Happy WDAC Wednesday! Welcome to a new series with the aim of detailing and demystifying Microsoft’s Application Control for Business (ACFB), a powerful solution used to allow or block applications on Windows endpoints. Why WDAC Wednesday? Well, even though it’s the old name, a good acronym sticks. Each week in this series I’m going to outline an ACFB related topic, which could be something technical, conceptual or about how it fits into your organisation.
The risk of malware
Malware, simply software with malicious intentions, presents a very real and significant risk to organisations. Malware has different purposes; however, in the context of government or business environments it is generally used to gain a foothold in an environment in order to move laterally, or to exfiltrate or encrypt data for ransom.
AV and EDR aren’t enough
Anti-virus (AV) and endpoint detection and response (EDR) solutions have become a standard protection capability in all environments; however, by their nature the protection is generally reactive – it applies after the threat has been seen. Although AV/EDR solutions are becoming increasingly sophisticated, they remain largely signature and behaviour based. This can leave AV/EDR solutions unable to protect against new threats that have not previously been seen; malware evolves as rapidly as the protections.
Application Control for Business (ACFB)
A well implemented application control solution can offer highly effective protection against malware threats by not allowing them to execute in the first place. An application control policy is a whitelist of software that is allowed to execute within an environment, and by its nature it will not include malware. Application control forms an element of a zero trust architecture, where trust is not assumed and explicit verification is required.
Application control is not a silver bullet
Application control solutions, however, are not a silver bullet; they are most effective when used in combination with other layers of protection, as part of a defence in depth. Attackers are increasingly pivoting to malware-less living off the land techniques, using executables built into the operating system, so application control or other solutions also need to protect against those risks. Application control can also be difficult to implement and impactful on end users whilst the application whitelist is being defined, which is an iterative process. However, as they say, Rome wasn’t built in a day.
What’s next
Application control is a journey, and each week this series will cover topics to help on that journey, from solution capabilities such as audit mode to how to plan and approach an application control implementation.