CIS Safeguard 2.4: Utilize Automated Software Inventory Tools

By Steve Gold
Posted in Security
On January 14, 2025

Written with contributions from Bryon Singh, Director of Security Operations, RailWorks Corporation

Keeping an accurate and up-to-date inventory of software is essential. CIS Safeguard 2.4, "Utilize Automated Software Inventory Tools," ensures that this task is handled with the precision and efficiency reminiscent of Tony Stark's (a.k.a. Iron Man) technological prowess from the Marvel Universe.

Stark's Inventory Management

Imagine Tony Stark, surrounded by his multitude of Iron Man suits and high-tech gadgets. Each piece of technology is meticulously cataloged and tracked by J.A.R.V.I.S., his AI assistant. Similarly, automated software inventory tools act as your own J.A.R.V.I.S., continuously monitoring and recording the software running on your network. This automated process provides real-time visibility into your software assets, much like Stark’s ever-watchful AI.

Real-Time Updates

Tony Stark’s technology is always evolving, with constant updates and modifications. Automated software inventory tools work in the same way, ensuring your inventory is always current. Whether it's a new software installation or an update to an existing application, these tools capture every change, maintaining an accurate inventory without manual intervention.

Efficient and Effective

Just as Stark's high-tech systems allow him to focus on innovation and defense, automated software inventory tools free up valuable IT resources. Instead of manually tracking software, your team can concentrate on more strategic initiatives, confident that the inventory is always accurate and up-to-date.

The Reality

Relying solely on automation for software inventory, as suggested in CIS Safeguard 2.4, is tempting, but it shouldn’t be the end-all solution. Automated software inventory tools are invaluable for efficiency, speed, and accuracy, offering a real-time snapshot of all applications running across an organization’s network. However, these tools have limitations. They may miss applications that are deeply embedded or only intermittently active, or overlook legacy software that isn't well documented. By combining automation with periodic manual reviews, cross-referencing with IT asset management records, and engaging with end users to identify any unreported software, organizations can build a more complete and accurate inventory. This layered approach ensures that nothing falls through the cracks, enhancing the effectiveness of the CIS safeguard and strengthening overall security posture.
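One way to do the cross-referencing described above, shown as an added example that is not from the article or from CIS: it compares a scanner export with IT asset management (ITAM) records and lists what needs a manual look. The CSV layout, host names and software names are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data (not from the article): scanner export and ITAM records.
SCANNER_CSV = """host,software
ws-001,Firefox
ws-001,7-Zip
ws-002,Firefox
ws-002,PuTTY
"""
ITAM_CSV = """host,software
ws-001,Firefox
ws-001,LegacyPayroll
ws-002,Firefox
ws-003,Firefox
"""

def load(text):
    """Return {host: {normalized software name}} from a CSV export."""
    inv = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        inv[row["host"].strip().lower()].add(row["software"].strip().lower())
    return inv

def reconcile(scanner, itam):
    """Compare scanner results with ITAM records and list items for manual review."""
    findings = {"unrecorded": [], "not_detected": [], "hosts_without_scan": []}
    for host in sorted(set(scanner) | set(itam)):
        if host not in scanner:
            # No scanner data at all: agent missing or host offline during scans.
            findings["hosts_without_scan"].append(host)
            continue
        seen, recorded = scanner[host], itam.get(host, set())
        # Installed but never recorded: candidate unreported software.
        findings["unrecorded"] += [(host, s) for s in sorted(seen - recorded)]
        # Recorded but not detected: legacy, embedded or intermittently active.
        findings["not_detected"] += [(host, s) for s in sorted(recorded - seen)]
    return findings

if __name__ == "__main__":
    for kind, items in reconcile(load(SCANNER_CSV), load(ITAM_CSV)).items():
        print(kind, items)
```

Each list maps to one of the manual follow-ups the paragraph names: `unrecorded` goes to end users and approvers, `not_detected` and `hosts_without_scan` go to a periodic manual review of scanner coverage.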

Resources

Here’s a link to the Software Asset Management Policy Template for CIS Control 2 provided free of charge from the fine folks at the Center for Internet Security:

Looking for even more detail? Here you go. If this still doesn’t satisfy your curiosity, DM me.

CIS Control 2 – Inventory and Control of Software Assets

Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

CIS Safeguard 2.4 - Utilize Automated Software Inventory Tools

Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software.

Steve Gold

Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies, such as Varonis, VMware, Dell & Wyse Technology.

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.