As I work my way around from customer to customer, many of whom have seen or been slapped in the head with the ASD Top 4, I am constantly asked, “how do we implement whitelisting and what’s it all about?”
The following should equip you with some questions that will help you make decisions that fit your company’s needs, not those of the vendor who is banging on your door. Considering I work for a vendor this may sound weird, but after nearly 30 years in IT I’ve learned that if your solution doesn’t fit the customer’s need you may get a short-term win, but lose a long-term customer.
In my experience, simple is good for security – simple to maintain, simple to update, etc. So, quite simply, “whitelisting is all about your backup rule”.
The principle of whitelisting is simple – here is a list of things you can run, no more, no less. The challenge comes when we try to keep that list up to date, and protect our rule from a crafty user or someone who would like to bypass the rules.
Here are your basic options:
1. Use specific paths and rely on file level security to prevent file copies or over-writes.
2. Use digital signatures or hashing for each allowed file to prevent changes.
3. Use certificates or other credentials from trusted vendors.
4. Use an online database of signatures for allowed files.
5. File ownership – keep a list of trusted owners who can update files.
Each of these options has its market leaders, and vendors claiming their way is the best way. Really it’s about what best suits the customer.
If our world never changed then things would be easy, but updates to allowed files happen all the time, and this is where the real cost of whitelisting comes in:
- If we change or update a whitelisted file, how much management is involved in making sure users can run the new version?
- If we want to add a file to the whitelist, how much work is required to make sure the authorised users can run this new file?
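To make the trade-offs between the options above concrete, here is a toy policy evaluator, added as an example and not code from the article, Enex TestLab or CSO Australia. It implements three of the listed rule kinds (a path rule backed by file permissions, a SHA-256 hash rule, and a file-ownership rule), applies the “backup rule” of denying anything unmatched, and then walks one constructed file through the two maintenance scenarios just raised: a vendor update that changes the file, and a loosening of permissions that undermines the path rule. It assumes a POSIX host (uid and mode bits) and builds its sample files in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class PathRule:
    """Option 1: allow anything under a directory, trusting file-level security."""
    directory: str


@dataclass(frozen=True)
class HashRule:
    """Option 2: allow one exact file content, identified by its SHA-256."""
    sha256: str


@dataclass(frozen=True)
class OwnerRule:
    """Option 5: allow files owned by a trusted account (numeric uid)."""
    trusted_uids: frozenset


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _loosely_writable(path):
    """True if group or others may write here, which would let a crafty user
    swap the contents out from under a path rule."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def is_allowed(rules, path):
    """Return (allowed, reason). The backup rule: nothing matched means deny."""
    real = os.path.realpath(path)
    st = os.stat(real)
    for rule in rules:
        if isinstance(rule, PathRule):
            base = os.path.realpath(rule.directory)
            inside = os.path.commonpath([base, real]) == base
            # A path rule is only as strong as the permissions around it.
            if (inside and not _loosely_writable(real)
                    and not _loosely_writable(os.path.dirname(real))):
                return True, "path"
        elif isinstance(rule, HashRule):
            if sha256_of(real) == rule.sha256:
                return True, "hash"
        elif isinstance(rule, OwnerRule):
            if st.st_uid in rule.trusted_uids:
                return True, "owner"
    return False, "default-deny"


def _verdicts(app, rule_sets):
    return {name: is_allowed(rules, app)[0] for name, rules in rule_sets.items()}


def demo():
    """Walk one constructed file through the article's scenarios and return,
    per scenario, which rule kinds still allow it."""
    results = {}
    with tempfile.TemporaryDirectory() as appdir, \
            tempfile.TemporaryDirectory() as elsewhere:
        app = os.path.join(appdir, "app.bin")
        with open(app, "wb") as f:
            f.write(b"constructed application, version 1")
        os.chmod(app, 0o644)
        rule_sets = {
            "path": [PathRule(appdir)],
            "hash": [HashRule(sha256_of(app))],
            "owner": [OwnerRule(frozenset({os.getuid()}))],
        }
        results["default_deny"] = is_allowed([], app)
        results["v1"] = _verdicts(app, rule_sets)
        # The vendor ships version 2: only the hash rule needs maintenance.
        with open(app, "wb") as f:
            f.write(b"constructed application, version 2")
        results["v2"] = _verdicts(app, rule_sets)
        # Permissions get loosened: the path rule can no longer be trusted.
        os.chmod(app, 0o666)
        results["v2_world_writable"] = _verdicts(app, rule_sets)
        # An unknown file placed outside the allowed directory by the same
        # account: only the owner rule lets it through, which is the cost of
        # trusting owners rather than contents.
        stray = os.path.join(elsewhere, "stray.bin")
        with open(stray, "wb") as f:
            f.write(b"constructed unknown binary")
        os.chmod(stray, 0o644)
        results["stray"] = _verdicts(stray, rule_sets)
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(scenario, verdict)
```

Run it and the scenarios line up with the two questions above: the hash rule is the only one that stops allowing the file after a legitimate update (so every update costs you a re-hash), the path rule survives the update but collapses the moment file-level security is loosened, and the owner rule survives both while also waving through an unrelated file the same account happened to create. Whichever option you choose, the deny-by-default backup rule is what catches everything the rules do not describe.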
It’s here that other questions can be raised. One discussion I’ve had many times with customers is, “do you want a whitelisting solution, or do you just want to make sure users can only run authorised files?”
While they may sound the same, the technologies involved—and therefore the solution and ongoing maintenance—can vary widely.
I urge you to ask your team, your vendor and your management two questions:
- Do we really need whitelisting, or are we just after better protection?
- If we do choose whitelisting, what is our backup rule, and how do we keep things current?
One last thing I’d urge you to do: test any solution in your environment, with your endpoints. Confirm any vendor claims are real before parting with your hard-earned cash.
This article is brought to you by Enex TestLab, content directors for CSO Australia.