Application Whitelisting: Challenges and Best Practices
What is Application Whitelisting?
Whitelisting is a way of creating an inventory of secure software applications that may run on an organization’s network. Whereas blacklists block specific application sets, whitelists specify which programs are allowed—with the objective of preventing harmful files and malicious software from running on a company’s infrastructure. This approach also improves resource management by prioritizing application traffic.
All the same, whitelisting limits the scope of solutions a team may implement, often causing frustration and impeding efficiency. Newly proposed software must go through an often lengthy vetting process before deployment. Managing a whitelist is time-consuming, requiring constant monitoring and modification.
This is part of our series of articles about zero trust security.
How Does Application Whitelisting Work?
Application whitelisting specifies which applications are allowed to run in the corporate environment—a list which may change over time to accommodate the needs of users on the network. The list can contain libraries, files, and executables.
IT organizations can use the application whitelist feature built into some host operating systems, leverage a third-party application whitelist tool, or use the whitelisting feature within some endpoint protection tools.
Whatever the method used for whitelisting, the main goal is to prevent unauthorized installation and execution of applications to specific network endpoints.
To implement application whitelisting in your infrastructure, you can follow these steps:
- Benchmarking—scan storage drives of endpoints running on the network, to identify applications and processes required for your business needs, and identify unnecessary or potentially harmful applications and processes.
- Create an initial whitelist—including legitimate, safe applications and required for business operations.
- Activate application whitelist—activate the whitelisting software on the network. It will start comparing any new applications with the whitelist before allowing them to run.
- Changes and updates—upon purchasing a license for new software applications, whitelist it, and add its executable files and libraries to your whitelist before running. When updating an application, you must change the whitelist to reflect the files and executables used by the new version.
Application whitelisting is one way to block unwanted content on your network. Another approach is web filtering – blocking unwanted websites and web content.
Read our guide to web filtering
Identifying Applications for Whitelisting: Whitelisting Attributes
There are various attributes that can help determine if an application file or folder may be vetted for whitelisting. Each one has its limitations, so you should use two or more attributes to identify files and programs for whitelisting.
File Path Whitelisting
By whitelisting a file path, you allow all applications in that path to run. There are two options:
- Directory-based whitelisting—this option allows all files in a directory and its subdirectories.
- Complete file path whitelisting—this option only allows file names that match the specific file path. It may use wildcards to specify multiple files.
Using the file name as an attribute on its own potentially opens a path to malicious programs that replicate whitelisted filenames. Therefore, this attribute is usually used with other identifier.
File Size Whitelisting
This attribute is used under the assumption that a malicious version of an application has a different file size. Because this attribute is easy to manipulate, it must be used in conjunction with others.
Cryptographic Hash Whitelisting
A much stronger attribute, almost impossible to replicate, is a cryptographic hash. Attributing a unique value to an application file serves as a stronger filter than names or file system locations.
Digitally signing an application file helps verify its authenticity. This unique attribute helps determine if a file has been compromised.
Some applications require a predetermined set of processes to run. Process whitelisting can lock down a system by enabling only legitimate processes while preventing other processes from executing.
Challenges in Application Whitelisting
One of the greatest concerns regarding whitelisting is its effect on end-users. Denying applications by default is a cumbersome mechanism, which often impedes business processes and frustrates employees.
The whitelisting process itself is also difficult to implement and manage. Automating the exception management process, and the whitelist management process itself, can be a great improvement.
An alternative to traditional application whitelisting is monitor-only whitelisting. This lets the organization visualize all executables running on endpoints, and alert when unrecognized applications are discovered, without blocking applications from running. This can provide many of the security advantages without frustrating users. However, it is a passive approach that makes it possible for malicious programs to infect endpoints.
App Whitelisting Best Practices
Compile an Application Inventory
It is important to create a comprehensive list of legitimate applications used by your organization, before deploying application whitelist software. All these applications must be included in the company’s whitelist policy. Software that is not explicitly listed in company-created policies cannot be run and will be unavailable to users.
It is best to use the publisher’s digital signature or an encrypted file hash to identify applications. Most application whitelisting tools allow you to create a whitelist strategy based on these two identifiers. Using weaker identifiers, like filenames or filesystem locations, may result in false negatives and false positives.
Classify Essential and Non-Essential Business Applications
Consult with business teams and identify which of the applications currently running on the network are essential for day-to-day operations, or non-essential. Many applications may have been installed but never used, employees may have transitioned to another tool and left the old one installed, and so on. Whitelist essential applications, while blocking non-essential ones, to reduce security risk and reclaim the wasted resources they utilize.
Integrating Whitelisting and Patch Management
A primary challenge associated with whitelisting is to integrate whitelisting and patch management processes. Most organizations have an automated patch management process. Patching will usually prevent whitelisted software from identifying the software, and the new version will be blocked by the whitelisting tool.
If you use a tool like Windows Server Update Services (WSUS) for patch management, the tools provide an opportunity for administrators to approve patches before automatically deploying them. This presents an opportunity for administrators to add patches to the whitelist policy, just before or after approving them for distribution.
Another solution is to create an application whitelist strategy based on the vendor’s digital signature. In this way, when a vendor releases a patch, the patch contains the same digital signature as the application it is trying to update, and the patch automatically receives permission to use it.
Allow Selective Admin Access to Admin Tools
Some employees, such as IT staff, will require access to administrative tools. You cannot whitelist these tools, but at the same time, you should not let any employees use them, because this can create operational and security risks.
You will need to identify and whitelist IT management tools, while restricting access to only those individuals who need the tools for their day-to-day jobs.
Reduce Application Whitelisting with Hysolate
Hysolate offers fully managed OS isolation, so your team is free to open and use any untrusted application within their Hysolate Workspace. Admin policies can be set so all untrusted applications can only be opened in Workspace, reducing the need for whitelisting, while also reducing user frustration.
Hysolate has a native user experience, so users can toggle back and forth between their host device and their Hysolate Workspace, and is simple for admins to manage, with granular policies via the Hysolate Management console.
Want to try Hysolate for yourself to see how it can save you time and resources on application whitelisting? Download Hysolate Free here.