SEI Insights

Insider Threat Blog

Real-World Work Combating Insider Threats

Establish and Maintain Whitelists (Part 5 of 7: Mitigating Risks of Unsupported Operating Systems)

Software whitelists, part of an organization's software policies, control which applications are permitted to be installed or executed on an organization's devices and network. In this post, I describe how whitelisting and real-time monitoring of log data can reduce the organization's exposure to cyber attack.

Unsupported operating systems can expose your network to attack. This blog series outlines five actions your organization can take now, including defining risk tolerance; using software inventory management; upgrading, retiring, or replacing software; implementing whitelists; and establishing long-term software maintenance policies. These actions ensure your organization's cybersecurity.

One way to address potential attacks is to create and strictly control the whitelists that allow software applications to be installed. If your organization decides, based on its defined risk tolerance, to run unsupported software, it is critical that you create software whitelists, keep them up to date, and run them in enforcement mode. Enforcement mode prompts the user or administrator to accept any executable file that is not whitelisted.

In addition to strict whitelisting, organizations should use real-time monitoring of log data on devices running unsupported operating systems. However, real-time monitoring is a tradeoff because it requires dedicated resources. Quantify the cost and residual risk of real-time log monitoring to compare them to your organization's defined risk threshold. As part of your organization's risk management program, compare the cost of real-time monitoring to the cost of upgrading or retiring the operating system altogether. The result gives you the data you need to make the best decision for your organization.

What You Can Do

  1. Create, maintain, and strictly control whitelists.
  2. Run whitelists in enforcement mode.
  3. Use real-time monitoring of log data on devices running unsupported operating systems.
  4. Compare the cost of real-time monitoring to the cost of upgrading or retiring software to determine which is more cost effective.
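
The following Python example is added here and is not part of the original post. It checks process-start log events from devices running unsupported operating systems against a hash-based whitelist, combining actions 1 and 3. The JSON event format, host names, and file contents are constructed assumptions.

```python
import hashlib
import json

def _h(content: bytes) -> str:
    """SHA-256 hex digest, standing in for the hash an endpoint agent would log."""
    return hashlib.sha256(content).hexdigest()

# Constructed inventory: hosts still running an unsupported operating system.
UNSUPPORTED_HOSTS = {"legacy-ws-01", "legacy-hmi-07"}

# Constructed whitelist keyed by file hash, so a replaced binary with an approved name fails.
WHITELIST = {_h(b"approved hmi client v4"): "hmiclient.exe",
             _h(b"approved backup agent v2"): "backupagent.exe"}

# Constructed process-start events, one JSON object per line (hypothetical log format).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"host": "legacy-hmi-07", "image": "C:\\HMI\\hmiclient.exe", "sha256": _h(b"approved hmi client v4")},
    {"host": "legacy-hmi-07", "image": "C:\\Temp\\setup.exe", "sha256": _h(b"unknown installer")},
    {"host": "legacy-ws-01", "image": "C:\\Tools\\backupagent.exe", "sha256": _h(b"tampered backup agent")},
    {"host": "ws-22", "image": "C:\\Temp\\setup.exe", "sha256": _h(b"unknown installer")},
]) + "\nnot-json garbage line"

def review(log_text):
    """Return alerts for executions on unsupported hosts that the whitelist does not cover."""
    alerts = []
    allowed_names = {n.lower() for n in WHITELIST.values()}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            ev = json.loads(line)
            host, image = str(ev["host"]), str(ev["image"])
            digest = str(ev["sha256"]).lower()
        except (ValueError, KeyError, TypeError):
            # Surface malformed records instead of silently dropping log data.
            alerts.append((lineno, "unparseable", line[:40]))
            continue
        if host not in UNSUPPORTED_HOSTS or digest in WHITELIST:
            continue  # host is out of scope, or the file is approved by hash
        name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        # An approved file name with an unapproved hash suggests a modified binary.
        reason = "hash-mismatch" if name in allowed_names else "not-whitelisted"
        alerts.append((lineno, reason, f"{host}:{image}"))
    return alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```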

For more information about whitelists, see the Guide to Application Whitelisting (NIST SP 800-167).

Check back next week to read about creating a policy to manage unsupported software, or subscribe to a feed of the Insider Threat Blog to be alerted when a new post is available.

View other blog posts by Katie C. Stewart.