Tools to Implement the SANS Top 20 Part 2

September 16, 2015  |  Rich Johnson

This is Part 2 of a 'How-To' series compiling tools (free and commercial) that can help an IT administrator implement the Critical Security Controls. In Part 1 we looked at Control 1, Inventory of Authorized and Unauthorized Devices. The controls (numbered 1-20) are in order of priority: completing Control 1 reduces risk more than completing Control 2. This is in no way meant to be a complete list, so I invite you to add tools you find useful in the comments below!

Now we'll move on to Control 2, Inventory of Authorized and Unauthorized Software.

2-1 - Deploy application whitelisting technology

Free Tools

  • RunAsSPC - Not an application whitelist itself, but it lets standard users run specific applications that require elevation without being given administrative rights, which removes one common reason for handing out local admin.

Commercial Tools

2-2 - Devise a list of authorized software and version that is required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses. This list should be monitored by file integrity checking tools to validate that the authorized software has not been modified.

This item goes hand-in-hand with control 2-1: the whitelist you build there is your list of authorized software, and the file integrity checks verify that the whitelisted binaries stay as approved.

Free Tools

  • Spiceworks - Scans for software (Inventory > Software) but not for whitelisting or application control. Can be configured to alert you if it detects potentially unwanted software.
  • AlienVault OSSIM - Can monitor file system changes and alert you when a monitored file is accessed, changed, or tampered with.

Commercial Tools

  • AlienVault USM - Commercial version of OSSIM, provides persistent logging for SIEM.
  • Tripwire - Develop secure system baselines and monitor changes to file systems.

2-3 - Perform regular scanning for unauthorized software and generate alerts when it is discovered on a system. A strict change-control process should also be implemented to control any changes or installation of software to any systems on the network.

Free Tools

Know of any?

Commercial Tools

  • Nessus - Tenable provides a dashboard that tracks assets with unauthorized software installed on them. It also lists the most common types of software and services and the frequency of software installations.
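The two checks that 2-2 and 2-3 ask for, reconciling what an inventory tool reports against the authorized list, and checking the authorized binaries against a hash baseline, are simple enough to script while you evaluate tools. The following is an added example, not code from the original post or from any of the products above. The product names, versions, file paths and file contents in it are constructed for illustration; on a live host you would feed it the inventory tool's export and hash the real binaries with `hash_path`.

```python
"""Added example (not from the original post): reconcile a software inventory
against an authorized-software list (control 2-3) and check the authorized
binaries against a hash baseline (control 2-2). All names, versions and file
contents below are constructed for illustration."""
import hashlib

# Authorized software: product name -> set of approved versions (constructed).
AUTHORIZED = {
    "7-Zip": {"15.06"},
    "Mozilla Firefox": {"40.0.3", "41.0"},
    "Microsoft Office Professional Plus 2013": {"15.0.4753.1001"},
}


def check_inventory(inventory, authorized=AUTHORIZED):
    """inventory: list of (name, version) pairs as an inventory tool reports them.

    Returns alerts as (severity, message). Anything not on the list is HIGH;
    an approved product at an unapproved version is MEDIUM (usually an
    unpatched or side-loaded copy rather than rogue software)."""
    alerts = []
    for name, version in inventory:
        if name not in authorized:
            alerts.append(("HIGH", f"unauthorized software: {name} {version}"))
        elif version not in authorized[name]:
            alerts.append(("MEDIUM", f"unapproved version: {name} {version}"))
    return alerts


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_path(path: str) -> str:
    """Hash a real file on disk in chunks (for use on a live system)."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline_from_contents(contents: dict) -> dict:
    """Build a {path: sha256} baseline from in-memory {path: bytes}.
    On a real host you would map hash_path over the authorized binaries."""
    return {path: sha256_hex(data) for path, data in contents.items()}


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Compare two {path: sha256} maps. 'modified' is the integrity alert
    (an authorized binary whose contents changed); 'missing' and 'new' are
    inventory changes that should have a change-control ticket behind them."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


if __name__ == "__main__":
    # Constructed inventory export: one approved, one stale version, one rogue.
    reported = [("7-Zip", "15.06"), ("Mozilla Firefox", "38.0"), ("uTorrent", "3.4.4")]
    for severity, message in check_inventory(reported):
        print(severity, message)

    # Constructed file contents standing in for the real binaries.
    gold = baseline_from_contents({
        "C:/Program Files/7-Zip/7z.exe": b"MZ...7-Zip 15.06 (constructed)",
        "C:/Program Files/Mozilla Firefox/firefox.exe": b"MZ...Firefox 41.0 (constructed)",
    })
    now = baseline_from_contents({
        "C:/Program Files/7-Zip/7z.exe": b"MZ...7-Zip 15.06 (constructed)",
        "C:/Program Files/Mozilla Firefox/firefox.exe": b"MZ...replaced (constructed)",
        "C:/Users/Public/dropper.exe": b"MZ...unexpected (constructed)",
    })
    print(diff_baseline(gold, now))
```

Store the baseline somewhere the endpoint cannot write to (the same attacker who replaces a binary can edit a baseline kept beside it), and re-baseline only through the change-control process 2-3 calls for, so that every "modified" hit is either a ticket or an incident.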

2-4 - Deploy software inventory tools throughout the organization covering each of the operating system types in use, including servers, workstations, and laptops. The software inventory system should track the version of the underlying operating system as well as the applications installed on it. Furthermore, the tool should record not only the type of software installed on each system, but also its version number and patch level.

Free Tools

  • Spiceworks - does this pretty well.

Commercial Tools

  • LAN Sweeper - Audit and find software, but also centrally deploy software.

2-5 - The software inventory systems must be integrated with the hardware asset inventory so that all devices and associated software are tracked from a single location.

Many of the tools listed above can do this, since Spiceworks and LAN Sweeper inventory hardware as well as software and so give you the single location the control asks for.

2-6 - Dangerous file types (e.g., .exe, .zip, .msi) should be closely monitored and/or blocked.

Several of the monitoring tools listed above can alert on these file types. Blocking them at the point of entry (mail gateway, web proxy, removable media) is a separate control, and whatever does the blocking should not rely on the extension alone, since an extension is trivially renamed and an archive can carry an executable inside it.
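To show what "closely monitored" has to mean in practice, here is an added example (not from the original post, and not the logic of any product named on this page) that classifies a file by both its extension and its leading bytes, and looks inside ZIP archives for executables. The magic numbers are the public file-format signatures; the blocked-extension set is a policy choice, and the sample files are constructed inline.

```python
"""Added example (not from the original post): flag dangerous file types by
content as well as by extension, the way a gateway or endpoint monitor
should, and look inside ZIP archives. Sample files are constructed."""
import io
import os
import zipfile

# Extensions the control calls out, plus common script droppers (policy choice).
BLOCKED_EXTENSIONS = {".exe", ".msi", ".zip", ".scr", ".com", ".bat", ".cmd",
                      ".ps1", ".js", ".vbs", ".hta"}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".sys"}
OLE_EXTENSIONS = {".msi", ".msp", ".doc", ".xls", ".ppt", ".msg"}

# Public magic numbers. Two of them are ambiguous: an OLE compound file may be
# an MSI or a legacy .doc/.xls, and a ZIP may be a .docx or .jar as easily as
# an archive, so those signatures only narrow the question.
MAGIC = [
    (b"MZ", "pe"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),
    (b"PK\x03\x04", "zip"),
]


def sniff(data: bytes) -> str:
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "other"


def inspect_zip(data: bytes, depth: int = 0, max_depth: int = 2,
                max_member: int = 10_000_000) -> list:
    """List dangerous members of an archive, descending into nested ZIPs.
    Depth and size caps keep a crafted archive from exhausting the scanner."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["zip signature but archive is unreadable (corrupt or crafted)"]
    for info in archive.infolist():
        ext = os.path.splitext(info.filename)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"archive member has blocked extension: {info.filename}")
        if info.file_size > max_member:
            findings.append(f"archive member too large to inspect: {info.filename}")
            continue
        kind = sniff(archive.read(info.filename))
        if kind == "pe":
            findings.append(f"archive member is an executable: {info.filename}")
        elif kind == "zip":
            if depth + 1 >= max_depth:
                findings.append(f"nested archive not inspected (depth limit): {info.filename}")
            else:
                findings.extend(inspect_zip(archive.read(info.filename),
                                            depth + 1, max_depth, max_member))
    return findings


def classify(filename: str, data: bytes) -> dict:
    """Return the sniffed kind, the list of findings, and a block decision."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff(data)
    findings = []
    if ext in BLOCKED_EXTENSIONS:
        findings.append(f"blocked extension: {ext}")
    if kind == "pe" and ext not in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable content behind non-executable extension: {ext or '(none)'}")
    if kind == "ole" and ext not in OLE_EXTENSIONS:
        findings.append(f"OLE container (possible MSI) behind unexpected extension: {ext or '(none)'}")
    if kind == "zip":
        findings.extend(inspect_zip(data))
    return {"kind": kind, "findings": findings, "block": bool(findings)}


def make_zip(members: dict) -> bytes:
    """Build a ZIP in memory from {name: bytes}; used to construct samples."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buffer.getvalue()


if __name__ == "__main__":
    fake_pe = b"MZ" + b"\x00" * 62          # constructed: DOS header only
    samples = {
        "setup.exe": fake_pe,
        "invoice.pdf": fake_pe,                           # renamed executable
        "report.zip": make_zip({"readme.txt": b"hi",
                                "inner.zip": make_zip({"payload.exe": fake_pe})}),
        "memo.docx": make_zip({"[Content_Types].xml": b"<x/>", "word/document.xml": b"<w/>"}),
        "broken.zip": b"PK\x03\x04junk",
        "notes.txt": b"hello world",
    }
    for name, data in samples.items():
        print(name, classify(name, data))
```

Note that a `.docx` sniffs as `zip` but produces no findings, so the decision comes from what the container holds, not from the signature alone; the same is true of the ZIP hidden inside `report.zip`.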

2-7 - Virtual machines and/or air-gapped systems should be used to isolate and run applications that are required for business operations but based on higher risk should not be installed within a networked environment.

Free Tools

2-8 - Configure client workstations with non-persistent, virtualized operating environments that can be quickly and easily restored to a trusted snapshot on a periodic basis.

This control specifically says "virtualized operating environments". Not everyone can, or needs to, move to VDI, so the tools below are alternatives that I believe meet the core requirement of the control: a quick, reliable restore to a known-good state.

Free Tools

  • FOG - While not exactly what the control specifies, it gives you a clean re-image whenever a restore is needed. Centralized server, based on PXE booting.

Commercial Tools

  • ShadowProtect - Backup software that has the ability to revert to previous snapshots/save points across any hardware/VM platform.
  • DeepFreeze - Protects endpoints by freezing a snapshot of the workstation's desired configuration and settings as set by the IT admin. On reboot, any unwelcome or unwanted changes are discarded and the system returns to its frozen state.

2-9 - Deploy software that only provides signed software ID tags. A software identification tag is an XML file that is installed alongside software and uniquely identifies the software, providing data for software inventory and asset management.

Tools

Know of any?
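Whether or not a product supplies the tags, you can consume them yourself: the identity fields of a tag are what an inventory needs, and the control's "signed" requirement translates into a policy check on each tag. Below is an added example, not from the original post, that reads an ISO/IEC 19770-2:2015 SWID tag and applies that policy. The tag text is constructed, the trusted-`regid` set is an assumption, and "signed" here only means a `Signature` element is present; cryptographic verification of the XML signature needs an XML-DSig library that is not in the Python standard library and is not attempted.

```python
"""Added example (not from the original post): read the identity fields from
an ISO/IEC 19770-2:2015 SWID tag and apply a signed-and-trusted policy.
The tag below is constructed; its Signature element is a placeholder and is
only detected, never cryptographically verified."""
import xml.etree.ElementTree as ET

SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed tag: product name, tagId and regid are invented for the example.
SAMPLE_TAG = """<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
    name="Example Editor" tagId="example.com-Editor-2.1.0-x64"
    version="2.1.0" versionScheme="multipartnumeric">
  <Entity name="Example Corp" regid="example.com" role="tagCreator softwareCreator"/>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo/>
    <SignatureValue>constructed-placeholder-not-a-real-signature</SignatureValue>
  </Signature>
</SoftwareIdentity>
"""


def parse_swid(xml_text: str) -> dict:
    """Extract the fields an inventory record needs from a 19770-2:2015 tag.
    Tags on disk come from the software vendor, so for untrusted input parse
    with a hardened parser (e.g. defusedxml) rather than bare ElementTree."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SWID_NS}}}SoftwareIdentity":
        raise ValueError(f"not a 19770-2:2015 SWID tag: {root.tag}")
    entities = [
        {"name": e.get("name"), "regid": e.get("regid"),
         "role": (e.get("role") or "").split()}
        for e in root.findall(f"{{{SWID_NS}}}Entity")
    ]
    return {
        "tagId": root.get("tagId"),
        "name": root.get("name"),
        "version": root.get("version"),
        "versionScheme": root.get("versionScheme"),
        "entities": entities,
        # Presence of an XML-DSig Signature element only; not verified here.
        "signed": root.find(f"{{{DSIG_NS}}}Signature") is not None,
    }


def tag_problems(record: dict, trusted_regids: set) -> list:
    """Policy for control 2-9: the tag must be signed and created by a regid
    we trust. Returns a list of reasons to reject it (empty means accept)."""
    problems = []
    if not record["tagId"] or not record["version"]:
        problems.append("tag is missing tagId or version")
    if not record["signed"]:
        problems.append("tag is not signed")
    creators = [e for e in record["entities"] if "tagCreator" in e["role"]]
    if not creators:
        problems.append("tag has no tagCreator entity")
    for entity in creators:
        if entity["regid"] not in trusted_regids:
            problems.append(f"tagCreator regid {entity['regid']} is not in the trusted set")
    return problems


if __name__ == "__main__":
    record = parse_swid(SAMPLE_TAG)
    print(record["tagId"], record["name"], record["version"], "signed:", record["signed"])
    # Assumed trust list: the regids whose tags this organization accepts.
    print("problems:", tag_problems(record, {"example.com"}))
```

The `regid` check matters as much as the signature: a tag can be validly signed by anyone, so the inventory should only trust tags from creators you have decided to trust, and should treat an unsigned or untrusted tag as "unknown software" and fall back to the scanning in 2-3.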
