CYBER RISK
REDUCTION SERIES
01.02

SOFTWARE
END OF SUPPORT
Overview
Fact: Unpatched software is
vulnerable software. Even when no
known vulnerabilities exist for
software, it must continuously be
monitored for newly discovered
vulnerabilities.
ClearArmor
ClearArmor™ Corporation
519 Easton Rd.
Riegelsville, PA 18077
info@cleararmor.com
http://www.cleararmor.com
+1-(610) 816-0101
Risk increases when software is allowed to remain in an organization past End of Support
(EOS). Why? Unsupported software will not receive patches from its publisher. How is
this allowed to occur? Sometimes due to a lack of visibility. Other times due to misplaced
frugality in the name of cost reduction. The result is increased vulnerabilities, an
increased attack surface area, and risk to the organization.
ClearArmor CyberSecurity Resource Planning (CSRP) provides the structured process through
the Momentum Methodology (M2) and the technology through the Intelligent CyberSecurity
Platform (ICSP) to mitigate this risk.
Step 1 – Accept that no sustainable risk reduction is possible without a
structured CyberSecurity program. That program must be based on a
recognized standard. The most accepted standard is the NIST CyberSecurity
Framework (CSF).
Step 1- Structure and Standards are foundational to CyberSecurity
Step 2 – A structured CyberSecurity program requires process, technology,
and governance. ClearArmor CyberSecurity Resource Planning (CSRP) is the
only solution that truly aligns organizations to the NIST CSF. This is achieved
through ClearArmor CyberSecurity Resource Planning, an integration of
methodology and technology.
Step 2 - Process, Technology, and Governance are foundational to CyberSecurity
2 Copyright © 2019 Clear Armor Corporation. All Rights Reserved
Step 3 – Assign Ownership to all NIST CSF Functions, Categories, and
Sub-Categories. These are the ‘Things’ that organizations must do to ensure
‘CyberSecurity’. Ownership requires a Responsible Role (Responsible for
Doing) and an Accountable Role (Responsible for Auditing). By assigning
ownership, organizations are able to comply with guidance provided by the
NIST CSF.
Step 3 - Assignment of Accountable and Responsible Roles is foundational to
CyberSecurity
Step 4 – Policy: establish your organization's software patching and upgrade
policy. A subset of this will include maximum durations for remediations to
reach production, testing guidance, and methods to distribute software
patches.
Step 4 – Creation of clearly defined policy is foundational to CyberSecurity
Step 5 – Discover your entire network. This includes, but is not limited to, all
hardware, software, configuration information, used ports, utilization, etc. This
requires technology and process that are complete. Only the ClearArmor
Discovery, Classification, Identification (DCI) process achieves a level of
insight into your organization's networked assets, software, hardware, and
utilization that is instrumental to a significant number of NIST CSF
sub-categories.
Step 5 – Discovery is foundational to CyberSecurity
Step 6 – The ICSP consumes data from IT-Pedia®, the Comprehensive IT
Product Data Library. Among its data are two critical data points instrumental
in combating EOS-caused risk:
1) Software End of Service Data
2) NIST Vulnerability Database information.
This data is refreshed daily and is part of a continuous EOS detection process.
Step 6- Automated identification of software past EOS
Step 7 – Automated population of historical EOS data allows for continuous
monitoring of the organization's progress in combating this risk. This allows
up-to-date dashboard views of where the organization is now and the
success of its continued remediation progress
 or other details are identified in the wild, we bring that information
down into your installation of the ICSP.
Step 7- Daily evaluation of EOS Dashboard Information
Step 8 – Automated delivery of precise EOS data to the organization's teams
that can remediate the problem. This includes the ability to:
1) Prepare for software set to be EOS in the future
2) Software currently past EOS
3) And in the way that is needed by the organization to directly take
action
Step 8- Delivery of EOS data to teams that remediate EOS software
Step 9 – Plan your upgrades to target the remediations based on your
organization's policy (example: most critical systems first, largest installed
base)
Step 9- Upgrading Operating Systems and Software can have long lead times, plan early
Step 10 – Remediate your problem, and measure your progress
Step 10 – A Structured approach to risk reduction
ClearArmor CSRP is CyberSecurity
See your Active EOS Distribution
See the affected endpoints
CyberSecurity Resource Planning
CSRP = Methodology + Technology
A structured approach to CyberSecurity

