IOA vs IOC for software allowlisting: how do you handle hash drift when new versions ship?
We're trying to decide between IOA and IOC rules for controlling a specific application in Falcon. IOC feels like the right call since it's hash-based, no path manipulation, no false positives from renamed executables. But the obvious problem is scale: every time the vendor ships a new version, the hash changes and we'd have to manually add it.
To make things worse, the vendor doesn't publish official hashes alongside their releases, so there's no authoritative source to pull from; we'd have to generate and verify them ourselves from each new installer, which obviously doesn't scale.
Does anyone have a workflow for keeping up with this automatically? A few options I've been considering:
- Scraping or monitoring the vendor's download page and auto-generating hashes from each new installer before deployment
- Using the Falcon API to bulk-upload hashes from an internally maintained list
- Building a pipeline where a test machine pulls the latest installer, hashes it, and pushes it to Falcon automatically
- Ditching IOC entirely and writing a custom IOA rule that keys on behavior/process name rather than hash
The IOA route is more resilient to version changes and doesn't require chasing hashes, but it feels less precise and easier to spoof. Curious how others are handling this, especially when the vendor gives you nothing to work with out of the box.
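A skeleton for the "test machine hashes the installer and pushes it to Falcon" pipeline from the list above, added here as an example (not code from the post or from CrowdStrike). It hashes installers in a directory, diffs them against an internally maintained allowlist, and builds an upload body; the field names and the `allow` action in `build_ioc_payload` are assumptions from memory about the Falcon IOC Management API and should be checked against the current API reference before use.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large installers are not loaded whole

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sha256_file(path: Path) -> str:
    """Lowercase hex SHA-256 of a file, read incrementally."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def hash_installers(installer_dir: Path, pattern: str = "*.exe") -> dict:
    """Map installer filename -> SHA-256. Only point this at installers whose
    publisher signature you have already verified (e.g. Get-AuthenticodeSignature);
    hashing an unverified download just allowlists whatever the server sent."""
    return {p.name: sha256_file(p) for p in sorted(installer_dir.glob(pattern))}

def new_hashes(candidates: dict, known: set) -> dict:
    """Drop hashes already present in the internally maintained allowlist."""
    return {n: h for n, h in candidates.items() if h not in known}

def build_ioc_payload(hashes: dict, description: str, platforms=("windows",)) -> dict:
    """Request body shaped like the Falcon IOC Management API
    (POST /iocs/entities/indicators/v1). Field names and the 'allow' action are
    an assumption from memory; confirm against the current API reference."""
    return {"indicators": [
        {"type": "sha256", "value": h, "action": "allow", "platforms": list(platforms),
         "description": f"{description}: {name}", "applied_globally": True}
        for name, h in sorted(hashes.items())]}

if __name__ == "__main__":
    # Constructed sample: two fake installers, one of them already allowlisted.
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "app-1.0.exe").write_bytes(b"old build")
        (Path(d) / "app-1.1.exe").write_bytes(b"new build")
        known = {sha256_bytes(b"old build")}
        fresh = new_hashes(hash_installers(Path(d)), known)
        print(json.dumps(build_ioc_payload(fresh, "vendor app"), indent=2))
        # Persist fresh hashes to the internal list only after the signature
        # check (or a human) has approved the new version.
```

The same diff step also tells you when a hash on the download page changes without a version bump, which is worth an alert rather than an automatic allow.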