Product Management at ColorTokens Inc. He has been instrumental in creating award winning Enterprise Security Products at Cisco, Trend Micro, Check Point, Zscaler, Gigamon, CrowdStrike and ColorTokens. Jai has several patents and publications in the security field. He has a Masters in Computer Science from Purdue University and an MBA from the Kellogg School of Management.