What is Application Allowlisting? | SentinelOne

Introduction

Application allowlisting (previously known as whitelisting) is a form of endpoint security that helps organizations strengthen their cybersecurity posture.

As the world becomes increasingly digitized, many organizations can store sensitive information across various devices and applications. Although convenient, this makes organizations vulnerable to cyberattacks.

Businesses suffered 50% more cyberattack attempts per week in 2021 compared to 2020. This means implementing application allowlisting and other endpoint security strategies is more critical than ever.

This article takes a closer look at application allowlisting and how it works as well as provides recommendations for application allowlisting best practices.

What is Application Allowlisting?

Application allowlisting is a form of endpoint security that helps prevent malicious programs from running on a network. It monitors operating systems in real time to prevent unauthorized files from being executed.

According to NIST SP 800-167, an application allowlist is: “a list of applications and application components (libraries, configuration files, etc.) that are authorized to be present or active on a host according to a well-defined baseline.” Using application allowlisting technologies, organizations may prevent the execution of malware and other unauthorized software on end-user devices and the network.

Application allowlisting gives administrators and organizations control over which programs can run. Any program not explicitly allowlisted is blocked by default.

Application Allowlisting vs Application Whitelisting

Although “application allowlisting” and “application whitelisting” refer to the same thing, application allowlisting is the preferred language for describing this security capability.

According to the UK’s National Cyber Security Centre, equating “white” with “good, permitted, and safe” and “black” with “bad, dangerous, and forbidden” is problematic, especially when another less ambiguous term is available to describe the same activities.

Blocklisting vs Blacklisting

It is the same case for “blocklisting” (or denylisting) and “blacklisting.” While it was common to use the term “blacklisting” to describe undesirable attributes in cybersecurity, the neutral “blocklisting” is now in favor.

How Does Application Allowlisting Work?

Application allowlisting involves specifying an index of allowed or approved software applications on computer systems to protect them from potentially harmful applications. The list of approved applications can be supplied by a third-party vendor or built into the host operating system.

Using application allowlisting, organizations can prevent the installation and execution of applications that are not explicitly authorized. Allowlisting software compares any applications attempting to run on the network with the list of allowed applications. If the application is on the allowlist, it is allowed to proceed.

Network administrators are typically the ones who choose which applications to allow so they can maintain strict control over the safety of their system and minimize the number of people who have access to the cybersecurity decision-making process.

Unlike antivirus software, which uses blocklists to prevent known “bad” activity and allow everything else, allowlisting technologies permit known “good” activity and block everything else. Ultimately, this practice can help mitigate various threats, including malware and unauthorized or potentially vulnerable software.

Since many of today’s malware-based threats are customized and targeted, application allowlisting can help stop malware from being installed or executed. Sometimes, application allowlisting technologies may be more effective than antivirus software for preventing unknown malware.

In addition to blocking unauthorized applications, application allowlisting software monitors an operating system in real time, preventing the execution of unauthorized files. Beyond simply stopping unwanted applications from running, application allowlisting performs a granular inspection of the application installation packages to verify the integrity of the files.

Application allowlisting is a simple yet effective step to securing an organization’s endpoints. Administrators can stop malicious programs before they cause irreparable harm by ensuring end-users can install only approved applications.

Application Allowlisting vs Blocklisting

Using a predefined list of “bad” applications, blocklisting software typically compares any applications attempting to run on the network with the list of blocked applications. If the application is not on the blocklist, it is allowed to proceed.

For example, conventional antivirus software uses blocklisting to prevent known malware from being executed on a computer system. Since application allowlisting denies unlisted applications and application blocklisting allows unlisted applications, application allowlisting is arguably more secure than application blocklisting.

Application Allowlisting vs Application Control

“Application allowlisting” and “application control” are often used interchangeably, but they do not always mean the same thing. Although both technologies can prevent unauthorized applications, application allowlisting is more stringent than application control.

Application control is similar to application allowlisting since it can prevent unauthorized applications from being installed on endpoints.

However, the technology itself has two significant caveats. First, application control works at the installation package level, which means it cannot prevent an end-user from running an application already installed on the system or a standalone executable file.

Second, application control tools don’t always inspect application installation packages at a granular level. Instead, they only verify if the application is allowed. A threat actor could install unauthorized code into an otherwise legitimate application package to bypass application control tools.

Application Allowlisting Types

Different application allowlisting types offer different balances between security, usability, and maintainability. They include the following:

1. File Path

The file path is the most general attribute and permits all applications with a particular path (i.e., directory or folder). A file path can be a weak attribute since it allows the execution of any malicious files within the directory. However, if strict access controls enable only administrators to add or modify files, the file path can become a more robust attribute.

File paths can also be beneficial by not requiring each file within the path to be listed separately, which can reduce the need to update the allowlist for every new application and patch.

2. Filename

The filename is often too general of an attribute on its own. For instance, if a file were infected or replaced, its name would be unlikely to change, and the file would still execute under the allowlist.

Additionally, a threat actor could place a malicious file onto a host using the same name as a standard benign file. Due to these weaknesses, filename attributes work best with other attributes, such as file path or digital signature attributes.

3. File Size

Allowlisting by file size assumes that a malicious version of an application would have a different file size than the original version.

However, threat actors often intentionally craft malicious files to have the same size as their benign counterparts. Other attributes, including digital signature and cryptographic hash, may better identify files and should be used instead of file size whenever possible.

4. Cryptographic Hash

Cryptographic hashes can provide a reliable and unique value for an application file as long as the cryptography used is strong and the hash is already associated with a “good” file. A cryptographic hash is usually accurate no matter where the file lives, what it is named, or how it is signed.

However, cryptographic hashes are less helpful when files are updated. For instance, when patching an application, the patched version will have a different hash. In these cases, the patch can be verified through its digital signature and its new cryptographic hash added to the allowlist.

5. Digital Signature and Publisher

Today, many publishers digitally sign application files. A digital signature gives the recipient a reliable, unique value for verifying an application file, enabling teams to confirm that the file is legitimate and unaltered.

However, some publishers do not sign application files, so using only publisher-provided digital signatures is often impossible. Some application allowlists can be based on the publisher’s identity rather than verifying individual digital signatures. Still, this method assumes that organizations can trust all applications from trusted publishers.
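As an added example (not from the original article or SentinelOne), the following Python evaluator applies the five attribute types described above to three constructed sample files and illustrates the default-deny behaviour contrasted with blocklisting earlier. The file contents and the publisher name “Example Corp” are placeholders; the `publisher` field stands in for the output of a real signature check, which this example does not perform.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional


@dataclass(frozen=True)
class FileRecord:
    """A candidate executable. `publisher` stands in for the verified signer
    from a signature check (None = unsigned); constructed for this example."""
    path: str
    content: bytes
    publisher: Optional[str]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate(rules, rec: FileRecord):
    """Match rec against (kind, value) rules of the five attribute types.
    No match means "deny": an allowlist is default-deny, whereas a
    blocklist is default-allow."""
    name = PurePosixPath(rec.path).name
    for kind, value in rules:
        hit = (
            (kind == "path" and rec.path.startswith(value.rstrip("/") + "/"))
            or (kind == "filename" and name == value)
            or (kind == "size" and len(rec.content) == value)
            or (kind == "hash" and sha256_hex(rec.content) == value)
            or (kind == "publisher" and rec.publisher == value)
        )
        if hit:
            return "allow", (kind, value)
    return "deny", None


# Constructed sample files (placeholder bytes, not real software).
ORIGINAL = FileRecord("/opt/app/bin/tool", b"benign tool v1", "Example Corp")
# Tampered copy: same path and name, padded to the same size, unsigned.
TAMPERED = FileRecord("/opt/app/bin/tool", b"evil   tool v1", None)
# Vendor patch: new bytes (hence a new hash), signed by the same publisher.
PATCHED = FileRecord("/opt/app/bin/tool", b"benign tool v2", "Example Corp")
SAMPLES = {"original": ORIGINAL, "tampered": TAMPERED, "patched": PATCHED}


def decisions(rules):
    """Allow/deny decision for each sample file under one rule set."""
    return {label: evaluate(rules, rec)[0] for label, rec in SAMPLES.items()}
```

Running `decisions` with a filename-only or size-only rule allows the tampered file, a hash-only rule blocks both the tampered file and the legitimate patch, and a publisher rule blocks the unsigned tampered file while allowing the signed patch, which is why the attribute types are normally combined.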

Application Allowlisting Benefits and Limitations

There are several benefits and limitations associated with application allowlisting.

Advantages

The main advantage of application allowlisting is that it can help stop malware and ransomware from entering and executing within networks. Since application allowlisting is more restrictive than blocklisting, end-users will need permission from administrators before they can install programs that are not on the organization’s allowlist. Requiring approval for unauthorized applications can help proactively prevent malicious programs from being installed on endpoints.

The main advantages of application allowlisting include the following:

  • Preventing malware and unknown threats
  • Creating a software inventory
  • Incident response support
  • Monitoring of files

Disadvantages

One important limitation of application allowlists is that they can create additional work for security teams. For instance, compiling the initial allowlist requires obtaining detailed information about end users’ tasks and the applications needed to perform those tasks.

Similarly, maintaining allowlists can take time due to the increasing complexity of applications and enterprise technology stacks.

Some of the main disadvantages associated with application allowlisting include the following:

  • Challenging to implement
  • Impacts end-users
  • Scope limitations
  • Labor-intensive

Application Allowlisting Best Practices

  1. Audit the Network

Start from a clean system and scan it thoroughly, including any external storage devices, to determine which applications and procedures are essential for normal operations.

Scanning network components can help network administrators establish a solid baseline of which programs need to be accepted. A network audit can also help eliminate unnecessary or malicious applications already running on the network.

  2. Allowlist Trusted Applications and Specific Admin Tools

Create a list of allowed or approved applications and specific administrative tools and categorize them as essential and non-essential. Prioritizing applications based on importance helps determine which applications are critical to business functions and which are simply nice to have.

  3. Document an Access Policy

Next, craft an access policy that outlines a set of rules, so only users who meet specific criteria can use the applications they need. Setting up various access levels for team members on an allowlist can help streamline network access and assist with application allowlist management.

  4. Check the Publisher

Many unlicensed and insecure applications exist, and some can infect web applications and networks. Verifying the publisher’s authenticity before installing an application on a computer can help reduce the chances that a threat actor will exploit an unknown vulnerability.

  5. Allowlist Both Cloud and On-premise Applications

Reviewing both on-premise and cloud-based applications can help ensure an allowlist covers all the bases. A thorough software inventory should provide complete visibility into all the applications and processes on every endpoint and server.

With this information, security teams may be in a better position to identify unauthorized applications or outdated software.

  6. Update the Allowlist

Continuously updating an allowlist is critical to avoid workflow disruptions. Since developers often release updated versions of applications due to vulnerabilities in older versions, updating an allowlist can help ensure it’s in line with the latest versions of the software.

Failure to update the allowlist regularly could result in damage or disruptions, as applications may not be able to function effectively.

  7. Use Additional Cybersecurity Measures

Today, deploying more than a single cybersecurity method is required to defend systems and networks from dynamic threat actors. Implementing various security techniques is the best way to ensure strong defenses.

Rather than relying solely on application allowlisting, add other cybersecurity methods such as DNS filtering, email security, patch management, antivirus, and extended detection and response platforms to cover any potential gaps.

Fortunately, application allowlisting typically integrates well with other cybersecurity measures, so organizations can combine different tools to cater to their unique networks and systems.

Application Allowlisting Examples & Use Cases

Application allowlisting is a proactive method of keeping networks secure, and its primary purpose is to provide application access control. However, organizations can also use application allowlisting tools for other purposes, including:

  • Creating a software inventory: Most application allowlisting technologies help organizations keep a list of the applications and application versions on endpoints and servers. A software inventory can help organizations quickly identify unauthorized applications (i.e., unlicensed, prohibited, outdated, unknown, or modified applications). Visibility into both cloud-based and on-premise applications can also support forensics investigations.
  • Monitoring file integrity: Many application allowlisting tools can continuously monitor attempts to change application files. Some application allowlisting technologies can prevent files from being altered, while other tools can immediately report when changes occur.
  • Incident response: Application allowlists can also help organizations respond to security incidents. For instance, if the organization can capture the characteristics of a malicious file, it can use an application allowlisting tool to search other hosts for the same file names, indicating whether they were also compromised.

Application Allowlisting Tools & Software

Organizations considering an application allowlisting tool should begin by analyzing the environments in which the hosts will run.

Application allowlisting solutions are typically best suited for hosts in Specialized Security-Limited Functionality (SSLF) environments that are highly restrictive and secure due to the high risk of attack or data exposure. It’s also important to remember that application allowlists require dedicated staff to manage and maintain the solution.

Next, organizations can consider which application allowlisting tools best suit their environment. For centrally managed hosts (e.g., desktops, laptops, and servers), an application allowlisting technology already built into the operating system may be most practical due to the relative ease and minimal cost of managing these solutions.

If built-in allowlisting capabilities are unsuitable or unavailable, a third-party solution with robust centralized management capabilities is the next best option.

Prevent and Protect with SentinelOne

Creating an effective application allowlist begins with visibility across the entire technology stack. Organizations cannot protect what they can’t see.

With SingularityXDR from SentinelOne, organizations can eliminate blind spots for centralized end-to-end enterprise visibility, powerful analytics, and automated response across the complete technology stack. See data collected by disparate security solutions from all platforms, including endpoints, cloud workloads, network devices, email, identity, and more, all within a single dashboard.

Discover why the world’s leading and largest enterprises trust SentinelOne and get a demo today.