To Whitelist or not to whitelist... is the question

What is whitelist / whitelisting?

A whitelist is a list of entities that are authorized to run on a host according to a well-defined baseline. These entities could be applications, hosts, ports, runtime processes, or application components (libraries, configuration files, etc.). They are designed to permit known good actors and block everyone else. Some examples that we see in real life are airport security, ad tracker blockers, and the Apple App Store. At the airport, everybody is checked before they are allowed through the TSA checkpoint and on to the gate. An ad tracker blocker blocks all tracking except what a user permits. The Apple App Store verifies and posts apps only after vetting them for security and privacy.


What is a blacklist?

A blacklist blocks all known bad actors and permits everyone else. It is a list of entities that are associated with malicious activity. Some examples that we see in real life are clubs, casinos, antivirus software, and DNS servers. At a club, the bouncer admits everyone except people who do not meet the dress code. In a casino, everyone is permitted to come in and gamble, except people who are listed in the casino's black book. Antivirus software is signature-based: it blocks known bad activity and permits everything else. DNS servers also block a list of malicious IP addresses.

A greylist is a list of entities that have been classified into neither the blacklist nor the whitelist. More information is required before an entry can be deterministically moved into the whitelist or the blacklist.

Benefits of whitelisting

Whitelisting is a deterministic way to stop bad actors. It does not allow unauthorized entities such as malware, crypto-mining software, software vulnerabilities, or unauthorized connections to run on a host.

Generally, whitelists are generated in one of two ways:

  1. A developer provides information about the characteristics of a known good app. This can be complemented by other organization-specific information and workflows.

  2. A developer observes a good app on a clean host to understand its characteristics and builds a baseline from which whitelist policies are derived.

After the whitelist rules are generated, they are executed in one of two modes, audit/discovery mode or enforcement mode:

  1. Audit mode allows everything to execute. It raises an alert when an item that is not whitelisted is executed. These alerts can be analyzed and used for monitoring, but not for preventing or blocking a bad actor.

  2. Enforcement mode allows only whitelisted items to execute, blocking everything else. Enforcement mode requires a high level of confidence to de-risk business continuity. For this reason, companies start with audit mode before turning on enforcement mode, which lets them fully appreciate the ramifications first.
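As an added example (not code from the original article), a minimal allowlist engine in Python that builds its baseline by observing a clean host, evaluates process-execution events in audit or enforcement mode, and surfaces the greylist of unknown items an operator reviews before enforcing; the host names, paths and hashes are constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ExecEvent:
    """One process-execution event: which binary (path + hash) ran on which host."""
    host: str
    path: str
    sha256: str  # hashes below are constructed placeholders, not real digests


@dataclass
class Allowlist:
    """Known-good (path, sha256) pairs; pinning the hash means a modified binary
    at an allowed path is treated as unknown rather than silently allowed."""
    allowed: set = field(default_factory=set)

    def learn(self, baseline):
        """Build the baseline by observing a clean host (generation method 2)."""
        for ev in baseline:
            self.allowed.add((ev.path, ev.sha256))

    def evaluate(self, ev, mode):
        """Return 'allow', 'alert' (audit mode) or 'block' (enforcement mode)."""
        if (ev.path, ev.sha256) in self.allowed:
            return "allow"
        if mode == "audit":
            return "alert"  # the item still runs, but is recorded for review
        if mode == "enforce":
            return "block"
        raise ValueError(f"unknown mode: {mode}")


def run(allowlist, events, mode):
    """Evaluate an event stream; returns [(event, decision), ...]."""
    return [(ev, allowlist.evaluate(ev, mode)) for ev in events]


def greylist(allowlist, events):
    """Unknown (path, hash) pairs surfaced in audit mode: the greylist an operator
    classifies as good or bad before switching the zone to enforcement mode."""
    return {(e.path, e.sha256) for e, d in run(allowlist, events, "audit") if d == "alert"}


# Constructed sample data: a clean payment host observed during discovery, then
# production events including the gateway binary with a changed hash (tampered
# or unreviewed upgrade) and an unknown binary dropped into /tmp.
BASELINE = [ExecEvent("pay-01", "/usr/bin/python3", "aaaa1111"),
            ExecEvent("pay-01", "/opt/pay/bin/gateway", "bbbb2222")]
PRODUCTION = [ExecEvent("pay-01", "/opt/pay/bin/gateway", "bbbb2222"),
              ExecEvent("pay-01", "/opt/pay/bin/gateway", "cccc3333"),
              ExecEvent("pay-01", "/tmp/miner", "dddd4444")]
```

Running the same PRODUCTION stream in "audit" mode yields allow/alert/alert, while "enforce" yields allow/block/block for the identical events.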

When to use a whitelist

A whitelist is a deterministic way to allow apps to run. In most organizations, people, processes, and apps are always in flux. This makes whitelisting very hard, as policies have to be kept up to date.

This brings us to a key idea: the value of an asset should determine the granularity of its security. This aligns with my previous article on classification, where we said that an organization should classify or segment its resources based on their value and spend more time and resources protecting its most valuable assets.

It is recommended to use whitelisting in the high-value/crown-jewel zone (e.g., payment processing applications). There, the policies should state what an application or service can do at the process level and prevent it from doing anything else. For a low-value zone (e.g., a WordPress blog), use a coarser whitelist that allows a broader set of entities.

Starting on this journey of whitelisting can be very daunting. With hundreds of applications, organizations don't know where to start or how to go about it. In concept, whitelisting sounds beautiful, but it requires the right workflows to get done. If you are feeling overwhelmed, you are not alone, especially if you have a mixed bag of apps running in legacy and modern infrastructure.

If you are thinking about whitelisting applications for modern cloud-native apps, running on multi-cloud, and don’t know where to start, get a demo from Araali and we can provision a free account to get you started.
