Tech Bites For Your Business

  ALIGNING TECHNOLOGY WITH BUSINESS

NOVEMBER 20, 2014 

Eide Bailly
Technology Consulting 
ABOUT US

Clients benefit from our proactive, consultative approach to technology. Our strategic technology services and solutions include infrastructure and networking, IT security, ERP and CRM, business analytics, custom application development and business planning.

 

We aim to be our clients' trusted business advisors, guiding them through the advancements in technology from assessing their business needs to implementing the right solution and supporting their systems.

Application Whitelisting
A Critical Piece in Your Security Puzzle

 

Security always seems to be top of mind, for users and businesses alike. As such, organizations should constantly be assessing the integrity of their network and data while reviewing the trending and proven security techniques available in the marketplace. Creating a defense-in-depth strategy for your organization involves a layered approach to security, where multiple practices or techniques are combined to create a stronger, more dynamic protection plan against hacking.

 

Following the release of Windows Server 2003, the capability to implement Software Restriction Policies (SRP) has been widely accepted as one of the safest ways to secure corporate networks. Integrated via Microsoft Active Directory and Group Policy features, SRP identifies and controls the programs running on a domain to increase reliability, integrity and manageability of the devices within an environment.

 

A common SRP technique is blacklisting, where known threats are blocked from running by your antivirus or anti-malware programs. Blacklisting is a critical aspect of any security strategy because it is a cost-effective approach to threat detection; however, it is a reactive defense that cannot scale to today's growing volume and variety of threats. In the instance of a zero-day attack, such as Heartbleed and Shellshock, which leveraged previously unknown system vulnerabilities, blacklisting techniques alone will leave your organization completely susceptible, as they can only protect you against the known. In today's highly ambiguous grey area of security certainty, organizations must prepare for evolving threats to remain secure and successful.

 

Enter: Application whitelisting.

 

Whitelisting is a proactive approach to SRP configuration where, instead of blocking known attacks, your network administrator defines a limited set of permitted programs, called a whitelist, that are allowed to run within a domain. By default, this prevents all other programs, including most malware, from running in the environment. Essentially, it functions as an "if-then" filter that thwarts unauthorized applications from breaching a system. When employed in conjunction with traditional security measures, it creates an additional layer in your organization's defense-in-depth strategy.

 

For example, if an employee opens an e-mail or inserts a USB drive containing malicious code, effective whitelisting leaves that code unable to run within the domain, maintaining the integrity of your organization's network. Traditional downtime in such situations ranges from a couple of hours to a number of days, depending on the penetration of the malware. While you may feel that your network data is secure, can your business withstand an extended network outage?

 

For an effective application whitelisting solution, network administrators should note that all executable code must be blocked by default so only approved, whitelisted programs can run. Additionally, network users must not be able to modify the files allowed to run, and all installations and downloads of new applications will involve administrator authorization. While there are definite advantages to application whitelisting, like the blocking of most current malware and the absence of daily oversight, there are some disadvantages to consider within your organization.
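The two requirements above (deny by default, and no user write access to anything the whitelist trusts) can be modelled in a few lines. This is an added example, not Eide Bailly's or Microsoft's code and not how SRP is implemented: the function names, rule types and file tree are hypothetical, and POSIX group/other write bits stand in for the NTFS permissions a Windows deployment would check.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def user_writable(path):
    # Assumption: group/other write bits model "ordinary users can modify this".
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def decide(path, allowed_hashes, allowed_dirs):
    """Return (verdict, reason); anything no rule matches is denied."""
    path = Path(path).resolve()
    if sha256_of(path) in allowed_hashes:
        return ("allow", "hash rule")
    for d in (Path(x).resolve() for x in allowed_dirs):
        if d in path.parents:
            # A path rule is only trustworthy if users cannot alter its contents.
            if user_writable(d) or user_writable(path):
                return ("deny", "path rule target is user-writable")
            return ("allow", "path rule")
    return ("deny", "default deny")

def make(directory, name, data, dir_mode, file_mode=0o755):
    """Create one constructed sample file with explicit permissions."""
    directory.mkdir(exist_ok=True)
    os.chmod(directory, dir_mode)
    f = directory / name
    f.write_bytes(data)
    os.chmod(f, file_mode)
    return f

def demo():
    """Build a constructed file tree and return the verdict for each case."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        cases = {
            "approved": make(root / "approved", "tool.bin", b"approved tool", 0o755),
            "shared": make(root / "shared", "tool.bin", b"anything", 0o777),
            "dropped": make(root / "downloads", "mail.bin", b"unknown code", 0o755),
            "pinned": make(root / "downloads", "util.bin", b"reviewed util", 0o755),
        }
        hashes = {sha256_of(cases["pinned"])}       # one file approved by hash
        dirs = [root / "approved", root / "shared"]  # two directories approved by path
        out = {name: decide(p, hashes, dirs) for name, p in cases.items()}
        cases["pinned"].write_bytes(b"reviewed util + appended code")  # file modified
        out["pinned_modified"] = decide(cases["pinned"], hashes, dirs)
        return out

if __name__ == "__main__":
    print(demo())
```

The `shared` case is the one to look for when auditing a real policy: a path rule that covers a location users can write to lets any file placed there inherit the approval.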

 

Efficient application whitelisting requires regular maintenance of the whitelist as new applications are added and removed based on the approval process defined within your organization. This, in turn, requires some performance overhead for enforcement and continuous improvement definitions. It is also important to consider that end-users will be limited on downloads, applications and files they are permitted to use which can create some frustration and annoyance. Proper communication on the importance and necessity of rigid policies should be a priority within your security strategy as staff will be more receptive to restrictions when they are made aware of the reasoning. Engage your employees as advocates on your journey to network integrity and never underestimate the importance of a communication plan with all organizational changes.

 

To learn more about whitelisting practices, how it can benefit your organization, and next steps on ensuring your business' security, contact Eide Bailly Technology Consulting today.

 

    

Mike Arvidson
Sr. Manager, Infrastructure Services

This publication is produced and published by Eide Bailly and distributed with the understanding that the information contained does not constitute legal, accounting or other professional advice. It is not intended to be responsive to any individual situation or concerns as the contents of the publication are intended for general informational purposes only. Readers are urged not to act upon the information contained in this publication without first consulting competent legal, accounting or other professional advice regarding implications of a particular factual situation. Questions and information for publication can be submitted to your Eide Bailly representative. To request reprints of this publication, send a written request to RequestReprints@eidebailly.com.
© 2014 Eide Bailly LLP.