Application Whitelisting: Challenges and Best Practices

Whitelisting is a way of creating an inventory of secure software applications that may run on an organization’s network. Whereas blacklists block specific application sets, whitelists specify which programs are allowed—with the objective of preventing harmful files and malicious software from running on a company’s infrastructure. This approach also improves resource management by prioritizing application traffic.

All the same, whitelisting limits the scope of solutions a team may implement, often causing frustration and impeding efficiency. Newly proposed software must go through an often lengthy vetting process before deployment. Managing a whitelist is time-consuming, requiring constant monitoring and modification.

This article is part of our series of articles about zero trust security.


How Does Application Whitelisting Work?

Application whitelisting specifies which applications are allowed to run in the corporate environment—a list which may change over time to accommodate the needs of users on the network. The list can contain libraries, files, and executables.

IT organizations can use the application whitelist feature built into some host operating systems, leverage a third-party application whitelist tool, or use the whitelisting feature within some endpoint protection tools.

Whatever the method used for whitelisting, the main goal is to prevent unauthorized installation and execution of applications to specific network endpoints.

To implement application whitelisting in your infrastructure, you can follow these steps:

Application whitelisting is one way to block unwanted content on your network. Another approach is web filtering – blocking unwanted websites and web content.


Tal Zamir
CTO, Perception Point

Tal Zamir is a 20-year software industry leader with a track record of solving urgent business challenges by reimagining how technology works.

TIPS FROM THE EXPERTS

  1. Leverage machine learning for dynamic whitelisting
    Utilize machine learning algorithms that can analyze application usage patterns and automatically adjust whitelists. This can help reduce the administrative burden of manual updates and adapt to changes in real-time.
  2. Regularly review and audit the whitelist
    Periodically review the whitelist to ensure it remains relevant and secure. Remove obsolete or unused applications, as they may introduce vulnerabilities if not actively maintained.
  3. Establish strict update and patching protocols
    Before deploying updates, ensure that the updated application is thoroughly tested in a sandbox environment and the whitelist is adjusted accordingly. This minimizes the risk of introducing new vulnerabilities through unvetted updates.
  4. Educate end-users on the whitelisting process
    Inform users about the reasons behind application whitelisting and the process for requesting new applications. Transparent communication helps in reducing user frustration and ensuring compliance with security policies.
  5. Utilize behavioral analysis alongside whitelisting
    Incorporate tools that monitor application behavior in real-time. Even whitelisted applications can be compromised, so monitoring how an application behaves can help detect anomalous activities that static whitelists might miss.

Identifying Applications for Whitelisting: Whitelisting Attributes

There are various attributes that can help determine if an application file or folder may be vetted for whitelisting. Each one has its limitations, so you should use two or more attributes to identify files and programs for whitelisting.

File Path Whitelisting

By whitelisting a file path, you allow all applications in that path to run. There are two options:

File Whitelisting

Using the file name as an attribute on its own potentially opens a path to malicious programs that reuse whitelisted file names. Therefore, this attribute is usually combined with other identifiers.

File Size Whitelisting

This attribute is used under the assumption that a malicious version of an application has a different file size. Because this attribute is easy to manipulate, it must be used in conjunction with others.

Cryptographic Hash Whitelisting

A much stronger attribute, and one that is practically impossible to forge, is a cryptographic hash of the file. Keying the whitelist on this unique value is a far stronger filter than file names or file system locations. Note that the hash changes whenever the file itself changes, so every legitimate update produces a new hash that must be added to the list.

Digital Signature

Digitally signing an application file helps verify its authenticity. A valid signature ties the file to its publisher and shows that it has not been altered since it was signed, so this attribute also helps determine whether a file has been compromised.

Process Whitelisting

Some applications require a predetermined set of processes to run. Process whitelisting can lock down a system by enabling only legitimate processes while preventing other processes from executing.
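The following Python example is added here to show how the attributes above combine into a single allow/deny decision; it is not code from the article or from any whitelisting product. Hash and verified-publisher matches are treated as strong evidence on their own, while path, name and size are weak and only count when two of them corroborate each other (that weighting is this example's own design choice). The file contents, paths and the publisher name "Example Software Inc." are constructed, and the `publisher` field stands in for the result of the signature check a real tool would perform.

```python
"""Multi-attribute allow-list decision (illustrative; not a product's code).

Rules match one attribute each.  Hash and verified-publisher matches are
strong enough on their own; path, name and size are easy to forge and only
count when two of them corroborate each other.
"""
import hashlib
import posixpath
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple


@dataclass
class Candidate:
    path: str
    content: bytes
    # Publisher name as reported by a signature check a real tool would run;
    # None means unsigned or the signature did not verify (assumed input).
    publisher: Optional[str] = None

    @property
    def name(self) -> str:
        return posixpath.basename(self.path)

    @property
    def size(self) -> int:
        return len(self.content)

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


# One matcher per attribute type, plus the evidential weight of a match.
STRONG, WEAK = 2, 1
MATCHERS = {
    "path": (lambda c, v: c.path.startswith(v.rstrip("/") + "/"), WEAK),
    "name": (lambda c, v: c.name == v, WEAK),
    "size": (lambda c, v: c.size == v, WEAK),
    "hash": (lambda c, v: c.sha256 == v, STRONG),
    "publisher": (lambda c, v: c.publisher is not None and c.publisher == v, STRONG),
}
THRESHOLD = 2  # one strong match, or two weak ones


def matched(candidate: Candidate, rules: List[Tuple[str, Any]]) -> Dict[str, int]:
    """Map each attribute type that matched some rule to its weight."""
    hits: Dict[str, int] = {}
    for rule_type, value in rules:
        matcher, weight = MATCHERS[rule_type]
        if matcher(candidate, value):
            hits[rule_type] = weight
    return hits


def is_allowed(candidate: Candidate, rules: List[Tuple[str, Any]]) -> bool:
    """Allow when the combined weight of matched attributes reaches THRESHOLD."""
    return sum(matched(candidate, rules).values()) >= THRESHOLD


# Constructed sample binary and policy (not real hashes, paths or publishers).
GOOD_EXE = b"MZ editor v1.0 (constructed stand-in for a real binary)"
POLICY: List[Tuple[str, Any]] = [
    ("hash", hashlib.sha256(GOOD_EXE).hexdigest()),
    ("publisher", "Example Software Inc."),
    ("path", "/opt/approved"),
    ("name", "editor.exe"),
]


def scenario() -> Dict[str, bool]:
    legit = Candidate("/opt/approved/editor.exe", GOOD_EXE, "Example Software Inc.")
    # Same file name dropped elsewhere, unsigned, different content.
    lookalike = Candidate("/tmp/editor.exe", b"MZ dropper", None)
    # Unsigned helper that only shares the approved directory.
    neighbour = Candidate("/opt/approved/helper.exe", b"MZ helper", None)
    # Tampered copy at the approved path: name + path still corroborate,
    # which is exactly the residual risk of relying on weak attributes.
    tampered = Candidate("/opt/approved/editor.exe", b"MZ editor (modified)", None)
    return {
        "legit": is_allowed(legit, POLICY),
        "lookalike": is_allowed(lookalike, POLICY),
        "neighbour": is_allowed(neighbour, POLICY),
        "tampered": is_allowed(tampered, POLICY),
    }


if __name__ == "__main__":
    for label, verdict in scenario().items():
        print(f"{label:10s} -> {'ALLOW' if verdict else 'DENY'}")
```

The `tampered` case is the one to study: a policy that leans on path and name admits any file placed at the approved location, whereas the hash and publisher rules only fire for the genuine binary. That is why the article steers you toward hashes and signatures and treats the weaker attributes as corroboration only.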


Challenges in Application Whitelisting

One of the greatest concerns regarding whitelisting is its effect on end-users. Denying applications by default is a cumbersome mechanism, which often impedes business processes and frustrates employees.

The whitelisting process itself is also difficult to implement and manage. Automating the exception management process, and the whitelist management process itself, can be a great improvement.

An alternative to traditional application whitelisting is monitor-only whitelisting. This lets the organization visualize all executables running on endpoints, and alert when unrecognized applications are discovered, without blocking applications from running. This can provide many of the security advantages without frustrating users. However, it is a passive approach that makes it possible for malicious programs to infect endpoints.

App Whitelisting Best Practices

Compile an Application Inventory

It is important to create a comprehensive list of legitimate applications used by your organization, before deploying application whitelist software. All these applications must be included in the company’s whitelist policy. Software that is not explicitly listed in company-created policies cannot be run and will be unavailable to users.

It is best to use the publisher’s digital signature or a cryptographic file hash to identify applications. Most application whitelisting tools allow you to build a whitelist strategy on these two identifiers. Using weaker identifiers, like file names or file system locations, may result in both false negatives and false positives.

Classify Essential and Non-Essential Business Applications

Consult with business teams to identify which of the applications currently running on the network are essential for day-to-day operations and which are not. Many applications may have been installed but never used, employees may have moved to another tool and left the old one installed, and so on. Whitelist the essential applications and block the non-essential ones to reduce security risk and reclaim the resources they waste.

Integrating Whitelisting and Patch Management

A primary challenge with whitelisting is integrating it with patch management. Most organizations have an automated patch management process, but a patch changes the application’s files, so the whitelisting tool no longer recognizes the updated software and blocks the new version.

If you use a tool like Windows Server Update Services (WSUS) for patch management, administrators approve patches before they are deployed automatically. That approval step is the point at which to add the patched files to the whitelist policy, just before or after approving them for distribution.

Another solution is to build the whitelist strategy on the vendor’s digital signature. When the vendor releases a patch, it carries the same signature as the application it updates, so the patched version is allowed to run automatically.
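As an added illustration (not the article’s code and not any vendor’s implementation), the Python model below contrasts a hash-keyed allow list with a publisher-keyed one across a vendor patch, and includes an `approve_patch` hook standing in for the WSUS approval step: the new binary’s hash is recorded before the patch ships, and the superseded hash is retired. The binary contents, the vendor name and the hook itself are all constructed for the example.

```python
"""Allow-list behaviour across a vendor patch (added illustration, not a product's code)."""
import hashlib
from typing import Dict, Optional, Set


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AllowList:
    """Two rule kinds from the text: exact file hashes and trusted publishers."""

    def __init__(self) -> None:
        self.hashes: Set[str] = set()
        self.publishers: Set[str] = set()

    def permits(self, content: bytes, publisher: Optional[str]) -> bool:
        # A file runs if its hash is listed or its verified publisher is trusted.
        if sha256_hex(content) in self.hashes:
            return True
        return publisher is not None and publisher in self.publishers

    def approve_patch(self, patched: bytes, superseded: Optional[bytes] = None) -> str:
        """Hook run when an administrator approves a patch for distribution.

        Records the new binary's hash before it ships and optionally retires
        the old version's hash so the superseded file stops being allowed.
        (Constructed for this example; real tools expose their own API.)
        """
        digest = sha256_hex(patched)
        self.hashes.add(digest)
        if superseded is not None:
            self.hashes.discard(sha256_hex(superseded))
        return digest


# Constructed stand-ins for a binary before and after a vendor patch.
V1 = b"MZ editor v1.0"
V2 = b"MZ editor v1.1 (security fix)"
VENDOR = "Example Software Inc."  # assumed publisher name carried by the signature


def scenario() -> Dict[str, bool]:
    hash_policy = AllowList()
    hash_policy.hashes.add(sha256_hex(V1))
    sig_policy = AllowList()
    sig_policy.publishers.add(VENDOR)

    results = {
        "v1_hash_policy": hash_policy.permits(V1, VENDOR),
        "v2_hash_policy_unapproved": hash_policy.permits(V2, VENDOR),  # hash changed
        "v2_sig_policy": sig_policy.permits(V2, VENDOR),               # same publisher
        "unsigned_sig_policy": sig_policy.permits(b"MZ unknown", None),
    }
    # Administrator approves the patch: new hash in, old hash out.
    hash_policy.approve_patch(V2, superseded=V1)
    results["v2_hash_policy_approved"] = hash_policy.permits(V2, VENDOR)
    results["v1_hash_policy_retired"] = hash_policy.permits(V1, VENDOR)
    return results


if __name__ == "__main__":
    for label, verdict in scenario().items():
        print(f"{label:28s} -> {'ALLOW' if verdict else 'DENY'}")
```

Two practical notes fall out of the model. With a hash-keyed policy the approval hook has to run before the patch reaches endpoints, or there is a window in which every patched client is blocked. With a publisher-keyed policy the trade-off runs the other way: the rule admits anything that vendor signs, not just this product, so narrow it by product or version wherever the tool supports it.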

Allow Selective Admin Access to Admin Tools

Some employees, such as IT staff, require access to administrative tools. You cannot leave these tools off the whitelist entirely, but neither should you let every employee use them, because that creates operational and security risks.

You will need to identify and whitelist IT management tools, while restricting access to only those individuals who need the tools for their day-to-day jobs.

Perception Point Advanced Browser Security

Perception Point Advanced Browser Security adds enterprise-grade security to standard browsers like Chrome, Edge, and Safari. The solution fuses advanced threat detection with browser-level governance and DLP controls, providing organizations of all sizes with unprecedented ability to detect, prevent and remediate web threats including sophisticated phishing attacks, ransomware, exploits, Zero-Days, and more.

By transforming the organizational browser into a protected work environment, access to sensitive corporate infrastructure and SaaS applications is secured against data loss and insider threats. The solution is seamlessly deployed on the endpoints via a browser extension and is managed centrally from a cloud-based console. There is no need to tunnel or proxy traffic through Perception Point.

An all-included managed Incident Response service is available for all customers 24/7. Perception Point’s team of cybersecurity experts will manage incidents, provide analysis and reporting, and optimize detection on-the-fly. The service drastically minimizes the need for internal IT or SOC team resources, reducing the time required to react and mitigate web-borne attacks by up to 75%.

Customers deploying the solution will experience fewer breaches, while providing their users with a better experience as they have the freedom to browse the web, use SaaS applications that they require, and access privileged corporate data, confidently, securely, and without added latency.

Contact us for a demo of our Advanced Browser Security solution.
