CIS Safeguard 2.5: Allowlist Authorized Software

By Steve Gold
Posted in Security
On January 21, 2025

Written with contributions from Bryon Singh, Director of Security Operations, RailWorks Corporation

Ensuring that only trusted software can run on your systems is like casting a powerful spell to ward off dark forces. CIS Safeguard 2.5, "Allowlist Authorized Software," is akin to the protective enchantments used at Hogwarts School of Witchcraft and Wizardry to keep out dark magic.

The Sorting Hat of Software

Think of the allowlist as the Sorting Hat at Hogwarts. Just as the hat sorts students into houses based on their qualities, the allowlist sorts software into trusted and untrusted categories. Only the trusted, pre-approved applications are allowed to run, much like how students are assigned to the house that best suits them.

Enchanting the Gates

Hogwarts is protected by numerous magical wards and enchantments that prevent unauthorized access. Similarly, an allowlist acts as a digital ward, blocking any unauthorized software from executing. This safeguard ensures that only the software you trust, and have vetted, can operate within your network, much like the enchantments that keep Hogwarts safe from dark wizards.

Constant Vigilance

In the magical world, vigilance is key to maintaining security. The allowlist needs regular updates to ensure new, trusted software is added and potential threats are excluded. This ongoing vigilance ensures your network remains as secure as Hogwarts, where the defenses are constantly monitored and reinforced.

To implement CIS Safeguard 2.5: Allowlist Authorized Software effectively, organizations should follow these key practices:

  1. Define Authorized Software: Establish a clear policy for approved applications and set up a process for requesting new software.
  2. Use Centralized Tools: Deploy centralized allowlisting tools like Microsoft AppLocker or an EDR solution to enforce allowlists across devices.
  3. Tailor by Role: Create role-based allowlists to ensure users only access the tools they need for their jobs.
  4. Review Regularly: Schedule reviews to update the allowlist, removing outdated software and adding new approved applications.
  5. Enable Logging: Log unauthorized software attempts to monitor for potential threats and identify gaps in the allowlist.
  6. Educate Users: Inform employees about the allowlist process to ensure smooth workflows and adherence to policy.
  7. Test Allowlist: Test allowlisting in a controlled environment to prevent disruptions when fully implemented.
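The practices above can be modeled as a small decision engine: role-based allowlists keyed by file hash, an audit mode for testing before enforcement, a log of unapproved attempts, and a review pass for stale entries. This is an added illustration, not code from CIS, AppLocker, or the author; the class, role, and file names are hypothetical, and the 182-day review window is an assumption.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class Allowlist:
    enforce: bool = False  # False = audit mode: log, but do not block
    rules: dict = field(default_factory=dict)       # role -> {sha256: name}
    last_seen: dict = field(default_factory=dict)   # sha256 -> date last run
    denied: list = field(default_factory=list)      # log of unapproved attempts

    def approve(self, role: str, name: str, data: bytes) -> None:
        self.rules.setdefault(role, {})[sha256_of(data)] = name

    def check(self, role: str, path: str, data: bytes, today: date) -> bool:
        """Return True if the binary may run for this role."""
        digest = sha256_of(data)
        if digest in self.rules.get(role, {}):
            self.last_seen[digest] = today
            return True
        action = "blocked" if self.enforce else "audit"
        self.denied.append({"date": today, "role": role, "path": path,
                            "sha256": digest, "action": action})
        return not self.enforce

    def stale(self, today: date, max_age_days: int = 182) -> list:
        """Approved entries not run within the review window (assumed 182 days)."""
        cutoff = today - timedelta(days=max_age_days)
        return sorted({name for apps in self.rules.values()
                       for digest, name in apps.items()
                       if self.last_seen.get(digest, date.min) < cutoff})

def run_demo() -> dict:
    # Constructed sample data: byte strings stand in for file contents.
    al, today = Allowlist(), date(2025, 1, 21)
    al.approve("finance", "ledger.exe", b"ledger v1")
    al.approve("finance", "oldtool.exe", b"old tool")
    al.approve("engineering", "compiler.exe", b"cc v9")
    ok = al.check("finance", r"C:\Apps\ledger.exe", b"ledger v1", today)
    audit = al.check("finance", r"C:\Tools\compiler.exe", b"cc v9", today)
    al.enforce = True  # after the audit log has been reviewed
    wrong_role = al.check("finance", r"C:\Tools\compiler.exe", b"cc v9", today)
    tampered = al.check("finance", r"C:\Apps\ledger.exe", b"ledger v1 + patch", today)
    return {"ok": ok, "audit": audit, "wrong_role": wrong_role, "tampered": tampered,
            "actions": [d["action"] for d in al.denied], "stale": al.stale(today)}

if __name__ == "__main__":
    print(run_demo())
```

In audit mode the unapproved run is allowed but logged, which shows what enforcement would break before it is switched on; the stale list feeds the scheduled review.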

By combining allowlisting with other security layers, organizations enhance protection against unauthorized software while maintaining operational efficiency.

Resources

Here’s a link to the Software Asset Management Policy Template for CIS Control 2 provided free of charge from the fine folks at the Center for Internet Security:

Looking for even more detail? Here you go. If this still doesn’t satisfy your curiosity, DM me.

CIS Control 2 – Inventory and Control of Software Assets

Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

CIS Safeguard 2.5 - Allowlist Authorized Software

Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.

Steve Gold

Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies, such as Varonis, VMware, Dell, and Wyse Technology.

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.