Application Whitelisting

Application whitelisting

Application whitelisting is a “deny by default” approach to executables, DLLs and scripts. The technology to do this on Windows and Linux has existed for more than a decade, but the administrative burden and cost of using native mechanisms used to be too high for most enterprises to attempt this, so they didn’t.

Times have changed.

We’ve searched the world and have partnered with innovative vendors who have revolutionized application whitelisting by making it easy and simple to install, integrate and manage. A large global enterprise with 50,000+ workstations and 25,000 servers can now implement very strict and granular application allowlist policies on Windows, Linux and MacOS systems in under 6 weeks, and run it themselves with less than 0.2 FTE for ongoing operational maintenance.

Application whitelisting has for many years been an essential cybersecurity compliance requirement for almost all regulated government and publicly listed enterprises in the United States, Canada, Australia and New Zealand. The MENA region isn’t far behind, with several GCC central banks having recently declared it to be a compliance requirement for their licensed financial institutions.

Many CTOs and CISOs think they’ve already implemented application whitelisting in their organisation, and for them we have simple assessment tools that put that claim to the test. AppLocker implementations that rely on primitive path-based rules provide a false sense of security: a path rule allows a file because of where it sits, not because of what it is, so such policies are easily bypassed by commodity malware.
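As an added example, not the assessment tooling the page refers to, the following Windows PowerShell contrasts a broad path-based AppLocker rule with publisher and hash rules derived from the binaries actually installed, and uses Test-AppLockerPolicy to evaluate an unsigned test binary placed in a user-writable folder under each policy. Assumed: an elevated Windows PowerShell 5.1 session with the AppLocker module; the rule GUID, staging path and test binary are constructed for the demonstration.

```powershell
# Added example, not the page's assessment tooling. Assumes an elevated Windows
# PowerShell 5.1 session with the AppLocker module. GUID, paths and the test
# binary are constructed.

# Build an unsigned test binary (constructed) in a user-writable folder.
$stage = Join-Path $env:USERPROFILE 'Downloads\dropped.exe'
Add-Type -TypeDefinition 'class P { static void Main() { } }' `
         -OutputType ConsoleApplication -OutputAssembly $stage

# Weak policy: a single broad path rule. The decision depends only on where a
# file sits, so any binary that lands under the path is allowed, signed or not.
$weakXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="11111111-2222-3333-4444-555555555555" Name="Allow user profiles"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$weakPolicy = Join-Path $env:TEMP 'weak.xml'
Set-Content -Path $weakPolicy -Value $weakXml

# Evaluate the unknown binary against the path-based policy.
Test-AppLockerPolicy -XmlPolicy $weakPolicy -Path $stage -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Hardened policy: publisher rules for signed binaries and hash rules for the
# rest, generated from what is installed, with no path rules at all. The
# decision now depends on the identity of the file, not its location.
$known = Get-AppLockerFileInformation -Directory $env:ProgramFiles -Recurse -FileType Exe
$hardenedPolicy = Join-Path $env:TEMP 'hardened.xml'
New-AppLockerPolicy -FileInformation $known -RuleType Publisher, Hash `
                    -User Everyone -Optimize -Xml |
    Set-Content -Path $hardenedPolicy

# Evaluate the same binary against the identity-based policy.
Test-AppLockerPolicy -XmlPolicy $hardenedPolicy -Path $stage -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

Neither policy is applied to the host; Test-AppLockerPolicy only simulates the decision against the XML, which is the same check an assessment of an existing AppLocker deployment runs against its exported policy.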


Block Ransomware

Ransomware is a type of malware, which is a type of software. With properly implemented application allowlisting policies (i.e. with no path-based rules), ransomware can’t run.

It’s as simple as that.


Block Zero-Day Exploits

How many known vulnerabilities are in your network? What about your unknown vulnerabilities? Do your cyber adversaries have working exploits for your unknown vulnerabilities? Yes, they do.

Exploits are a type of malware, which is a type of software. With properly implemented application allowlisting policies (i.e. with no path-based rules), exploits written to disk won’t execute, which means attackers can’t establish persistence, they can’t move laterally and they can’t chain another exploit to escalate their privileges. The attack is stopped before it’s allowed to start.

With application whitelisting, you’ll have more time to test patches and software updates before applying them across your enterprise. Why? Because even if your adversary successfully exploits an unpatched vulnerability (e.g. JavaScript in memory), their attempts to establish persistence, move laterally or escalate privilege will not only be blocked but also detected, raising alarms in real time.

Microsoft 365 E5 customers relying on Defender ATP have to wait 10-15 minutes before a breach raises an alert - and that’s too long, especially if the vulnerability is wormable. With a proper application allowlisting solution, the alert is raised within 1 or 2 seconds. Sophisticated adversaries will test their zero-day exploits against commodity anti-malware solutions like Microsoft 365 Defender ATP to ensure that when they attack your systems, the attack works and goes undetected. If you want the upper hand, you need to block zero-day exploits. You need application whitelisting.

It’s as simple as that.


Zero Trust

If the Windows, Linux and MacOS workstations and servers in your organization allow unknown programs and scripts to execute, then you’re missing a key piece of your zero trust architecture implementation. Device-level authentication and posture checks mean nothing if the device is infected with malware.

Application allowlisting assumes everything is malware, so everything is blocked unless explicitly allowed. Now that’s real Zero Trust.