Application whitelisting enhances security by controlling software usage. Learn how to implement effective whitelisting strategies.
By SentinelOne, July 16, 2021
Application whitelisting is a security approach that allows only approved applications to run on a system. This guide explores the principles of application whitelisting, its benefits, and how it enhances security.
Learn about best practices for implementing whitelisting and the importance of regular updates and monitoring. Understanding application whitelisting is crucial for organizations to protect against unauthorized software and malware.
Application allowlisting is a form of endpoint security that helps prevent malicious programs from running on a network. It monitors operating systems in real time to prevent unauthorized files from being executed.
According to NIST SP 800-167, an application allowlist is: “a list of applications and application components (libraries, configuration files, etc.) that are authorized to be present or active on a host according to a well-defined baseline.” Using application allowlisting technologies, organizations may prevent the execution of malware and other unauthorized software on end-user devices and the network.
Application allowlisting gives administrators and organizations control over which programs can run. Any program not specifically allowlisted is automatically blocklisted.
Although “application allowlisting” and “application whitelisting” refer to the same thing, application allowlisting is the preferred language for describing this security capability.
According to the UK’s National Cyber Security Centre, equating “white” with “good, permitted, and safe” and black with “bad, dangerous, and forbidden” is problematic, especially when another less ambiguous term is available to describe the same activities.
It is the same case for “blocklisting” (or denylisting) and “blacklisting.” While using the term “blacklisting” to describe undesirable attributes in cybersecurity was common, the neutral “blocklisting” is now in favor.
Application allowlisting involves specifying an index of allowed or approved software applications on computer systems to protect them from potentially harmful applications. A third-party vendor can provide this list of approved applications or build it into the host operating system.
Using application allowlisting, organizations can prevent the installation and execution of applications that are not explicitly authorized. Allowlisting software compares any applications attempting to run on the network with the list of allowed applications. If the application is on the allowlist, it is allowed to proceed.
Network administrators are typically the ones who choose which applications to allow so they can maintain strict control over the safety of their system and minimize the number of people who have access to the cybersecurity decision-making process.
Unlike antivirus software, which uses blocklists to prevent known “bad” activity and allow everything else, allowlisting technologies permit known “good” activity and block everything else. Ultimately, this practice can help mitigate various threats, including malware and unauthorized or potentially vulnerable software.
Since many of today’s malware-based threats are customized and targeted, application allowlisting can help stop malware from being installed or executed. Sometimes, application allowlisting technologies may be more effective than antivirus software for preventing unknown malware.
In addition to blocking unauthorized applications, application allowlisting software monitors an operating system in real time, preventing the execution of unauthorized files. Beyond simply stopping unwanted applications from running, application allowlisting performs a granular inspection of the application installation packages to verify the integrity of the files.
Application allowlisting is a simple yet effective step to securing an organization’s endpoints. Administrators can stop malicious programs before they cause irreparable harm by ensuring end-users can install only approved applications.
Using a predefined list of “bad” applications, blocklisting software typically compares any applications attempting to run on the network with the list of blocked applications. If the application is not on the blocklist, it is allowed to proceed.
For example, conventional antivirus software uses blocklisting to prevent known malware from being executed on a computer system. Since application allowlisting denies unlisted applications and application blocklisting allows unlisted applications, application allowlisting is arguably more secure than application blocklisting.
“Application allowlisting” and “application control” are often used interchangeably, but they do not always mean the same thing. Although both technologies can prevent unauthorized applications, application allowlisting is more stringent than application control.
Application control is similar to application allowlisting since it can prevent unauthorized applications from being installed on endpoints.
But the technology has two significant caveats. First, application control works at the installation package level, which means it cannot prevent an end-user from running an application that is already installed on the system or a standalone executable file.
Second, application control tools don’t always inspect application installation packages at a granular level. Instead, they only verify if the application is allowed. A threat actor could install unauthorized code into an otherwise legitimate application package to bypass application control tools.
Different application allowlisting types offer different balances between security, usability, and maintainability. They include the following:
The file path is the most general attribute and permits all applications with a particular path (i.e., directory or folder). A file path can be a weak attribute since it allows the execution of any malicious files within the directory. However, if strict access controls enable only administrators to add or modify files, the file path can become a more robust attribute.
File paths can also be beneficial by not requiring each file within the path to be listed separately, which can reduce the need to update the allowlist for every new application and patch.
The filename is often too general an attribute on its own. For instance, if a file were infected or replaced, its name would be unlikely to change, and the file would still execute under the allowlist.
Additionally, a threat actor could place a malicious file onto a host using the same name as a standard benign file. Due to these weaknesses, filename attributes work best with other attributes, such as file path or digital signature attributes.
By monitoring the file size of an application, administrators assume that a malicious version would have a different file size than the original version.
However, threat actors often intentionally craft malicious files to have the same size as their benign counterparts. Other attributes, including digital signature and cryptographic hash, may better identify files and should be used instead of file size whenever possible.
Cryptographic hashes can provide a reliable and unique value for an application file as long as the cryptography used is strong and the hash is already associated with a “good” file. A cryptographic hash is usually accurate no matter where the file lives, what it is named, or how it is signed.
However, cryptographic hashes are less helpful when files are updated. For instance, when an application is patched, the patched version has a different hash. In these cases, the patch can be confirmed as legitimate through its digital signature, and the new cryptographic hash is then added to the allowlist.
Today, many publishers digitally sign application files. Digital signatures provide a reliable and unique value for the recipient’s verification of application files and can enable teams to ensure that the file is legitimate and unaltered.
However, some publishers do not sign application files, so using only publisher-provided digital signatures is often impossible. Some application allowlists can be based on the publisher’s identity rather than verifying individual digital signatures. Still, this method assumes that organizations can trust all applications from trusted publishers.
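To make the trade-offs between these attributes concrete, here is an added example (not SentinelOne's code or any product's rule format) that evaluates four constructed sample files under allowlist policies built from filename, file path, cryptographic hash, and a combined path-plus-publisher rule; it also shows the default-deny behaviour described earlier, where anything unlisted is blocked. The paths, file contents and publisher name are invented, and the publisher field stands in for a signature that a real tool would verify first.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Dict, List, Optional, Tuple

# Constructed sample executables, kept in memory so this runs offline:
# label -> (path, file contents, publisher from an assumed-verified signature, or None if unsigned)
SAMPLES: Dict[str, Tuple[str, bytes, Optional[str]]] = {
    "original": ("/opt/approved/editor", b"editor v1.0", "Acme Software"),
    "patched": ("/opt/approved/editor", b"editor v1.1", "Acme Software"),
    "same_name_in_downloads": ("/home/user/Downloads/editor", b"trojanized editor", None),
    "unsigned_in_trusted_dir": ("/opt/approved/updater", b"dropped payload", None),
}

@dataclass(frozen=True)
class Rule:  # one allowlist entry; every attribute that is set must match (AND)
    path_prefix: Optional[str] = None   # directory the file must live under
    name: Optional[str] = None          # bare filename
    sha256: Optional[str] = None        # cryptographic hash of the contents
    publisher: Optional[str] = None     # signer identity (a real tool verifies the signature first)

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def rule_matches(rule: Rule, path: str, data: bytes, publisher: Optional[str]) -> bool:
    p = PurePosixPath(path)
    checks = []
    if rule.path_prefix is not None:
        checks.append(p.is_relative_to(rule.path_prefix))
    if rule.name is not None:
        checks.append(p.name == rule.name)
    if rule.sha256 is not None:
        checks.append(sha256_of(data) == rule.sha256)
    if rule.publisher is not None:
        checks.append(publisher == rule.publisher)
    return bool(checks) and all(checks)

def decide(rules: List[Rule], path: str, data: bytes, publisher: Optional[str]) -> str:
    # Allow if any rule matches; anything unlisted is denied (default deny).
    return "allow" if any(rule_matches(r, path, data, publisher) for r in rules) else "deny"

def evaluate_policy(rules: List[Rule]) -> Dict[str, str]:
    return {label: decide(rules, *attrs) for label, attrs in SAMPLES.items()}

# Four policies, one per attribute discussed above plus a combined rule.
HASH_ONLY = [Rule(sha256=sha256_of(b"editor v1.0"))]
NAME_ONLY = [Rule(name="editor")]
PATH_ONLY = [Rule(path_prefix="/opt/approved")]
PATH_AND_PUBLISHER = [Rule(path_prefix="/opt/approved", publisher="Acme Software")]

if __name__ == "__main__":  # print each policy's decisions for the four samples
    for title, policy in [("hash", HASH_ONLY), ("name", NAME_ONLY), ("path", PATH_ONLY), ("path+publisher", PATH_AND_PUBLISHER)]:
        print(title, evaluate_policy(policy))
```

Running it shows the hash-only policy rejecting the legitimate patch, the name-only policy accepting the same-named file in Downloads, the path-only policy accepting the unsigned file dropped into the trusted directory, and only the combined rule getting all four cases right.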
There are several benefits and limitations associated with application allowlisting.
The main advantage of application allowlisting is that it can help stop malware and ransomware from entering and executing within networks. Since application allowlisting is more restrictive than blocklisting, end-users will need permission from administrators before they can install programs that are not on the organization’s allowlist. Requiring approval for unauthorized applications can help prevent malicious programs from being installed on endpoints.
The main advantages of application allowlisting include the following:
One crucial limitation of application allowlists is that they can create additional work for security teams. For instance, compiling the initial allowlist requires obtaining detailed information about end users’ tasks and the applications needed to perform those tasks.
Similarly, maintaining allowlists can take time due to the increasing complexity of applications and enterprise technology stacks.
Some of the main disadvantages associated with application allowlisting include the following:
Fortunately, application allowlisting typically integrates well with other cybersecurity measures, so organizations can combine different tools to cater to their unique networks and systems.
Application allowlisting is a proactive method of keeping networks secure, and its primary purpose is to provide application access control. However, organizations can also use application allowlisting tools for other purposes, including:
Organizations considering an application allowlisting tool should begin by analyzing the environments in which the hosts will run.
Application allowlisting solutions are typically best suited for hosts in Specialized Security-Limited Functionality (SSLF) environments that are highly restrictive and secure due to the high risk of attack or data exposure. It’s also important to remember that application allowlists require dedicated staff to manage and maintain the solution.
Next, organizations can consider which application allowlisting tools best suit their environment. For centrally managed hosts (e.g., desktops, laptops, and servers), an application allowlisting technology already built into the operating system may be most practical due to the relative ease and minimal cost of managing these solutions.
If built-in allowlisting capabilities are unsuitable or unavailable, a third-party solution with robust centralized management capabilities is the next best option.
Creating an effective application allowlist begins with visibility across the entire technology stack. Organizations cannot protect what they can’t see.
With SingularityXDR from SentinelOne, organizations can eliminate blind spots for centralized end-to-end enterprise visibility, powerful analytics, and automated response across the complete technology stack. See data collected by disparate security solutions from all platforms, including endpoints, cloud workloads, network devices, email, identity, and more, all within a single dashboard.
Discover why the world’s leading and largest enterprises trust SentinelOne and get a demo today.