Security configuration management is the cybersecurity process of ensuring systems are properly configured to meet security and compliance standards, reducing cyber risk in the process. The practice of detecting and remediating misconfigurations combines elements of integrity monitoring, configuration validation, vulnerability assessment, and system remediation.
"The reliability of (Tripwire Enterprise) gives us the confidence to fulfill just about any reporting request coming from our stakeholders and auditors, which makes our audits go very smoothly and quickly."
— IT Vice President, Fortune 500 Financial Services Company
With thousands of ports, services and settings, tracking configurations on even a single server can be a big task. If you multiply those same ports, services and settings across your entire enterprise of servers, hypervisors, routers, switches and firewalls, the only way to track all of those configurations is through automation.
Your SCM console will collect data from these numerous endpoints and can be used to detect problems and remediate issues based on the compliance policies of your choice. The components of your particular SCM solution may differ, but architecturally there will be a console of some sort that is used to manage, configure and report SCM data. There will be a backend database that will store all of the baseline, change, and compliance information.
Without SCM in place, organizations are more likely to suffer security oversights (such as weak passwords or protocols) that can put sensitive data within cybercriminals’ reach. SCM provides two critical types of benefits to an organization: security and compliance.
SCM for Security
Misconfigurations create entry points for attackers, which is why properly configured systems are so critical for reducing the chance of a breach. Before misconfigurations can be identified, a secure configuration baseline must be defined. Deviations from that baseline then show up as test failures in the assessment process, and security teams remediate the affected systems back to the secure baseline. This define-assess-remediate loop is what SCM looks like in action.
SCM for Compliance
Configuration security is so crucial that almost all industry standards and regulations incorporate some version of an SCM mandate specifying how configurations should be set up. SCM tools substantially reduce the time it takes to prepare for an audit, and speed up the actual audit process as well. SCM can serve to enforce hardening frameworks such as the Center for Internet Security's CIS Controls, as well as compliance standards enforced by audits, such as the Payment Card Industry Data Security Standard (PCI DSS).
SCM and File Integrity Monitoring
To detect breaches early, you first need to detect the changes that make them possible. You must consistently determine which changes are bad from a security or compliance standpoint. File integrity monitoring (FIM) goes hand-in-hand with SCM to quickly detect and assess the impact of all suspicious change events.
FIM is the security process that monitors and detects changes in your environment to alert you to cybersecurity threats and helps you remediate them. FIM data is the engine that drives SCM success—you can’t have one working optimally without the other. Whereas SCM focuses specifically on assessing whether the current configuration is consistent with a predefined policy or expected state, FIM detects changes to files and system attributes that deviate from their prior baseline, including changes to servers, network devices, databases, virtual images, cloud service accounts, and more.
Considerations for Complex Environments
The configurations on network devices, databases, directory servers, POS terminals, workstations, laptops, tablets, operating systems, and applications aren't secure by default. In fact, default settings on new devices are often chosen for ease of installation, not for robust security. Configuration changes that leave systems vulnerable often occur inadvertently through what's called "configuration drift." Drift can take many forms, including accounts or processes that accumulate more privilege than intended, communication ports left open, or AWS (Amazon Web Services) S3 buckets left publicly accessible.
Adding to this complexity is the fact that organizations have these assets dispersed across office locations, home offices, distributed data centers, and even multiple cloud vendors. Even a small, seemingly innocuous change to a router configuration can disconnect entire networks and prevent employees from performing their tasks. That is why it is critical to have a clear understanding about SCM best practices not only for the traditional on-prem office setting, but also for cloud and remote environments.
The key on-prem SCM practice of your security teams should be monitoring device and application configuration settings to keep them in a known and trusted state. This must be done as a continuous practice rather than an occasional project. Even organizations that routinely assess their configurations or pass audits may be secure for only a moment in time. Risk increases every second that passes after an audit or assessment. And after each second, the known and trusted configuration state becomes less of a reality and more of a belief, inviting the conditions for a breach to take place.
Today, the typical modern enterprise uses a mixture of on-prem and cloud computing resources. These hybrid environments, while invaluable in terms of IT benefits such as scalability, cost savings, and granular infrastructure customization, do expand your attack surface. It's also common for hybrid organizations to use multiple cloud providers in order to take advantage of a wider array of cloud services. It's important to know the clear delineations of how your security responsibilities fit in with your providers' (the shared responsibility model). You're required to protect your data and applications, but you are also responsible for managing the configurations of your cloud accounts. A worthwhile SCM tool will work across multi-cloud environments.
The surge in remote work and its associated tools introduces new configuration management concerns. Shifting from a majority office to a majority remote workforce drastically changes the network perimeter and expands the attack surface. Supporting a sizable and widely-distributed remote workforce isn’t just about giving people laptops and permissions. There is a host of infrastructure required to provide supporting services like remote access, authentication, and helpdesk. In order to effectively implement SCM in a remote working environment, you must start by inventorying the systems involved in delivering that capability. With an inventory in hand, you can then deploy SCM to all the components involved.
What is “Checkbox” SCM?
Checkbox SCM products are ones that may provide just enough functionality to pass an audit if the auditor doesn’t dig too deep, or provide a limited library of policy content focused on generic standards but not more specialized policies such as NIST or PCI. Other vendors may offer products that have lots of content but do not scale well across your enterprise, or that lack the reporting capabilities you need. Make sure you select a solution or vendor that meets all your requirements—resist the temptation to simply check a box.
The Four Pillars of Strong SCM
Device discovery, the establishment of configuration baselines, change management, and remediation are the four integral processes of SCM. A worthwhile SCM tool automates those tasks for you and provides deep system visibility as a result. The moment a system becomes misconfigured, you should be notified and offered detailed remediation instructions in order to bring that system back into alignment with its baseline.
- Device Discovery: You can’t manage what you don’t know. First, you’ll need to find the devices that need to be managed.
- Establish Your Baseline: In order to establish a secure baseline, you need to define acceptable configurations for each managed device type.
- Manage Changes: Your SCM tool should get to work identifying and alerting on changes once your baseline is defined.
- Remediate: Identified problems either need to be fixed or granted an exception. For audits, you will also need to verify that expected changes actually occurred.
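The following is an added illustration of the cycle described in the FIM section and in the four pillars above; it is not code from the original page or from Tripwire. It keeps a hash baseline per managed file (pillar 2), reports files that appeared, disappeared or changed since that baseline (the FIM side of pillar 3), tests the current settings of a file against a required-settings policy (the SCM side of pillar 3), filters approved exceptions, and rewrites a drifted file back to the policy values (pillar 4). The file contents, the policy, and every function name are constructed for this example; real tools read the files from the managed endpoints and ship policy content for many platforms.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample data (not from any real host): file contents captured when the
# baseline was approved, and the contents observed on the next collection run.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": "Port 22\nPermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": "root ALL=(ALL) ALL\n",
}
CURRENT_FILES = {
    "/etc/ssh/sshd_config": "Port 22\nPermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/sudoers": "root ALL=(ALL) ALL\n",
    "/etc/cron.d/nightly": "0 2 * * * root /usr/local/bin/backup\n",
}
# Hypothetical hardening policy in the style of a benchmark check: required settings per file.
POLICY = {
    "/etc/ssh/sshd_config": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
}


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str         # "added", "removed", "modified" (FIM) or "policy" (SCM)
    detail: str
    remediation: str  # what an operator should do to return to the trusted state


def sha256_hex(content: str) -> str:
    return hashlib.sha256(content.encode()).hexdigest()


def build_baseline(files: dict) -> dict:
    """Pillar 2: record one hash per managed file as the trusted state."""
    return {path: sha256_hex(content) for path, content in files.items()}


def parse_settings(content: str) -> dict:
    """Parse 'Key value' lines (sshd_config style). Comments are skipped and the first
    occurrence of a key wins, which is how sshd itself resolves duplicate directives."""
    settings = {}
    for line in content.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key, value.strip())
    return settings


def detect_changes(baseline: dict, current: dict) -> list:
    """Pillar 3, FIM side: files that appeared, vanished or changed since the baseline."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append(Finding(path, "removed", "file missing",
                                    "restore from baseline or approve the removal"))
        elif path not in baseline:
            findings.append(Finding(path, "added", sha256_hex(current[path]),
                                    "review the file, then add it to the baseline or remove it"))
        elif sha256_hex(current[path]) != baseline[path]:
            findings.append(Finding(path, "modified", "hash mismatch",
                                    "diff against baseline and confirm a change ticket exists"))
    return findings


def assess_policy(current: dict, policy: dict) -> list:
    """Pillar 3, SCM side: test the current settings against the required values."""
    findings = []
    for path, required in policy.items():
        settings = parse_settings(current.get(path, ""))
        for key, want in required.items():
            got = settings.get(key)
            if got != want:
                findings.append(Finding(path, "policy", f"{key}={got!r}, expected {want!r}",
                                        f"set '{key} {want}' in {path}"))
    return findings


def remediate(content: str, required: dict) -> str:
    """Pillar 4: rewrite a file so every required setting holds, keeping unrelated lines.
    Duplicate directives for a required key are dropped so the enforced one is the first."""
    out, seen = [], set()
    for line in content.splitlines():
        key, _, _ = line.strip().partition(" ")
        if key in required:
            if key in seen:
                continue
            out.append(f"{key} {required[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key, value in required.items():
        if key not in seen:
            out.append(f"{key} {value}")
    return "\n".join(out) + "\n"


def run_assessment(baseline: dict, current: dict, policy: dict, exceptions=frozenset()) -> list:
    """One collection cycle; paths listed in `exceptions` are approved deviations."""
    findings = detect_changes(baseline, current) + assess_policy(current, policy)
    return [f for f in findings if f.path not in exceptions]


if __name__ == "__main__":
    for f in run_assessment(build_baseline(BASELINE_FILES), CURRENT_FILES, POLICY):
        print(f"{f.kind:9} {f.path}: {f.detail} -> {f.remediation}")
```

On the constructed input the run reports three findings: the cron file was added, sshd_config was modified, and the modified file now fails the PermitRootLogin policy check. The FIM and SCM findings deliberately stay separate: the hash mismatch tells you something changed and needs a change ticket, while the policy failure tells you whether the change matters for your security posture. Granting an exception for the cron file silences the first finding without hiding the other two, which is what the "fixed or granted an exception" step in the Remediate pillar calls for.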
The Tripwire Approach to SCM
Tripwire provides fully integrated solutions for policy, file integrity, and remediation management. Organizations use Tripwire for a complete end-to-end SCM program to address today's pressing security and compliance challenges, while building a foundation that positions them to address tomorrow's. Tripwire has the largest and broadest library of supported policies and platforms, with over 2000 policies covering an array of platform OS versions and devices. It gives you deep visibility into system security state so that you always know your current security posture, and its remediation capability automates and guides rapid repair of security and compliance misconfigurations.
"I know Tripwire Enterprise is reliable to pick up changes on my devices. We have worked hard to set up a good notification scheme, and it works well to let us know when configuration files, software, or other key information about large amounts of devices change."