What is Application Whitelisting?
Application Whitelisting is the only proactive security strategy to prevent malicious code from running on a computer. It works by allowing the user (or administrator) to create and maintain a list of known ‘good’ files which they trust, only these files can run on the computer while all others are blocked. This proactively prevents unknown threats such as ransomware and malware from loading on a computer.
Contrast Application Whitelisting with traditional Anti-virus solutions which work on a blacklist model and only prevent files from running which have been classified as ‘bad’. This reactive approach allows attackers to modify the files (malicious code) they use to attack organisations to avoid detection.
The Australian Signals Directorate intelligence agency ranks Application Whitelisting as most effective strategy (#1) to prevent Targeted Cyber Intrusions*.
Visit here to find out more about why application whitelisting is considered the most effective strategy.
Source: Australian Signals Directorate – Strategies to Mitigate Targeted Cyber Intrusions http://asd.gov.au/publications/Mitigation_Strategies_2014.pdf
What is the difference between Application Control and Application Whitelisting?
Application Control and Application Whitelisting are terms often used interchangeably by security companies which have a big impact on your security.
- Application Control typically refers to ‘fuzzy’ application whitelisting technologies which place trust in software packages for the purposes of software management;
- Application Whitelisting refers to ‘strict’ application whitelisting technologies which place trust in files for the purposes of security.
For more information on the difference between Application Control and Application Whitelisting, please see:
Does Application Whitelisting make Anti-Virus software redundant?
Each organisation has a unique risk profile when it comes to cyber security. Airlock implements the most effective form of Application Whitelisting on the market, based on the cryptographic hash values of files. As a result it significantly decreases an organisations risk profile of being impacted by cyber threats, however as with every technology should be used as part of a defence in depth strategy.
Airlock operates in two modes:
Enforcement Mode – in this mode Anti-Virus software will not see any files that are blocked by Airlock if they have attempted to run as the load will be intercepted by the Airlock Enforcement Agent before Anti-Virus software can scan the executable file.
Audit Mode – in this mode the Airlock Enforcement Agent allows execution of any files on a system and merely observes activity, therefore Anti-Virus software may detect, and depending on the configuration, possibly prevent execution of known malware.
What is Airlock’s Architecture?
Airlock is provided as an on-premise client-server solution.
Typical Airlock deployments consist of an:
- Airlock Enforcement Agent – installed on workstations and servers to provide protection;
- Airlock Server – Easy to install, supporting both physical and virtual infrastructure;
- Airlock Application Capture (optional) – Installed on a known trusted workstation or server to assist with the maintenance of Application Whitelisting rule sets.
What File Enforcement Actions are there in Airlock?
The real benefit of Application Whitelisting is the proactive prevention of threats. However during deployment Airlock has the ability to simulate the blocking of files when a file is not found to be on the defined Application Whitelist policy.
Airlock has the ability to perform the following three file enforcement actions:
In Enforcement mode, files are proactively prevented from loading when when they are not trusted. The event is recorded and reported centrally.
When implementing Application Whitelisting for the first time a file discovery phase needs to be performed in order to build a defined Application Whitelist rule set. Audit mode identifies untrusted files in the environment and simulates the blocking of files.
All untrusted files which are permitted to run in this mode are catalogued, recorded and reported.
OTP (Temporary Exception):
In certain situations there may be a need to exempt users from Application Whitelisting. Airlock allows the temporary exemption of users on a case by case basis through the use of One Time Pad (OTP) codes. Codes are unique per computer and administrators have the ability to choose the length of time a user is exempt from Application Whitelisting.
During the time the user is exempt from Application Whitelisting, all files the user loads on the system are recorded and uploaded for review by an administrator. OTP codes can be used even when the user is disconnected from the corporate network.
Does Airlock trust application publishers?
Airlock was designed from the ground up to be the easiest and most secure Application Whitelisting solution on the market. Airlock also provides customers with flexibility by supporting the use of publisher rules.
Airlock’s publisher support provides the following features:
- Allow files to run based on their publisher;
- See which files across an entire enterprise have invalid publishers (digital signatures), allowing suspect files to be easily identified and reviewed;
- Simple cataloguing and publisher management;
- Records of all file executions which have occurred as a result of a particular publisher rule.
Airlock performs continual file publisher verification to ensure its legitimacy. If a file is found to be invalid, files are prevented from executing and this information is reported back to the Airlock server.
Note: Airlock recommends customers allow files to execute based on their cryptographic hash value, the most secure method of application whitelisting. Application whitelisting in this manner is made easy with the Airlock platform.