Christian Hindré, Flexera Software : Cyber-security Fortresses Built on Quicksand?

June 2015 by Christian Hindré, Sales director EMEA, Flexera Software

The recent spate of cyber-security breaches, like the IRS, Sony and Anthem/BlueCross Blue Shield incidents, underscores just how vulnerable enterprises are to malware and hacker attacks. CEOs at organizations of all sizes are well aware of the risks and are taking unprecedented interest in the measures that their IT and security teams are putting into place to fend off potentially catastrophic intrusions into their systems by hackers and other malicious actors.

Toward this end, organizations are building security fortresses that incorporate people, processes and technology to defend against cyber-security threats. While these fortresses are extremely sophisticated at keeping one step ahead of threats, it may come as a surprise that they are often built on quicksand.

The Security Foundation: Know the Hardware & Software on Your Network

Security standards and requirements frameworks have been developed by myriad organizations over the years to address risks to enterprise systems and their critical data. The SANS Institute is one of the largest sources of information security training and security certification in the world. In 2008, SANS led a consortium of US and international agencies and security experts to create a prioritized list of security controls that would have the greatest impact in improving organizations' risk posture against real-world threats.

The first of the prioritized Critical Security Controls identified by SANS focuses on the organization's ability to actively manage (inventory, track and correct) all hardware devices on the network so that only authorized devices are given access. According to SANS, this control is critical because attackers continuously scan the address space of target organizations, waiting for unprotected systems to be attached to the network. They also look for devices that come and go from the network (such as laptops) and can fall out of sync with patches or security updates.

The second of the 20 SANS Critical Security Controls focuses on the inventory of authorized and unauthorized software. Organizations must actively manage (inventory, track and correct) all software on the network so that only authorized software is installed and can execute, and so that unauthorized and unmanaged software is found and prevented from installation or execution. This is critical because, according to SANS, attackers continuously scan and target organizations looking for vulnerable versions of software that can be remotely exploited. For instance, if an employee using a vulnerable browser is directed to an untrustworthy website, attackers can compromise the employee's machine by installing backdoor programs and bots that give the attacker long-term control of the system. Once a single machine has been exploited, attackers can use it as a staging point for collecting sensitive information from it and from others connected to it. For these and other reasons, SANS explains that organizations without complete software inventories cannot find the systems running vulnerable or malicious software in order to mitigate problems or root out attackers.

Organizations' ability to inventory their IT assets and distinguish authorized from unauthorized hardware and software therefore serves as the foundation for the other cyber-security defenses: without it, attackers can and will keep finding new vulnerable machines and software as fast as the organization secures the ones it already knows about.

This was also the conclusion of a recent BSA/IDC report: Unlicensed Software and Cybersecurity Threats. According to that report, the more unlicensed software running on an organisation’s network, the greater the malware risk. The report concludes that the data’s obvious implication is that lowering the incidence of unlicensed software will lower cybersecurity risk.

Most Organizations Can’t Inventory Their Software

The ease with which unlicensed or unauthorized software can find its way onto company systems is staggering. Most employees can proactively go to the Internet and download software they may need to do their jobs – and often do so instead of putting in requests to their IT departments and waiting for reviews and approvals. Indeed, many employees also install non-work related applications onto their devices, such as music or video applications, which can have questionable provenance.

It may seem obvious that the ability to inventory hardware and software is critical to building a strong cybersecurity foundation. And it may seem like a foregone conclusion that most organizations would already have these inventory capabilities in place simply as a matter of sound IT Asset Management principle. Therefore it may come as a surprise that, in fact, most organizations do not have adequate software inventory capabilities in place – threatening the foundation upon which they are building their cybersecurity defenses.

According to a Flexera Software 2013-14 Key Trends in Software Pricing & Licensing Report, prepared jointly with IDC, only 36% of the report’s survey respondents said that they use automated commercial software to manage their software estates. The majority of respondents reported using a patchwork of methods — or doing nothing at all. For instance, 25% of respondents said they were managing software licenses using manual methods, such as spreadsheets, while 9% are using home grown systems. 18% are using tracking tools provided by their vendors, and 7% are simply not tracking their software licenses at all.

The Challenges of Inventorying Software

Given how few organizations have implemented broad-based software license management, the question arises: why is inventorying IT assets such a complex and difficult task? There are many reasons.

For instance, on desktop devices several different data sources can be used to identify installed software. None of them provides enough data by itself; all of them must be considered to inventory local installations accurately. These data sources include:
• Software packaging data: the Add/Remove Programs (a.k.a. Programs and Features) entries on Windows devices, the RPM (RPM Package Manager, originally Red Hat Package Manager) database on Linux, etc. On Windows, packaging data provides a very accurate list of the software applications installed on the computer. In some instances additional data is needed to identify an application precisely, for example to determine which edition is installed.
• File data: executables, DLLs, .ini files, JAR manifests, etc., on the hard drive. On Windows, a file's version information (the VERSIONINFO resource) sometimes provides the publisher, version and name of the application. The size, name, checksum or content of a file can also be used to identify an application.
• Registry information on Windows devices: for instance, the operating system's description, version and edition are found in the Windows registry.
• ISO tag files: ISO/IEC 19770-2 software identification (SWID) tags, published by the International Organization for Standardization, are probably the best and most accurate way to identify a software product installed on a device. A tag is meant to state the name, version and edition of the product as sold by the publisher, and may also list the software components and the relationships between them. Only a few publishers, such as CA, Adobe, Symantec, Flexera Software and Microsoft, ship ISO 19770-2 tags, and only with the latest releases of their products.

The raw data from these sources must be filtered and processed to extract the commercial names of the products that require a license; in many cases this raw data accounts for up to 90% of all the inventory data collected. Note also that packaging entries and file version information are written by the installer itself, so software installed outside the package manager, or malware, may leave no packaging entry at all; for security purposes the file data (names, sizes and checksums) must be collected alongside it rather than trusting the installer's own record.
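As an added illustration of the most structured of these sources, the following Python script parses an ISO/IEC 19770-2 SWID tag into the fields an inventory needs (product, version, edition, publisher and the files the tag declares) and derives the commercial name a license manager would key on. It is example code written for this article, not Flexera Software's or any publisher's tool; it assumes the XML schema of the 2015 revision of the standard (the 2009 edition uses different element names), and the sample tag is a constructed one for a fictitious product.

```python
"""Parse an ISO/IEC 19770-2 (SWID) tag into inventory fields (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Namespaces from the 2015 revision of the standard (assumption: the 2009
# edition uses different element names, so a real collector must handle both).
SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
SHA256_NS = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample tag for a fictitious product; not a real publisher's tag.
SAMPLE_TAG = f"""<?xml version="1.0" encoding="UTF-8"?>
<SoftwareIdentity xmlns="{SWID_NS}" xmlns:SHA256="{SHA256_NS}"
    name="Example Editor" version="4.2.1" versionScheme="multipartnumeric"
    tagId="example.com-ExampleEditor-4.2.1" tagVersion="1">
  <Entity name="Example Corp" regid="example.com" role="tagCreator softwareCreator"/>
  <Meta edition="Professional" product="Example Editor"/>
  <Payload>
    <Directory root="%PROGRAMFILES%" name="ExampleEditor">
      <File name="editor.exe" size="1234567"
            SHA256:hash="3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b"/>
      <Directory name="plugins">
        <File name="spell.dll" size="45056"/>
      </Directory>
    </Directory>
  </Payload>
</SoftwareIdentity>
"""


@dataclass
class SwidRecord:
    tag_id: str
    name: str
    version: str
    edition: Optional[str]
    publisher: Optional[str]
    # (path, size in bytes or None, lower-case SHA-256 hex or None)
    files: List[Tuple[str, Optional[int], Optional[str]]] = field(default_factory=list)


def _q(local: str) -> str:
    """Qualify an element name with the SWID namespace."""
    return f"{{{SWID_NS}}}{local}"


def _walk_payload(node, prefix: List[str], out: list) -> None:
    """Depth-first walk of Directory/File elements, accumulating '/'-joined paths."""
    for child in node:
        if child.tag == _q("Directory"):
            parts = [p for p in (child.get("root"), child.get("name")) if p]
            _walk_payload(child, prefix + parts, out)
        elif child.tag == _q("File"):
            size = child.get("size")
            digest = child.get(f"{{{SHA256_NS}}}hash")
            out.append(("/".join(prefix + [child.get("name", "")]),
                        int(size) if size is not None else None,
                        digest.lower() if digest else None))


def parse_swid_tag(xml_text: str) -> SwidRecord:
    """Extract the identification fields from one SWID tag document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != _q("SoftwareIdentity"):
        raise ValueError(f"not a SWID tag: {root.tag}")
    # Prefer the softwareCreator entity as publisher; fall back to the tagCreator.
    publisher = None
    for ent in root.findall(_q("Entity")):
        roles = ent.get("role", "").split()
        if "softwareCreator" in roles:
            publisher = ent.get("name")
            break
        if "tagCreator" in roles and publisher is None:
            publisher = ent.get("name")
    meta = root.find(_q("Meta"))
    edition = meta.get("edition") if meta is not None else None
    files: list = []
    payload = root.find(_q("Payload"))
    if payload is not None:          # a tag without a Payload is still valid
        _walk_payload(payload, [], files)
    return SwidRecord(tag_id=root.get("tagId", ""), name=root.get("name", ""),
                      version=root.get("version", ""), edition=edition,
                      publisher=publisher, files=files)


def commercial_name(rec: SwidRecord) -> str:
    """Name as a license manager would key it: publisher, product, version, edition."""
    return " ".join(p for p in (rec.publisher, rec.name, rec.version, rec.edition) if p)


if __name__ == "__main__":
    rec = parse_swid_tag(SAMPLE_TAG)
    print(commercial_name(rec))
    for path, size, sha in rec.files:
        print(f"  {path}  size={size}  sha256={sha}")
```

The file list is the part worth keeping for security use: the declared sizes and SHA-256 hashes can be compared against what is actually on disk, so a tag that says one thing while the binaries say another is itself a finding.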

Many tools can perform an inventory; the key issue is keeping it accurate. New machines are installed and old ones retired every day, and software products are installed, upgraded or removed all the time. If an organization has 10,000 desktops and laptops with an average lifetime of three years, roughly 15 computers are retired and 15 provisioned every working day on average (10,000 machines over about 660 working days).

A process is needed to remove or disable computers in the configuration management tool when they are physically retired. The same applies to computers that have not reported inventory for a long period, which should be treated as lost or stolen. That process must allow for users who are legitimately off the network for a long time, for instance on leave, travelling or working from home. Inventory is not taken on all devices at once but on a rolling basis, so the picture is never 100% accurate on any given day; the challenge is to keep that area of uncertainty small.
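The two rules above (merge what several tools report about the same device, and flag devices that have gone quiet) are easier to see in code. The following Python script, added here as an example and not part of the original article or of any vendor's product, consolidates observations from two hypothetical inventory sources, reconciles the same product reported under slightly different names, lists devices that have exceeded an assumed 45-day silence threshold, and lists installed software that is not on an approved list (the SANS control the article describes). All hostnames, product names, sources and dates are constructed sample data.

```python
"""Consolidate inventory observations from several tools and flag gaps (added example)."""
from dataclasses import dataclass
from datetime import date
from itertools import chain
from typing import Dict, Iterable, List, Set, Tuple

# Assumed threshold: a device silent for longer than this is treated as lost or
# stolen. Tune it to the organization's leave and travel patterns.
STALE_DAYS = 45
AS_OF = date(2015, 6, 30)  # constructed "today" for the sample run


@dataclass(frozen=True)
class Observation:
    device: str    # hostname or asset tag
    source: str    # inventory tool that reported it
    software: str  # product name exactly as that tool reported it
    version: str
    seen: date     # date the tool last heard from the device


# Constructed sample records from two hypothetical tools; all names are fictitious.
CMDB_EXPORT = [
    Observation("WS-001", "cmdb", "Example Editor", "4.2.1", date(2015, 6, 28)),
    Observation("WS-002", "cmdb", "Corp VPN", "2.0", date(2015, 6, 29)),
    Observation("WS-003", "cmdb", "Corp VPN", "2.0", date(2015, 4, 1)),   # silent since April
]
AGENT_SCAN = [
    Observation("WS-001", "agent", "example  editor (x64)", "4.2.1", date(2015, 6, 29)),
    Observation("WS-002", "agent", "TorrentGrabber", "1.3", date(2015, 6, 29)),  # unapproved
    Observation("WS-004", "agent", "Corp VPN", "1.9", date(2015, 6, 30)),        # old version
]
APPROVED = {("Example Editor", "4.2.1"), ("Corp VPN", "2.0")}   # (name, version)


def normalize_name(name: str) -> str:
    """Collapse case, whitespace and an architecture suffix so the same product
    reported by two tools merges into one key."""
    n = " ".join(name.lower().split())
    for suffix in (" (x64)", " (x86)", " 64-bit", " 32-bit"):
        if n.endswith(suffix):
            n = n[: -len(suffix)]
    return n


def consolidate(*sources: Iterable[Observation]) -> Dict[str, dict]:
    """Merge observations per device: latest check-in, and for each
    (normalized name, version) the set of tools that reported it."""
    devices: Dict[str, dict] = {}
    for obs in chain.from_iterable(sources):
        d = devices.setdefault(obs.device, {"last_seen": obs.seen, "software": {}})
        d["last_seen"] = max(d["last_seen"], obs.seen)
        key = (normalize_name(obs.software), obs.version)
        d["software"].setdefault(key, set()).add(obs.source)
    return devices


def stale_devices(devices: Dict[str, dict], as_of: date,
                  stale_days: int = STALE_DAYS) -> List[str]:
    """Devices no tool has heard from for more than stale_days: retire or investigate."""
    return sorted(dev for dev, d in devices.items()
                  if (as_of - d["last_seen"]).days > stale_days)


def unauthorized_software(devices: Dict[str, dict],
                          approved: Set[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """(device, normalized name, version) triples not on the approved list."""
    ok = {(normalize_name(n), v) for n, v in approved}
    return sorted((dev, name, ver) for dev, d in devices.items()
                  for (name, ver) in d["software"] if (name, ver) not in ok)


def single_source_software(devices: Dict[str, dict]) -> List[Tuple[str, str, str, str]]:
    """Entries only one tool saw: the places where the inventories disagree."""
    return sorted((dev, name, ver, next(iter(srcs))) for dev, d in devices.items()
                  for (name, ver), srcs in d["software"].items() if len(srcs) == 1)


if __name__ == "__main__":
    merged = consolidate(CMDB_EXPORT, AGENT_SCAN)
    print("stale:", stale_devices(merged, AS_OF))
    print("unauthorized:", unauthorized_software(merged, APPROVED))
    print("seen by one tool only:", single_source_software(merged))
```

On the sample data the merge collapses "Example Editor" and "example  editor (x64)" into one entry on WS-001, reports WS-003 as stale, and lists TorrentGrabber on WS-002 and the outdated VPN client on WS-004 as unauthorized. The single-source list is the one to review before trusting any of the others: an entry only the agent saw may be software the CMDB never learned about, and an entry only the CMDB saw may be a machine the agent can no longer reach.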

While traditional desktop/laptop inventory can be handled with inventory and configuration management tools, application and desktop virtualization technologies may require a different approach. In most cases virtualized applications leave evidence on the device that an agent can track along with the related usage data; this is possible, for instance, with the latest releases of Microsoft App-V. An alternative is to query the virtualization technology's API directly to obtain either the mapping between virtualized applications and users or the usage data, where available.

The biggest difficulty in a virtual desktop environment is identifying the endpoint devices that use each virtual machine. Again, for applications licensed under a device-based metric, this information is needed. Different techniques can be used to get this data, but only a handful of tools are able to collect it. The last challenge is metering usage of applications running in the virtual desktop, some of which may themselves be virtualized. In that case the virtualized application's usage data may need to be matched against the virtual desktop data to identify the endpoint device, because usage monitoring tools for application virtualization typically report usage against the virtual desktop itself rather than the endpoint.

Desktop inventory cannot rely solely on traditional configuration management or dedicated inventory tools. When virtualization technologies are used, these tools will likely fall short with regard to accurately reporting inventory or usage data in many scenarios. The solution is to use a combination of inventory tools and adapters to virtualization and cloud technology frameworks to gather data and merge it in a single IT asset management repository for consumption by a Software License Optimization tool.

Compared with the desktop estate, the datacenter environment has the advantage of being smaller and more stable. However, software license management there requires additional data, from hardware properties to the relationships between hosts, virtual machines, partitions and clusters, and some complex server license models require still more. Software identification is also harder because of the heterogeneous nature of the datacenter and the lack of standards.

Datacenter inventory is very different from the desktop world. Despite a smaller number of devices, it is a more complex and challenging environment due to the diversity of operating systems and technologies, the licensing metrics requiring additional data, and the emergence of hybrid (public-private) and private clouds. Different techniques must be used; a device based inventory will likely fall short of accurately reporting inventory and usage data. As in the case of the desktop world, only a combination of tools will provide the data required for license management and Software License Optimization.

Conclusion

While most organizations have multiple sources of software and hardware inventory data, they usually do not have a means to consolidate that data from across all their systems and environments to arrive at an accurate inventory that can provide high-level insight into what authorized versus unauthorized systems are running on the corporate network. And it is this lack of management-level insight that renders the very foundation of their cybersecurity fortress vulnerable.

Tools are available that can provide this level of insight. Software License Optimization solutions are already being deployed globally by organizations to help them ensure continual compliance with their software license agreements. These solutions are also being deployed to help ensure optimization of software spend by helping organizations buy only what they need and use what they have.

Some of these Software License Optimization solutions can also help organizations comply with the SANS Critical Security Controls for software and hardware inventory. By leveraging adapters to existing configuration management and inventory tools, access to virtualization data via APIs, and the additional inventory capabilities delivered by the Software License Optimization tool, organizations should be in a position to collect all of the necessary data. The best strategy is to understand what data sources are already available within the organization and use them first, then deploy the additional features of the Software License Optimization tool to arrive at an accurate and up-to-date inventory.
