Implementing application control

Application control is a method of strictly managing what programs can be run in your environment.

Summary

Application control is a security control that only permits specific software packages to run. It has evolved over time: earlier implementations relied on administrators manually configuring every policy and rule. Application control builds on an earlier control, application allowlisting (previously called whitelisting), which only permits specific, named programs to run. Application control is now a feature of most modern endpoint security software, and should include regular updates from the vendor so that it can detect and block the latest malware behaviours.

Drive-by downloads (unintentional downloads of files from a website) and malicious email attachments are the most common causes of malware incidents. Endpoint protection with application control can prevent these incidents: the downloaded file or attachment is blocked from executing even if the user opens it.

Purpose

Devices used in the organisation are protected with software that can prevent malicious software from running, and only allow programs that are commonly run or expected to run.

Measuring success

Successful application control has straightforward and measurable criteria. Differences in this control between organisations will be in the configurations set and the operational processes followed.

Use the following criteria to measure your success in this control:

  • Your organisation has software installed on all devices that enforces application control policies.
  • These policies are automatically managed using learned behaviour and other algorithms. Manual policies and rules can also be created and enforced by administrators.
  • Your organisation enforces access controls which allow the correct policies to be applied to the correct end users.
  • Your organisation enforces the principle of least privilege which limits an end user’s ability to bypass the policies.
  • You track known policy bypass techniques (for example, allowed programs that can be used to run arbitrary code) and handle them through your vulnerability management process.
  • Your standard build-hardening process includes deploying the endpoint software to any new devices. You will need to consider your workstations, servers, laptops, mobile devices, and any other device that accesses organisational data. This could include organisation-owned and bring-your-own-devices (BYOD).
  • Policy logs are recorded and stored in a central location to capture attempted and blocked file executions. These logs are configured to trigger alerts that feed into operational processes, such as incident or change management. An emergency change management process is followed when critical programs are blocked.
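As an added example, not part of the CERT NZ page, the following PowerShell shows what meeting these criteria looks like with AppLocker, the application control feature built into Windows: it builds a policy from a clean reference build, deploys it in audit mode, tests a file against it, and pulls the block events a central collector should forward and alert on. The reference directories, the policy output path and the sample file path are assumptions.

```powershell
# Added example, not from the CERT NZ page. Assumes a clean reference build,
# the AppLocker module (Windows 10/11, Server 2016+) and an elevated session.

# 1. Inventory the executables, DLLs, scripts and installers on the reference build
#    and generate publisher rules, falling back to hash rules for unsigned files.
$refDirs  = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'   # assumed
$fileInfo = foreach ($dir in $refDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe,Dll,Script,WindowsInstaller
}
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher,Hash `
    -User Everyone -RuleNamePrefix 'RefBuild' -Optimize -IgnoreMissingFileInformation -Xml

# 2. Roll out in audit mode first: violations are logged (event 8003) but not enforced,
#    so a legitimate program the inventory missed shows up in the logs before it breaks.
#    New-AppLockerPolicy emits EnforcementMode="NotConfigured" on each rule collection.
$policyXml  = $policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyPath = 'C:\Policies\applocker-audit.xml'                          # assumed
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge     # add -Ldap '<GPO path>' to target a GPO instead

# 3. Check an unknown program against the policy without running it (file path assumed).
Test-AppLockerPolicy -XmlPolicy $policyPath -Path 'C:\Temp\unknown-tool.exe' -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 4. Events a central collector should forward and alert on:
#    8003 = would have been blocked (audit mode), 8004 = blocked (enforced).
#    Script and installer events are in 'Microsoft-Windows-AppLocker/MSI and Script'.
function Get-AppLockerBlocks {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004; StartTime = $Since
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Mode     = if ($e.Id -eq 8004) { 'Blocked' } else { 'AuditOnly' }
            User     = $data.TargetUser      # SID of the user who tried to run the file
            FilePath = $data.FilePath
            Hash     = $data.FileHash
        }
    }
}

# Repeated hits on one path across many users usually mean a missing rule (raise a change);
# a one-off path under a user profile is an incident candidate.
Get-AppLockerBlocks | Group-Object FilePath | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } }
```

Leave the policy in audit mode until the 8003 events for a full business cycle contain only programs you intend to block, then switch the collections to `EnforcementMode="Enabled"`; the same `Get-AppLockerBlocks` output is what the central log store should receive from every endpoint so the alerts feed change and incident management.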

Application allowlisting: key takeaways

  • Application control has come a long way since the days of manually configuring every policy and rule. The feature now comes included in common endpoint protection software, and you can save effort by letting the product's learned baseline propose which programs and actions should or should not be allowed to execute, while still reviewing what it decides.
  • Use application control features that come with the operating system if you can. These policies and configurations can usually be managed centrally. It can help reduce the cost of the control, instead of purchasing another piece of software.
  • Application control is one security control that should be paired with others in the CERT NZ critical controls list for a “defence in depth” approach. An attacker can bypass even very strict rules by running their malicious code inside a trusted, allowlisted application (for example, a script interpreter or a program that loads arbitrary code), so allowing an application is not the same as allowing everything it can do. Application control also does not help if an allowed application is vulnerable and unpatched: the exploit runs inside a program the policy trusts.
  • Enforcing a policy with file or folder-based (path) rules is difficult when users can both write to and execute from a folder (for example, when there are multiple local administrators, or a folder under an allowed path is writable by standard users). With that access a user, or malware running as that user, can modify an allowed file or drop a new file into the folder and the policy will allow it. Prefer publisher or hash rules where you can, and make sure you are alerted when something is blocked so you can investigate, either through the tool or through centralised logging.
  • Ransomware attackers have previously disabled endpoint tools to disguise their activity, so alerts are also needed to raise the alarm if the tool is ever disabled on an endpoint.
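Two checks that follow from the last two takeaways, again as an added PowerShell example using AppLocker rather than code from the page: the first lists directories inside the folders allowed by path rules that a standard user can write to (the gap described above), and the second confirms that the Application Identity service AppLocker depends on is running, since a stopped enforcement service is exactly what an alert should catch. The principal names treated as "any standard user", the scan depth and the use of the local effective policy are assumptions.

```powershell
# Added example, not from the CERT NZ page. Assumes the local effective AppLocker policy
# is the one to audit; run elevated so every directory's ACL can be read.

# Principals that mean "any standard user" (assumed list) and the ACE bits that let them
# create or alter files: WriteData (0x1), AppendData (0x4), GENERIC_WRITE (0x40000000),
# GENERIC_ALL (0x10000000). Deny ACEs are not evaluated, so hits are candidates to review.
$userPrincipals = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'
$writeMask      = 0x1 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Get-AllowedPathRoots {
    # Expand the AppLocker path variables used by Allow path rules into real directories.
    $policy = [xml](Get-AppLockerPolicy -Effective -Xml)
    $vars = @{
        '%WINDIR%'       = @($env:windir)
        '%SYSTEM32%'     = @("$env:windir\System32")
        '%PROGRAMFILES%' = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
        '%OSDRIVE%'      = @("$env:SystemDrive\")
    }
    $rules = $policy.AppLockerPolicy.RuleCollection.FilePathRule | Where-Object { $_.Action -eq 'Allow' }
    foreach ($rule in $rules) {
        $pattern = $rule.Conditions.FilePathCondition.Path
        if ($pattern -notmatch '\*') { continue }            # a single-file rule has no folder to scan
        $folder = $pattern -replace '\\?\*.*$', ''           # '%WINDIR%\*' -> '%WINDIR%'
        $roots  = @($folder)
        foreach ($v in $vars.Keys) {
            if ($folder -like "$v*") {
                $roots = foreach ($real in $vars[$v]) {
                    if ($real) { $folder -replace ([regex]::Escape($v)), $real }
                }
            }
        }
        $roots
    }
}

function Find-UserWritableDirs {
    param([string[]]$Roots, [int]$Depth = 2)   # depth limit is an assumption; raise it for a full audit
    foreach ($root in ($Roots | Sort-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $dirs = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($userPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
                [pscustomobject]@{ Directory = $dir.FullName; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
            }
        }
    }
}

function Test-AppLockerEnforcing {
    # AppLocker enforces nothing unless the Application Identity service (AppIDSvc) is running.
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Host    = $env:COMPUTERNAME
        Present = [bool]$svc
        Running = [bool]($svc -and $svc.Status -eq 'Running')
        Start   = if ($svc) { $svc.StartType } else { $null }
    }
}

Find-UserWritableDirs -Roots (Get-AllowedPathRoots) | Format-Table -AutoSize
$state = Test-AppLockerEnforcing
if (-not $state.Running) { Write-Warning "AppLocker is not enforcing on $($state.Host): raise an alert" }
```

With the default rules, the scan of `%WINDIR%\*` turns up user-writable locations such as `C:\Windows\Tasks`, which is why a blanket allow rule on that folder needs an accompanying Deny rule or exception for those paths, or a switch to publisher rules. Feed the `Test-AppLockerEnforcing` result from every endpoint into the same central store as the block events; on recent Windows builds the service is protected, so set its startup type through Group Policy (System Services) rather than expecting `Set-Service` to succeed.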

Advice for implementation

Enable application control