Controlling Software in Your Enterprise for GRC and Security Benefits
Note: This is the second in a series of blog posts in which CyberSheath GRC consultants specifically describe how the RSA Archer GRC Solution can assist with the adoption of the Critical Security Controls for Effective Cyber Defense. Each post of this series will focus on one of the 20 Critical Security Controls.
CyberSheath has worked with many customers who are just beginning their GRC journey. As security consultants first, the initial steps we take when building out GRC efforts for any organization align with the Critical Security Controls for Effective Cyber Defense. These controls, formerly known as the SANS 20 Critical Security Controls, focus on prioritizing actionable and pragmatic security functions that are effective against advanced attacks.
Control 2: Inventory of Authorized and Unauthorized Software
The second Critical Control, Inventory of Authorized and Unauthorized Software, tells us that organizations should “Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.” To accomplish this, companies need to maintain a list of the authorized software, by version, that is required in the enterprise, preferably through an automated software inventory tool. The control also recommends deploying application whitelisting that allows systems to run software only if it is included on the whitelist and prevents the execution of all other software on the system.
This control is high on the list of priorities because attackers exploit vulnerable versions of legitimate software as well as uncontrolled software that contains malware. By inventorying software that is necessary for business purposes and whitelisting only those, attack risks are minimized.
To actively manage your software inventory, Archer can receive data feeds from Software Change Management tools, Vulnerability Management scanners, Application Whitelisting software, and Configuration Compliance tools. These sources can be fed into the “Applications” database in Archer, which tracks all relevant information on software name, version, ownership, etc. No other product collects and rationalizes application data from multiple sources like Archer.
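The reconciliation that such feeds make possible can be sketched in a few lines. This is an added example, not code from the original post and not Archer's API: it merges records from several sources, de-duplicates them, and checks each one against an authorized list kept by version. The feed names, hosts, and software entries are constructed sample data.

```python
from collections import defaultdict

# Constructed authorized list: normalized software name -> approved versions.
AUTHORIZED = {
    "7-zip": {"23.01"},
    "openssl": {"3.0.13", "3.2.1"},
}

# Constructed feed records: (source, host, software name, version).
FEEDS = [
    ("vuln_scanner", "ws-014", "OpenSSL", "3.0.13"),
    ("change_mgmt", "ws-014", "openssl ", "3.0.13"),  # same install, second source
    ("vuln_scanner", "ws-014", "7-Zip", "19.00"),
    ("whitelisting", "srv-002", "TorrentClient", "4.5"),
    ("config_compliance", "srv-002", "7-zip", "23.01"),
]

def normalize(name):
    """Collapse case and whitespace so feeds agree on a software name."""
    return " ".join(name.lower().split())

def reconcile(feeds, authorized):
    """Merge feed records and classify each (host, name, version) once."""
    seen = defaultdict(set)
    for source, host, name, version in feeds:
        seen[(host, normalize(name), version.strip())].add(source)
    findings = []
    for (host, name, version), sources in sorted(seen.items()):
        if name not in authorized:
            status = "unauthorized"          # not on the list at all
        elif version not in authorized[name]:
            status = "unapproved_version"    # listed, but not this version
        else:
            status = "authorized"
        findings.append({"host": host, "name": name, "version": version,
                         "status": status, "sources": sorted(sources)})
    return findings

def violations(findings):
    """Records that need correction under Control 2."""
    return [f for f in findings if f["status"] != "authorized"]

if __name__ == "__main__":
    for f in violations(reconcile(FEEDS, AUTHORIZED)):
        print(f["host"], f["name"], f["version"], f["status"], f["sources"])
```

Keeping the reporting sources on each record shows which tools agree on an install and which entries rest on a single feed.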
Managing software inventory is an accomplishment in itself, but tying the data into other parts of Archer is where we start to see real GRC context and meaning. Mapping software to the system it resides on, the business process it supports, and the business units it belongs to can help us visualize our IT infrastructure like no other tool can. Without a GRC platform to relate records, our inventories are just individual silos of lists.
When organizations do attempt to tackle application whitelisting, Archer can be the single tool with which users request permission to have new software approved. CyberSheath has worked with several customers who are using software such as BeyondTrust PowerBroker to manage whitelisting. Using an Archer “on-demand application”, we created a process in which employees identified the software and its business need, along with an approval process that included supervisor escalation and workflow. Archer became the inventory not only for all enterprise applications but also for the requests linked to each newly approved piece of software.
Building out the Enterprise Management module in Archer is always a top priority for organizations beginning a GRC journey. So it is no coincidence that the goals of the GRC program often align with those of a pragmatic security framework like the Critical Security Controls. Application inventory and whitelisting is a smart initiative for all companies to tackle early, and Archer provides the visibility to manage the process with clarity, structure, and transparency.
Watch for our next post as we discuss how Archer can assist with the third Critical Control, Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers, coming soon.