Sometime in 2010, virtually every new Windows PC will come with a form of application whitelisting built in: AppLocker. It’s time to start thinking about how application whitelisting will change the way you approach desktop security and how you intend to use whitelisting to protect your critical IT assets. In preparation for this shift, I thought it would be good to offer some food for thought on what changes and what you should consider in your eventual whitelisting strategy.
First, let’s look at what changes.
- Define good applications, don’t focus on finding bad ones. Application whitelisting completely changes the paradigm for endpoint security. The new requirement for desktop security is putting in place a process to define which applications are allowed to run on your systems. The blacklisting antivirus approach will likely remain during the transition, to find and clean up any residual infections.
- Focus is on prevention, not detection. The days of rushing out a new antivirus signature or operating system patch are over. Application whitelisting will protect your systems against new threats, even zero-day and custom targeted threats. What this means is that your whole operational process for updating endpoints can evolve into a saner, scheduled update process that includes patch testing to ensure the patch doesn’t break anything.
- Establish a process for application updates and additions. System changes will now conform to the policies you set. You will establish rules for when change is appropriate and who is authorized to make changes. The result is more control over the endpoint environment as a whole.
Now that you know the changes that are coming, what is going to be important to your success in implementing application whitelisting?
- Prevent user revolt – first do no harm – Application whitelisting cannot rely upon a master approved list and arbitrarily shut off unknown applications. A good solution must start from the premise of first preventing any new malware from getting onto the system, not disabling unknown applications. Doing otherwise will leave users with applications that crash because of their new whitelisting implementation.
- Transition AV to a clean-up role – Traditional blacklist antivirus won’t just disappear, but its role will. It will no longer be seen as a preventative solution but rather as a clean-up tool. This will play an important role in identifying the remnants of malware that may have been on a system when you loaded whitelisting, and will assist in removing unwanted malicious applications.
- Managing change makes all the difference – This is where good enterprise class application whitelisting systems will distinguish themselves. Adding and updating software will never go away on endpoints. It is a natural part of the productivity process. Application whitelisting must support this goal and be able to make this process as painless as possible. This means defining under what circumstances change can occur on an endpoint without IT interaction. For example, you may want to allow users to update digitally signed software from a major software vendor. Managing change effectively is at the heart of a strong application whitelisting solution.
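As an added example (not code from the original post or from any vendor), here is how the approach above maps onto AppLocker’s own cmdlets: whitelist what is already installed, add a publisher rule so software signed by one trusted vendor can update without IT interaction, and deploy in AuditOnly mode so nothing is blocked until the event log has been reviewed. It assumes an elevated PowerShell on Windows 7 Enterprise or later; the output directory, the vendor certificate subject and the rule GUID are placeholders.

```powershell
# Added example: bootstrap an AppLocker policy in audit mode.
# Placeholders: $OutDir, the PublisherName subject, the rule Id GUID.
$OutDir = 'C:\AppLockerPolicy'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Inventory the executables, scripts and installers already present.
$files = foreach ($dir in 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}

# 2. Turn the inventory into rules: publisher rules where a file is signed,
#    hash rules otherwise, collapsed with -Optimize. Generated collections
#    come out as NotConfigured; switch them to AuditOnly (first do no harm).
$baseline = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -User Everyone -Optimize -IgnoreMissingFileInformation -Xml
$baseline -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"' |
    Set-Content "$OutDir\baseline.xml"

# 3. Publisher rule: any product/version signed by this vendor may run, so
#    routine vendor updates do not require IT to touch the whitelist.
@'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="a1b2c3d4-0000-4000-8000-000000000001"
        Name="Allow vendor-signed software" Description="Placeholder vendor subject"
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE VENDOR INC., L=CITY, S=STATE, C=US"
            ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@ | Set-Content "$OutDir\vendor.xml"

# 4. Apply to the local policy; AppLocker only acts while the
#    Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc
Set-AppLockerPolicy -XmlPolicy "$OutDir\baseline.xml"
Set-AppLockerPolicy -XmlPolicy "$OutDir\vendor.xml" -Merge

# 5. Dry-run user downloads against the effective policy and list what
#    would be denied once EnforcementMode is switched to Enabled.
Get-AppLockerPolicy -Effective -Xml | Set-Content "$OutDir\effective.xml"
$candidates = (Get-ChildItem 'C:\Users\*\Downloads\*.exe').FullName
Test-AppLockerPolicy -XmlPolicy "$OutDir\effective.xml" -Path $candidates -User Everyone |
    Where-Object { $_.PolicyDecision -ne 'Allowed' }
```

Review the AppLocker audit events (Microsoft-Windows-AppLocker/EXE and DLL log) for a full patch cycle before changing the collections to Enabled.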
Application whitelisting will certainly be coming to your systems in the near future. Take the time to think about how this will change your endpoint security and operations strategies and you will be well prepared to get the most benefits from it.
“Prevent user revolt – first do no harm – Application whitelisting cannot rely upon a master approved list and arbitrarily shut off unknown applications. A good solution must start from the premise of first preventing any new malware from getting on the system and not disabling unknown applications. Doing otherwise will result in users with applications that crash because of their new whitelisting implementation.”
Pardon me, so how do you implement application whitelisting?
Thanks for the question, Leo. With regards to this specific part of our post, CoreTrace’s application whitelisting solution, BOUNCER, starts by automatically generating a perfect whitelist directly from any given computer, a list of all applications. This locks the computer in that condition, and no new unauthorized applications (including malware) will be allowed to run, ever.