Three steps to compliance for end-of-life systems

03 May 16

Each time a vendor terminates support for an operating system or solution, a broad spectrum of organisations is put at risk of failing to meet regulatory and compliance mandates.

These mandates demand levels of security that legacy systems are not equipped to meet. Systems that solution vendors (and their integration partners) no longer support are particularly vulnerable because they no longer receive security patches from the maker.

Consider the Microsoft Windows family. Windows XP, Windows Server 2003 (W2K3) and, most recently, Windows XP Embedded have gone end-of-life (EOL). Industry analysts expect this trend to continue over the next few years.

Regardless of how many devices are running or are connected to these unsupported systems, EOL systems should be a critical area of focus for compliance and risk professionals. There is substantial risk to any organisation that continues to operate them.

Often, these systems are running critical business functions and are in scope for many of the regulations that govern security controls (e.g., the PCI Data Security Standard). These systems can be easily infiltrated since they lack any form of patch management or effective antivirus/anti-malware protection.

Here are three high-level steps compliance specialists should consider to help ensure proper compliance and security coverage on unsupported systems and applications:

1 – Long-term focus

It is essential to focus on the long term when assessing unsupported systems in order to disrupt the pattern of EOL-created risk. When scoping systems for security and compliance, aim to gain active insight. Point-in-time scanning and polling security solutions constantly miss threats and are typically only useful for identifying already-known threats, not the stealthy attacks used by today's threat actors.

Security solutions that record activity in real time deliver both visibility and historical intelligence and provide a constant pulse on security and compliance posture. This is especially important for unsupported systems.

2 – Move to threat mitigation

This can be achieved by taking control of and defending the gaps in security on EOL systems. Compliance and risk professionals can help disrupt the way attackers target unsupported systems by shifting the security strategy from passive, negative security (blocking only files already known to be bad) to active threat mitigation via policy. When systems go EOL, they no longer receive security patches. As a result, vulnerabilities that already exist, or are newly discovered, on those systems won't be fixed by the maker.

Assessing systems using an enforcement policy that controls and monitors endpoints based on what is 'allowed to happen' greatly enhances the ability to keep systems protected and compliant. Much of that enforcement policy can be driven by the regulatory and compliance policies that are set very early in the business cycle.

Technologies such as application control and next-generation whitelisting (mixed with active security monitoring) are popular tools that can place unsupported systems into enforced postures.
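As an added illustration (not code from the article or from Carbon Black), the following Python compares the two policy models described above over constructed process-execution events from a hypothetical Windows XP Embedded host. The host name, file paths and digest labels are made up, and the digests are short labels standing in for real file hashes.

```python
# Added example: deny-list ("negative security") vs allow-list enforcement
# evaluated over constructed execution telemetry from an unsupported endpoint.
from dataclasses import dataclass


@dataclass(frozen=True)
class ExecEvent:
    host: str
    path: str
    digest: str  # constructed label standing in for a file hash


# Negative security: only digests already known to be bad are blocked.
KNOWN_BAD = {"bad-0001"}

# Positive enforcement: only digests explicitly approved for this EOL host may run.
ALLOWED = {"app-legacy-erp", "os-explorer", "os-svchost"}


def deny_list_verdict(ev: ExecEvent) -> str:
    return "block" if ev.digest in KNOWN_BAD else "allow"


def allow_list_verdict(ev: ExecEvent) -> str:
    return "allow" if ev.digest in ALLOWED else "block"


def evaluate(events):
    """Return (path, deny-list verdict, allow-list verdict) per event, plus the
    events the deny-list policy would have let run because they were never
    seen before (the gap that unpatched EOL systems cannot close themselves)."""
    rows, missed_by_deny_list = [], []
    for ev in events:
        d, a = deny_list_verdict(ev), allow_list_verdict(ev)
        rows.append((ev.path, d, a))
        if d == "allow" and a == "block":
            missed_by_deny_list.append(ev)
    return rows, missed_by_deny_list


# Constructed sample telemetry from one hypothetical XP Embedded kiosk.
SAMPLE = [
    ExecEvent("xpe-kiosk-01", r"C:\erp\legacy.exe", "app-legacy-erp"),
    ExecEvent("xpe-kiosk-01", r"C:\Windows\explorer.exe", "os-explorer"),
    ExecEvent("xpe-kiosk-01", r"C:\Temp\dropper.exe", "bad-0001"),
    ExecEvent("xpe-kiosk-01", r"C:\Temp\unknown.exe", "unseen-9f2a"),
]

if __name__ == "__main__":
    rows, missed = evaluate(SAMPLE)
    for path, d, a in rows:
        print(f"{path:28} deny-list={d:5} allow-list={a}")
    print("missed by deny-list only:", [e.path for e in missed])
```

The unknown binary is the instructive case: a deny-list policy passes it because no signature exists yet, while the allow-list policy blocks it and produces the record a compliance review can act on.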

3 – Utilise available knowledge

Leveraging the wealth of threat knowledge available within the security community, and uniting it with security risk policy for EOL systems, is critically important.

Regulatory, compliance and security communities (as well as the extended business community) hold a wealth of threat intelligence. Attackers are prolific at sharing knowledge and expertise within their own communities, so it is imperative that business communities collaborate to offset this advantage.

For unsupported systems, continuous compliance is the most critical way to ensure that systems are kept in check and protected. All professionals should take advantage of sharing and consuming the various threat intelligence feeds available to gain further insight into vulnerable systems.

Article by Kane Lightowler, Managing Director Asia Pacific + Japan, Carbon Black