Chuck Leaver – Should You Whitelist Or Blacklist?

Written By Roark Pollock And Presented By Chuck Leaver



Similar to any form of security, the world of IT security is one of establishing and imposing a set of allow/disallow guidelines – or more formally titled, security policies. And, simply stated, allow/disallow guidelines can be expressed as a ‘whitelist’ or a ‘blacklist’.

In the distant past, many guidelines were blacklist in nature. The good ‘ole days were when we trusted practically everyone to act well, and when they did this, it would be quite simple to identify bad behavior or anomalies. So, we would just need to compose a couple of blacklist rules. For instance, “don’t enable anybody into the network coming from an IP address in say, Russia”. That was kind of the same thing as your grandparents never locking the doors to your home on the farm, considering that they were aware of everybody within a twenty mile radius.

Then the world altered. Good behavior became an exception, and bad actors/behavior became legion. Naturally, it took place slowly – and in stages – dating to the beginning of the true ‘Internet’ back in the early 1990’s. Remember script kiddies unlawfully accessing public and secure sites, simply to show to their high school pals that they could?

Fast forward to the modern age. Everything is on-line. And if it has value, somebody on the planet is aiming to steal or damage it – constantly. And they have lots of tools at their disposal. In 2017, 250,000 brand-new malware versions were presented – per day. We used to count on desktop and network anti-virus solutions to include brand-new blacklist signatures – every week – to counter the bad guys utilizing harmful code for their bidding. But at over 90 million brand-new malware variations each year, blacklist strategies alone will not cut it.

Network whitelisting technologies have been an essential line of defense for on premises network security – and with a lot of companies rapidly moving their work to the cloud, the same systems will be needed there also.

Let’s take a more detailed look at both approaches.


A blacklist lines out understood destructive or suspicious “entities” that should not be permitted access, or execution rights, in a network or system. Entities consist of bad software applications (malware) including infections, Trojans, worms, spyware, and keystroke loggers. Entities also consist of any user, application, procedure, IP address, or organization understood to position a threat to a business.

The critical word above is “known”. With 250,000 new variants appearing each day, the number that are out there we have no idea about – at least until much later in time, which could be days, weeks, or perhaps years?


So, exactly what is whitelisting? Well, as you might have thought, it is the reverse of blacklisting. Whitelisting begins from a point of view that nearly everything is bad. And, if that is true, it ought to be more effective just to specify and allow “excellent entities” into the network. An easy example would be “all employees in the finance department that are director level or higher are enabled to access our financial reporting application on server X.” By extension, everybody else is denied access.

Whitelisting is frequently described as a “zero trust” method – reject all, and allow just select entities access based on a set of ‘excellent’ characteristics related to user and device identity, behavior, location, time, etc

Whitelisting is commonly accepted for high-risk security environments, where strict rules take precedence over user flexibility. It is likewise highly valued in environments where companies are bound by rigorous regulative compliance.

Black, White, or Both?

First, there are not many that would suggest blacklisting is totally aged out. Definitely at the endpoint device level, it remains reasonably simple to install and preserve and rather reliable – especially if it is kept up to date by third party danger intelligence companies. But, in and of itself, is it enough?

Second, depending upon your security background or experience, you’re likely thinking, “Whitelisting could never work for us. Our business applications are just too varied and complicated. The time, effort, and resources required to compile, monitor, and update whitelists at a business level would be untenable.”

Thankfully, this isn’t actually an either-or choice. It’s possible to take a “finest of both worlds” stance – blacklisting for malware and invasion detection, operating alongside whitelisting for system and network access at large.

Ziften and Cloud Whitelisting

The key to whitelisting boils down to ease of execution – specifically for cloud-based work. And ease of execution becomes a function of scope. Think about whitelisting in two ways – application and network. The previous can be a quagmire. The latter is far simpler to execute and maintain – if you have the best visibility within your cloud environment.

This is where Ziften comes in.

With Ziften, it ends up being easy to:

– Identify and establish visibility within all cloud servers and virtual machines

– Gain constant visibility into devices and their port usage activity

– See east-west traffic flows, consisting of comprehensive tracking into protocols in use over particular port sets

– Convert ‘seeing’ what’s taking place into a discernable variety of whitelists, finished off with accurate protocol and port mappings

– Establish near real time notifications on any anomalous or suspicious resource or service activations


No Responses Yet to “Chuck Leaver – Should You Whitelist Or Blacklist?”

Leave a Reply