Application control is a cybersecurity measure that regulates and manages the execution of software applications on a computer or network. It involves defining and enforcing policies that dictate whether applications can run, as well as how they are allowed to execute.
Advanced application control functionality can include enforcing granular least privilege, by controlling subfunctions of the applications and considering additional context before permitting execution.
Application control aims to enhance security by mitigating the risks associated with unauthorized or malicious software.
Application control falls within the Access Control cybersecurity category. Access control mechanisms ensure only authorized entities, applications, or processes can access specific resources or perform certain actions within a system.
In particular, application control focuses on controlling the execution of software applications based on predefined rules and policies. It is primarily concerned with preventing unauthorized or malicious applications from running on endpoints or servers.
While application control may be provided by vendors as standalone software, or sometimes bundled as part of a firewall or UTM offering, it is often a natural component of an endpoint privilege management solution. These solutions, also referred to as privilege elevation and delegation management (PEDM), pair granular control of privileges on endpoints (desktops, servers, etc.) with application control capabilities. Endpoint privilege management itself is a core discipline of privileged access management (PAM). Endpoint privilege management ensures that users and applications have appropriate privileges, while application control ensures that only approved applications can execute, reducing the attack surface and potential vulnerabilities.
Block listing, also referred to as deny listing, involves preventing the execution of applications based on known-bad hashes, keeping recognized malware at bay. With roughly three quarters of malware estimated to be undetectable by signature-based tools, deny listing alone is insufficient.
Malware's rapid evolution makes it difficult for deny lists to keep pace with an ever-expanding set of files: any recompile or repack produces a new hash that no existing entry matches. Deny lists are also inadequate for controlling user access, since savvy users can easily circumvent them by renaming or rebuilding a binary. Failures in block listing are termed 'false negatives': the absence of a list match is wrongly taken as evidence that the software is legitimate.
Application allow listing, in contrast to deny listing, is a specific method within application control where only a pre-approved list of applications is allowed to run, effectively blocking all other applications. In other words, application allow listing is a subset of application control that focuses solely on permitting approved applications.
Keep in mind that traditional allow listing methods often rely on hashes, which poses its own challenges. Given the multitude of executables in a typical OS install, maintaining an up-to-date allow list requires extensive initial configuration and ongoing updates with each system change or patch, because every new version of a binary has a new hash.
Allow lists are effective for system hardening, but their downside is that they are prone to errors, notably false positives: legitimate software, such as a freshly updated application whose new hash is not yet on the list, being blocked.
In complex systems, a combination of allow listing and block listing is commonly used. In such scenarios, there's often a need for a grey list—a collection of items, such as people, files, apps, or algorithms, that have not been categorized as either allow listed or block listed.
Grey lists serve as a temporary holding space, allowing for decisions to be made regarding the appropriate classification of these items. This is particularly useful for granting temporary access to newcomers, visitors, or third parties in systems requiring flexible access control.
Trusted Application Protection enhances standard application control by providing a higher level of confidence in the trustworthiness of applications. It improves security against sophisticated threat actors by layering in contextual intelligence, which also gives organizations protection against fileless malware and living off the land (LotL) attacks.
The additional context added to the process tree allows application control to restrict attack-chain tools, such as PowerShell and WScript, when they are spawned from commonly targeted applications such as browsers or document handlers (Word, PowerPoint, Excel). This added layer of security ensures that only trusted and verified applications are allowed to run, reducing the risk of malware and unauthorized software. It enhances the effectiveness of application control by considering the integrity, source and launch context of applications rather than the file alone.
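To make the process-tree rule concrete, here is an added example, not code from the original page or from any vendor's product: a small Python evaluator that walks the parent chain of process-creation events and blocks a script host or other attack-chain tool when a browser or document handler appears within a few hops, while allowing the same tool when it is launched from the desktop. The event records are constructed inline in a Sysmon Event ID 1-like shape; the field names, GUID values, the tool and parent lists and the depth limit are assumptions for illustration, not a product's rule set.

```python
"""Parent-process context rule (added example; the event schema, tool list
and parent list are illustrative assumptions, not a vendor's)."""
import ntpath
from typing import Dict, List, Tuple

# Script hosts and other attack-chain tools that a document handler or
# browser has no legitimate reason to spawn.
ATTACK_CHAIN_TOOLS = {
    "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe",
}
# Commonly targeted applications whose descendants get extra scrutiny.
RISKY_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "acrord32.exe", "chrome.exe", "msedge.exe", "firefox.exe",
}
MAX_DEPTH = 3  # how far up the process tree to look for a risky ancestor

Event = Dict[str, str]


def image_name(path: str) -> str:
    """Lower-cased file name of an image path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


def build_tree(events: List[Event]) -> Dict[str, Event]:
    """Index process-creation events by ProcessGuid so ancestors can be looked up."""
    return {e["ProcessGuid"]: e for e in events}


def ancestors(tree: Dict[str, Event], guid: str, max_depth: int) -> List[str]:
    """Image names of the parent, grandparent, ... up to max_depth hops."""
    chain: List[str] = []
    cur = tree.get(guid)
    while cur is not None and len(chain) < max_depth:
        chain.append(image_name(cur["ParentImage"]))
        cur = tree.get(cur["ParentProcessGuid"])  # None once the chain leaves the log
    return chain


def evaluate(tree: Dict[str, Event], event: Event) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for one process-creation event."""
    child = image_name(event["Image"])
    if child not in ATTACK_CHAIN_TOOLS:
        return "allow", f"{child} is not a restricted tool"
    for depth, anc in enumerate(ancestors(tree, event["ProcessGuid"], MAX_DEPTH), start=1):
        if anc in RISKY_PARENTS:
            return "block", f"{child} descends from {anc} at depth {depth}"
    return "allow", f"{child} has no risky ancestor within {MAX_DEPTH} hops"


def evaluate_all(events: List[Event]) -> Dict[str, str]:
    """Verdict per ProcessGuid for a whole (audit-mode) log."""
    tree = build_tree(events)
    return {e["ProcessGuid"]: evaluate(tree, e)[0] for e in events}


# Constructed sample log; paths are typical Windows locations, GUIDs are placeholders.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
HELPER = r"C:\Users\alice\AppData\Local\Temp\helper.exe"

SAMPLE_EVENTS: List[Event] = [
    {"ProcessGuid": "g1", "ParentProcessGuid": "g0", "Image": EXPLORER, "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"ProcessGuid": "g2", "ParentProcessGuid": "g1", "Image": OFFICE, "ParentImage": EXPLORER},
    # user opens a console from the desktop: same tool, benign context
    {"ProcessGuid": "g3", "ParentProcessGuid": "g1", "Image": PS, "ParentImage": EXPLORER},
    # macro launches PowerShell directly from Word
    {"ProcessGuid": "g4", "ParentProcessGuid": "g2", "Image": PS, "ParentImage": OFFICE},
    # macro drops a helper; it is not a script host, so this rule alone does not
    # stop it (the allow-list policy judges it on hash or publisher instead)
    {"ProcessGuid": "g5", "ParentProcessGuid": "g2", "Image": HELPER, "ParentImage": OFFICE},
    # the helper launches wscript: parent is not risky, but the grandparent is
    {"ProcessGuid": "g6", "ParentProcessGuid": "g5", "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": HELPER},
]

if __name__ == "__main__":
    tree = build_tree(SAMPLE_EVENTS)
    for e in SAMPLE_EVENTS:
        verdict, reason = evaluate(tree, e)
        print(f"{e['ProcessGuid']}: {verdict:5} {reason}")
```

The depth walk is what distinguishes this from a plain parent check: g6 is blocked because Word sits two hops up, even though its direct parent is an unremarkable helper. Real enforcement also needs the hash or publisher policy to deal with the helper itself, and a tree built from live process-creation telemetry rather than a static log.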
Application control ensures that only authorized applications have access and are allowed to execute, while preventing unauthorized or malicious ones from running.
By clearly defining which applications are permitted and which are denied, organizations significantly reduce the likelihood of security breaches and other cyber threats, and mitigate the risks associated with unauthorized or malicious software (phishing payloads, ransomware, and fileless living-off-the-land (LotL) attacks).
Application control helps organizations comply with cybersecurity regulations and mandates by preventing the execution of unapproved or malicious programs. For example, it aligns with the Australian Cyber Security Centre's Essential Eight and other regulatory frameworks by ensuring that only trusted applications run within the environment.
Enforcing application control policies that restrict the execution of unauthorized or unapproved applications helps reduce the risks associated with users independently adopting software or tools without IT department approval.
Application control should ideally include frameworks and incident response protocols for handling exceptions, false positives, and security incidents effectively, so that when deviations from established policies occur, they are addressed promptly and appropriately.
Trusted Application Protection (TAP) technologies add an additional layer of security by verifying the authenticity and integrity of applications through context-based, intelligent parameters. This enhances the trustworthiness of applications allowed to run in an environment and reduces the risk of unauthorized software.
In sum, application control’s main aim is to provide granular control over application execution to safeguard critical resources, endpoints, and sensitive data.
Shadow IT is the use of information technology systems, devices, software, applications, and services without explicit IT department approval.
Users or entire departments may use these systems or tools to meet their work objectives. Whether it makes their jobs easier, more efficient, or provides enhanced features or services outside of what’s offered through their organization, unapproved applications can still pose a significant threat.
Shadow IT is not typically implemented with malicious intent. More often, it is a result of users faced with inefficiencies or impasses that hamper productivity or completion of a deadline-sensitive task.
Application control can thwart or rein-in shadow IT attempts by enforcing policies that restrict the execution of unauthorized or unapproved applications.
The Essential Eight is the Australian Cyber Security Centre (ACSC)’s prioritized list of cybersecurity risk mitigation strategies designed to harden an organization’s cyber defenses against the most common attack vectors. It is required for Australian Government departments and agencies. Many private sector organizations also implement the mandate and its best practices.
Application control is the first of eight mitigation strategies outlined by the ACSC, defined as:
“Application control to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.”
Below, we will delve into how organizations can implement application control and, when done properly, become compliant.
When most organizations approach Application Control, they tend to follow some or all of these steps:
Discover and document critical applications and potential risks. Determine the level of control needed for your organization's security goals.
Develop application control policies based on allow listing, block listing, or a combination, considering trusted sources, publishers, directories, and behaviors.
Test the policies in a controlled environment to ensure they work as intended without causing disruptions.
Deploy the policies to the target systems, utilizing security tools, Group Policy, or third-party software.
Continuously monitor and update the policies to adapt to changes in applications, threats, and security requirements.
Establish protocols to handle exceptions, false positives, and security incidents.
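The following added example, which is not code from the original page or from any vendor, serves both the allow, deny and grey list discussion earlier on this page and steps 2 through 4 of the procedure just listed. It is a minimal default-deny evaluator in Python with a hash deny list, a hash allow list and a publisher rule, plus an audit mode that reports what enforcement would block so false positives can be found before the policy is deployed. File contents, paths and the publisher field are constructed stand-ins; in a real deployment the hash is computed from the file on disk and the publisher comes from Authenticode signature validation.

```python
"""Default-deny policy evaluator with audit mode (added example; file
contents, paths and publisher strings below are constructed)."""
import hashlib
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class FileEvent:
    """An observed execution attempt. In practice `content` is read from disk
    and `publisher` comes from signature validation; here both are supplied."""
    path: str
    content: bytes
    publisher: Optional[str] = None   # None: unsigned or signature invalid


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Policy:
    mode: str = "enforce"                   # "enforce" or "audit" (dry run)
    default_deny: bool = True               # False = deny listing only
    deny_hashes: Set[str] = field(default_factory=set)
    allow_hashes: Set[str] = field(default_factory=set)
    allow_publishers: Set[str] = field(default_factory=set)

    def classify(self, ev: FileEvent) -> Tuple[str, str]:
        """Return (verdict, reason) with verdict in {"allow", "deny", "grey"}."""
        h = sha256(ev.content)
        if h in self.deny_hashes:
            return "deny", "hash on deny list"
        if h in self.allow_hashes:
            return "allow", "hash on allow list"
        if ev.publisher is not None and ev.publisher in self.allow_publishers:
            return "allow", f"signed by trusted publisher {ev.publisher}"
        if not self.default_deny:
            # Deny listing assumes anything unlisted is fine: the false-negative path.
            return "allow", "no deny-list match; assumed legitimate"
        return "grey", "no rule matched; held for review"

    def evaluate(self, ev: FileEvent) -> Dict[str, str]:
        verdict, reason = self.classify(ev)
        stop = verdict != "allow"           # grey items are blocked under default deny
        if self.mode == "audit":
            action = "would block" if stop else "would allow"
        else:
            action = "blocked" if stop else "ran"
        return {"path": ev.path, "verdict": verdict, "action": action, "reason": reason}


def audit_report(policy: Policy, events: List[FileEvent]) -> List[Dict[str, str]]:
    """Dry run across an execution log: everything enforcement would stop.
    Legitimate entries in this list are the false positives to fix before deploying."""
    dry_run = replace(policy, mode="audit")
    return [r for r in map(dry_run.evaluate, events) if r["action"] == "would block"]


# Constructed file images (real executables start with "MZ"; the rest stands in for bytes).
MALWARE_V1 = b"MZ constructed malware sample, build 1"
MALWARE_V2 = MALWARE_V1 + b"\x90"      # repacked variant: one byte differs, hash changes
TOOL_V1 = b"MZ constructed line-of-business tool 1.0"
TOOL_V2 = b"MZ constructed line-of-business tool 1.1"   # vendor update, same signer
VENDOR = "CN=Example LOB Vendor, O=Example Corp"       # constructed signer subject

EVENTS = [
    FileEvent(r"C:\Users\alice\Downloads\invoice.exe", MALWARE_V1),
    FileEvent(r"C:\Users\alice\Downloads\invoice(1).exe", MALWARE_V2),
    FileEvent(r"C:\Program Files\LOB\tool.exe", TOOL_V1, VENDOR),
    FileEvent(r"C:\Program Files\LOB\tool.exe", TOOL_V2, VENDOR),
]

DENY_ONLY = Policy(default_deny=False, deny_hashes={sha256(MALWARE_V1)})
HASH_ALLOW = Policy(deny_hashes={sha256(MALWARE_V1)}, allow_hashes={sha256(TOOL_V1)})
PUBLISHER_ALLOW = replace(HASH_ALLOW, allow_publishers={VENDOR})

if __name__ == "__main__":
    for name, pol in [("deny list only", DENY_ONLY), ("hash allow list", HASH_ALLOW),
                      ("hash + publisher", PUBLISHER_ALLOW)]:
        print(f"== {name} ==")
        for r in map(pol.evaluate, EVENTS):
            print(f"  {r['action']:8} {r['verdict']:5} {r['path']}  ({r['reason']})")
    print("audit findings before enforcing hash + publisher policy:",
          [r["path"] for r in audit_report(PUBLISHER_ALLOW, EVENTS)])
```

Running the three policies over the same four events shows each failure mode the page describes: the deny-list-only policy lets the repacked sample through (a false negative), the hash-only allow list blocks the vendor's 1.1 update because its hash is new (a false positive that would surface in the audit report), and adding a publisher rule keeps the update running while both malware samples are still stopped. The grey verdict is where a real deployment queues the item for review rather than silently allowing or denying it.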
While these steps provide a solid starting point for implementing application control, the process is not without its challenges. The complexities involved in deployment, monitoring, and incident response can leave this approach as little more than a stopgap if it is not backed by ongoing maintenance.
Furthermore, the threat landscape is constantly evolving, with cyberattackers now employing sophisticated tactics, including leveraging emerging AI and elusive fileless malware.
Many application control solution providers employ a "Default-Deny" approach, where only allowlisted applications are allowed to execute. These solutions offer comprehensive catalogs of trusted application hashes, simplifying management, and offer dynamic guidance to fine-tune entries for new solutions. Examples of such guidance include:
These actions usually demand administrative privileges and are restricted for standard users. Application control vendors typically devise mathematical models to set thresholds for application trust, determining file reputation and establishing parameters for greylisting.
Many organizations find it challenging to effectively implement allow and deny lists due to their complexities and associated management costs. While these lists offer notable benefits for endpoint security, their restrictive nature, labor-intensive upkeep, and high expenses often limit their usage to small-scale deployments, such as datacenters and kiosks.
However, integrating allow and deny listing into a privilege management strategy considerably streamlines the process. Modern PAM solutions can granularly control applications on Windows, macOS, Unix, Linux, and network devices—all without hindering end-user productivity.
Users with local admin rights possess extensive access to the operating system and all applications, including critical system folders. Maintaining allow lists for these folders proves impractical due to the frequent updates of numerous applications.
Conversely, standard user accounts lack the ability to modify these secure folders without authorization, making them more trustworthy. By combining allow listing with privilege management, a higher level of endpoint security can be achieved more efficiently and cost-effectively.