Application Control Technologies for Essential 8: A Comparative Guide
Application control is a core component of the Australian Cyber Security Centre’s (ACSC) Essential 8 mitigation strategies. By restricting which applications can run in your environment, you significantly reduce the risk of malware infections and unauthorized software. Several technologies can be used to achieve this, including AppLocker, Windows Defender Application Control (WDAC), ThreatLocker, and Airlock Digital. This blog post will compare these solutions, explore which ones can meet Essential 8 requirements, provide a pricing guide, and evaluate both the implementation effort and the operational management involved.
The Essential 8 and Application Control
The Essential 8 framework defines three maturity levels for cybersecurity:
- Level 1: Basic cyber hygiene, designed to protect against opportunistic cyber threats.
- Level 2: Increased protection to defend against more targeted attacks.
- Level 3: Advanced protection, aimed at mitigating sophisticated cyber threats.
Application control is one of the primary strategies for each maturity level, becoming more stringent as you move from Level 1 to Level 3.
Comparing AppLocker, WDAC, ThreatLocker, and Airlock Digital
1. AppLocker
AppLocker is a built-in Windows feature that allows administrators to control which applications and files users can run. It operates by setting rules based on file attributes, such as file path, file publisher, and hash values.
Maturity Level Capability:
- Level 1: Meets Level 1 requirements by providing basic application whitelisting capabilities.
- Level 2: Meets Level 2 but requires more complex rule sets.
- Level 3: May struggle to meet Level 3 as it lacks the flexibility and advanced features found in other solutions.
- Pricing: Free with certain versions of Windows (Enterprise and Education).
- Implementation Effort: Moderate; rule creation can be time-consuming for large environments.
- Operational Management: Medium; once rules are in place, maintenance requires periodic updates but can be complex if you need to manage a large number of rules.
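As an added illustration of the path, publisher and hash rule types described above (example code, not from the original post or from Microsoft), the following PowerShell builds an AppLocker policy from a reference workstation, deploys it in audit-only mode first, and reads back the audit events; the folder C:\AppLockerPolicy and the binary C:\Tools\vendor-app.exe are placeholder paths.

```powershell
# Added example (not from the original post): build an AppLocker policy from a
# reference build, deploy it in audit mode, then review what would have been blocked.
# Assumes: a clean reference workstation; C:\AppLockerPolicy and C:\Tools\vendor-app.exe
# are placeholder paths for your own environment.

# 1. Collect file information from the locations where approved software is installed.
$files = Get-AppLockerFileInformation -Directory 'C:\Program Files', 'C:\Program Files (x86)' -Recurse

# 2. Prefer publisher rules (they survive vendor updates) and fall back to hash rules
#    for unsigned files. -Optimize merges duplicate rules; anything unmatched stays denied.
$policyXml = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash -User Everyone -Optimize -Xml
$policyPath = 'C:\AppLockerPolicy\AppLocker-audit.xml'
$policyXml | Out-File -FilePath $policyPath -Encoding utf8

# 3. Set every rule collection to AuditOnly before the first deployment, so coverage
#    gaps show up as log entries rather than as blocked users.
[xml]$xml = Get-Content -Path $policyPath
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$xml.Save($policyPath)

# 4. Check a specific binary against the policy before rolling it out.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path 'C:\Tools\vendor-app.exe' -User Everyone

# 5. Apply locally (merging with any existing rules) and make sure the
#    Application Identity service, which AppLocker depends on, is running.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
sc.exe config AppIDSvc start= auto
Start-Service -Name AppIDSvc

# 6. Review audit results: event 8003 = would have been blocked (audit mode),
#    event 8004 = blocked (enforce mode).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message
```

Run the collection step on a clean reference build rather than a production machine, and move collections to Enabled only after the 8003 events have been reviewed.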
2. Windows Defender Application Control (WDAC)
WDAC is a more advanced application control feature also built into Windows. It provides stronger enforcement by using kernel-mode policies and supports richer rule sets.
Maturity Level Capability:
- Level 1: Meets Level 1 with ease.
- Level 2: Can meet Level 2, providing more comprehensive control than AppLocker.
- Level 3: Meets Level 3; WDAC offers a high level of security and customizability required for sophisticated environments.
- Pricing: Free with Windows 10/11 Enterprise.
- Implementation Effort: High; policy creation is more complex and requires a solid understanding of Windows security.
- Operational Management: High; managing WDAC policies can be challenging due to its deep integration with the Windows kernel. Updating and troubleshooting require a strong understanding of the system.
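To show what the kernel-mode policy work involves, here is an added example (not from the original post or from Microsoft) that scans a reference machine with the ConfigCI module, enables audit mode, and compiles the policy to the binary form Code Integrity loads; the C:\WDAC folder is a placeholder path.

```powershell
# Added example (not from the original post): create a WDAC policy from a reference
# build, put it in audit mode, and compile it to the binary the kernel consumes.
# Assumes: Windows 10/11 Enterprise with the ConfigCI module; C:\WDAC is a placeholder path.

$xmlPath = 'C:\WDAC\ReferencePolicy.xml'

# 1. Scan the reference build. -Level Publisher trusts the signer's certificate chain,
#    -Fallback Hash covers unsigned binaries, -UserPEs includes user-mode code (not only drivers),
#    -MultiplePolicyFormat produces a policy with its own GUID so it can coexist with others.
#    A full-disk scan can take a long time; run it on a clean, representative machine.
New-CIPolicy -FilePath $xmlPath -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs -MultiplePolicyFormat

# 2. Rule options: 3 = Enabled:Audit Mode (log, do not block) for the pilot phase,
#    6 = Enabled:Unsigned System Integrity Policy (the policy file itself is not yet signed).
Set-RuleOption -FilePath $xmlPath -Option 3
Set-RuleOption -FilePath $xmlPath -Option 6

# 3. Version the policy so later updates are traceable.
Set-CIPolicyVersion -FilePath $xmlPath -Version '1.0.0.0'

# 4. Compile to binary. In the multiple-policy format the file is named after the policy GUID.
[xml]$xml = Get-Content -Path $xmlPath
$policyId = $xml.SiPolicy.PolicyID
$binPath = "C:\WDAC\$policyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $xmlPath -BinaryFilePath $binPath

# 5. Deploy locally by placing the binary in the active policies folder; it takes effect
#    after a reboot. Audit results land in the CodeIntegrity operational log:
#    event 3076 = would have been blocked (audit mode), 3077 = blocked (enforce mode).
Copy-Item -Path $binPath -Destination "$env:windir\System32\CodeIntegrity\CiPolicies\Active\$policyId.cip"
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077 } -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message
```

Removing option 3 and recompiling moves the same policy from audit to enforce mode, which is the point at which the operational burden the post describes begins.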
3. ThreatLocker
ThreatLocker is a third-party application control solution that uses default-deny policies, allowing organizations to whitelist specific applications while blocking all others. It also provides endpoint protection features beyond application control.
Maturity Level Capability:
- Level 1: Easily meets Level 1 with its default-deny approach.
- Level 2: Meets Level 2; provides more flexibility in policy creation.
- Level 3: Meets Level 3; offers granular control and the ability to handle sophisticated, targeted attacks.
- Pricing: Subscription-based model, starting around $5-$8 per endpoint per month.
- Implementation Effort: Medium; ThreatLocker provides an intuitive interface, but implementation still requires time for policy configuration.
- Operational Management: Medium; ThreatLocker is user-friendly, but ongoing management can become complex as new applications and updates are introduced into the environment.
4. Airlock Digital
Airlock Digital is a specialized application whitelisting solution specifically designed for Essential 8 compliance. It provides a high degree of automation to simplify the process of whitelisting applications, especially in large and complex environments.
Maturity Level Capability:
- Level 1: Easily meets Level 1 with automated controls.
- Level 2: Meets Level 2; offers robust application control capabilities.
- Level 3: Ideal for Level 3; designed with a focus on high-level security, Airlock provides the sophisticated controls required to mitigate advanced threats.
- Pricing: Subscription-based, generally ranging from $10-$15 per endpoint per month, with enterprise pricing available for large environments.
- Implementation Effort: Low to Medium; Airlock is designed for ease of use with features like automatic application discovery, reducing setup time.
- Operational Management: Low; the automated nature of Airlock significantly reduces the day-to-day operational burden. It automatically manages software updates and new application requests.
Which Solutions Meet Essential 8 Levels?
AppLocker
- Essential 8 Level 1: Yes
- Essential 8 Level 2: Yes
- Essential 8 Level 3: Limited
WDAC (Windows Defender Application Control)
- Essential 8 Level 1: Yes
- Essential 8 Level 2: Yes
- Essential 8 Level 3: Yes
ThreatLocker
- Essential 8 Level 1: Yes
- Essential 8 Level 2: Yes
- Essential 8 Level 3: Yes
Airlock Digital
- Essential 8 Level 1: Yes
- Essential 8 Level 2: Yes
- Essential 8 Level 3: Yes
Pricing Guide Comparison
AppLocker
- Approximate Cost (Per Endpoint/Month): Free (included with Windows Enterprise/Education)
WDAC
- Approximate Cost (Per Endpoint/Month): Free (included with Windows Enterprise)
ThreatLocker
- Approximate Cost (Per Endpoint/Month): $5 – $8
Airlock Digital
- Approximate Cost (Per Endpoint/Month): $10 – $15
Implementation Effort Scale (1 = Minimal Effort, 5 = High Effort)
AppLocker
- Implementation Effort: 3
WDAC
- Implementation Effort: 5
ThreatLocker
- Implementation Effort: 3
Airlock Digital
- Implementation Effort: 2
Operational Management Scale (1 = Easy to Manage, 5 = Difficult to Manage)
AppLocker
- Operational Management: 3
WDAC
- Operational Management: 4
ThreatLocker
- Operational Management: 3
Airlock Digital
- Operational Management: 2
Conclusion
Each application control solution offers unique benefits and is suited to different levels of complexity and operational needs. AppLocker is a good entry-level solution but may struggle with more complex environments. WDAC provides stronger security but requires significant effort to manage. ThreatLocker offers robust application control with a balance between ease of use and flexibility. Airlock Digital is ideal for organizations looking for automation and seamless compliance with the Essential 8, especially for Level 3.
Choosing the right tool depends on your organization’s needs, resources, and the complexity of your IT environment. For those looking for easy management with advanced security, Airlock Digital is a great choice, while ThreatLocker and WDAC provide solid options for more custom environments. AppLocker, though free, may be limited for higher levels of maturity.
Element Digital offers IT Consulting Services in Hobart, dedicated to providing expert guidance and strategic planning for all your IT needs. Our Hobart-based IT Professional Services are tailored to meet the diverse requirements of businesses in Tasmania. For more insights and updates, follow us on LinkedIn and stay connected with #ElementDigital.