The Deep Dive Into Application Whitelisting

Application Whitelisting – What is it?

Before we dive too deep into the concept of whitelisting, readers must understand what application whitelisting is and how it differs from alternative cyber security methods. First, application whitelisting is a proactive approach to cyber security: a security solution that employs application whitelisting allows only known, trusted programs to run. The alternative, blacklisting, allows all unknown files to run unless they have already been proven to be malicious. The problem with the blacklist is that malware variants are morphing by the minute, which makes each new variant an "unknown" file. These unknown files will execute on any device that relies on a blacklist as its primary method of malware detection. Meanwhile, any device using a whitelisting agent will block these files from running until they are proven safe.

A Deeper Dive

The whitelist offers increased security for all data on devices that use this proactive methodology, meaning malware attacks, including ransomware, are far less likely to execute successfully. Leading industry analysts from Gartner and Forrester have agreed that application whitelisting is the best way to mitigate today's cyber security threats. There are, however, a few downfalls.

Mario DeBoer, an analyst at Gartner, recently told me he does not encourage anyone to change their security solution unless they state they want something different. When asked why, he simply said it is too much work. Needless to say, this caught me off guard. Too much work? Maintaining a less than effective security infrastructure because enhancing it would be "too much work" is not only laughable but does the company a major disservice. To be clear, uninstalling an existing solution and deploying a new one could be time-consuming for the IT staff. However, finding a security solution that offers assistance with the installation and deployment process would help mitigate not only the cost associated with switching but also the time invested by the company's staff to make the change.

There is also the risk of "false positives". A false positive occurs when the whitelist blocks an unknown file or program that is not actually malicious. The number of false positives a user experiences varies with the whitelist maintained by their security vendor and with the types of programs and files running on their devices. False positives have been a barrier to adopting a whitelist approach for larger businesses and school districts: because of the number of files and programs running on a daily basis, managing false positives is perceived to outweigh the benefits of increased security.

But does it really?

Many application whitelisting products allow users to locally whitelist a program or file almost immediately. Jon Amato, an analyst for Gartner, stated that the ideal turnaround time for a false positive should be less than 15 minutes. This is certainly attainable. So the question remains: does the minor and infrequent inconvenience of false positives outweigh the benefits of increased security measures?
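To make the blacklist-versus-whitelist distinction from the opening section concrete, and to show the "locally whitelist a file" step described above, here is an added example that is not part of the original post and is not PC Matic's or any vendor's code. It models both policies as hash-based decisions over a few constructed sample "executables" (the byte strings and file names are made up): a deny list that only knows one malware variant lets a morphed second variant run, an allow list blocks both variants but also blocks a new, legitimate build of a known tool (a false positive), and a local allow step clears that false positive. Every decision is also returned as an audit record, which is what a defender would want to feed into monitoring.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample files (not real programs): file name -> contents.
# The "ransom" entries stand in for two builds of the same malware family,
# the "backup" entries for two legitimate builds of the same utility.
SAMPLE_FILES: Dict[str, bytes] = {
    "notepad.exe": b"MZ\x90\x00 known good editor, build 1",
    "backup_v42.exe": b"MZ\x90\x00 backup utility, build 42",
    "backup_v43.exe": b"MZ\x90\x00 backup utility, build 43",
    "ransom_v1.exe": b"MZ\x90\x00 payload variant one",
    "ransom_v2.exe": b"MZ\x90\x00 payload variant two",
}


def sha256_hex(data: bytes) -> str:
    """Identity of a file for policy purposes is its SHA-256 digest."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class DenyListPolicy:
    """Blacklist: run everything except files already known to be bad."""
    known_bad: Set[str]

    def decide(self, data: bytes) -> Tuple[str, str]:
        if sha256_hex(data) in self.known_bad:
            return "BLOCK", "hash on deny list"
        # Anything unknown, including a freshly morphed variant, is allowed.
        return "ALLOW", "not on deny list"


@dataclass
class AllowListPolicy:
    """Whitelist: run only files already proven good (vendor or local)."""
    trusted: Set[str]                                # vendor-maintained list
    local_allow: Set[str] = field(default_factory=set)  # admin overrides

    def decide(self, data: bytes) -> Tuple[str, str]:
        digest = sha256_hex(data)
        if digest in self.trusted:
            return "ALLOW", "hash on vendor allow list"
        if digest in self.local_allow:
            return "ALLOW", "hash on local allow list"
        # Unknown means blocked until proven safe; a benign unknown file
        # blocked here is exactly the "false positive" the post describes.
        return "BLOCK", "unknown hash"

    def local_whitelist(self, data: bytes) -> str:
        """Clear a false positive by trusting this exact build locally."""
        digest = sha256_hex(data)
        self.local_allow.add(digest)
        return digest


def evaluate(policy, files: Dict[str, bytes]) -> List[Dict[str, str]]:
    """Run every sample file through a policy; return audit records."""
    records = []
    for name, data in files.items():
        verdict, reason = policy.decide(data)
        records.append({"file": name, "sha256": sha256_hex(data)[:16],
                        "verdict": verdict, "reason": reason})
    return records


def verdicts(records: List[Dict[str, str]]) -> Dict[str, str]:
    """Collapse audit records to file -> verdict for quick comparison."""
    return {r["file"]: r["verdict"] for r in records}


def build_policies() -> Tuple[DenyListPolicy, AllowListPolicy]:
    """Deny list knows only variant one; allow list knows two good files."""
    deny = DenyListPolicy(known_bad={sha256_hex(SAMPLE_FILES["ransom_v1.exe"])})
    allow = AllowListPolicy(trusted={sha256_hex(SAMPLE_FILES["notepad.exe"]),
                                     sha256_hex(SAMPLE_FILES["backup_v42.exe"])})
    return deny, allow


if __name__ == "__main__":
    deny, allow = build_policies()
    for label, policy in (("deny list", deny), ("allow list", allow)):
        print(f"--- {label} ---")
        for rec in evaluate(policy, SAMPLE_FILES):
            print(f"{rec['file']:16} {rec['verdict']:6} {rec['reason']}")
    # Clear the false positive on the new backup build, then re-check it.
    allow.local_whitelist(SAMPLE_FILES["backup_v43.exe"])
    print("backup_v43.exe after local whitelist:",
          allow.decide(SAMPLE_FILES["backup_v43.exe"])[0])
```

Running the block prints both policies' verdicts side by side: the deny list blocks only `ransom_v1.exe` and lets `ransom_v2.exe` through, while the allow list blocks both variants and also `backup_v43.exe` until the local whitelist step clears it. Keying the local override on the exact digest, rather than on the file name, is deliberate: a name-based exception would re-open the door to any file that borrows the name.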

Consider the alternative. The unknown file is allowed to execute and encrypts systems and files. This leaves the organization inoperable or, at a minimum, back to pen-and-paper mode. The cost of downtime, remediation overtime pay, third-party investigators to assess damages, reputational damage, lost productivity, and the inability to conduct day-to-day operations could be detrimental.

So again, the question remains: does the minor and infrequent inconvenience of false positives outweigh the benefits of increased security measures? You tell me.


4 thoughts on “The Deep Dive Into Application Whitelisting”

  1. Anyone who has ever read any of my research will know that this is very likely the worst possible way in which I was ever paraphrased. Changing endpoint protection products at enterprise scale is not trivial, so you need good reasons to change. There are many potential good reasons. Not sure what's laughable about that.

  2. I used PC Matic for several years and was very happy with it. I understand the benefits of white listing and had very few problems with using programs that I knew to be good, but not allowed to run by PC Matic. What caused me to leave, however, was completing disc backups with Windows Backup. It finally got to the point that I could never complete a disc backup, so I had to go to a different anti-virus solution. The note I got from PC Matic said that it was easy to allow unknown files to be accessed. True, if you like to sit around for hours watching a backup complete. I prefer to let that happen while I’m not around, like the middle of the night. Has this issue been addressed?

    1. Hi Phil, thanks for the great insights! It sounds like this may have been a strange issue but it’s hard for me to tell without being able to dig into it further when it was happening. Windows tools shouldn’t be having any issues running so I’m not sure why you were seeing so many files blocked. Was it the backup software being blocked or your files being backed up?
