Controlling which applications, executables, websites and IP addresses are allowed on your IT system is a key defence against cyber-attacks: it prevents malicious code from creating havoc, stealing your data and holding it to ransom. Traditionally this was called whitelisting and blacklisting, terminology which of course is now unacceptable. Instead we refer to an allowlisting (or sometimes passlisting) approach, with the alternative approach being blocklisting, sometimes called disallowlisting or denylisting.
Application allowlisting allows only preapproved applications and processes to run. Blocklisting takes the opposite approach, preventing known malicious applications, or malware, from running on endpoints and servers.
In the evolution of defence against malware, the anti-virus system was the first iteration. We still use this technology today: new executables and files are examined and compared against a list of signatures that represent known malware. This is blocklisting: we block applications which the anti-malware system recognizes as malicious.
Anti-malware systems have evolved to combine multiple techniques and services, such as threat intelligence centers, endpoint telemetry and user behavior analysis. But cybercriminals have a habit of staying one step ahead. They continually adopt new techniques to prevent their malware from being identified, for example writing it in obscure programming languages to thwart signature-based detection, malicious behaviour detection and malware analysis.
Anti-malware (blocklisting) vendors try to keep up with cybercriminals using their security expertise and artificial intelligence, all aimed at spotting malicious processes. But the AV-TEST Institute registers more than 450,000 new malicious programs and potentially unwanted applications every day. Keeping up with this ever-growing list of threats is never complete, nor foolproof.
And the organization using this kind of technology has to at least try to block 100 percent of this malware, while the cybercriminal only needs to get a tiny percentage of their attacks past the defenses.
A look at allowlisting
On the face of it, allowlisting is a more logical approach. In a business environment, there is generally no reason for a previously unknown piece of software to run. A typical business PC is built to a standard design that includes all the tools that its user will require. At the moment, it’s probably Windows 10 with Microsoft Office installed, maybe Teams or Zoom, and a selection of business applications, some installed locally and some web-based.
Allowlisting leverages this typical business IT environment by arranging that only pre-authorized applications and processes, i.e. those on the allowlist, are allowed to run. Any application, script or macro not on the list is simply blocked. This means that mutated malware variants and zero-day attacks that usually evade detection can be prevented.
Strong allowlisting provides a proven methodology for preventing any kind of threat from executing and ensuring robust endpoint security. For example, drive-by downloads, downloading files from websites and opening untrusted email attachments are among the most common causes of malware incidents. Allowlisting ensures that users can click on any link or open any email attachment safe in the knowledge that a malicious payload will not be allowed to execute.
Application allowlisting also has operational benefits beyond threat protection: it creates an application inventory that identifies unauthorized applications and incorrect versions of approved applications, it improves file integrity, and it supports incident response by searching the entire enterprise for malicious files by attributes such as hashes.
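As an added illustration (not code from the original article), the following Python models the allowlist-versus-blocklist contrast described above together with the inventory use: a default-deny allowlist keyed on file hashes, a signature blocklist, and a small constructed set of executables that includes a never-seen sample and a wrong version of an approved application. All file names, contents and hashes are made up for the example.

```python
import hashlib


def sha256(data: bytes) -> str:
    """Hash of a file's contents; the allowlist keys on this, not on the file name."""
    return hashlib.sha256(data).hexdigest()


# Constructed standard build (names and contents are made up for this example).
APPROVED_BUILD = {
    "winword.exe": b"approved office binary v16",
    "teams.exe": b"approved teams client",
}
# Allowlist: hashes of the standard build. Anything else is denied by default.
ALLOWLIST = {sha256(content) for content in APPROVED_BUILD.values()}
# Blocklist: signatures of malware the vendor already knows about (constructed).
KNOWN_MALWARE = {sha256(b"known ransomware sample")}


def allowlist_decision(content: bytes) -> str:
    return "allow" if sha256(content) in ALLOWLIST else "block"


def blocklist_decision(content: bytes) -> str:
    return "block" if sha256(content) in KNOWN_MALWARE else "allow"


def evaluate(files: dict) -> dict:
    """Return {name: (allowlist verdict, blocklist verdict)} for each file."""
    return {name: (allowlist_decision(c), blocklist_decision(c)) for name, c in files.items()}


def inventory(files: dict) -> list:
    """Files on the endpoint that are not part of the approved build:
    unauthorized applications or wrong versions of approved ones."""
    return sorted(name for name, c in files.items() if sha256(c) not in ALLOWLIST)


# Constructed endpoint contents: the standard build plus three unexpected files.
ENDPOINT = dict(APPROVED_BUILD)
ENDPOINT["known_malware.exe"] = b"known ransomware sample"   # both approaches block it
ENDPOINT["zero_day.exe"] = b"never-seen-before payload"      # no signature yet: only the allowlist blocks it
ENDPOINT["winword_old.exe"] = b"approved office binary v15"  # right name, wrong version: not on the allowlist

if __name__ == "__main__":
    for name, (allow, block) in evaluate(ENDPOINT).items():
        print(f"{name:20} allowlist={allow:5} blocklist={block}")
    print("not part of the approved build:", inventory(ENDPOINT))
```

The blocklist lets the unknown sample and the outdated version run because neither matches a signature, while the allowlist blocks everything that is not the exact approved build.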
Why isn’t allowlisting more widely used?
One reason many companies don’t implement allowlisting is that many solutions can be difficult to set up and maintain. Establishing the initial list of approved processes for each system can be complicated, and in a modern environment where applications are updated regularly, some allowlisting systems do not cope well. But modern allowlisting systems and AI deal with the difficulties of configuration and maintenance, so that users who are doing all the right things are not disrupted.
I’m not advocating the complete removal of all endpoint protection systems and replacement with an allowlisting approach. Endpoint protection has a whole range of capabilities beyond that of preventing the execution of malware, but allowlisting done properly provides a robust layer of IT security.
Keep it simple
With millions of new cyberattacks taking place globally every day, the approach of trying to identify all malware seems overly complicated. The alternative, which only allows known processes to run while blocking everything else, is far simpler. There’s less work for the machine to do and less reliance on experts and artificial intelligence to successfully identify each new piece of malware. Allowlisting is like the bouncer on the door: if you’re not on the list, you won’t get in.