Cybersecurity

Some automation makes allowlists more manageable, less manual

Sure, an allowlist is a secure option, but maintaining one isn’t easy.

Mikroman6/Getty Images


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Perhaps it’s no surprise that former Navy pro Jeffrey Wells puts cybersecurity advice in nautical terms: You can’t defend the ocean.

You can control your small part of it, however.

Mechanisms like allowlists, said Wells, permit only a select set of IT-approved applications, not every single boat in the deep blue sea.

“It’s not your only line of defense, but it’s your first line of defense, which makes...a very narrow way for something to get into the organization, and you have at least some control of who gets through that port,” Wells, the retired Navy intelligence officer and current partner at the risk-services company Sigma7, told IT Brew.

Application allowlists, sometimes referred to as whitelists, aren’t as painfully manual as they used to be. Some of today’s control methods automatically build the approved inventory after an audit of everyday practices.

“I wasn’t a fan of whitelists before. But the newer approaches to this, I like, because it takes out a lot of the guesswork,” said Paddy Harrington, senior analyst at the consultancy Forrester.

Some options. ThreatLocker, for example, offers a “learning period,” a catalog of all applications and their dependencies that are running on end-users’ computers. Other vendors, like Airlock Digital and Ivanti, have similar ways of taking inventory of known apps.

The technologies monitor the use of typical applications, launched executables, and dynamic-link libraries (DLLs). Once the review phase ends, enforcement begins.

“It captures what ‘good’ looks like. That’s your allowed list. So, if it’s not allowed, it just doesn’t run,” Harrington said.
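The learn-then-enforce cycle Harrington describes can be sketched in a few dozen lines. The following is an added illustration, not code from the article or from ThreatLocker, Airlock Digital or Ivanti: a learning period records the hash and path of every executable and DLL seen running, the inventory is then frozen, and in enforcement mode anything whose hash is not in the inventory is denied and logged. File paths, hashes and the sample events are constructed; real products also key on signer and publisher, which this model omits.

```python
"""Toy model of learning-period application allowlisting (added example)."""
import hashlib
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class ExecEvent:
    """One observed launch of an executable or load of a DLL (constructed sample)."""
    path: str
    sha256: str
    kind: str  # "exe" or "dll"


def file_hash(content: bytes) -> str:
    """SHA-256 of file content; short byte strings stand in for real binaries here."""
    return hashlib.sha256(content).hexdigest()


def norm_path(path: str) -> str:
    """Windows paths are case-insensitive, so compare them in one case."""
    return path.replace("/", "\\").lower()


# Constructed learning-period telemetry, not real endpoint data.
LEARNING_EVENTS: List[ExecEvent] = [
    ExecEvent(r"C:\Program Files\Office\winword.exe", file_hash(b"winword build 1"), "exe"),
    ExecEvent(r"C:\Program Files\Office\mso.dll", file_hash(b"mso build 1"), "dll"),
    ExecEvent(r"C:\Windows\System32\kernel32.dll", file_hash(b"kernel32"), "dll"),
]


class Allowlist:
    """Learning mode records what runs; enforcing mode denies anything not recorded."""

    def __init__(self) -> None:
        self.mode = "learning"
        self._hashes: Set[str] = set()
        self._paths: Set[str] = set()
        self.denials: List[Tuple[str, str]] = []  # (path, reason) for the audit trail

    def learn(self, event: ExecEvent) -> None:
        if self.mode != "learning":
            raise RuntimeError("inventory is frozen once enforcement starts")
        self._hashes.add(event.sha256)
        self._paths.add(norm_path(event.path))

    def start_enforcing(self) -> None:
        self.mode = "enforcing"

    def approve(self, path: str, sha256: str) -> None:
        """Explicit admin approval: how the list stays current after a business-unit review."""
        self._hashes.add(sha256)
        self._paths.add(norm_path(path))

    def evaluate(self, event: ExecEvent) -> Tuple[bool, str]:
        """Return (allowed, reason). The hash is decisive; a known path with a new hash is denied."""
        if self.mode == "learning":
            self.learn(event)
            return True, "learning: recorded"
        if event.sha256 in self._hashes:
            return True, "hash on allowlist"
        if norm_path(event.path) in self._paths:
            reason = "known path, unexpected hash (file modified or replaced)"
        else:
            reason = "not on allowlist"
        self.denials.append((event.path, reason))
        return False, reason


def build_from_learning(events: List[ExecEvent]) -> Allowlist:
    """Run the learning period over observed events, then switch to enforcement."""
    al = Allowlist()
    for ev in events:
        al.evaluate(ev)
    al.start_enforcing()
    return al


def demo() -> dict:
    """Exercise the cases a practitioner cares about; returns the decisions for inspection."""
    al = build_from_learning(LEARNING_EVENTS)
    known = ExecEvent(r"c:\program files\office\WINWORD.EXE", file_hash(b"winword build 1"), "exe")
    downloaded = ExecEvent(r"C:\Users\alice\Downloads\chatgpt_setup.exe", file_hash(b"unknown installer"), "exe")
    replaced = ExecEvent(r"C:\Program Files\Office\mso.dll", file_hash(b"something else"), "dll")
    results = {
        "known": al.evaluate(known),
        "downloaded": al.evaluate(downloaded),
        "replaced_dll": al.evaluate(replaced),
    }
    # A vetted update is added explicitly rather than by reopening learning mode.
    al.approve(r"C:\Program Files\Office\winword.exe", file_hash(b"winword build 2"))
    results["after_update"] = al.evaluate(
        ExecEvent(r"C:\Program Files\Office\winword.exe", file_hash(b"winword build 2"), "exe"))
    results["denials"] = len(al.denials)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

Two design points are worth noting. Keying on the hash rather than the path is what makes "if it's not allowed, it just doesn't run" hold when a file at an approved location is swapped out: the `replaced_dll` case is denied even though its path was learned. And once enforcement starts, additions go through `approve()` rather than by reopening learning mode, so every change to the list is a deliberate, attributable act.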

One reason the allowlists are a more enticing option lately, according to Harrington: ransomware, which has to execute before it starts encrypting. A well-kept allowlist keeps those kinds of applications from launching, along with any other malicious offerings that may entice users (like phony ChatGPT apps).

Allowlists of the past often required the manual collection of approved applications. Older mechanisms like Group Policy involved configuring many individual rule settings.

Teams trying to work fast, like a “SkunkWorks” development team, may feel held back by an IT-approved list.

“Whitelisting ended up working out for a lot of companies. But it’s still very difficult to do, to say, ‘Nothing but this runs,’” said George Gerchow, chief security officer and SVP of IT at the cloud-based data-analytics company Sumo Logic.

Whether manual or automated, however, keeping the VIP list current is important, and that means regularly checking in with end-users.

“Understanding what are the critical applications that are out there within the organization is an undertaking unto itself. And it does require some time and a comprehensive sort of gap assessment and review of saying, ‘Let me go out to every business unit and say: What is it that you guys are using day to day?’” said Wells.

Finding critical assets and blocking the rest, when done right, is a walled-off enterprise. Or, to borrow another ocean metaphor: an island.—BH
