The Four Integral Processes of SCM

No one wants their organization's systems to become misconfigured. When it does happen, you want to be notified automatically, and the notification should carry remediation instructions detailed enough to return the asset to its secure baseline. Your security team should therefore choose an SCM tool that automates the following four processes:
- Device Discovery: Security teams can't protect an IT asset they don't know about. A successful SCM program starts with an up-to-date inventory of everything installed on the network. Building that inventory by hand is rarely reliable: employees in other departments can add assets to the infrastructure without telling security, and anything added that way stays invisible to the program until it is found. Security teams should therefore choose an SCM tool with an integrated asset management repository, so that new assets are discovered automatically and then categorized or tagged for the policies that should apply to them.
- Establish Your Baseline: Once they know what is on the network, security teams define a secure baseline for each asset or class of asset. Benchmarks from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) are a good starting point for those configurations. Existing security policies and business requirements then narrow the effort to the assets that matter most to the organization.
- Manage Changes: With a baseline in place, the SCM solution monitors each system for deviations from it and alerts when one occurs. Teams can run real-time assessments and receive notifications continuously, but not every use case needs that; choose an assessment frequency that fits each asset's criticality and its rate of change.
- Remediate: When a system drifts from its baseline, the notification should carry what the analyst needs to act: which setting changed, what the baseline expects, and the steps that return the asset to its secure configuration. The same record lets security teams show an auditor that an authorized change took place as planned, and that unauthorized ones were detected and reversed. Because not every alert carries equal weight, the SCM tool should let the team prioritize what comes through, so that an unexpected change on a critical asset surfaces before routine, ticketed ones.
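The four steps above, run as one script against constructed data. This is an added example, not code from the original article or from any SCM product: it reconciles a scan result against the asset inventory (discovery), holds a secure sshd baseline with a fix attached to each control, parses a captured sshd_config and diffs it against that baseline (change management), and renders prioritized remediation alerts, marking deviations that a change ticket already covers. Hostnames, tags, scan output, ticket numbers and the config text are all constructed; the directive names are OpenSSH's, but the chosen values and fix wording are this example's assumption rather than CIS text.

```python
"""Added example (not from the original article): the four SCM steps as one
script. Inventory, scan output, tickets and the sshd_config capture are all
constructed for the example."""

import re
from dataclasses import dataclass
from typing import Optional

# 1. Device discovery: what we manage versus what answered on the network.
INVENTORY = {                                   # constructed: hostname -> tags
    "web-01": {"role:web", "env:prod"},
    "db-01": {"role:db", "env:prod"},
}
SCAN_RESULT = ["web-01", "db-01", "jump-99"]    # constructed scan output


def find_unmanaged(inventory: dict, scanned: list) -> list:
    """Hosts seen live but absent from the inventory; they cannot be
    baselined or monitored until someone enrolls and tags them."""
    return sorted(h for h in scanned if h not in inventory)


# 2. Establish the baseline: the required value and the fix for each control.
@dataclass(frozen=True)
class Control:
    expected: str
    remediation: str

# Values are in the spirit of the CIS OpenSSH recommendations; the exact set
# and the wording of the fixes are this example's assumption, not CIS text.
SSHD_BASELINE = {
    "PermitRootLogin": Control("no", "set 'PermitRootLogin no' in sshd_config and reload sshd"),
    "PasswordAuthentication": Control("no", "set 'PasswordAuthentication no' and require keys"),
    "X11Forwarding": Control("no", "set 'X11Forwarding no' explicitly"),
    "MaxAuthTries": Control("4", "set 'MaxAuthTries 4'"),
}

# 3. Manage changes: capture the live config and diff it against the baseline.
OBSERVED_SSHD_CONFIG = """\
# constructed capture from web-01; X11Forwarding is deliberately absent
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 6
"""

# Constructed change tickets: (host, directive) -> ticket that authorized it.
APPROVED_CHANGES = {("web-01", "MaxAuthTries"): "CHG-1042"}


def parse_sshd_config(text: str) -> dict:
    """Return lowercase keyword -> value. Comments and blank lines are skipped,
    '=' is accepted as a separator, and the FIRST occurrence of a keyword wins,
    which is how sshd itself resolves duplicate directives."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"^(\S+?)\s*(?:=|\s)\s*(\S.*)$", line)
        if match:
            settings.setdefault(match.group(1).lower(), match.group(2).strip())
    return settings


@dataclass(frozen=True)
class Drift:
    host: str
    directive: str
    expected: str
    observed: str              # "<missing>" when the directive is not set
    remediation: str
    ticket: Optional[str]      # change ticket covering this deviation, if any


def check_drift(host: str, config_text: str, baseline: dict, approved: dict) -> list:
    """One Drift per baseline control whose live value differs. A missing
    directive counts as drift too: sshd's compiled-in default may happen to be
    secure, but the baseline wants it stated, and 'sshd -T' is the way to
    confirm the effective value on a real host."""
    observed = parse_sshd_config(config_text)
    drifts = []
    for directive, control in baseline.items():
        actual = observed.get(directive.lower(), "<missing>")
        if actual.lower() != control.expected.lower():
            drifts.append(Drift(host, directive, control.expected, actual,
                                control.remediation, approved.get((host, directive))))
    return drifts


# 4. Remediate: every alert carries the fix; unauthorized deviations sort first.
def build_alerts(drifts: list) -> list:
    ordered = sorted(drifts, key=lambda d: (d.ticket is not None, d.directive))
    return [
        f"[{'EXPECTED ' + d.ticket if d.ticket else 'UNAUTHORIZED'}] {d.host}: "
        f"{d.directive}={d.observed!r}, baseline {d.expected!r}; fix: {d.remediation}"
        for d in ordered
    ]


if __name__ == "__main__":
    print("unmanaged:", find_unmanaged(INVENTORY, SCAN_RESULT))
    for line in build_alerts(check_drift("web-01", OBSERVED_SSHD_CONFIG,
                                         SSHD_BASELINE, APPROVED_CHANGES)):
        print(line)
```

Running the script reports jump-99 as an unmanaged host and three deviations on web-01: the root-login and X11 ones as unauthorized, and the MaxAuthTries change as expected because ticket CHG-1042 covers it. The tuple sort key in build_alerts is the whole prioritization step: it is the difference between an analyst seeing a real deviation first and seeing a page of planned changes first.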
Four Other Important SCM Processes

Device discovery, establishing a baseline, change management and remediation form the foundation of an organization's SCM program. But there is more to do from there. In particular, security professionals need to maintain their policy libraries, monitor for change, create remediation workflows, and use reports and dashboards as part of their SCM program.
Maintaining Policy Libraries

Policies are a crucial part of a successful SCM program. They contain the standards with which monitored systems on the organization's network must comply. To make the job easier, organizations should make sure the SCM tool they use ships with built-in policy content, so that they can test against standards such as the CIS Benchmarks, the CIS Controls and PCI DSS. To get the most out of the solution, however, that policy content must also be accurate and current, so the tool should let the team import policies as well as author their own. It should also allow the organization to grant waivers to specific assets for a documented business reason, to apply multiple policies to a single device, and to tag assets so that the right policies follow them across the network. A waiver should be time-bound and recorded with its justification; an open-ended exception is a finding that has stopped being reported, not a risk that has gone away.
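A small policy library that does the three things the paragraph asks for: tags select which policies apply, several policies can apply to one asset, and a waiver exempts one asset from one check until an expiry date. This is an added example, not code from the original article or from any product; the policy names, checks, asset facts, tags and dates are all constructed, and the checks are loosely modelled on CIS Benchmark and PCI DSS style requirements rather than quoted from either.

```python
"""Added example (not from the original article): tag-driven policy selection
with time-bound waivers. All policies, assets, facts and dates are constructed."""

from datetime import date

# Policy library. Each check maps a name to (fact key, predicate on the value
# collected from the asset). A policy applies to an asset carrying all of its tags.
POLICIES = {
    "baseline-linux": {
        "applies_to": {"os:linux"},
        "checks": {
            "ssh-no-root-login": ("sshd.PermitRootLogin", lambda v: v == "no"),
            "auditd-running": ("services.auditd", lambda v: v == "running"),
        },
    },
    "pci-cde": {
        "applies_to": {"scope:pci"},
        "checks": {
            "no-telnet": ("services.telnet", lambda v: v in (None, "disabled")),
            "password-min-length": ("pam.minlen", lambda v: isinstance(v, int) and v >= 12),
        },
    },
}

# Waivers: (asset, check) -> (business reason, expiry). Time-bound on purpose:
# once expired, the waiver stops suppressing the failure instead of persisting silently.
WAIVERS = {
    ("legacy-pos-01", "no-telnet"): ("vendor appliance; replacement on order", date(2025, 12, 31)),
}

# Constructed facts, as an agent or a remote collector would report them.
ASSETS = {
    "web-01": {
        "tags": {"os:linux", "role:web"},
        "facts": {"sshd.PermitRootLogin": "no", "services.auditd": "running"},
    },
    "legacy-pos-01": {
        "tags": {"os:linux", "scope:pci"},
        "facts": {"sshd.PermitRootLogin": "yes", "services.auditd": "running",
                  "services.telnet": "enabled", "pam.minlen": 8},
    },
}

ASSESSMENT_DATE = date(2025, 6, 1)     # constructed: the waiver is still valid
AFTER_EXPIRY = date(2026, 1, 15)       # constructed: the waiver has lapsed


def applicable_policies(tags: set, policies: dict = POLICIES) -> list:
    """Every policy whose required tags are a subset of the asset's tags."""
    return [name for name, pol in policies.items() if pol["applies_to"] <= tags]


def evaluate(asset: str, tags: set, facts: dict, today: date,
             policies: dict = POLICIES, waivers: dict = WAIVERS) -> dict:
    """Return 'policy/check' -> 'pass' | 'fail' | 'waived'. Results are keyed by
    policy as well as check so two policies sharing a check name both show."""
    results = {}
    for pname in applicable_policies(tags, policies):
        for cname, (fact_key, predicate) in policies[pname]["checks"].items():
            if predicate(facts.get(fact_key)):
                status = "pass"
            else:
                waiver = waivers.get((asset, cname))
                status = "waived" if waiver and waiver[1] >= today else "fail"
            results[f"{pname}/{cname}"] = status
    return results


def expired_waivers(today: date, waivers: dict = WAIVERS) -> list:
    """Waivers that have lapsed and need renewal or actual remediation."""
    return sorted(key for key, (_, expiry) in waivers.items() if expiry < today)


if __name__ == "__main__":
    for name, a in ASSETS.items():
        print(name, evaluate(name, a["tags"], a["facts"], ASSESSMENT_DATE))
    print("expired waivers:", expired_waivers(AFTER_EXPIRY))
```

On the assessment date, legacy-pos-01 is evaluated against both policies because it carries both tags, its telnet finding shows as waived, and its root-login and password-length findings fail. Re-run after the waiver's expiry, the telnet finding fails again and expired_waivers lists the waiver for review, which is the behaviour that keeps exceptions from quietly becoming permanent.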
Monitoring

Well-defined processes and policies are crucial to an effective SCM program, but they accomplish nothing unless they are used to monitor the organization's critical assets for change. Monitoring can be deployed in two ways:
- Agents: The organization installs a piece of software on the asset itself. Because the agent observes the asset directly, it provides the most detailed information and can report a change as soon as it happens.
- Agentless: The organization monitors the asset remotely over existing management protocols, with nothing installed on it. This is less disruptive than deploying agents and covers network elements on which an agent cannot run, such as switches, firewalls and appliances. The trade-off is less detail per asset and a dependence on remote credentials, which must themselves be protected: an account that can read the configuration of every monitored device is a valuable target.