Application whitelisting (AWL) is a technology that has been used in the security industry for a long time but is still not widely adopted in enterprise workstation environments. AWL is the opposite of blacklisting, which is the model most antivirus software uses today. Traditional antivirus looks for malicious files by computing signatures (hashes and other fingerprints) of files on the system and checking them against a database of known malware (the blacklist). Antivirus also looks at other attributes and file behaviors to decide whether an intervention is needed, typically quarantining or deleting the file. Application whitelisting is different.
Whitelisting operates on a zero-trust, "default deny" model: no code is allowed to run on the system unless it has been explicitly added to the list of executables known to be trusted. With whitelisting software becoming more mature and enterprises growing more wary of being attacked, this technology is on the rise. If you are not whitelisting at least your critical enterprise servers, you should be. Many practitioners consider deploying whitelisting software such as McAfee Application Control one of the most effective ways to keep an endpoint from being compromised. The reason every server, workstation, and mobile device does not already use this technology is that it needs ongoing, proper management.
Deploying a whitelisting program in production is a daunting task that will be met with skepticism throughout the enterprise, because people generally do not like to be told what they can and cannot run on their workstations. Getting management's support and developing well-thought-out policies to deal with the inherent issues that will come up once you go live is vital.
Starting a pilot program on enterprise servers that generally do not change much is a great place to begin. The way AWL works is that you either take a snapshot of a system and all of its executables to create your whitelist, or you use the corporate gold image if one exists. The next step is to turn on the technology in audit mode to allow time for establishing a baseline. This mode still allows changes to be made to the system but logs them for review. Generally, 2 to 4 weeks is enough time to get a good picture of what the system's normal behavior looks like. The final step, when you lock down the system, is establishing policy for what happens when an end user tries to execute a program that is not on the whitelist. There should be a review team able to make decisions in a reasonable amount of time, and every successful AWL deployment will have a dedicated team to deal with approval requests and the management overhead. Keep in mind that interpreters and administrative tools already on the whitelist can still be abused by an attacker, so the list should be kept as small as the server's role allows.

At ArchetypeSC we have experienced professionals who can give your enterprise the upper hand against the persistent threats constantly attacking networks. When a hacker gains access to a system, they need to run tools to achieve their objective. If those tools cannot run because of a whitelisting policy, the chances of your enterprise suffering a breach are drastically reduced.
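The three steps above (snapshot a gold image, run in audit mode, then lock down with a review queue) are easy to see in miniature. The following is an added example written for this page, not code from McAfee Application Control or any other product; it models the workflow with a hash-based whitelist over a constructed temporary "gold image" directory, and the file names, sample contents and the `AwlPolicy` class are assumptions for illustration.

```python
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file's bytes. AWL identifies code by hash, not by name or path."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot_whitelist(root: Path) -> dict[str, str]:
    """Step 1: snapshot a clean server or gold image. Returns {sha256: relative path}."""
    return {
        sha256_file(p): str(p.relative_to(root))
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


@dataclass
class AwlPolicy:
    """Hypothetical policy engine: 'audit' logs unknown code, 'enforce' is default deny."""
    allowed: dict[str, str]                                         # sha256 -> path first seen
    mode: str = "audit"
    audit_log: list[tuple[str, str]] = field(default_factory=list)  # unknown code seen in audit
    pending: list[tuple[str, str]] = field(default_factory=list)    # blocked, awaiting review

    def evaluate(self, path: str, digest: str) -> str:
        """Decide what happens when the file at `path` with hash `digest` tries to run."""
        if digest in self.allowed:
            return "allow"
        if self.mode == "audit":
            # Step 2: baseline period. Unknown code still runs, but each instance is recorded.
            self.audit_log.append((path, digest))
            return "allow-logged"
        # Step 3: locked down. Unknown code is blocked and queued for the review team.
        self.pending.append((path, digest))
        return "deny"

    def approve(self, digest: str, path: str) -> None:
        """Review team decision: add a hash to the whitelist and clear it from the queue."""
        self.allowed[digest] = path
        self.pending = [item for item in self.pending if item[1] != digest]

    def lock_down(self) -> None:
        self.mode = "enforce"


def demo() -> dict:
    """Walk the three steps on a constructed gold image in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        gold = Path(tmp) / "gold_image"
        (gold / "bin").mkdir(parents=True)
        # Constructed sample "executables"; contents are arbitrary, only their hashes matter.
        (gold / "bin" / "httpd").write_bytes(b"#!/bin/sh\necho serving\n")
        (gold / "bin" / "backup.sh").write_bytes(b"#!/bin/sh\ntar czf /tmp/b.tgz /srv\n")
        policy = AwlPolicy(allowed=snapshot_whitelist(gold))
        results = {}

        # Audit period: a patched httpd appears. It runs, but its new hash is logged.
        patched_httpd = hashlib.sha256(b"#!/bin/sh\necho serving v2\n").hexdigest()
        results["patch_during_audit"] = policy.evaluate("/bin/httpd", patched_httpd)

        # Review team works through the audit log and approves the patch, then locks down.
        for path, digest in policy.audit_log:
            policy.approve(digest, path)
        policy.lock_down()

        # Enforcement: gold-image code and the approved patch run; an attacker's tool that
        # was dropped under a trusted name is identified by its hash and denied.
        results["gold_after_lockdown"] = policy.evaluate(
            "/bin/backup.sh", sha256_file(gold / "bin" / "backup.sh"))
        results["patch_after_lockdown"] = policy.evaluate("/bin/httpd", patched_httpd)
        attacker_tool = hashlib.sha256(b"MZ\x90\x00constructed-attacker-tool").hexdigest()
        results["attacker_tool"] = policy.evaluate("/bin/httpd", attacker_tool)
        results["pending_reviews"] = len(policy.pending)
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The toy policy is hash-only, which is why the patched `httpd` had to be approved by hand; commercial products add trusted-updater and publisher-certificate rules so routine patching does not flood the review queue, but the audit-then-enforce sequence and the default-deny decision are the same.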