Implementing Windows AppLocker in Audit Mode for Immediate Detection of Unauthorized Programs, Scripts and Software Installation

Webinar Registration

AppLocker is Windows' built-in application whitelisting technology. Very few organizations have implemented AppLocker in enforcement mode because of the challenges and reputation of whitelisting. Turning on AppLocker requires a lot of planning, research and commitment to ongoing care and feeding, and even if you do all that you may very well end up with broken workstations and unhappy users. Don't get me wrong, I think application control is the key preventive control for endpoint risks, but AppLocker isn't flexible or powerful enough for most organizations and you may not have budget for a more sophisticated third-party whitelisting solution.

But get this: AppLocker still has value even if you can't use it to lock down what's allowed to run on your endpoints. AppLocker actually supports two different modes:

  • Enforcement mode blocks non-whitelisted EXEs, scripts, installers and Store apps from running
  • Audit mode logs any non-whitelisted software but doesn't stop it from running

Audit mode, and the events it generates, provides a really cool way to know immediately when anything new runs on your network without collecting a tremendous number of events from every endpoint. Think about that for a moment. If you are familiar with the Windows Security Log you know about event ID 4688, the process start event, which informs you whenever an EXE is executed. But imagine trying to collect all those events from all your endpoints and then attempting to filter them in your SIEM against a list of known EXEs. There are so many problems with that:

  1. That's a LOT of events to handle, which will likely cause resource issues somewhere
  2. 4688 only tells you about EXEs, nothing about DLLs, OCX files, scripts, MSI files or packaged apps from the Microsoft Store
  3. 4688 only tells you the path and name of the EXE, which an attacker can game to look like something innocent

AppLocker, on the other hand, compares all the above file types to a whitelist of publisher certificates and file hashes and logs a specific event ID when something runs that's not on the list.

This addresses all those issues, and I'll show you how in detail in this next webinar. The good news is that it only takes a couple of minutes to produce the whitelist. Now, your whitelist will probably never be 100% accurate, but who cares? You aren't breaking anything for the user; it's just a matter of false positives. When you get events about unauthorized software that turn out to be legit, you either need to improve your whitelist or add them to a SIEM-side filter.
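The procedure outlined above (build the whitelist from a reference machine, apply it in audit mode only, then pull and triage the audit events) as an added PowerShell example. This is not code from the webinar, its presenter, or the sponsor; it uses the AppLocker module cmdlets and the standard AppLocker operational logs. The scan directories, output paths and day windows are constructed values; the audit-only event IDs used are 8003 (EXE and DLL), 8006 (MSI and Script), 8021 (packaged app execution) and 8024 (packaged app deployment).

```powershell
# Added example: AppLocker audit-mode whitelist from a reference build, then event triage.
# Run elevated on a machine with the AppLocker module. Paths below are constructed values.
#Requires -RunAsAdministrator
Import-Module AppLocker

$PolicyPath = 'C:\Temp\AppLocker-Audit.xml'                               # constructed
$ScanDirs   = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'  # constructed

# 1. Inventory EXEs, DLLs, scripts and installers on the reference machine.
#    (Dll scanning is the slow part; drop it from -FileType if you only want the quick win.)
$files = foreach ($d in $ScanDirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe,Dll,Script,WindowsInstaller
}

# 2. Publisher rules where the file is signed, hash rules otherwise.
#    -Optimize collapses per-file rules into a smaller set of publisher rules.
$policyXml = New-AppLockerPolicy -FileInformation $files -RuleType Publisher,Hash -User Everyone -Optimize -Xml

# 3. Force every rule collection into AuditOnly so nothing is ever blocked, only logged.
$xml = [xml]$policyXml
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$xml.Save($PolicyPath)

# 4. Apply locally (for domain scope, push the same XML through Group Policy instead).
#    AppLocker only evaluates and logs while the Application Identity service is running.
Set-AppLockerPolicy -XmlPolicy $PolicyPath
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc

# 5. Pull the "would have been blocked" events from the four AppLocker operational logs.
function Get-AppLockerAuditEvents {
    param([int]$Days = 30)
    $auditIds = @{
        'Microsoft-Windows-AppLocker/EXE and DLL'             = 8003
        'Microsoft-Windows-AppLocker/MSI and Script'          = 8006
        'Microsoft-Windows-AppLocker/Packaged app-Execution'  = 8021
        'Microsoft-Windows-AppLocker/Packaged app-Deployment' = 8024
    }
    foreach ($log in $auditIds.Keys) {
        $filter = @{ LogName = $log; Id = $auditIds[$log]; StartTime = (Get-Date).AddDays(-$Days) }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            # AppLocker puts the file details in UserData/RuleAndFileData, not in EventData.
            $ud = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Computer  = $_.MachineName
                UserSid   = $ud.TargetUser
                ProcessId = $ud.TargetProcessId
                FilePath  = $ud.FilePath
                FileHash  = $ud.FileHash
                Publisher = $ud.Fqbn        # '-' when the file is unsigned
                Log       = $log
            }
        }
    }
}

# Triage: one line per publisher, or per hash when unsigned. This is the same key you
# would use for a SIEM-side false-positive filter once a hit turns out to be legitimate.
Get-AppLockerAuditEvents -Days 7 |
    Group-Object { if ($_.Publisher -and $_.Publisher -ne '-') { $_.Publisher } else { $_.FileHash } } |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Example'; e = { $_.Group[0].FilePath } } |
    Format-Table -AutoSize

# 6. Improve the whitelist: the audited files can be fed straight back into rule creation.
#    Review $audited before merging; then uncomment the two lines below.
$audited = Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited
# New-AppLockerPolicy -FileInformation $audited -RuleType Publisher,Hash -User Everyone -Optimize -Xml | Set-Content 'C:\Temp\AppLocker-Merge.xml'
# Set-AppLockerPolicy -XmlPolicy 'C:\Temp\AppLocker-Merge.xml' -Merge
```

Because every collection is AuditOnly, a bad rule costs you a noisy log, not a broken workstation; the grouping key (publisher first, hash only for unsigned files) is what keeps the triage list short, since one new signed product shows up as a single line no matter how many binaries it drops.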

In this real training for free ™ webinar we're going to do a deep dive on how to implement AppLocker in audit mode and then monitor those events so that you know as soon as something new shows up on your endpoints.

Our sponsor for this session is LogRhythm, which already supports AppLocker events. Erick Ingleby will be on deck to briefly show you how LogRhythm can even take automatic remediation measures on endpoints when unauthorized software is detected, including the immediate collection of additional evidence so that it is ready for the security analyst to investigate.

Please register now!


Your information will be shared with the sponsor.

By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us and the sponsor.
