Put End-of-Life Software to Rest

COMMENTARY

When you've bought a haunted house, the worst thing you can do is decide to just live with it. Yet in every horror movie, there's always that one person — usually the father — who doesn't want to leave. Plates are flying off the shelves, blood is erupting from the sink, and Dad is ignoring all of it while pruning the ficus in the living room. 

Dad doesn't last long in those movies, and it's because he's ignoring one universal truth: Denying that a threat is real won't protect you from it. 

You'd think security-minded organizations would have learned that lesson by now. Unfortunately, many are just like Dad, resigned to an IT infrastructure that's lousy with ghosts. 

Here's one ghost we can vanquish right now: obsolete software. End-of-life (EOL) software is surprisingly common; nearly two-thirds of companies still rely on applications that no longer receive security updates from their vendors. This leaves critical systems exposed, making it a problem no business can afford to ignore. 

The Terrors of EOL

So, if EOL software is so scary, why is it so pervasive? Before we start berating companies — like a horror movie audience yelling at the characters onscreen to make better choices — let's try and understand what makes obsolete software so challenging to manage.  

Cost

Budget is undoubtedly the biggest reason companies use unsupported legacy applications. Sometimes, this is understandable — for instance, plenty of healthcare providers simply can't afford to replace their very expensive and specialized legacy tools. 

But let's be honest: A lot of companies just don't want to pony up the cash needed to maintain their tech stack properly. Updating or replacing software can be costly and disruptive. Who wants to take on that challenge, especially when the danger of inaction seems hypothetical?  

But this logic is (fatally) flawed. Any money you save by clinging to EOL software will be swallowed by the inevitable cost of a data breach. And that cost is likely to be higher if you're running outdated software, with no support to get your compromised systems back online.  

Shadow IT

EOL software has such a long afterlife that admins frequently aren't aware of it.  

Occasionally, vendors fail to adequately communicate when software is no longer supported ("Why … that program's been dead for over 40 years."). And sometimes, EOL software takes the form of shadow IT.  

Our 2023 study showed that 47% of companies allow employees to access resources from unmanaged devices. That means any individual user could have EOL (or simply unpatched) software on their device, and admins would have no way of knowing.  

Put EOL Software to Rest

Hopefully, by now, you're convinced that EOL software is a problem and you're sharpening stakes and smelting silver bullets.  

But while it's straightforward enough to update the legacy systems you know about, what are you supposed to do about all the EOL software you don't know about? How do you fight what you can't see? 

Monitor EOL Status

Start with a complete audit of all the work-related software in your organization. That includes not just the company-wide, big-ticket items but every end user's device (even BYOD). If you find a user still running, say, Big Sur, stop them from accessing company resources until they update to a supported version.  

Manually, keeping up with EOL dates is a tall order. But there are tools, like this API from endoflife.date, that can alert you when software becomes obsolete. A purpose-built agent like osquery can help discover the presence of installed EOL software across your fleet. 

From there, you need to establish ownership of EOL remediation so it's not just a game of whack-a-mole for the security team. Instead, make it a part of your existing patch management and compliance strategy and check in regularly. 

Banish EOL Software From Your Systems

Anyone dreading the approach of Windows 10 EOL in 2025 knows that these transitions require a lot of care and planning, and you can expect resistance from leadership and end users alike.  

The only way to overcome the fears around EOL software is to face them through clear communication. That starts by getting leadership buy-in and extends to communicating with end users when you find EOL shadow IT. Once you've set a policy, use a device trust solution to block devices running EOL software. But use blocking as a chance to explain the dangers of this software. Then, instruct users on how to fix the problem themselves. 

Everyone knows that in horror movies "Let's split up, gang!" is a recipe for disaster. When you're fighting to clear up a companywide problem, you need collaboration at a companywide level. So when you start diving into the scary world of EOL software, my advice is: Don't go it alone.