What is Whitelisting?
Application control helps you handle the ever-increasing number of threats to computers and devices on a corporate network. As threats and malware have evolved, so has the need for technologies such as application control. Gone are the days when the worst a piece of malware did was redirect the user’s search engine: targeted attacks are now common, and attackers make a living by finding and exploiting vulnerabilities.
Application whitelisting, also called application control, is a security capability that substantially reduces malware and other harmful attacks by allowing only approved, trusted files, applications, and processes to be installed and run on a system. Anything that is not on the list is denied by default.
To block unauthorized activity that could initiate an attack, companies use application whitelisting to harden the endpoint itself rather than relying on perimeter defenses alone. Whitelisting identifies known, approved files, applications, or processes and allows them to execute. Unknown or unapproved code is blocked or restricted, so it cannot run, persist, or spread within a system or environment.
Some companies review blocked files manually, approving legitimate software or remediating where necessary. Advanced endpoint security solutions can also apply whitelisting automatically, through software controls and protection policies that lock down corporate assets, intellectual property, and regulated data. These solutions reduce downtime by automating the approval of trusted software (for example, updates delivered by an approved updater or signed by a trusted publisher), which greatly reduces, though does not eliminate, the manual work of maintaining the whitelist.
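The decision logic described above, as an added example written for this page (it is not code from the original article or from any vendor’s product): a default-deny policy that allows a file by exact hash, by trusted publisher, or by trusted directory, blocks everything else, and queues blocked files for analyst review. A baseline hash check is included because the same comparison is what catches a trusted system file that has been modified. The sample files, their contents, the paths, and the `signer` labels are constructed stand-ins; a real agent would take the publisher from a verified code-signing chain and hook process execution rather than being called directly.

```python
"""Default-deny application control: allow by hash, publisher, or path; block the rest.
Added example with constructed inputs; not code from the original page."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass(frozen=True)
class Binary:
    """A file about to execute. `signer` stands in for the publisher name that a real
    agent would extract from a verified code-signing chain (constructed label here)."""
    path: str
    content: bytes
    signer: Optional[str] = None


@dataclass
class Policy:
    allowed_hashes: set = field(default_factory=set)        # SHA-256 of approved files
    trusted_publishers: set = field(default_factory=set)    # approved publisher names
    trusted_dirs: tuple = ()                                # dirs only admins can write to
    baseline: dict = field(default_factory=dict)            # path -> expected SHA-256 (FIM)
    review_queue: dict = field(default_factory=dict)        # SHA-256 -> path of blocked file


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decide(policy: Policy, binary: Binary) -> Tuple[str, str]:
    """Return (verdict, reason). Rules are ordered strongest first."""
    digest = sha256(binary.content)
    # 1. Exact hash: the strongest rule, unaffected by where the file sits or what it claims.
    if digest in policy.allowed_hashes:
        return "ALLOW", "hash"
    # 2. Integrity drift: a baselined file whose content changed is blocked even when it
    #    lives in a trusted directory. This is the file-integrity-monitoring check.
    expected = policy.baseline.get(binary.path)
    if expected is not None and expected != digest:
        return "BLOCK", "integrity-drift"
    # 3. Publisher rule: lets signed updates from an approved vendor run without re-hashing.
    if binary.signer is not None and binary.signer in policy.trusted_publishers:
        return "ALLOW", "publisher"
    # 4. Path rule: only as strong as the directory's permissions.
    if any(binary.path.startswith(d) for d in policy.trusted_dirs):
        return "ALLOW", "trusted-path"
    # 5. Default deny. Record the hash so an analyst can approve or remediate.
    policy.review_queue[digest] = binary.path
    return "BLOCK", "unknown"


def approve(policy: Policy, digest: str) -> None:
    """Analyst decision: promote a reviewed hash to the allowlist."""
    policy.allowed_hashes.add(digest)
    policy.review_queue.pop(digest, None)


# Constructed sample files (contents are placeholders, not real binaries).
EDITOR = Binary("/opt/editor/bin/editor", b"editor-v1", signer="Example Editor Co")
SYSTEM_LS = Binary("/usr/bin/ls", b"ls-v1")
TAMPERED_LS = Binary("/usr/bin/ls", b"ls-v1-with-implant")
SIGNED_TOOL = Binary("/home/alice/Downloads/tool", b"tool-v2", signer="Example Corp")
INTERNAL_TOOL = Binary("/opt/internal/netcheck", b"netcheck-v3")
DROPPER = Binary("/tmp/.x/payload", b"stage2-ransomware")


def build_policy() -> Policy:
    return Policy(
        allowed_hashes={sha256(EDITOR.content)},
        trusted_publishers={"Example Corp"},
        trusted_dirs=("/usr/bin/",),
        baseline={SYSTEM_LS.path: sha256(SYSTEM_LS.content)},
    )


def run_demo() -> dict:
    """Evaluate every sample, then approve the blocked internal tool and re-check it."""
    policy = build_policy()
    samples = {
        "editor": EDITOR, "ls": SYSTEM_LS, "tampered_ls": TAMPERED_LS,
        "signed_tool": SIGNED_TOOL, "internal_tool": INTERNAL_TOOL, "dropper": DROPPER,
    }
    verdicts = {name: decide(policy, b) for name, b in samples.items()}
    approve(policy, sha256(INTERNAL_TOOL.content))                # analyst reviewed it
    verdicts["internal_tool_after_approval"] = decide(policy, INTERNAL_TOOL)
    verdicts["dropper_after_approval"] = decide(policy, DROPPER)  # still blocked
    verdicts["pending_review"] = tuple(sorted(policy.review_queue.values()))
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:28} {verdict}")
```

The rule order matters: the hash rule runs first because it cannot be fooled by a file's location or its claimed publisher, and the drift check runs before the directory rule because a trusted path is only trustworthy while ordinary users cannot write to it. The review queue is the manual step the paragraph above describes; `approve()` is the point where an automated policy (trusted updater, trusted publisher) would replace the analyst.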
Combined with other advanced techniques such as behavioral analysis and machine learning, whitelisting is one of the most effective contributors to blocking and preventing malicious attacks.
As an example, NSS Labs, an independent organization that tests security products and provides cybersecurity guidance, tested Advanced Endpoint Protection (AEP) products to determine their effectiveness. The goal of the test was to validate proactive blocking and active detection of both known and unknown threats.
As seen in the company’s 2017 Security Value Map for Advanced Endpoint Protection, the NSS Labs test showed that products combining whitelisting with other endpoint security capabilities were able to stop 100% of the attacks used in that test.
Security experts have called whitelisting a must-have, foundational security strategy that has the ability to stop nefarious attacks such as ransomware.
In fact, an article on CSO suggests that real-time whitelisting based on recommendations, reputation scores, and other data can theoretically “offer the promise of nearly-perfect endpoint security with very low management overhead.”
Help Net Security recently shared a similar perspective from Neil MacDonald, a senior Gartner analyst covering security and privacy, on how whitelisting can be used to block attacks. “To lessen the risk of future attacks against vulnerabilities of all types, we have long advocated the use of application control and whitelisting on servers,” says MacDonald. “If you haven’t done so already, now is the time to apply a default deny mindset to server workload protection – whether those workloads are physical, virtual, public cloud or container-based. This should become a standard practice and a priority for all security and risk management leaders in 2018.”
Phil Hagen, a digital forensics and incident response (DFIR) strategist at security solutions company Red Canary, agrees with MacDonald. In a recent blog post, Hagen notes that “application control solutions like that offered by our partner Carbon Black are absolutely the single most meaningful step toward prevention that an organization can take. This methodology ensures that only a list of approved binaries can run on the systems within an enterprise. Whether the phishing payload is garden-variety ransomware or highly-targeted custom malware, the price of becoming a victim generally reaches far beyond that of deploying and maintaining a whitelisting solution.”
Given the current threat landscape, a complete endpoint security solution should include whitelisting so that sensitive data is continually protected. Based on strict policies that define the allowed activities, whitelisting and application control lock down critical systems in real time and automatically prevent untrusted files, applications, and processes from executing. With these capabilities, companies can:
Stop attacks by allowing only approved software to run
Automate software approvals and updates via IT and cloud-driven policies
Prevent unwanted change to system configuration at the kernel and user mode levels
Enable device control and file integrity monitoring and control (FIM/FIC) capabilities
Meet IT risk and audit controls across major regulatory mandates