How is idemeum allowlisting different?

How legacy allowlisting works

With traditional allowlisting you need to review and make a decision about each and every executable in your environment. You install an agent, and that agent starts intercepting and blocking every execution. Now you have 1000 events that you need to go through, review every execution event and decide what needs to be added to an allowlist. This is pretty much how traditional allowlisting solutions work today.

There are some obvious problems with traditional allowlisting:

  • Deployment complexity – you deploy allowlisting agents, run them to collect telemetry about application executions in your environment, and then go through thousands of events to inventory what needs to be allowed. This involves identifying applications as well as the myriad of background processes and system components that the OS and applications need in order to function properly. This task is very time consuming and delays the time to value of the allowlisting platform, especially in complex IT environments.
  • Ongoing overhead – say you identify an application and allow all required binaries and dependencies. Tomorrow this application is updated and now needs to load additional libraries, dependencies, or OS-native components. As a result, the application is now blocked and your users are frustrated. This is why you constantly hear feedback about other allowlisting solutions: allowed applications do not stay allowed and constantly require maintenance.
  • Lack of controls – what if your application needs to perform certain actions with the command shell? What if another application is invoking a PowerShell script? Now you need to allow PowerShell and Command Prompt in your environment. But you might not want to do that, as this will allow these power tools for all users and other applications that should not access them for security reasons. Classic allowlisting solutions do not have visibility into what is launching what; they simply allow or deny processes in isolation.
  • User experience – employees may find application allowlisting frustrating and restrictive, especially if it prevents them from using preferred tools or installing software needed for their work. When allowlisting breaks due to application updates, or users have no means to communicate with the IT team, they can try to bypass the security measures, potentially introducing new vulnerabilities.

How idemeum allowlisting works

Idemeum allowlisting was designed with operational simplicity in mind. Here is how we address the deployment, operational, and user experience challenges.

  • Application catalog – idemeum offers a pre-configured application catalog to allowlist the most common applications (Zoom, Google Drive, O365, Notion, and more). All it takes is a single click to allow an application in your environment. Idemeum will automatically allow the application and all required dependencies.
  • Process chain trust – unlike other solutions, idemeum does not look at application execution as a single event. For every execution idemeum traces the whole process chain to make sure all dependent executions are automatically allowed. For instance, when installing Adobe Reader, it will launch cmd.exe, Edge browser, and other system executables to perform certain operations. Idemeum will analyze all process executions to identify related ones and automatically allow all executables that Adobe requires for normal operations. No need to manually track every single file, idemeum will automatically do that.
  • Application fencing – with idemeum you can control what applications are allowed to do when executed. With legacy allowlisting solutions, if you need to allow PowerShell for an application, then it will be allowed for all other applications and users, significantly increasing your risk exposure. With idemeum you can allow PowerShell execution when it is part of RMM agent operations, but block PowerShell for users and other applications.
  • Requests and approvals – most modern IT environments are dynamic in nature, where changing business requirements demand frequent changes in the applications that need to be used. If something gets blocked that is legitimately needed, employees can request that IT approve the execution, and even the elevation, of the desired application. IT teams can receive mobile notifications and approve applications with one click from mobile devices, or leverage the ticketing system, where idemeum can create tickets for application requests.
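To make the difference between "process chain trust" and "application fencing" on one side and isolated per-process decisions on the other concrete, here is an added illustration in Python. It is not idemeum's code and does not claim to reproduce how the product evaluates events; the policy evaluator, the rule fields (`required_ancestor` for fencing, `inherit` for chain trust), the image names such as `rmm_agent.exe` and `AcroRdrInstall.exe`, and the sample process events are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    image: str                              # executable image the rule is about
    allow: bool
    required_ancestor: Optional[str] = None # fencing: rule applies only under this ancestor
    inherit: bool = False                   # chain trust: processes launched under this one are trusted

@dataclass
class ProcessEvent:
    image: str
    chain: List[str]  # ancestor images, nearest parent first (constructed sample data)

def legacy_decision(rules, event):
    # Legacy style: judge the image alone; who launched it is invisible.
    for r in rules:
        if r.image == event.image and r.required_ancestor is None:
            return r.allow
    return False  # default deny

def chain_decision(rules, event):
    # Chain-aware style (assumed evaluation order): fencing, inherited trust, then plain rules.
    for r in rules:  # 1. a fenced rule applies only when its ancestor is in the chain
        if r.image == event.image and r.required_ancestor in event.chain:
            return r.allow
    for r in rules:  # 2. an allowed ancestor flagged inherit vouches for this child
        if r.allow and r.inherit and r.image in event.chain:
            return True
    for r in rules:  # 3. unscoped rule for the image itself
        if r.image == event.image and r.required_ancestor is None:
            return r.allow
    return False  # default deny

POLICY = [  # constructed policy; image names are hypothetical
    Rule("explorer.exe", True),
    Rule("rmm_agent.exe", True),
    Rule("powershell.exe", True, required_ancestor="rmm_agent.exe"),  # PowerShell only under the RMM agent
    Rule("AcroRdrInstall.exe", True, inherit=True),                   # installer's child processes trusted
]
EVENTS = {  # constructed process events with their ancestry
    "ps_under_rmm": ProcessEvent("powershell.exe", ["rmm_agent.exe", "services.exe"]),
    "ps_by_user": ProcessEvent("powershell.exe", ["explorer.exe"]),
    "cmd_under_installer": ProcessEvent("cmd.exe", ["AcroRdrInstall.exe", "explorer.exe"]),
    "cmd_by_user": ProcessEvent("cmd.exe", ["explorer.exe"]),
}

def evaluate(decide, rules=POLICY):
    return {name: decide(rules, ev) for name, ev in EVENTS.items()}

def legacy_workaround():
    # What a legacy evaluator needs to unblock the RMM case: a global PowerShell allow.
    return evaluate(legacy_decision, POLICY + [Rule("powershell.exe", True)])
```

Running `evaluate(legacy_decision)` denies all four events, `legacy_workaround()` allows PowerShell for the user as well as the RMM agent, and `evaluate(chain_decision)` allows only the two events whose ancestry matches the policy.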

Application allowlisting offers a robust defense against unauthorized software execution, malware, and ransomware. Legacy systems are hard to deploy and require careful planning, ongoing maintenance, and a holistic approach that addresses the complexities of modern IT environments and user needs. Idemeum streamlines allowlisting deployment, making it less frustrating for users and easier for IT and MSP teams, who now need to spend less time reviewing allowlisting events.
