Airlock Blog

How is application allowlisting evolving to help manage risk and build trust?

Written by Iain Ferguson | 11 April 2024


Application allowlisting–formerly application whitelisting–is moving to a dynamic, granular model that sheds the cumbersome, one-size-fits-all approaches of the past.

At Airlock Digital, we’re combining application allowlisting with execution control to better protect businesses, and enable administrators to manage risk and trust in fast-changing environments.      

This is why we’ve branded our cornerstone product Airlock Allowlisting. 

Preventing living off the land attacks

Allowlisting and execution control are increasingly important in stopping attacks that abuse living off-the-land binaries (LOLBins): legitimate system components that cybercriminals can co-opt, and that are hard to detect because they are not inherently malicious.

Living off-the-land attacks are increasingly ubiquitous and a particular threat to critical infrastructure organisations, with United States and Australian cyber security agencies warning recently that state-sponsored actors are among those employing the techniques.

With Airlock Digital’s allowlisting solution, businesses can take a more proactive approach to countering these attacks than is often possible with signature-based detection.

Many endpoint security products look at the behaviour that results from use of a tool such as OpenSSH to determine whether something is going wrong. 

However, with Airlock’s allowlisting solution, businesses have the organisational and environmental context to decide with confidence whether to switch off a tool that is not malicious in itself but can be used to compromise an environment. For example, organisations that don’t require the aforementioned OpenSSH capability built into an operating system can simply disable it.

At Airlock Digital, we are continuing work on allowlisting to make it easier for businesses–and most importantly, non-security practitioners–to pick and choose what software and functionality they allow within their environments.

A granular approach builds trust and minimises risk

The other important thing to understand is that not all application allowlisting products are equal. 

At Airlock Digital, we deliver high-calibre allowlisting to our customers thanks to the granular nature of our product. 

Many vendors say they undertake application allowlisting or application control, but act only on executables, or apply a fuzzy definition of trust that allows applications designated as belonging to a certain category, or that have a sound reputation based on feedback from the cloud.

However, this is not allowlisting.

True allowlisting enables a business to define trust as it relates to the applications and files that run in its environment. 

To stop attacks, a business needs to trust the application as an executable and all its associated parts (also known as application libraries). For example, one widely installed product has a primary executable that, when run, breaks out into three libraries and extracts further into nearly 100 libraries.

So to trust an application, a business has to apply a definition of trust to each of those components. That is what Airlock Allowlisting and Execution Control enables.

If a business implements software that trusts only the primary application executable, it risks being exposed to attacks through an application's components.

Some vendors in this industry state that it is too hard to trust all applications, including the primary executable and associated files, at scale, and consequently have resorted to a high-level, fuzzy definition of trust.
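The gap described above can be modelled in a few lines. The following is an added example, not Airlock Digital's code: a hash-based allowlist evaluated either against every component of an application or, as some products do, against the primary executable alone. All file paths and file contents are constructed for illustration.

```python
"""Added example (not Airlock Digital's code): component-level vs executable-only allowlisting."""
import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    """Identity of a file is the SHA-256 of its bytes."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Component:
    path: str       # constructed on-disk location of the file
    content: bytes  # constructed file bytes, hashed to derive its identity


# Constructed application: one primary executable plus three libraries it loads.
APP = [
    Component("C:/Program Files/ExampleApp/app.exe", b"exe-bytes-v1"),
    Component("C:/Program Files/ExampleApp/core.dll", b"core-bytes-v1"),
    Component("C:/Program Files/ExampleApp/net.dll", b"net-bytes-v1"),
    Component("C:/Program Files/ExampleApp/ui.dll", b"ui-bytes-v1"),
]

# Allowlist built when the application was approved: one hash per component.
ALLOWLIST = {sha256(c.content) for c in APP}


def evaluate(components, allowlist, executable_only=False):
    """Return (allowed, unapproved_paths).

    executable_only=True imitates a product that trusts only the primary
    executable (components[0]); the default checks every component.
    """
    to_check = components[:1] if executable_only else components
    unapproved = [c.path for c in to_check if sha256(c.content) not in allowlist]
    return (not unapproved, unapproved)


def tampered_app():
    """The same application with one library replaced by unapproved code."""
    return [Component(c.path, b"net-bytes-replaced") if c.path.endswith("net.dll") else c
            for c in APP]


if __name__ == "__main__":
    print(evaluate(APP, ALLOWLIST))                                   # (True, [])
    print(evaluate(tampered_app(), ALLOWLIST, executable_only=True))  # (True, []) - gap
    print(evaluate(tampered_app(), ALLOWLIST))                        # (False, ['.../net.dll'])
```

The executable-only check passes the tampered application because it never looks at the swapped library; the component-level check names the exact file that falls outside the defined trust.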

A dynamic, adaptable approach

However, the granular, workflow-based model applied by the Airlock allowlisting solution supports businesses that update their definition of trust internally at least once every few days. 

This dynamic approach recognises that developers and other team members naturally bring in code constantly, and businesses must make their security controls highly adaptable to their changing environments. 

It also aligns closely with what the Australian Cyber Security Centre and the Australian Signals Directorate maturity models are trying to address: the need to implement Essential Eight cyber security incident mitigation strategies to a high level.  

With Airlock Digital, businesses can achieve the Essential Eight maturity model level relevant to their needs while managing risk and building trust internally and externally.    
