Application control is similar to traditional firewall enforcement technology in that administrators have the ability to enforce their written security policy. However, application control changes the way one thinks about traditional security policies because organizations now have the ability to control not only services, such as HTTP, but also specific applications.
Application control takes security policy enforcement to the next level by not only looking at packet header information, such as a source or destination port, but also looks deep into the packet payload to identify specific applications.
Application control is designed to control both legitimate, as well as malicious applications. Contrary to popular belief, there is much more to allowing or blocking specific applications. The most important aspect of this technology involves securing the applications in addition to securing the end-user consuming or hosting the application. One example of this would be the application Google Talk, which can be considered a viable business application. However, at some point, any application can become threatening. In early 2011, there was a specific phishing vulnerability that was targeted against Google Talk users. Having the ability to quickly react to these types of emerging threats is why application control is an important component to any security environment.
"Hackers have realized that traditional firewalls do a good job of mitigating connection-based attacks."
– Jason Clark, SE director - U.S. channels at Fortinet
Beyond monitoring/blocking applications, application control is commonly used in the workplace to provide visibility into application usage and respective bandwidth consumption. Many organizations will take advantage of application control to conduct risk and/or bandwidth analysis assessments to determine what type of applications are in use within their network. Organizations can then take steps to mitigate offensive or malicious applications, as well as apply role-based application policies. For example, Rick in the marketing department may be allowed to access social media applications for marketing purposes, while customer service representatives should have limited, if any, access to social media applications. This is an example of why a role-based application policy can not only increase employee productivity but also secure and control application usage.
A comprehensive security infrastructure
Application control is now an absolute necessity in a comprehensive security policy because threats have evolved. More importantly, not only have threats evolved, but also the way users consume information has evolved. Instead of users consuming static content, such as Encyclopedia Britannica, they are using dynamic content, such as Wikipedia. Hackers have obviously taken note of this. Hackers also have realized that traditional firewalls do a good job of mitigating connection-based attacks. Intrusion prevention and anti-malware systems also easily detect content-based threats. Today, attackers are now targeting known and unknown vulnerabilities in specific applications. It is more important now, than ever before, for organizations to take a close look at the applications traversing their network. Application control provides the necessary visibility and enforcement to reduce and secure additional threat vectors introduced by these applications.
Beyond improving network security, application control can boost employee productivity. There are many applications that decrease productivity simply by overuse. Social networking applications are one of the most common culprits here. When we look at the real productivity killer, it's downtime, help desk calls, loss of service and mitigation time as the result of exploitation. Application control supplies administrators the necessary tools to place restraints on potentially malicious applications that may be commonly used to carry exploits in or out of corporate networks. An example here is instant messenger (IM) applications. IM applications are commonly used as legitimate tools to communicate with coworkers, as well as external business partners. Unfortunately, IM is a vector that is difficult to police for most organizations. Application control has the ability to create policy allowing only approved IM applications, therefore decreasing the potential for exploitation.
To apply application control effectively, it's best to deploy role-based application control policies, rather than control applications at a network level, which all employees must adhere to. Disparate departments have different responsibilities, roles and needs. Thus, the need for role- or identity-based application enforcement is critical in maintaining a balance between security, productivity and business continuity. What's more, effective application control should "follow" a user regardless of their location – whether they reside on a wired network, wireless network, remote office or telecommuter office. Specifically, an effective application control policy should include a client-based solution that extends an organization's internal security policy to remote locations. This will become increasingly important as companies embrace bring-your-own-device (BYOD) initiatives. While BYOD brings many advantages from a cost and employee productivity perspective, this initiative also can open up potential security holes. It is imperative that application control solutions support remote devices – both on and off the network. The solution should also provide administrators with a centralized management tool to quickly react to necessary policy changes.
What the future holds
In the coming months, we will see a massive increase in application development, and with this increase we will see an influx of application vulnerabilities. We will also see an increase in available bandwidth. With the increase in applications and bandwidth we will start to see a vast array of new vectors that attackers will take advantage of.
With a change in application use, we will also see a change in hackers. There will be a paradigm shift in how security vendors respond to these changes. Application and threat identification based on signatures will no longer be a viable solution. The advent of a reputation-based detection will eventually surface. It is quite easy to look at a particular user and understand what the characteristics of their job entail. For example, a sales employee will typically make a number of calls via Voice over IP, use CRM applications, such as Salesforce, and a number of other sales-related applications. In the future we might see application control systems that have the capability to determine a specific user's role in an organization. Beyond this, application control systems will be able to dynamically create a baseline of their normal, as well as abnormal activity then react accordingly. For example, a sales person begins to deviate from their typical activity by one day navigating to an application housed in an export-controlled country. This abnormal behavior may trigger an alarm or "action," such as quarantining that user.
We also can see the dawn of “self-taught” application control technology, which can dynamically detect specific applications based on use patterns. This may be in the form of sandbox techniques, which could execute malicious applications and in real-time create application controls to enforce policy.