Misplaced trust is a dangerous thing when it comes to cybersecurity. Attackers routinely take advantage of systems that automatically permit certain types of activity.
Therein lies the problem with application whitelisting, which is the practice of designating specific applications that users are allowed to run on their systems. It’s the opposite of blacklisting, which blocks applications that are known to contain security threats or vulnerabilities, as well as those that are considered inappropriate. Antimalware systems, intrusion detection and prevention systems, and spam filters use blacklisting to prevent the execution of undesirable software.
Blacklisting remains an important component of a layered defense but isn’t adequate on its own. As the number, variety, and complexity of threats continue to increase, it’s difficult to maintain an up-to-date list of applications to be blocked. Furthermore, some threats emerge so quickly that it’s virtually impossible to blacklist them in a timely manner.
It would seem that allowing only approved applications and blocking everything else would solve the problem. However, determining which applications should be allowed to execute and maintaining an accurate whitelist are resource-intensive processes. As a result, administrators tend to create overly broad whitelisting rules based on the application publisher, filename, file path, and similar attributes.
That’s where misplaced trust comes into play. Even if an application originates from a trusted source or process, it could have been compromised. In fact, attackers can use relatively simple techniques to defeat basic whitelisting and distribute malicious code.
Application greylisting is a more flexible approach that helps overcome the limitations of blacklisting and whitelisting. If it’s unknown whether an application is malicious or benign, the code is allowed to execute in a restricted mode until it can be investigated further. It’s similar to how email spam filters work; messages that can’t be identified as good or bad are sent to the user’s “junk” folder, where links are disabled and attachments are blocked.
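To make the contrast concrete, here is an added example (not CyberArk’s or Clango’s code) that models the two policies as Python functions: an attribute-based whitelist that trusts a path or publisher, and a hash-based allow/block list with a greylist default. The file contents, paths and publisher names are constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Executable:
    path: str        # where the file sits on disk
    publisher: str   # signer name from the code-signing certificate, "" if unsigned
    content: bytes   # file bytes (constructed samples below)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample binaries; real files would be the actual executables.
APPROVED = Executable("C:\\Program Files\\Vendor\\app.exe", "Vendor Inc", b"approved build 1.2")
KNOWN_BAD = Executable("C:\\Users\\Public\\dl.exe", "", b"known malicious sample")
UNKNOWN = Executable("C:\\Program Files\\Vendor\\helper.exe", "", b"never seen before")

# Hash-based lists built only from files that were actually reviewed.
ALLOW_HASHES = {sha256_hex(APPROVED.content)}
BLOCK_HASHES = {sha256_hex(KNOWN_BAD.content)}

TRUSTED_PATHS = ("C:\\Program Files\\",)
TRUSTED_PUBLISHERS = {"Vendor Inc"}

def decide_broad(exe: Executable) -> str:
    """Attribute-based whitelist: anything in a trusted path or from a trusted
    publisher runs. The location or signer is trusted, not the file itself."""
    if sha256_hex(exe.content) in BLOCK_HASHES:
        return "block"
    if exe.path.startswith(TRUSTED_PATHS) or exe.publisher in TRUSTED_PUBLISHERS:
        return "allow"
    return "block"

def decide_greylist(exe: Executable) -> str:
    """Hash-based lists plus a greylist: only reviewed files run unrestricted,
    known-bad files are blocked, everything else runs in restricted mode."""
    digest = sha256_hex(exe.content)
    if digest in BLOCK_HASHES:
        return "block"
    if digest in ALLOW_HASHES:
        return "allow"
    return "restricted"   # e.g. no network, no elevation, pending risk review

if __name__ == "__main__":
    for exe in (APPROVED, KNOWN_BAD, UNKNOWN):
        print(exe.path, decide_broad(exe), decide_greylist(exe))
```

The unsigned, never-reviewed helper.exe is allowed outright by the broad rule simply because of where it sits, while the greylist policy runs it restricted until the risk review completes.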
In addition to boosting security, greylisting gives end users greater flexibility to install apps that could benefit the business. It puts a curb on shadow IT without alienating users or creating support issues.
The CyberArk Endpoint Privilege Manager includes application control features that automatically block malicious code while greylisting unknown applications. The CyberArk Application Risk Analysis service uses machine learning and malware identification to assign a risk score to all greylisted apps. Deep integration with third-party file reputation systems adds another layer of protection.
Endpoint Privilege Manager enables IT teams to set policies regarding the handling of unknown software and to determine more quickly whether an application should be whitelisted or blacklisted. It also supports a wide range of trusted sources, such as Microsoft System Center Configuration Manager and other corporate software distribution systems, making it easier for IT teams to manage and update whitelists.
Clango’s team of CyberArk Certified Delivery Engineers has the training and experience to design and implement solutions based on Endpoint Privilege Manager as well as CyberArk’s Core Privileged Access Security platform. We can help you identify areas of misplaced trust within your security architecture and leverage privileged account management, application control, and other tools to minimize this risk.
If you’d like to learn more about how we can optimize your CyberArk implementation, send us an email at firstname.lastname@example.org.