Application Whitelisting – What is it?
Before we dive too deep into the concept of whitelisting, readers should understand what application whitelisting is and how it differs from alternative cyber security methods. First, application whitelisting is a proactive approach to cyber security: a security solution that employs application whitelisting allows only known, trusted programs to run. The alternative, blacklisting, allows all unknown files to run unless they have already been proven malicious. The problem with a blacklist is that malware variants are morphing by the minute, so each new variant is an “unknown” file. These unknown files will execute on any device that relies on a blacklist as its primary method of malware detection, whereas a device using a whitelisting agent blocks them from running until they are proven safe.
A Deeper Dive
The whitelist offers increased security for all data on devices that use this proactive methodology, meaning malware attacks, including ransomware, are far less likely to execute successfully. Leading industry analysts from Gartner and Forrester have agreed that application whitelisting is the best way to mitigate today’s cyber security threats. There are, however, a few drawbacks.
Mario DeBoer, an analyst at Gartner, recently told me he does not encourage anyone to change their security solution unless they state they want something different. When asked why, he simply said it is too much work. Needless to say, this caught me off guard. Too much work? Maintaining a less-than-effective security infrastructure because enhancing it would be “too much work” is not only laughable but does the company a major disservice. To be clear, uninstalling an existing solution and deploying a new one could be time-consuming for the IT staff. However, finding a security solution that offers assistance with the installation and deployment process would help mitigate not only the cost associated with switching but also the time invested by the company’s staff to make the change.
There is also the risk of “false positives”. A false positive occurs when the whitelist blocks an unknown file or program that is not actually malicious. The number of false positives a user experiences varies with the whitelist used by their security vendor and with the type of programs and files they run on their devices. The concept of false positives has been a barrier to larger businesses and school districts adopting a whitelist approach: given the number of files and programs running on a daily basis, the management of false positives is perceived to outweigh the benefits of increased security.
But does it really?
Many application whitelisting programs allow users to whitelist a program or file locally, almost immediately. Jon Amato, an analyst for Gartner, stated that the ideal turnaround time for a false positive should be less than 15 minutes. This is certainly attainable. So the question remains: does the minor and infrequent inconvenience of false positives outweigh the benefits of increased security measures?
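As an added example (not code from the original post), the following Python sketch shows the default-deny versus default-allow distinction described above, together with the local exception step used to clear a false positive. The file contents, hashes, filenames and approver name are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
# Added example, not from the original post: a minimal execution-control policy
# contrasting default-deny (whitelist) with default-allow (blacklist).

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class ExecutionPolicy:
    mode: str                                     # "whitelist" or "blacklist"
    trusted: set = field(default_factory=set)     # known-good hashes
    malicious: set = field(default_factory=set)   # known-bad hashes
    audit: list = field(default_factory=list)     # (filename, hash prefix, verdict)
    def decide(self, filename: str, content: bytes) -> str:
        h = sha256(content)
        if h in self.malicious:
            verdict = "BLOCK (known malicious)"
        elif h in self.trusted:
            verdict = "ALLOW (known trusted)"
        elif self.mode == "whitelist":
            verdict = "BLOCK (unknown, pending review)"  # default deny
        else:
            verdict = "ALLOW (unknown)"                   # default allow
        self.audit.append((filename, h[:12], verdict))
        return verdict
    def local_allow(self, content: bytes, approver: str, reason: str) -> None:
        # A reviewed false positive joins the local trusted set; who approved
        # it and why is recorded so the exception can be audited later.
        h = sha256(content)
        self.trusted.add(h)
        self.audit.append(("exception", h[:12], f"approved by {approver}: {reason}"))

# Constructed sample "files": a known tool, a known-bad sample, a repacked
# variant of it (new hash, on neither list) and a benign but unknown script.
KNOWN_TOOL = b"legit accounting tool v4.2"
KNOWN_BAD = b"old ransomware sample"
NEW_VARIANT = KNOWN_BAD + b"\x00repacked"
INTERNAL_SCRIPT = b"home-grown payroll export script"

def run_demo() -> dict:
    wl = ExecutionPolicy("whitelist", {sha256(KNOWN_TOOL)}, {sha256(KNOWN_BAD)})
    bl = ExecutionPolicy("blacklist", {sha256(KNOWN_TOOL)}, {sha256(KNOWN_BAD)})
    samples = [("tool.exe", KNOWN_TOOL), ("old.exe", KNOWN_BAD),
               ("variant.exe", NEW_VARIANT), ("payroll.ps1", INTERNAL_SCRIPT)]
    results = {n: (wl.decide(n, c), bl.decide(n, c)) for n, c in samples}
    # payroll.ps1 was a false positive: clear it locally and re-evaluate.
    wl.local_allow(INTERNAL_SCRIPT, "it-admin", "internal script, reviewed")
    results["payroll.ps1 (after review)"] = (wl.decide("payroll.ps1", INTERNAL_SCRIPT), None)
    return results
```

Running `run_demo()` shows the repacked variant blocked only under the whitelist, and the benign script allowed after a single local exception is recorded.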
Consider the alternative: the unknown file is allowed to execute and encrypts systems and files. This leaves the organization inoperable or, at a minimum, back in pen-and-paper mode. The cost of downtime, remediation overtime pay, third-party investigators to assess damages, reputation damage, lost productivity, and the inability to conduct day-to-day operations could be detrimental.
So again the question remains: does the minor and infrequent inconvenience of false positives outweigh the benefits of increased security measures? You tell me.