Application allowlisting

Application allowlisting is a method of strictly controlling what programs can be run in your environment.

Summary

Application allowlisting, previously called whitelisting, is a security control that only permits specific programs to run. The control has evolved over time and used to rely on manually configured policies and rules. It is now a feature of most modern endpoint security software, which should include regular updates from the vendor to detect and block the latest malware behaviours.

Drive-by downloads (the unintentional downloading of files from a website) and malicious email attachments are the most common causes of malware incidents. Endpoint protection with application allowlist protection can prevent these incidents.

Purpose

Devices used in the organisation are protected with software that can prevent malicious programs from running, and only allow programs that are commonly run or expected to run.

Measuring success

A successful application allowlisting control has straightforward and measurable criteria. Differences in this control between organisations will be in the policies enforced, the configurations set and the operational processes followed.

Use the following criteria to measure your success in this control:

  • Your organisation has software installed on all devices that enforces application allowlist policies.
  • These policies are automatically managed using learned behaviour and other algorithms. Manual policies and rules can also be created and enforced by administrators.
  • Your organisation enforces access controls which allow the correct policies to be applied to the correct end users.
  • Your organisation enforces the principle of least privilege which limits an end user’s ability to bypass the policies.
  • You monitor known policy bypass techniques, and include this in your vulnerability management process.
  • Your standard build-hardening process includes deploying the endpoint software to any new devices. You will need to consider your workstations, servers, laptops, mobile devices, and any other device that accesses organisation data. This could include organisation-owned and bring-your-own devices (BYOD).
  • Policy logs are recorded and stored in a central location to capture attempted and blocked file executions. These logs are configured to trigger alerts that feed into operational processes, such as incident or change management. An emergency change management process is followed when critical programs are blocked.

Application allowlisting: key takeaways

  • Application allowlisting has come a long way since the days of manually configuring policies and rules. The feature now comes included in common endpoint protection software, and you can save resources by relying on the system to tell you what programs or actions should or should not be executed.
  • Use application allowlisting features that come with the operating system if you can. These policies and configurations can usually be controlled centrally. This can help reduce the cost of the control, as you avoid purchasing another piece of software.
  • Application allowlisting is one security control that should be paired with others in the CERT NZ critical control list for a “defense in depth” approach. An attacker can bypass even very strict rule conditions by hiding their malicious code in other trusted, allowlisted applications. Application allowlisting is also not effective if the applications are vulnerable and unpatched.
  • Enforcing a policy with file or folder-based rules will be difficult if there are users who have write and execute access to a folder (for example, multiple local administrators). With this access, the users could either modify a file or write a new file to the folder to execute an untrusted file. It’s important to be alerted when something is blocked so you can investigate, either through a tool or centralised logging.
  • Ransomware attackers have previously disabled tools to disguise their activity, so alerts are necessary to raise the alarm if the tool is ever disabled on an endpoint.
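
The folder-based rule weakness described in the takeaways above can be checked before a path is added to a policy. The following is an added example, not code from CERT NZ or from any endpoint product; it assumes POSIX permission bits (Windows ACLs would need a different check), and the function name `audit_folder_rule`, the `trusted_uids` parameter and the paths in the usage comment are hypothetical.

```python
import os
import stat
import sys

# Write access for anyone other than the owner (POSIX permission bits).
WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH


def audit_folder_rule(rule_folder, trusted_uids=frozenset({0})):
    """Return (path, reason) findings for one folder-based allow rule.

    A finding means an account outside trusted_uids (assumed default: root
    only) could add or change a file that the rule would then allow to run.
    """
    root = os.path.realpath(rule_folder)
    # Collect the folder itself plus every directory and file beneath it.
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, name) for name in dirnames + filenames]

    findings = []
    for path in paths:
        st = os.lstat(path)  # lstat: inspect a link itself, never its target
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink: target is not checked by this audit"))
            continue
        if st.st_uid not in trusted_uids:
            findings.append((path, "owner uid %d is not trusted" % st.st_uid))
        if st.st_mode & WRITE_BITS:
            mode = stat.S_IMODE(st.st_mode)
            findings.append((path, "group- or world-writable (mode %o)" % mode))
    return findings


if __name__ == "__main__":
    # Usage (constructed paths): python audit_rules.py /opt/approved-tools
    exit_code = 0
    for folder in sys.argv[1:]:
        for path, reason in audit_folder_rule(folder):
            print("%s: %s" % (path, reason))
            exit_code = 1
    sys.exit(exit_code)  # non-zero exit lets a build-hardening job fail
```

Parent directories above the rule folder are not checked; a writable parent would allow the folder itself to be replaced, so review those separately.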

Advice for implementation

Application allowlisting implementation advice