Application allowlisting, or application control, is a security capability that reduces the impact of attacks by allowing only trusted files, applications, and processes to run.
Let’s Define Allowlisting
To block unauthorized activity that could initiate a harmful attack, companies use application allowlisting, or application control, to strengthen their security posture. Allowlisting identifies known files, applications, or processes and allows them to execute. Conversely, unknown activity is blocked or restricted, which prevents it from executing and spreading within a system or environment during an attack.
Some companies review the blocked files manually to approve usage or remediate where necessary. However, advanced endpoint security solutions can run allowlisting processes automatically through software controls and protection policies that completely lock down and secure corporate assets, intellectual property, and regulated data. These solutions reduce downtime by automating the approval of trusted software and eliminating the need for manual allowlist management.
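The default-deny decision described above, as an added illustration that is not code from the original article or from any vendor mentioned in it: binaries are identified by SHA-256, known hashes run, everything else is blocked and queued for review, and an approved hash is promoted to the trusted set. The sample "binaries", file paths, and hash values are constructed for the demo.

```python
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class AllowlistPolicy:
    """Default-deny application control: a file runs only if its SHA-256
    is on the trusted list; anything else is blocked and logged for review."""
    trusted_sha256: set = field(default_factory=set)
    blocked_log: list = field(default_factory=list)

    def decide(self, path: str, content: bytes) -> str:
        digest = sha256_hex(content)
        if digest in self.trusted_sha256:
            return "allow"
        # Unknown hash: block, and record the event for the review queue.
        self.blocked_log.append({"path": path, "sha256": digest})
        return "block"

    def approve(self, digest: str) -> None:
        """Outcome of a manual or policy-driven review: trust this hash."""
        self.trusted_sha256.add(digest)


# Constructed sample "binaries" (hypothetical byte strings, not real executables).
GOOD_APP = b"MZ\x90\x00 constructed: line-of-business app v1"
UPDATED_APP = b"MZ\x90\x00 constructed: line-of-business app v2"
DROPPER = b"MZ\x90\x00 constructed: unknown payload from a phishing mail"


def run_demo() -> dict:
    policy = AllowlistPolicy(trusted_sha256={sha256_hex(GOOD_APP)})
    app_path = r"C:\Program Files\LOB\app.exe"          # constructed path
    tmp_path = r"C:\Users\alice\AppData\Local\Temp\inv.exe"  # constructed path
    results = {}
    results["known_app"] = policy.decide(app_path, GOOD_APP)
    # Same path, different bytes: the hash no longer matches, so the modified
    # copy is treated as unknown. This is the file-integrity side of allowlisting.
    results["modified_app"] = policy.decide(app_path, UPDATED_APP)
    results["dropper"] = policy.decide(tmp_path, DROPPER)
    # Review: the vendor update is approved; the dropper is not.
    policy.approve(sha256_hex(UPDATED_APP))
    results["updated_app_after_approval"] = policy.decide(app_path, UPDATED_APP)
    results["dropper_retry"] = policy.decide(tmp_path, DROPPER)
    results["blocked_events"] = len(policy.blocked_log)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```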
While allowlisting is being touted as a security essential (see the Industry Pulse below), it is only one of many tools that provide complete and comprehensive endpoint security.
When it is combined with other advanced techniques like behavioral analysis and machine learning, allowlisting is a significant contributor to blocking and preventing malicious attacks.
As an example, NSS Labs, an independent organization that provides cybersecurity guidance, tested Advanced Endpoint Protection (AEP) products to determine their effectiveness. The goal of the test was to validate the proactive blocking and active detection capabilities for known and unknown threats.
As seen in the company’s 2017 Security Value Map for Advanced Endpoint Protection, NSS Labs’ test proved that it is possible to use tools like allowlisting and other endpoint security capabilities to stop 100% of the attacks.
Security experts have called allowlisting a must-have, foundational security strategy that has the ability to stop nefarious attacks such as ransomware.
In fact, an article on CSO suggests that real-time allowlisting based on recommendations, reputation scores, and other data can theoretically “offer the promise of nearly-perfect endpoint security with very low management overhead.”
Help Net Security recently shared a similar perspective from a senior security and privacy Gartner analyst, Neil MacDonald, on how allowlisting can be used to block malicious attacks. “To lessen the risk of future attacks against vulnerabilities of all types, we have long advocated the use of application control and allowlisting on servers,” says MacDonald. “If you haven’t done so already, now is the time to apply a default deny mindset to server workload protection – whether those workloads are physical, virtual, public cloud or container-based. This should become a standard practice and a priority for all security and risk management leaders in 2018.”
Phil Hagen, a digital forensic and incident response (DFIR) strategist at security solutions company Red Canary, agrees with MacDonald. In a recent blog, Hagen notes that “application control solutions like that offered by our partner Carbon Black are absolutely the single most meaningful step toward prevention that an organization can take. This methodology ensures that only a list of approved binaries can run on the systems within an enterprise. Whether the phishing payload is garden-variety ransomware or highly-targeted custom malware, the price of becoming a victim generally reaches far beyond that of deploying and maintaining an allowlisting solution.”
400,000 machines were infected by the WannaCry ransomware outbreak within the first week.
In today’s high-risk cyber world, it’s critical to have a complete endpoint security solution that includes allowlisting so that sensitive data is continually protected. Based on strict policies of allowable activities, allowlisting and application control allow for critical system lockdowns in real time that automatically prevent all untrusted files, applications, and processes from executing. With these sophisticated capabilities, companies can:
Stop attacks by allowing only approved software to run.
Automate software approvals and updates via IT and cloud-driven policies.
Prevent unwanted changes to system configuration at the kernel and user-mode levels.
Power device control with file integrity monitoring and control (FIM/FIC) capabilities.
Meet IT risk and audit controls across major regulatory mandates.