Application Control - more security with little effort
It is difficult to underestimate the importance of digital security these days . It is important to use different methods and mechanisms in a complementary manner to set the hurdles for attackers as high as possible. However, there is one topic that we have tended to neglect so far: Application control.
At first glance, application control sounds quite simple. IT "simply" allows only those applications on the systems that the users need. But here, too, the challenges begin: Who specifically needs which application and which version? The larger the company, the greater the variety of business units, and with it comes the challenge to provide and manage the user's systems, perhaps not for each individual user, but for specific departments.
What if the users need additional programs? That sounds like additional administrative work. After all, only the software, software libraries and scripts for the systems that are necessary to remain productive and that are secure should be released centrally.
Modern application control solutions not only have lists of approved and/or prohibited programs, but are also capable of learning. Here is one example for such a solution: The Application Control Module from our technology partner DriveLock.
But let's start with a few words about traditional approaches to whitelisting. Static lists are a reliable way to protect the network. With standard application control, administrators are able to control the execution of any application on computers. Various rules or policies can be used to determine which applications are run and which are blocked. This enabling or disabling can be defined based on various criteria and rule types.
- Application hash databases
- Vendor certificate rules (digital signatures)
- File owner rules (NTFS permissions)
- Hash rules (application hash database)
- Trusted Updater rules
- File name and path rules (e.g. .exe / .dll / .msi)
- Special rules (Allow all OS components, updates, .net framework, etc.)
The approach with static whitelists only works to a limited extent in the rapidly changing threat environment and often requires disproportionate level of maintenance effort. "Predictive" whitelisting reduces this maintenance effort.
IT teams must therefore implement a solution that is always up to date, offers users the greatest possible flexibility and relieves the IT department of the burden of updating. This is only possible if the application control is "capable of learning".
Drivelock's application control solution therefore features automated learning of the local whitelist. Through automated learning, the portfolio of applications expands over time. Users in the company can thus use their programs under application control - without having to accept compromises in security.
At the time of the DriveLock installation, the system is "sealed". From that point on, there are only defined and configured ways in which changes to the whitelist are made in a self-learning manner. The automated learning of the whitelist always ensures the security standard by preventing the implementation and execution of unknown applications.
In the case of new and/or unknown applications, application control provides the IT team with various ways in which users can be notified and - if they have been granted the appropriate rights - can intervene in a controlling manner.
Depending on the security settings, users are simply notified or can decide for themselves how the system should behave in the case of unknown applications. This gives the IT department the opportunity to delegate responsibility to the users and the latter the freedom to manage themselves. With appropriate authorization, they can install new software without having to wait for confirmation from the IT team. IT managers then check in a central location which applications have been installed and launched through self-releases.
But even supposedly harmless applications that are on the list of permitted programs can be exploited by attackers. So-called "fileless malware" can transform scripts or system tools. This attack can be countered by limiting the permission and controlling the behavior of these applications. Application behavior control can be used to define exactly which resources and services an application is allowed to access. Again, the learning capability helps determine precisely what is compliant behavior and what should be blocked as an anomaly.
On the one hand, this approach ensures that user productivity is not restricted by rules that are too rigid. On the other hand, it provides high security across the enterprise by freeing up admins to focus on protecting against viruses, Trojans and other malware.