Allowlisting, formerly referred to as whitelisting, is akin to a security guard at a concert making sure the only people who go backstage with the band are on the VIP list. On the opposite end of the spectrum is blocklisting. Blocklisting, formerly called blacklisting, is equivalent to the security guard letting everyone backstage except for a few untrusted people on the deny list. If you were in the band, which method would make you feel more secure? How do you know that the only people who mean you harm are the ones on the untrusted list?
What Is Allowlisting?
Application allowlisting, like that supported by ThreatLocker Allowlisting, operates using a default deny, Zero Trust philosophy. It allows admins to select which applications are permitted, and all others are blocked. Instead of relying on a list of known bad applications or bad behavior, any application, script, or library not on the allowlist is blocked by default. ThreatLocker Allowlisting's "never trust, always verify" ideology blocks known and unknown exploits, including zero-days and ransomware.
What Is Blocklisting?
In contrast, blocklisting operates by blocking only known bad applications; admins designate a list of applications that will not be permitted, and everything else can run. Blocklisting is effective in preventing known bad or unwanted applications. The problem arises when a new application is weaponized, a zero-day vulnerability is exploited, or an attacker uses novel malware. Because these are not known bad applications, they will not be on the blocklist and will run without restriction. At that point, it is up to antivirus or EDR (Endpoint Detection and Response) solutions to recognize and stop the malicious behavior.
Which Approach Is More Secure: Allowlisting or Blocklisting?
Although allowlisting is arguably more secure than blocklisting, some admins may choose to blocklist instead because it seems easier. Traditionally, allowlisting was difficult to implement: admins had to build the allowlist and then change it every time an application updated, to prevent trusted applications from being blocked. ThreatLocker Allowlisting addresses this implementation challenge with Learning Mode. When first deployed, ThreatLocker catalogs all of the applications currently running in the environment and automatically creates policies to permit those applications; anything that is not on the allowlist is blocked by default. ThreatLocker has an entire team working 24/7/365 to capture updates for thousands of applications, helping ensure they will not be blocked when they update in an environment they are permitted in. Custom rules can also be created for custom or specialty applications that are not included in the ThreatLocker built-ins, so those one-off applications can update without impacting productivity.
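To make the difference between the two approaches concrete, the following Python sketch is an added example (not ThreatLocker code) that models the decision logic described above: a learning step that catalogs running binaries into allow policies, a default-deny allowlist decision, and a default-allow blocklist decision, then runs both against a never-seen binary (the zero-day case) and against a signed update of a permitted application (the update problem). The `trust_publishers` rule is a simplification of my own to show why hash-only allowlists break on updates; it is not a description of how ThreatLocker's built-ins or update team work, and all binaries, hashes and publisher names are constructed sample data.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Binary:
    content: bytes   # stand-in for the executable's bytes (constructed sample data)
    publisher: str   # code-signing publisher name; "" when unsigned

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def learn(inventory, trust_publishers=True):
    """Learning-mode analogue: catalog every running binary into an allow policy by hash;
    with trust_publishers, a signed update from the same publisher keeps running."""
    policy = {"hashes": set(), "publishers": set()}
    for b in inventory:
        policy["hashes"].add(sha256(b.content))
        if trust_publishers and b.publisher:
            policy["publishers"].add(b.publisher)
    return policy

def allowlist_decision(policy, binary):
    """Default deny: anything not explicitly permitted by hash or publisher is blocked."""
    permitted = (sha256(binary.content) in policy["hashes"]
                 or (binary.publisher and binary.publisher in policy["publishers"]))
    return "ALLOW" if permitted else "BLOCK"

def blocklist_decision(blocked_hashes, binary):
    """Default allow: blocked only when the hash is already on the known-bad list."""
    return "BLOCK" if sha256(binary.content) in blocked_hashes else "ALLOW"

# Constructed inventory "seen running" during learning, plus two later arrivals.
INVENTORY = [
    Binary(b"editor-v1", "Example Software Ltd"),   # signed commercial app
    Binary(b"inhouse-build-17", ""),                # unsigned in-house tool
]
EDITOR_UPDATE = Binary(b"editor-v2", "Example Software Ltd")  # same signer, new bytes
UNKNOWN_SAMPLE = Binary(b"never-seen-before", "")            # stands in for novel malware
KNOWN_BAD = {sha256(b"an-older-malware-family")}  # constructed blocklist; the new sample is not on it

def demo():
    """Decisions for each approach; UNKNOWN_SAMPLE is the zero-day case from the text."""
    learned = learn(INVENTORY)
    hash_only = learn(INVENTORY, trust_publishers=False)
    return {
        "unknown_under_allowlist": allowlist_decision(learned, UNKNOWN_SAMPLE),    # BLOCK
        "unknown_under_blocklist": blocklist_decision(KNOWN_BAD, UNKNOWN_SAMPLE),  # ALLOW
        "update_with_publisher_rule": allowlist_decision(learned, EDITOR_UPDATE),  # ALLOW
        "update_hash_only": allowlist_decision(hash_only, EDITOR_UPDATE),          # BLOCK
    }
```

The blocklist lets the unknown binary run because nothing has flagged it yet, while the allowlist blocks it for the same reason; the last two results show that an allowlist keyed on hashes alone must be maintained on every update, which is the burden the text says Learning Mode and the update team remove.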
Which Application Control Approach Aligns with Zero Trust?
Application control can take one of two approaches: allowlisting or blocklisting. Although both seek to place some control over the applications in an environment, only allowlisting truly aligns with the Zero Trust "never trust, always verify" philosophy. In other words, nothing is implicitly trusted, and every person, application, and network connection must be restricted to only the exact access it requires. According to the CISA (Cybersecurity and Infrastructure Security Agency) #StopRansomware Guide update published in May 2023, "Use allowlisting rather than attempting to list and deny every possible permutation of applications in a network environment." ThreatLocker Allowlisting's default deny approach aligns with CISA's recommendation, helping build and maintain the Zero Trust security posture needed to combat modern cybersecurity threats.
Interested in learning more about how ThreatLocker makes Allowlisting easy to implement and maintain while providing effective protection against known and unknown threats? You can book a demonstration today and see the entire ThreatLocker Endpoint Protection Platform in action.