The coronavirus disease 2019 (COVID-19) pandemic shifted the cybersecurity landscape. According to a PR Newswire release, the FBI tracked as many as 4,000 digital attack attempts a day during the pandemic, 400% more than before the pandemic. In response to these attacks, 70% of CISOs told McKinsey that they believed their security budgets would shrink by the end of 2020 but that they’d be asking for significant increases in 2021.
These findings raise the question: where should CISOs direct their security asks for 2021 and beyond?
Foundational Controls as an Answer
Network security begins with asset discovery. This foundational control advises organizations to develop an inventory of all authorized and unauthorized hardware, software and other devices. Using that information, IT security personnel can track and correct all authorized devices and software. They can also deny access to unauthorized and unmanaged products as well as prevent unapproved software from installing or executing on network devices.
Where Security Configuration Management Comes In
Once enterprises have discovered all their assets, they can move on to security configuration management (SCM). NIST’s SP 800-128, entitled “Guide for Security-Focused Configuration Management of Information Systems,” explains that organizations use SCM to ensure the integrity of their products and systems. This security control accomplishes that aim by establishing, managing and remediating deviations from configurations for those assets.
IT security and IT operations meet at SCM because this foundational control blends together key practices such as mitigating known security weaknesses using vulnerability assessments, evaluating authorized hardware and software configurations as well as using security processes and controls to automate remediation. Towards that end, organizations can leverage a software-based SCM solution to reduce their attack surfaces by proactively and continuously monitoring and hardening the security configurations of their environment’s operating systems, applications and network devices.
Security Configuration Management and Compliance
Security configuration management doesn’t just serve organizations’ digital security requirements. Compliance auditors can also use security configuration management to monitor an organization’s compliance with mandated policies. These standards range from international standards such as the ISO 27000 series, to industry-specific requirements like the Payment Card Industry Data Security Standard (PCI DSS), which applies to just about anyone who handles branded credit cards, to government regulations like the United States’ Sarbanes-Oxley Act (SOX) or those of the Monetary Authority of Singapore (MAS).
Security configuration management consists of four steps. The first step is asset discovery, as I described above. Organizations can use active discovery to try to find all of their connected hardware and software manually, but this method doesn’t account for the possibility of shadow IT. Consequently, organizations should also consider passive discovery to surface assets that might otherwise be hidden from the IT department.
Next, organizations should define acceptable secure configurations as baselines for each managed device type. They can do so by referring to their security policies. Alternatively, they can consider using guidance published by the Center for Internet Security (CIS) or the National Institute of Standards and Technology (NIST).
From there, they can assess their managed devices at a predefined frequency specified in their security policy. It’s not enough for organizations to determine that there’s an issue with their assets’ security configurations, however. When they spot a deviation from an approved secure baseline, organizations need processes in place that ensure someone either fixes the problem or grants it an exception on a timely basis.
Strategic Security Configuration Management
Many SCM solutions come with additional features that organizations can use to better protect their networks. Here are a few considerations of which enterprises should remain aware:
- OS and Application Support: If they intend to get the most out of their security configuration management efforts, companies must make sure their solution supports every operating system and application in their environment. Failing to do so could leave some assets uncovered, which undermines visibility of the network and impedes the ability to prevent attackers from abusing a misconfiguration for malicious purposes.
- Policy Flexibility: The best types of SCM solutions offer numerous policies and configurations. Such options allow organizations to adjust the tool to their own evolving requirements as they continue to undergo their digital transformations. Along that same vein, companies should also have the option of customizing preset policies, defining new policies and adding new baseline configurations and/or benchmarks as their needs change.
- Scalability: Organizations should make sure they can customize the frequency, impact and scope of their security configuration management solution’s scanning protocols. That flexibility should include the ability to distribute scanners strategically around the network so as not to tax endpoints needlessly, and to prioritize security efforts. It should also include the ability to manage remote devices, for example by issuing alerts when a product requires assessment but has not connected to the network in some time.
- Closure of the Operational Loop: Companies can choose to act manually on their SCM solution’s findings by reporting configuration issues to the help desk. Even so, it’s advantageous to invest in a solution that reports those issues automatically and in so doing closes the operational loop. Otherwise, organizations could neglect to report an issue and leave themselves open to attackers exploiting a misconfiguration. Organizations should also look for functionality that reduces false positives, such as suppressing findings for which someone has granted an authorized exception. The last thing organizations want is to waste time investigating an issue that doesn’t constitute a digital threat while neglecting to commit time and resources to actual security problems.
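The four-step loop described above (discover, baseline, assess, then fix or grant an exception), together with the exception handling, remediation timeliness and OS coverage points from the list, as an added illustrative example that is not Tripwire’s code or part of the original post. All baselines, device records, exceptions and dates are constructed; the baseline setting names are hypothetical, in the spirit of CIS/NIST benchmarks.

```python
# Toy SCM assessment loop: compare observed device configurations against per-type
# secure baselines, suppress deviations covered by an unexpired authorized exception,
# and flag open deviations older than the remediation window. All data is constructed.
from datetime import date, timedelta

# Constructed baselines per device type (hypothetical setting names).
BASELINES = {
    "linux_server": {"ssh_permit_root_login": "no", "password_min_length": 14, "auditd_enabled": True},
    "switch": {"telnet_enabled": False, "snmp_community": "not_public"},
}
# Constructed observed state, as a discovery/assessment pass would report it.
OBSERVED = {
    "web01": ("linux_server", {"ssh_permit_root_login": "yes", "password_min_length": 14, "auditd_enabled": True}),
    "core-sw1": ("switch", {"telnet_enabled": True, "snmp_community": "public"}),
    "plc-7": ("plc", {"firmware": "2.1"}),  # device type with no baseline defined
}
# Authorized exceptions: (device, setting) -> expiry date (constructed).
EXCEPTIONS = {("core-sw1", "telnet_enabled"): date(2021, 12, 31)}
# When each deviation was first detected (constructed), used for the SLA check.
FIRST_SEEN = {("web01", "ssh_permit_root_login"): date(2021, 1, 5)}
REMEDIATION_DAYS = 30

def assess(observed, baselines, exceptions, first_seen, today, sla_days=REMEDIATION_DAYS):
    """Return one finding dict per baseline deviation, with a workflow status."""
    findings = []
    for device, (dev_type, config) in observed.items():
        if dev_type not in baselines:  # unsupported type is a visibility gap, not "compliant"
            findings.append({"device": device, "setting": None, "expected": None, "actual": None, "status": "no_baseline"})
            continue
        for setting, expected in baselines[dev_type].items():
            actual = config.get(setting)  # a missing setting is also a deviation
            if actual == expected:
                continue
            expiry = exceptions.get((device, setting))
            if expiry is not None and expiry >= today:
                status = "excepted"  # authorized exception still valid: do not escalate
            else:  # absent or expired exception: the deviation is live
                seen = first_seen.get((device, setting), today)
                status = "overdue" if today - seen > timedelta(days=sla_days) else "open"
            findings.append({"device": device, "setting": setting, "expected": expected,
                             "actual": actual, "status": status})
    return findings

def run_sample(today_iso="2021-03-01"):  # assess the constructed sample as of an ISO date
    return assess(OBSERVED, BASELINES, EXCEPTIONS, FIRST_SEEN, date.fromisoformat(today_iso))

if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['status']:<12}{f['device']}:{f['setting']} expected={f['expected']!r} actual={f['actual']!r}")
```

Re-running with a later date (for example `run_sample("2022-01-15")`) shows the switch’s telnet exception expiring and the finding turning back into an open deviation, which is the case an exception register needs to catch.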
SCM from Tripwire
To help companies with security configuration management, Tripwire has created the Configuration Compliance Manager. This agentless solution profiles and discovers all assets on the network, assesses and audits the compliance of network infrastructure devices and other key systems as well as yields crucial data about what patches are still missing on both IT and OT devices. In doing so, the solution can reduce organizations’ audit readiness costs by up to 40%.
To learn more about Tripwire’s Configuration Compliance Manager, click here.
Additional information on SCM can be found in this free e-book. You can also learn about some of the other foundational network security controls you should look for when purchasing a new solution by downloading this whitepaper.