Software Asset Management: Continuous Monitoring

Summary

Businesses can’t protect what they don’t know they have. A successful software asset management (SAM) system helps an organization inventory and assess the software installed across its IT systems, providing accurate, timely information about which software is installed, authorized, and actually used on the computing devices that access organizational resources and support critical business functions. An organization that automates the collection and secure exchange of software inventory data can, in turn, automate common business processes: authorizing software execution, identifying which patches and updates are needed to minimize software vulnerabilities, and determining which configurations must be applied to comply with organizational configuration policy.

The software lifecycle has several stages from release to installation, to maintenance with patches and updates, to uninstallation when the product is no longer of use. Managing these milestones requires a variety of business processes: licenses are tracked and purchased as needed as part of a license management process; software media is acquired as part of a supply chain; software is updated to take advantage of new features as part of a change management process; and patches are applied to fix security and functional flaws as part of vulnerability and patch management processes. In many organizations, SAM processes are either manual or are supported by a collection of proprietary solutions. Proprietary solutions often lack integration with other operational and security systems, are aligned with specific product families, and provide different informational views into the software they manage.  

A standardized approach to software asset management is needed so that an organization has an integrated view of software throughout its lifecycle. The project idea includes: 

  • authorization and verification of software installation media that verifies that the media is from a trusted software publisher and that the installation media has not been tampered with
  • software execution whitelisting that verifies that the software is authorized to run and has not been tampered with
  • publication of installed software inventory to an organization-wide database
  • software inventory-based network access control that dictates a device’s level of access to a network based on what software is or is not present on the device and whether its patches are up-to-date
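The four capabilities above form one pipeline: verify the media, record what was installed, allow execution only of what was verified, and let the inventory drive network access. The following Python is an added illustration of that pipeline and is not code from the NCCoE project. Everything in it is constructed for the example: the publisher name, product, media bytes and key are made up, and a keyed hash (HMAC) over the manifest stands in for a publisher's code signature, which a real deployment would verify asymmetrically. The inventory is a plain list rather than an organization-wide database, and the patch check compares version strings, so the data model is an assumption as well.

```python
import hashlib
import hmac
import json

# Constructed for this example. The shared key stands in for a publisher's
# code-signing key (assumption); real deployments verify an asymmetric
# signature over the manifest instead of an HMAC.
PUBLISHER_KEYS = {"ExampleSoft": b"example-publisher-verification-key"}

# Constructed installation media and the manifest the publisher ships with it.
MEDIA = b"installer-bytes-for-ExampleApp-2.1"
MANIFEST = {
    "publisher": "ExampleSoft",
    "product": "ExampleApp",
    "version": "2.1",
    "sha256": hashlib.sha256(MEDIA).hexdigest(),
}


def sign_manifest(manifest, key):
    """Publisher side: tag the canonical (sorted-key JSON) manifest with the publisher key."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_media(media, manifest, signature):
    """Consumer side: trusted publisher first, then untampered manifest, then untampered media.

    Returns (authorized, reason)."""
    key = PUBLISHER_KEYS.get(manifest.get("publisher"))
    if key is None:
        return False, "untrusted publisher"
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, "manifest tag mismatch"
    if not hmac.compare_digest(hashlib.sha256(media).hexdigest(), manifest["sha256"]):
        return False, "media hash mismatch"
    return True, "ok"


def install(device_inventory, media, manifest, signature):
    """Verify the media, then publish an inventory record. Returns the record, or None if refused."""
    ok, _ = verify_media(media, manifest, signature)
    if not ok:
        return None
    record = {k: manifest[k] for k in ("publisher", "product", "version", "sha256")}
    device_inventory.append(record)
    return record


def execution_allowed(binary, device_inventory):
    """Execution whitelisting: run only binaries whose hash matches a verified inventory record."""
    digest = hashlib.sha256(binary).hexdigest()
    return any(hmac.compare_digest(r["sha256"], digest) for r in device_inventory)


def version_tuple(v):
    """'2.10' -> (2, 10), so that numeric comparison works across dotted versions."""
    return tuple(int(x) for x in v.split("."))


def network_access(device_inventory, required_min_versions, prohibited_products):
    """Inventory-based NAC: 'deny' if prohibited software is present,
    'quarantine' if a required product is missing or below its patched version, else 'full'."""
    installed = {r["product"]: r["version"] for r in device_inventory}
    if any(p in installed for p in prohibited_products):
        return "deny"
    for product, min_version in required_min_versions.items():
        if product not in installed or version_tuple(installed[product]) < version_tuple(min_version):
            return "quarantine"
    return "full"


if __name__ == "__main__":
    sig = sign_manifest(MANIFEST, PUBLISHER_KEYS["ExampleSoft"])
    inventory = []
    print("install:", install(inventory, MEDIA, MANIFEST, sig))
    print("tampered media:", verify_media(MEDIA + b"x", MANIFEST, sig))
    print("run installed / unknown:", execution_allowed(MEDIA, inventory), execution_allowed(b"unknown", inventory))
    print("access:", network_access(inventory, {"ExampleApp": "2.0"}, ["LegacyAgent"]))
```

The order of checks in `verify_media` matters: publisher trust is decided before any hash is compared, so a manifest from an unknown publisher is rejected even if its hash matches the media, and a manifest edited after signing (for example to raise the version) fails the tag check before the media is examined.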

The Project Description with the technical description of this challenge has been revised according to feedback from the public. A two-page fact sheet is also available.

Questions? Comments? Email the project team at conmon-nccoe@nist.gov.


Join Our Community of Interest

Interested in joining the Software Asset Management: Continuous Monitoring Community of Interest? Contact us!

A Community of Interest is a group of professionals and technical advisors convened to support the cybersecurity resiliency of the U.S. economy.
