Federal agencies have a software accumulation problem. The problem is not new, but it gets worse with each passing year. The issue stems from the nearly countless software options agencies can choose from.
IT leaders routinely purchase and build out mission-specific environments that require software. However, when that software is no longer required in the agency’s toolset, they need to decide whether to replace the software or remove it altogether.
The risks of software that’s reached EOL
Another challenge is that vendors often discontinue support for the software. This is called end of life (EOL). At this stage of the software lifecycle, support costs and cyber risks drastically increase as vendors discontinue patches and updates.
Not all organizations make long-term plans for removal at EOL. Most assume they can coast — especially when the software’s contract is set for several years, and the tool is operating as planned.
And getting a new replacement tool isn’t always a rapid exercise. The federal procurement process is often lengthy.
When it comes time to replace an EOL application or tool, it can take months or years to gain approvals, negotiate contracts, install new software, train employees and ensure the safe removal of old software.
In a Nextgov article, I explain why agencies should implement a modern tool rationalization approach. This allows them to revisit their entire tool adoption process while also keeping networks protected.
Unsupported software is a target for malicious attackers
Take Adobe Flash Player as an example, a product that reached EOL in December 2020. At the height of its popularity, the software was installed on nearly one billion endpoints. Over the years, that number has dropped due to an increased reliance on HTML5 to deliver animation and interactive content.
When the vendor no longer supports software, it’s not a secret. Malicious attackers create and use zero-day exploits, vulnerabilities for which a patch doesn’t exist, whenever possible.
If you choose to continue running unsupported software, the only way to prevent zero-days from being exploited is by applying mitigations or standard defense-in-depth strategies, neither of which guarantees success.
Malware creators stand by and aggressively target systems running old software the moment the opportunity presents itself, and they will likely keep targeting systems still running software they know will remain vulnerable.
How to retire end of life software
When retiring EOL software, federal IT teams need real-time visibility into their environments. They need the ability to identify the endpoints that have the software installed, determine where it is actively being used, and track any vulnerabilities and ongoing remediation efforts.
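As an added example, not from the original post and not Tanium's own tooling, the following Python script shows the kind of reconciliation the paragraph above describes: it takes an inventory snapshot (endpoint, product, version, last observed use) and an EOL catalog, and reports which endpoints still have EOL software installed, which of those are actively using it, and how long each has been past end of support. The inventory rows, the version strings, the "ExampleVendor LegacyAgent" product and its EOL date, and the 30-day "actively used" window are all constructed assumptions; the Adobe Flash Player EOL date is the one stated in the text.

```python
"""Flag endpoints running end-of-life (EOL) software from an inventory snapshot."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# EOL catalog: product name -> date vendor support ended.
# Flash Player's date is from the article; the second entry is a constructed
# placeholder product, not a real vendor or date.
EOL_CATALOG: Dict[str, date] = {
    "Adobe Flash Player": date(2020, 12, 31),
    "ExampleVendor LegacyAgent": date(2023, 6, 30),  # constructed placeholder
}

# Days since last execution within which we still call the software "in use".
ACTIVE_WINDOW_DAYS = 30  # assumption for this example


@dataclass(frozen=True)
class Installed:
    """One installed-software record as an endpoint agent might report it."""
    endpoint: str
    product: str
    version: str
    last_used: Optional[date]  # None = telemetry shows no recorded execution


# Constructed inventory snapshot (hostnames, versions and dates are made up).
INVENTORY: List[Installed] = [
    Installed("ws-001", "Adobe Flash Player", "32.0.0.0", date(2024, 1, 10)),
    Installed("ws-002", "Adobe Flash Player", "32.0.0.0", None),
    Installed("srv-010", "ExampleVendor LegacyAgent", "4.2", date(2023, 11, 1)),
    Installed("ws-003", "SupportedApp", "1.0", date(2024, 1, 14)),
]


def eol_findings(inventory: List[Installed], catalog: Dict[str, date],
                 today: date) -> List[dict]:
    """Return one finding per installed record whose product is past EOL.

    Findings are ordered so actively used installs come first, then the
    installs that have been unsupported the longest.
    """
    findings = []
    for item in inventory:
        eol = catalog.get(item.product)
        if eol is None or today < eol:
            continue  # supported, or not yet at its EOL date
        active = (item.last_used is not None
                  and (today - item.last_used).days <= ACTIVE_WINDOW_DAYS)
        findings.append({
            "endpoint": item.endpoint,
            "product": item.product,
            "version": item.version,
            "days_past_eol": (today - eol).days,
            "actively_used": active,
        })
    return sorted(findings,
                  key=lambda f: (-int(f["actively_used"]), -f["days_past_eol"]))


def summarize(findings: List[dict]) -> Dict[str, Dict[str, int]]:
    """Per-product counts: endpoints with it installed vs. actively using it."""
    summary: Dict[str, Dict[str, int]] = {}
    for f in findings:
        s = summary.setdefault(f["product"], {"installed": 0, "active": 0})
        s["installed"] += 1
        s["active"] += int(f["actively_used"])
    return summary


if __name__ == "__main__":
    report_date = date(2024, 1, 15)  # constructed "as of" date
    found = eol_findings(INVENTORY, EOL_CATALOG, report_date)
    for f in found:
        flag = "ACTIVE" if f["actively_used"] else "installed"
        print(f"{f['endpoint']:8} {f['product']:26} v{f['version']:10} "
              f"{f['days_past_eol']:5}d past EOL  [{flag}]")
    print(summarize(found))
```

The split between "installed" and "actively used" is the point of the exercise: an install that nobody runs can usually be removed immediately, while an actively used one needs a replacement plan, and both count as exposure until they are gone.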
As time passes, the risk of exploitable vulnerabilities rises as vendors no longer provide fixes. Often, adversaries can gain access through a single endpoint — one that was still running the EOL software. In many cases, it went undetected by both IT security and operations teams because they lacked comprehensive endpoint visibility across their network.
Attackers only need access to a single endpoint, and organizations are only as secure as their weakest endpoint. One vulnerable endpoint puts an entire organization at risk.
Read the full GCN and Nextgov articles to learn more about how Tanium can help agencies navigate software EOL and protect endpoint devices and agency networks at the speed and scale of today’s threats.