Whitelisting has been for sure a relatively standard and sometimes as a hardening security measure but it depends how we implement and maintain it and where it is initially enforced.
Whitelisting could be against you if setup at the wrong spot or with inadequate supportive elements. I highly recommend whitelisting behavior rather than whitelisting elements like applications, IP addresses, emails, domains, users…
One of the most obvious negative usage of whitelisting is where we unintentionally give more opportunity to file-less malware attacks and all sort of insecurities around anything whitelisted among operating system without being supported by enough factors and elements of validation. This is simply when we rather focus on behavior than solely origination of a file for example.
Blind whitelisting, that what I call when we just filter based on one factor, is highly prone to be defeated. It is vulnerable to forgery and easily bypassed because there is no support. File-less malware heaven is actually a traditional whitelisting approach.
What is so effective and almost undefeatable is behavioral whitelisting where we filter a set of elements even considering order of execution. For your information, almost all EDR solutions in the market currently either lacking behavioral whitelisting, or they solely rely on traditional one-stop whitelisting which is really dangerous and totally against the nature of an EDR.
