Controlling Software in Your Enterprise for GRC and Security Benefits

By Eric Noonan • October 28, 2015

Note: This is the second in a series of blog posts in which CyberSheath GRC consultants specifically describe how the RSA Archer GRC Solution can assist with the adoption of the Critical Security Controls for Effective Cyber Defense. Each post of this series will focus on one of the 20 Critical Security Controls.

CyberSheath has worked with many customers who are just beginning their GRC journey.  As security consultants first, the initial steps we take when building out GRC efforts for any organization align with the Critical Security Controls for Effective Cyber Defense.  These controls, formerly known as the SANS 20 Critical Security Controls, focus on prioritizing actionable and pragmatic security functions that are effective against advanced attacks.

20 Critical Security Controls

Control 2: Inventory of Authorized and Unauthorized Software

The second Critical Control, Inventory of Authorized and Unauthorized Software, tells us that organizations should “Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.”  To accomplish this, companies need to maintain a list of the authorized software, by version, that is required in the enterprise, preferably through an automated software inventory tool.  The control also recommends deploying application whitelisting, which allows a system to run software only if it is on the whitelist and prevents the execution of all other software on the system.

This control is high on the list of priorities because attackers exploit vulnerable versions of legitimate software as well as uncontrolled software that contains malware.  By inventorying the software that is necessary for business purposes and whitelisting only that software, the attack surface is reduced.

To actively manage your software inventory, Archer can receive data feeds from Software Change Management tools, Vulnerability Management scanners, Application Whitelisting software, and Configuration Compliance tools.  These sources can be fed into the “Applications” database in Archer, which tracks all relevant information on software name, version, ownership, etc.  No other product collects and rationalizes application data from multiple sources like Archer.
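The two steps described above, an authorized list kept by version and feeds from several tools rationalized into one inventory, are small enough to show end to end. The following is an added example written for this post, not CyberSheath's or RSA Archer's code: three constructed feeds (a vulnerability scanner, a whitelisting agent and a configuration-compliance tool) use different field names and product spellings, the records are normalized into one inventory keyed by host, software name and version, and each entry is checked against a constructed authorized list. Every hostname, product, version and source label is made up for illustration.

```python
"""Reconcile software inventory feeds against an authorized-software list.

Added example, not CyberSheath's or Archer's code. All feed records,
hostnames, versions and the authorized list below are constructed.
"""
from collections import defaultdict

# Constructed authorized list: canonical software name -> approved versions.
AUTHORIZED = {
    "openssl": {"1.0.2d"},
    "java-jre": {"8u60", "8u65"},
    "7-zip": {"15.09"},
}

# Constructed feed records. Each source uses its own field names and
# product spellings, which is the rationalization problem the post describes.
VULN_SCANNER = [
    {"host": "WS-101", "product": "OpenSSL", "ver": "1.0.1p"},
    {"host": "WS-101", "product": "Java JRE", "ver": "8u60"},
    {"host": "SRV-07", "product": "OpenSSL", "ver": "1.0.2d"},
]
WHITELIST_AGENT = [
    {"hostname": "WS-101", "name": "java-jre", "version": "8u60"},
    {"hostname": "WS-101", "name": "TeamViewer", "version": "10.0"},
    {"hostname": "SRV-07", "name": "openssl", "version": "1.0.2d"},
]
CONFIG_COMPLIANCE = [
    {"asset": "SRV-07", "software": "7-Zip", "release": "15.09"},
    {"asset": "SRV-07", "software": "OpenSSL", "release": "1.0.2d"},
]

# (source label, records, which record keys hold host / name / version)
FEEDS = [
    ("vuln-scanner", VULN_SCANNER, {"host": "host", "name": "product", "version": "ver"}),
    ("whitelist-agent", WHITELIST_AGENT, {"host": "hostname", "name": "name", "version": "version"}),
    ("config-compliance", CONFIG_COMPLIANCE, {"host": "asset", "name": "software", "version": "release"}),
]


def normalize_name(name: str) -> str:
    """Map vendor spellings ("Java JRE", "7-Zip") onto one lower-case, hyphenated key."""
    return name.strip().lower().replace(" ", "-")


def build_inventory(feeds):
    """Merge all feeds into {(host, name, version): set of sources that saw it}."""
    inventory = defaultdict(set)
    for source, records, fields in feeds:
        for rec in records:
            key = (
                rec[fields["host"]].strip().upper(),
                normalize_name(rec[fields["name"]]),
                rec[fields["version"]].strip(),
            )
            inventory[key].add(source)
    return inventory


def assess(inventory, authorized):
    """Classify every installed (host, name, version) entry.

    unauthorized     - software that is not on the authorized list at all
    version_mismatch - an authorized product, but a version that is not approved
    single_source    - seen by only one feed; a coverage gap worth checking
    """
    findings = {"unauthorized": [], "version_mismatch": [], "single_source": []}
    for (host, name, version), sources in sorted(inventory.items()):
        if name not in authorized:
            findings["unauthorized"].append((host, name, version))
        elif version not in authorized[name]:
            findings["version_mismatch"].append((host, name, version))
        if len(sources) == 1:
            findings["single_source"].append((host, name, version, next(iter(sources))))
    return findings


def run():
    """Build the inventory from every feed and return the findings."""
    return assess(build_inventory(FEEDS), AUTHORIZED)


if __name__ == "__main__":
    for category, items in run().items():
        print(f"{category}:")
        for item in items:
            print("  ", item)
```

On the constructed data the outdated OpenSSL on WS-101 is reported as a version mismatch rather than as unauthorized, which is the distinction the control draws between vulnerable versions of legitimate software and software that should not be there at all; the single-source list is the reconciliation benefit of pulling from more than one tool, since an entry only one feed can see is either a blind spot in the other tools or a stale record.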

Managing software inventory is an accomplishment in itself, but tying the data into other parts of Archer is where we start to see real GRC context and meaning.  Mapping software to the system it resides on, the business process it supports, and the business unit it belongs to can help us visualize our IT infrastructure like no other tool can.  Without a GRC platform to relate records, our inventories are just individual silos of lists.

When organizations do attempt to tackle application whitelisting, Archer can be the single tool with which users request permission to have new software approved.  CyberSheath has worked with several customers who are using software such as BeyondTrust PowerBroker to manage whitelisting.  Using an Archer “on-demand application”, we created a process in which employees identified the software and its business need, and an approval workflow with supervisor escalation handled the request.  Archer became the inventory not only for all enterprise applications but also for the requests linked to each newly approved piece of software.

Building out the Enterprise Management module in Archer is always a top priority for organizations beginning a GRC journey.  So it is no coincidence that the goals of the GRC program often align with those of a pragmatic security framework like the Critical Security Controls.  Application inventory and whitelisting is a smart initiative for all companies to tackle early, and Archer provides the visibility to manage the process with clarity, structure, and transparency.

Watch for our next post as we discuss how Archer can assist with the third Critical Control, Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers, coming soon.
