Three steps to compliance for end-of-life systems

By Kane Lightowler, Managing Director Asia Pacific + Japan, Carbon Black

Each time a vendor terminates support for an operating system or solution, a broad spectrum of organisations are put at risk of failing to meet regulatory and compliance mandates.

These mandates involve high levels of security that legacy systems are not equipped to meet. Systems that solution vendors (and their integration partners) no longer support are particularly vulnerable because they no longer receive security patches from the maker.

Consider the Microsoft Windows family. Windows XP, W2K3, and most recently Windows XP Embedded, have gone end-of-life (EOL). Industry analysts expect this trend to continue during the next few years.

Regardless of how many devices are running or are connected to these unsupported systems, EOL systems should be a critical area of focus for compliance and risk professionals. There is substantial risk to any organisation that continues to operate them.

Often, these systems are running critical business functions and are in scope for many of the regulations that govern the security controls to ensure security (e.g., – PCI Data Security Standard). These systems can be easily infiltrated since they lack any type of patch management or effective antivirus/malware protection.

Here are three high-level steps compliance specialists should consider to help ensure proper compliance and security coverage on unsupported systems and applications:

1 – Long-term focus

It is essential to focus on the long term when assessing unsupported systems in order to disrupt the pattern of EOL-created risks. When scoping systems for security and compliance, aim to gain active insight. Point-in-time scanning and polling security solutions constantly miss threats and are typically only useful in identifying already known threats, not the stealthy attacks used by today’s threat actors.

Security solutions that record activity in real time deliver both visibility and historical intelligence and provide a constant pulse on security and compliance posture. This is especially important for unsupported systems.

2 – Move to threat mitigation

This can be achieved by taking control and defending the gaps in security on EOL systems. Compliance and risk professionals can help disrupt the way attackers target unsupported systems by shifting the security strategy from passive, negative (only already known-bad files) security to active threat mitigation via policy. When systems go EOL, they no longer have security patches. As a result, vulnerabilities that have existed or are newly created on those systems won’t be fixed by the maker.

Assessing systems using an enforcement policy that controls and monitors endpoints based on what’s ‘allowed to happen’ greatly enhances the ability to keep systems protected and compliant. Much of that enforcement policy can be driven by the regulatory and compliance policies that are set very early in the business cycle.

Technologies such as application control and next-generation whitelisting (mixed with active security monitoring) are popular tools that can place unsupported systems into enforced postures.

3 – Utilise available knowledge

Leveraging the wealth of threat knowledge available within the security community and uniting security risk policy on EOL systems is critically important.

Regulatory, compliance, and security communities (as well as the extended business community) have a wealth of threat intelligence. Hackers and attackers are prolific at sharing knowledge and attack expertise within their own communities, so it is imperative for shared business communities to collaborate to offset this advantage.

For unsupported systems, continuous compliance is the most critical way to ensure that systems are in check and protected. All professionals should take advantage of sharing and consuming the various threat intelligence feeds available to gain further insight on vulnerable systems.


Join the CSO newsletter!

Error: Please check your email address.

Tags compliancecompliance specialistsW2K3PCI data security standardend-of-lifeEOL Windows systemssolution vendorslegacy systemsvendorswindows xp

More about Microsoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Kane Lightowler

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place