Application whitelisting, the battles you can win

The endpoint and the end user continue to be the weakest links in most security infrastructures. Commonly used as a security tactic, blacklisting looks at known pieces of malware and adds to a list those bad applications from which users should be denied access.

The problem with blacklisting, said Dodi Glenn, vice president of cyber security at PC Pitstop, is that anything else is considered unknown and therefore is able to be accessed.

“Application whitelisting is used as a proactive detection method to prevent ransomware,” Glenn said. “It’s the complete opposite of blacklisting. If an app is not on the list of known good files, it doesn’t get to run.”

Because anything on the list theoretically should’ve already been vetted, only trusted apps are available to run. “The unknown on a blacklist can run; however, the unknown on a whitelist cannot run until it’s determined good,” Glenn said.

By way of example, Glenn explained that there are sundry vulnerabilities in Flash, and a lot of ransomware creators are tapping into those vulnerabilities. The end user then downloads a PDF, the exploit is run, and the payload actually happens and produces.

With application whitelisting technologies, though, the vulnerability will execute but the payload won’t run.

[ ALSO ON CSO: Deploying application whitelisting? NIST has some advice for you ]

“It’s OK for the exploit to run because the ultimate payload can’t run,” Glenn said.

Some application whitelisting technologies will actually do monitoring of ‘good’ files to make sure it doesn’t go awry and do something weird. For example, “Adobe should never do X,Y, Z, and memory monitoring capabilities watch for those anomalies,” Glenn said.

While application whitelisting is not very new, it has been improved. “The big challenge people faced was with its usability and manageability,” Glenn said.

Traditionally, antivirus was able to set and forget, but the problems came when software that was good but had never been seen before was unable to run. “Let’s say a doctor’s office was using a custom billing software. It may never have been seen by an admin and now your system can’t perform your billing procedures. That can impact the flow of business,” he said.

When left up to IT admins, application whitelisting proved to be a lot of legwork. “It’s a lot of legwork for the IT guys to get things up and running. The leg work is what is being changed for the admin,” Glenn said. 

With global whitelisting of applications, everybody globally gets a copy of it so that the same software that doctor Joe and doctor Bob use is globally good.

According to the Guide to Application Whitelisting from the National Institute of Standards and Technology, “Application whitelisting technologies are intended to stop the execution of malware and other unauthorized software.” 

Ransomware or any other malicious software, “If it’s not on the whitelist, it’s going to block malware in the most general way possible. Traditional blacklisting has always been a cat and mouse game because the bad guys take a few seconds to change the code and now it’s bypassed completely,” Glenn said.

When they change something in the file, what was blocked by blacklisting no longer exists for this new file. “Gartner has even come up and said there’s too much turn over. The protection is in the whitelist because those new versions will never appear on a whitelist,” Glenn said.

Still, there are vulnerabilities in whitelisting. “There are some areas that can be improved, specifically in scripting languages. You can’t whitelist a document. There are malware that are purely script based, though not as common. That is a little more difficult,” Glenn said.

Because you can’t whitelist a script, Glenn said, that’s a battle that you’ll never be able to win. All you can do is protect yourself in the best armor and try to anticipate the tactics that your opponent will bring to the battleground.