Posted by Insider Threat
Software whitelists, part of an organization's software policies, control which applications are permitted to be installed or executed on an organization's devices and network. In this post, I describe how whitelisting and real-time monitoring of log data can reduce the organization's exposure to cyber attack.
Unsupported operating systems can expose your network to attack. This blog series outlines five actions your organization can take now, including defining risk tolerance; using software inventory management; upgrading, retiring, or replacing software; implementing whitelists; and establishing long-term software maintenance policies. These actions ensure your organization's cybersecurity.
One way to address potential attacks is to create and strictly control the whitelists that allow software applications to be installed. If your organization decides, based on its defined risk tolerance, to run unsupported software, it is critical that you create software whitelists, keep them up to date, and run them in enforcement mode. Enforcement mode prompts the user or administrator to accept any executable file that is not whitelisted.
In addition to strict whitelisting, organizations should use real-time monitoring of log data on devices running unsupported operating systems. However, real-time monitoring is a tradeoff because it requires dedicated resources. Quantify the cost and residual risk of real-time log monitoring to compare them to your organization's defined risk threshold. As part of your organization's risk management program, compare the cost of real-time monitoring to the cost of upgrading or retiring the operating system altogether. The result gives you the data you need to make the best decision for your organization.
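The two controls described above, hash-based allowlisting with an audit and an enforcement mode, and monitoring of the resulting log data for non-allowlisted execution attempts, as an added illustration that is not code from this post or from any allowlisting product; the allowlist, the "binary" bytes, the log line format and the host names are all constructed for the example.

```python
import hashlib
import re
from collections import Counter

# Constructed allowlist: file name -> SHA-256 of the approved binary.
# APPROVED_BINARY stands in for the bytes of a real approved executable.
APPROVED_BINARY = b"constructed approved binary"
ALLOWLIST = {"tool.exe": hashlib.sha256(APPROVED_BINARY).hexdigest()}


def decide(name, content, enforce=True):
    """Decide whether an executable may run.

    Matching is by hash, not by file name, so a renamed or modified file
    does not inherit approval. In audit mode an unlisted file runs but is
    flagged; in enforcement mode it is blocked.
    """
    digest = hashlib.sha256(content).hexdigest()
    if ALLOWLIST.get(name) == digest:
        return "allow"
    return "block" if enforce else "audit"


# Constructed agent log lines (hypothetical format: time host action path).
SAMPLE_LOG = """\
2024-01-01T10:00:01 host-a allow C:\\tools\\tool.exe
2024-01-01T10:00:05 host-b block C:\\Users\\x\\dl\\unknown.exe
2024-01-01T10:00:06 host-b block C:\\Users\\x\\dl\\unknown2.exe
2024-01-01T10:00:09 host-b block C:\\Users\\x\\dl\\unknown3.exe
2024-01-01T10:01:00 host-c block C:\\temp\\stray.exe
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (allow|block|audit) (.+)$")


def denied_by_host(log_text):
    """Count blocked or audited execution attempts per host."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) != "allow":
            counts[m.group(2)] += 1
    return counts


def hosts_to_investigate(log_text, threshold=3):
    """Hosts whose non-allowlisted execution attempts reach the threshold."""
    return sorted(h for h, n in denied_by_host(log_text).items() if n >= threshold)
```

Feeding the agent's log stream through `hosts_to_investigate` as lines arrive is the real-time monitoring the post recommends; the threshold is the knob you tune against the residual risk you are willing to accept.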
For more information about whitelists, see the Guide to Application Whitelisting (NIST SP 800-167).
Visit the SEI Digital Library for other publications by Katie.