Airlock Digital Allowlisting Solution
Audit and Enforcement Modes
The value of Airlock Digital Application Control to organizations lies in significantly reducing the risk of malware and ransomware infection on their endpoints, without impacting productivity. But how can organizations understand which files and applications are running in their environments, so that they can create trust-based allowlists that meet their requirements? And how can they then enforce those allowlists?
To address these challenges, we have established audit and enforcement modes within Airlock Digital. In line with our approach of building for security practitioners, by security practitioners, we have made each mode, and the process of moving between them, as efficient, functional and intuitive as possible.
Audit Mode
Audit mode enables organizations to build the policies that ensure legitimate files and applications continue to run within their environments. During this discovery phase, customer-side administrators monitor file executions across endpoint devices such as desktops, laptops and servers. From this activity, a list of trusted applications and files is automatically sent back to Airlock's central console. Administrators then work through the data observed by the Airlock enforcement agent, which informs the next stage: tuning policy.
Easily Reducing Untrusted Executions and Tuning Policy
With Airlock, administrators can work through untrusted file executions in bulk and reduce the volume of file data quickly. File data is captured continuously for use across the solution, and administrators can drill into and filter unique files by hash, publisher, parent process and other attributes. Airlock's 'bulk add' process aggregates file data and creates a summary based on reputation, established through Airlock's partnership with VirusTotal. Files are categorized as known, unknown, suspicious or malicious; files in the malicious category are not selected by default, to protect the environment.
This process enables administrators to define the files they trust within a relevant policy group. An administrator then chooses the relevant policy tree, and Airlock updates, regenerates and delivers the policy to the organization's endpoints. This update occurs automatically after each policy change an administrator performs. End users can then run trusted files without interruption.
Running this process a number of times enables an administrator to reduce the volume of untrusted executions from tens of thousands to tens quickly and easily. In particular, applying trust selection to files signed by reputable publishers such as Microsoft and Google brings the number down sharply. Our customers typically take about three weeks to tune policy, regardless of scale.
The process takes about the same length of time whether a customer has 10, 100 or 100,000 computers because, in most enterprise environments, computers share about 80% of their file data. Once this process is complete, administrators typically spend less than 20 minutes in the product each day to perform the required tasks.
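To make the tuning loop above concrete, here is an added example (not Airlock's own code or data model) that replays it over a handful of constructed audit-mode execution records: collapse raw executions into unique files, summarize the untrusted ones by reputation, select a bulk add by trusted publisher while leaving malicious-rated files unselected by default, and measure how many observed executions would still be untrusted afterwards. The record fields, the hash values and the publisher names are assumptions for illustration.

```python
from collections import Counter

# Constructed audit-mode execution records (sample data, not Airlock output).
# Each record: (file hash, path, signing publisher or None, parent process, reputation).
AUDIT_EVENTS = [
    ("h-notepad", r"C:\Windows\System32\notepad.exe", "Microsoft Corporation", "explorer.exe", "known"),
    ("h-notepad", r"C:\Windows\System32\notepad.exe", "Microsoft Corporation", "cmd.exe", "known"),
    ("h-chrome", r"C:\Program Files\Google\Chrome\chrome.exe", "Google LLC", "explorer.exe", "known"),
    ("h-chrome", r"C:\Program Files\Google\Chrome\chrome.exe", "Google LLC", "chrome.exe", "known"),
    ("h-inhouse", r"C:\Apps\payroll.exe", None, "explorer.exe", "unknown"),          # unsigned line-of-business app
    ("h-tool", r"C:\Users\bob\Downloads\tool.exe", "Example Vendor Pty Ltd", "explorer.exe", "suspicious"),
    ("h-dropper", r"C:\Users\alice\AppData\Local\Temp\update.exe", "Example Vendor Pty Ltd", "winword.exe", "malicious"),  # signed but rated malicious (constructed)
]

def unique_files(events):
    """Collapse raw executions into one entry per hash, keeping every path and parent seen."""
    files = {}
    for sha, path, publisher, parent, reputation in events:
        entry = files.setdefault(sha, {"publisher": publisher, "reputation": reputation,
                                       "paths": set(), "parents": set(), "executions": 0})
        entry["paths"].add(path)
        entry["parents"].add(parent)
        entry["executions"] += 1
    return files

def bulk_add(files, allowlist, trusted_publishers, include_malicious=False):
    """Return (hashes selected for trust, reputation summary of files not yet allowlisted).
    A file is selected when it is signed by a trusted publisher and not already allowlisted;
    files rated malicious stay unselected unless the administrator overrides the default."""
    pending = {sha: f for sha, f in files.items() if sha not in allowlist}
    summary = Counter(f["reputation"] for f in pending.values())
    selected = {sha for sha, f in pending.items()
                if f["publisher"] in trusted_publishers
                and (include_malicious or f["reputation"] != "malicious")}
    return selected, summary

def untrusted_executions(events, allowlist):
    """Number of observed executions that enforcement mode would block under this allowlist."""
    return sum(1 for sha, *_ in events if sha not in allowlist)

if __name__ == "__main__":
    allowlist = set()
    files = unique_files(AUDIT_EVENTS)
    print("untrusted executions before tuning:", untrusted_executions(AUDIT_EVENTS, allowlist))
    selected, summary = bulk_add(files, allowlist, {"Microsoft Corporation", "Google LLC", "Example Vendor Pty Ltd"})
    print("reputation summary of untrusted files:", dict(summary))
    allowlist |= selected
    print("untrusted executions after trusting reputable publishers:", untrusted_executions(AUDIT_EVENTS, allowlist))
```

The unsigned in-house application is left for the administrator to trust explicitly, by hash, rather than by publisher rule.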
Enforcement Mode
At this point the organization is ready to move into enforcement mode. This mode, in which administrators enforce policy sets and proactively prevent non-allowlisted applications and files from running in their environment, is where Airlock delivers a powerful security outcome. In enforcement mode, the organization minimizes the risk to its operations, people and customers that malicious code and other unauthorized software executions would otherwise present.
In addition, because organizations customize each allowlisting deployment to their specific needs, malicious actors' ability to test attacks before launching them is severely limited. And critically, organizations can elevate their security capabilities to align with the Australian Signals Directorate's Essential Eight, the United States' National Institute of Standards and Technology (NIST) SP 800-171r3 and Cybersecurity Framework, and the Communications Security Establishment Canada Top 10 IT Security Actions.
In our next blog, we will explore the role of One-Time Passwords (OTP) in enabling streamlined exception management in Airlock Digital.