In my role, I have the privilege of speaking to many organisations on their cyber security strategy, posture, and architecture. There are similar patterns across the board – Multi-Factor Authentication (MFA) is prevalent, Endpoint Detection and Response (EDR) is the norm, and cloud security is a priority. However, one thing stands out: not nearly enough organisations are considering or have implemented application control.
Why is this the case? Well, it’s not due to a lack of awareness. Thanks to the Essential Eight, everybody knows what it is (which is great), but when prompted on why they haven’t got it in place yet, I hear similar things:
- “Our EDR system stops all the attacks”
- “It’s too difficult to centrally collect all the events”
- “The user impact is too high”
- “We don’t have the resources to manage and maintain the configuration and the project goes on forever”
I understand the sentiment in all of these statements, but in 2024, I believe these reasons are based on out-of-date information. So, I’m going to break down each of them and hopefully clear up some of the fear, uncertainty and doubt around application control, and why it should be a key consideration in most organisations’ security strategies.
“Our EDR system stops all the attacks”
EDR solutions are certainly powerful but they’re not infallible. Organisations need to be cautious about repeating history by putting all their eggs in the antivirus basket (which worked until it didn’t). For example, EDR bypasses are regularly baked into malware kits or even commoditised with wide distribution via GitHub.
Most EDR bypasses have one thing in common – they use an executable or dynamic linked library (DLL) file – the Mockingjay process injection technique. To enhance security, organisations can employ application control for precise management of DLLs and applications. This additional layer complements EDR, enhancing overall defences.
Also, don’t forget that malicious attacks don’t always use malicious applications. For example, Teamviewer is a legitimate app that can be used for malicious purposes. EDR isn’t going to block legitimate software, but application control and its policies are in your hands and can indeed protect organisations from this often-forgotten attack method.
“It’s too difficult to centrally collect all the events”
I think this sentiment stems from older approaches to application control – namely using group policy objects, domains, organisational units (OUs), log collectors, and other nightmares stemming from the use of Applocker.
Since then, new technologies have come along that take away the complexities. Nowadays, organisations can access products that provide a centrally managed, cloud-based console with file reputation data in real-time. They even group endpoints so you can make changes freely without making a mess of the rest of your policies. On top of that, all endpoints can communicate in real-time, anywhere in the world. We’re now in a world where organisations can find out in a matter of seconds what applications are running and execute policy changes worldwide – a far cry from where we once were.
“The user impact is too high”
I remember sitting in many meeting rooms arguing with IT staff over helpdesk tickets due to a newly patched software being broken by group policy-based application control, excessive tickets, or the cyber team being the sworn enemy of the software developers due to how restrictive policies can be.
I still have nightmares about having my team apply a policy to allow an app, waiting for a group policy refresh (15 minutes and three reboots usually do the trick) only for it to fail and having to rinse and repeat. So, believe me when I say I completely sympathise with this sentiment. Once again though, it’s based on old techniques and technologies.
Nowadays, we see the best application control products giving functionality, like centrally managed one-time password (OTP) codes with configurable expiry times, being able to move things into audit mode in a matter of seconds, and then collecting the file data and moving them back to enforcement. No reboots, no delays, and no user impact.
“We don’t have the resources to manage and maintain the configuration and the project goes on forever”
If you’re thinking of the old methods of application control, then I wholeheartedly agree with this, it’s untenable for a smaller team. However, once again, modern technologies and architecture have allowed this to be easier than ever. To provide some real numbers, at Sekuro, we see organisations with cyber security teams of a mere 1-2 people manage to achieve enforcement on 500+ endpoints in a couple of months.
So, hopefully I’ve been able to convince you application control is far less daunting than in the past.
If that’s not enough, there are some lesser-known benefits of application control in 2024:
- Browser extensions control: I bet that most organisations have thousands in the wild that likely pose a hidden threat, and in some cases, they can do more damage than applications running on the user endpoint.
- Tailor-made policies make you a harder target: Attackers can bypass EDR because all they need is a copy of the software for them to hack away at until they find a way to evade its behaviour monitoring. Every customer is running the same EDR engine, so bypassing one means a universal bypass. However, application control is configured by each organisation for its unique environment. It means Company A’s policies will look nothing like Company B’s. This makes it incredibly difficult for attackers to create payloads that they know will work in all environments.
- Reduction in patching fatigue: We all know the feeling of seeing an urgent patch or Zero Day coming out and having the whole team hustle at the eleventh hour to get it done. But if we look at many Zero Day vulnerabilities and their exploits, they mostly require a DLL or some other executable to run on the destination system. So, in many cases, if that DLL is untrusted by an organisation’s policies, teams have a lot more time up their sleeves to patch in a structured way. Your teams will appreciate skipping the late nights and weekend work.
- Incident Response (IR) shortcut: With central management and real-time collection of applications, your IR teams can suddenly search a file hash from an Indicator of Compromise (IOC) in real-time to see if it shows on any of your endpoints around the world in a matter of seconds – including the parent process, timestamp and underlying command that called it.
If application control is something that’s been in the “too hard” basket the last few years, it’s probably worth another look in your next strategy refresh.
Find out how your organisation can be better protected against advanced and unknown threats, maintain full visibility and control over a diverse range of endpoints, and more effectively manage risk. Contact us to chat with one of our security consultants.
Lee Roebig
Customer CISO, Sekuro
Lee is an experienced Cyber Security professional with 16+ years in the technology Industry. He has previously worked in cyber security leadership and architecture roles inside multiple global organisations prior to joining Sekuro. At Sekuro, Lee helps clients with Cyber security strategy, Zero Trust, Virtual CISO, mentorship, executive advisory and security architecture. He has worked with numerous clients on cyber security strategies across industries such as health, insurance, construction, manufacturing, leisure including multiple ASX listed companies.
More Articles
Selling the Strategic Imperative of Zero Trust to Your Board
In conversation with Nathan Wenzler, Chief Security Strategist at Tenable (Part 2)
