SANS Control 2—”Inventory and Control of Software Assets”
The Core Principle
The same Golden Rule that applies to hardware applies to software: know what you have. No user on your systems should be able to install an executable onto a company device without the approval of security. This may seem like a draconian policy (and a short-circuit process does have to be in place for certain technology-heavy teams like R&D or the dev team), but it’s necessary.
Whitelists work, whereas blacklists do not: every day, there’s going to be a new sketchy software that comes out, and you can’t possibly keep up.
Now in order for whitelisting to not slow down the business, there has to be a way to easily approve valid software, and the standard here doesn’t need to be extraordinarily high: the idea here is to keep out sketchy software, not slow down the pace of business.
Transcending the Control
First unpatched software, no matter how legitimate, should be treated as seriously as a malware incident. The barrier of entry to exploit a known vulnerability is so low that anything but a no-tolerance policy for unpatched software is a death wish for a CISO. How do you handle legacy software that may be end-of-life or irrevocably stuck on an old version, with the people who know about it long gone? That’s the topic of one of the other controls!
Secondly, the last post covered the necessity of a comprehensive and automated system inventory in place, the same thing is true of software inventories, but it’s even more crucial to have an automated system in place because software receive updates incessantly: no systems administrator can keep up via manual means.
Looking ahead 3 years, whereas the growth of hardware will be mostly flat, there’s going to be a lot more software:
For the CISO, this means investing heavily in ways to keep track of a growing list of software products, not to mention web-based and mobile-based apps.
This is not easy. For traditional software, invest in a good Mobile Device Management and Endpoint management solutions that have highly-curated app whitelisting features that allow you to whitelist large swathes of common business and productivity applications.
When it comes to SaaS offerings, which are increasingly going to dominate discussions around software inventory management, to be honest, there aren’t any great solutions out there. My current thinking on this is that while unauthorized SaaS is technically Shadow IT, it should actually be encouraged, because on the whole, SaaS has these things going for it:
- high business value. never forget that at the end of the day, your business needs to run profitably. Don’t be the security leader who forgets that we do risk management, not risk elimination.
- SaaS is hosted in the cloud, on modern infrastructure, not your old, seedy infrastructure.
- SaaS usually runs in the browser, which overall means less sensitive data sitting on endpoints.
- SaaS will automatically update, because it’s part of all SaaS products’ core value proposition (i.e. if it doesn’t auto update, I’m skeptical that it’s SaaS).
- Because SaaS is so valuable, you can usually get some great security concessions (like 2FA) out of the users, because they’ll desperately want to use the tool.
Don’t be the security leader who forgets that we do risk management, not risk elimination.
The best way I’ve found to handle SaaS is to construct your policies so that individual business units are responsible for the security of their SaaS tools that don’t touch sensitive data.
Security can help them lock it down, security can conduct audits, but if they use it, they’re responsible for it. This enables business agility while making accountability clear.
The next article will talk about the third core principle: Continuous Vulnerability Management