Author Topic: Effectiveness of whitelisting approach on EDR solutions  (Read 270 times)

ejayex

  • Guest
Effectiveness of whitelisting approach on EDR solutions
« on: September 25, 2020, 08:23:02 am »
Application whitelisting can be considered more effective in stopping unknown malware; however, it comes at the risk of allowing adversaries to exploit known-good system applications like PowerShell to carry out bad activities. I would like to discuss with you guys here whether application whitelisting is still a feasible strategy when there is an EDR solution in place.

My personal view is that configuring EDR solutions to their recommended best practice is the best method to strike a balance between having good security and smooth ops, as most EDR solutions are based on the MITRE framework to detect malicious behaviors and block such activities. Whitelisting will mean opening potential backdoors to adversaries and will increase the inherent risk.

What are your thoughts on this?