Essential Eight Best Practice Guide: Application Control

Introduction

Application control is a powerful security strategy that many organisations use to protect critical assets. On a device or network that uses application control, only specific, pre-approved applications are allowed to run; anything else is blocked, whether a user launches it or an exploit drops it to disk. This stops ransomware and other malicious software from executing and compromising the confidentiality, integrity or availability of a business’s systems.

While application control is an effective way to reduce the risk of cyber attacks, it presents technical, people and business challenges. This guide provides an overview of the benefits and challenges of implementing application control, as well as best practices for a successful deployment in a business environment.

Benefits of Application Control

• Improved Security: The key benefit of application control is improvements in cybersecurity. Businesses can drastically reduce their risk of ransomware and other malware threats by only allowing approved applications to run on their networks. This protects valuable assets like data and intellectual property from compromise.

• Reduced Maintenance and Support Costs: Malicious code, like ransomware and other malware, causes significant damage and disruption to business operations, leading to costly repairs and lost productivity. By preventing it from running in the first place, businesses reduce the need for specialised containment and recovery support, saving money and freeing up resources for other priorities.

• Enhanced Compliance: Depending on the industry, businesses may be subject to regulatory requirements to ensure sensitive data is protected. Application control is one security strategy that can help them improve their compliance posture and avoid potential fines and penalties.

• Reducing Licensing Cost and Shadow IT: Implementing application control means each new application is considered at a corporate level. With a clear and controlled process for adding new applications, businesses can better manage software licensing costs and avoid purchasing unnecessary or duplicate applications.

Challenges of Implementing Application Control

• Selecting an Appropriate Toolset:

Implementing application control requires a toolset to enforce a whitelist of allowed software. Many modern security packages can perform this function, each with its own pros and cons. An important consideration is the Essential Eight maturity level the business is targeting for application control: some basic toolsets cannot meet the additional technical requirements of maturity level two or three, such as logging every allowed and blocked execution, controlling drivers, or applying Microsoft’s recommended block rules.

• Defining the Whitelist:

Creating a list of approved business applications may seem straightforward; however, in practice, it is often complicated, especially for a larger organisation. The implementing team needs to work with business units and individuals to understand what applications they use and what they use them for. Different departments may use different applications for the same use case (e.g., Excel and Google Sheets). Implementing teams and senior stakeholders may need to make difficult decisions to rationalise the business’s application usage to form a final whitelist.

• Enacting Organisational Change:

Once the whitelist is defined, some users will likely need to stop using an application they know and begin using a new one for the same activity. This may require training, change agents, communication plans and other elements of organisational change management.

• Defining a New Application Process:

A key benefit of application control is the centralisation of control over corporate applications. However, for the strategy to be successful long term, the wider business needs a quick, efficient and well-publicised process for requesting that new applications be reviewed, added to the whitelist and rolled out. Business needs change over time, and the market is constantly releasing new solutions which could benefit different roles and departments. For business units that previously procured their own software packages, elements of organisational change may be required to ensure resistance is minimised and the benefits of centralised control are well understood.

Best Practices for Implementing Application Control

• Conduct a Risk Assessment:

Before implementing application control, every business should conduct a risk assessment to determine the potential vulnerabilities and threats to their systems. This will help to identify applications that should be included on the whitelist and prioritise the deployment of the strategy. Businesses should also consider their overall security strategy and determine how application control fits in.

• Engage with IT Staff and Employees:

A successful implementation of application control takes strong engagement with all stakeholders. This may include training employees on the benefits and uses of the strategy, as well as providing ongoing support and guidance as needed. It is especially important to involve IT staff in the planning and implementation process to ensure the necessary technical considerations are addressed.

• Regularly Update and Maintain the Whitelist:

To ensure that the application whitelist remains effective, businesses should regularly update and maintain the list of approved applications. This will include adding new applications as they are requested and assessed and removing any that are no longer in use.

• Monitor and Review the Effectiveness of the Whitelist:

Finally, long-term success requires regular monitoring and review of the whitelist’s performance. This can include tracking the number of attempted executions of non-whitelisted applications and analysing any possible security incidents. Businesses should use this information to continuously improve the whitelist and their overall security posture.

• Work with an Experienced Partner:

Implementing application control requires not only technology skillsets but also roles capable of effectively engaging with business stakeholders and enacting organisational-wide change. These latter skills are crucial to the success of the strategy and are often not held in abundance within an IT team. Working with an experienced partner will reduce the burden on an organisation’s IT resources, as well as greatly improve the overall success of the implementation.

Essential Eight Maturity Guidance

Maturity Level One:

To achieve maturity level one in application control, businesses need to prevent ‘the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets […] from within standard user profiles and temporary folders used by the operating system, web browsers and email clients’.

At this level, no organisation-wide whitelist is needed. The control is based on location: software installed into protected locations that a standard user cannot write to, such as Program Files and the Windows folder, continues to run normally, while anything in a location the user can write to (their profile, including Downloads and AppData, and the temporary folders used by the operating system, web browsers and email clients) is blocked. Because standard users cannot install software into protected locations, new code only reaches the approved locations through an administrator, which is what gives this simple rule its strength. It also stops the most common initial-access pattern, in which a phished attachment or drive-by download is saved to, and then executed from, the user’s profile.
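The following PowerShell script is an added example, not part of the original guide, showing one way to implement the maturity level one rule set above with AppLocker, the application control feature built into Windows 10/11 Enterprise. It builds a path-based policy (allow protected locations, deny user profiles and the Windows temp folder), dry-runs it against probe files, then applies it locally. The rule names, probe locations and audit-first mode are assumptions for illustration; review them against your own standard operating environment before deploying.

```powershell
# Added example (not from the original guide): build, dry-run and apply an
# AppLocker policy that implements the maturity level one rule set described
# above. The rule names, file locations and the audit-first mode are
# assumptions for illustration; review them against your own SOE before use.
# Run from an elevated PowerShell session on a Windows 10/11 Enterprise workstation.

$Mode = 'AuditOnly'   # change to 'Enabled' after the audit events have been reviewed

# Allow: code installed to locations a standard user cannot write to, for everyone
#        (S-1-1-0), plus everything for local Administrators (S-1-5-32-544) so
#        they can still install and maintain software.
# Deny:  the OS temp folder and every user profile (Desktop, Downloads, AppData,
#        browser and mail client caches), for everyone. An AppLocker Deny always
#        wins over an Allow, so these also bind administrators.
$Rules = @(
    @{ Action = 'Allow'; Sid = 'S-1-1-0';      Path = '%PROGRAMFILES%\*';  Name = 'Allow Program Files' }
    @{ Action = 'Allow'; Sid = 'S-1-1-0';      Path = '%WINDIR%\*';        Name = 'Allow Windows folder' }
    @{ Action = 'Allow'; Sid = 'S-1-5-32-544'; Path = '*';                 Name = 'Allow Administrators everything' }
    @{ Action = 'Deny';  Sid = 'S-1-1-0';      Path = '%WINDIR%\Temp\*';   Name = 'Deny Windows Temp' }
    @{ Action = 'Deny';  Sid = 'S-1-1-0';      Path = '%OSDRIVE%\Users\*'; Name = 'Deny user profiles' }
)
# %WINDIR% has further user-writable subfolders (Tasks, Tracing, ...); find them
# with a tool such as Sysinternals accesschk and add a Deny rule for each.

# The same paths go into every rule collection AppLocker offers. Exe covers
# .exe/.com, Dll .dll/.ocx, Script .ps1/.bat/.cmd/.vbs/.js, Msi .msi/.msp/.mst.
# Verify separately how your tooling handles .hta, .chm and .cpl, which the
# maturity level one wording also covers.
$Collections = 'Exe', 'Dll', 'Script', 'Msi'

function New-FilePathRuleXml([hashtable]$r) {
    $id = [guid]::NewGuid().ToString()
@"
    <FilePathRule Id="$id" Name="$($r.Name)" Description="" UserOrGroupSid="$($r.Sid)" Action="$($r.Action)">
      <Conditions><FilePathCondition Path="$($r.Path)" /></Conditions>
    </FilePathRule>
"@
}

$xml = [System.Text.StringBuilder]::new()
[void]$xml.AppendLine('<AppLockerPolicy Version="1">')
foreach ($c in $Collections) {
    [void]$xml.AppendLine("  <RuleCollection Type=`"$c`" EnforcementMode=`"$Mode`">")
    foreach ($r in $Rules) { [void]$xml.AppendLine((New-FilePathRuleXml $r)) }
    [void]$xml.AppendLine('  </RuleCollection>')
}
[void]$xml.AppendLine('</AppLockerPolicy>')

$PolicyPath = Join-Path $env:TEMP 'e8-ml1-applocker.xml'
$xml.ToString() | Set-Content -Path $PolicyPath -Encoding UTF8

# Dry run. Test-AppLockerPolicy evaluates real files, so drop empty probe files
# where a user, a browser or an exploit would typically write a payload.
$Probes = @(
    (Join-Path $env:LOCALAPPDATA 'Temp\probe.exe')       # user temp      -> expect Denied
    (Join-Path $env:USERPROFILE  'Downloads\probe.ps1')  # user profile   -> expect Denied
    (Join-Path $env:ProgramFiles 'probe.exe')            # protected path -> expect Allowed
)
foreach ($p in $Probes) { New-Item -ItemType File -Path $p -Force | Out-Null }
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $Probes -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
$Probes | Remove-Item -Force

# Apply locally (deploy fleet-wide with Group Policy or Intune instead) and make
# sure the Application Identity service that AppLocker depends on starts at boot.
Set-AppLockerPolicy -XmlPolicy $PolicyPath
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
```

Leave the policy in AuditOnly for a few weeks first: the 8003/8006 audit events show what would have been blocked and surface any line-of-business tool that installs into a user profile, which must either be repackaged to a protected location or given a narrow publisher or hash rule before enforcement is switched on.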

Maturity Level Two:

Achieving maturity level two involves implementing application whitelisting on workstations and internet-facing servers.

This means a whitelist of approved executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets has been defined at an organisational level, and tools are in place to ensure only items on the whitelist can execute. These tools must log both allowed and blocked executions so the records can be reviewed later: the blocked entries feed the whitelist change process, and the allowed entries show what is actually running in the environment.

Maturity Level Three:

In order to reach maturity level three, businesses must take several further steps. Firstly, application control must be extended to all servers, not just those that are internet-facing. This protects against threats that originate inside the network, such as an attacker moving laterally from a compromised workstation.

Additionally, businesses must expand their whitelist to cover drivers. Drivers run in the kernel, and loading a vulnerable or malicious driver is a common way for an attacker with administrative access to disable security tooling, so controlling them closes a gap that user-mode whitelisting alone leaves open.

Another step is implementing Microsoft’s “recommended block rules” and “recommended driver block rules.” The application block rules list Microsoft-signed binaries that are legitimate but can be abused to run arbitrary code and so bypass application control; the driver block rules list drivers known to be vulnerable or malicious. Without them, a whitelist that trusts everything signed by Microsoft leaves those bypasses available.

Maturity level three also requires that allowed and blocked execution logs are centralised and protected from unauthorised modification or deletion. Forwarding events off the endpoint ensures the record survives if the host itself is compromised, and makes the logs a reliable source for monitoring and troubleshooting.

Finally, businesses must actively monitor those event logs and take action at any sign of compromise, so that incidents are identified and contained quickly and their impact minimised.
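The script below is an added example, not part of the original guide, covering the logging requirement of maturity level two and the centralisation and monitoring requirements of maturity level three with AppLocker on a single workstation. It reads the AppLocker event logs, classifies each execution as allowed, audited or blocked, summarises what was stopped (the review queue for the whitelist owner) and exports the full record for collection. The log names, event IDs and XML field names are those Windows AppLocker emits; the 24-hour window and the CSV output path are assumptions for illustration.

```powershell
# Added example (not from the original guide): read the AppLocker event logs on
# this workstation, classify each execution event as allowed, audited or
# blocked, and summarise what was stopped. The log names, event IDs and XML
# field names are the ones Windows AppLocker emits; the 24-hour window and the
# CSV output path are assumptions for illustration. Run in an elevated session.

$Since = (Get-Date).AddDays(-1)

# Allowed / would-have-been-blocked (audit mode) / blocked, for the EXE and DLL
# log (8002/8003/8004) and the MSI and Script log (8005/8006/8007).
$Outcome = @{
    8002 = 'Allowed'; 8003 = 'Audited'; 8004 = 'Blocked'
    8005 = 'Allowed'; 8006 = 'Audited'; 8007 = 'Blocked'
}

$Events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL',
                'Microsoft-Windows-AppLocker/MSI and Script'
    Id        = 8002, 8003, 8004, 8005, 8006, 8007
    StartTime = $Since
}

function ConvertFrom-AppLockerEvent($e) {
    # The useful fields live under UserData/RuleAndFileData in the event XML.
    $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    $user = $d.TargetUser   # a SID; resolve it to an account name when possible
    try {
        $sid  = [System.Security.Principal.SecurityIdentifier]$d.TargetUser
        $user = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Computer = $e.MachineName
        Outcome  = $Outcome[$e.Id]
        User     = $user
        FilePath = $d.FilePath
        FileHash = $d.FileHash
        Rule     = $d.RuleName
    }
}

$Records = @($Events | ForEach-Object { ConvertFrom-AppLockerEvent $_ })

# What was stopped (or would have been, in audit mode), grouped by path. This is
# the review queue for the whitelist owner and the first place to look for
# compromise, e.g. repeated attempts from AppData\Local\Temp on one host.
$Records | Where-Object Outcome -ne 'Allowed' |
    Group-Object FilePath | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# Keep the full allowed+blocked record for central collection. Ship it (or,
# better, the raw events via Windows Event Forwarding or your SIEM agent) off
# the endpoint so the only copy does not sit on a host that may be compromised.
$Records | Export-Csv -Path (Join-Path $env:TEMP 'applocker-events.csv') -NoTypeInformation
```

Running this on endpoints is only a stop-gap for the level three requirement: the logs are protected from tampering by getting them off the host promptly (Windows Event Forwarding to a collector, or a SIEM agent) and restricting who can clear or edit them there, not by scripts that run on the endpoint itself.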

Conclusion

Application control can be an effective security strategy for businesses looking to protect their systems and critical assets from malicious software. While it presents various technical, people, and business challenges, the benefits of improved security, reduced maintenance and support costs, and enhanced compliance can significantly outweigh these challenges. By following best practices for implementation; maintaining a robust, regularly updated whitelist; and working with partners experienced in application control, businesses can use this strategy to significantly reduce their risk of cyber attacks.
