Security configuration management (SCM) involves maintaining a secure baseline configuration for an organization’s systems and monitoring those assets for deviations from that baseline. This fundamental control pairs well with other elements of an organization’s security strategy. As such, SCM enables security teams to harden their organization’s cloud workloads, industrial environments and other IT assets against digital threats.
There’s just one question: how can security teams best implement SCM in practice?
This blog post will begin by discussing the four integral processes of SCM. Next, it will dive into four other elements of SCM which security teams should know about. Understanding these eight components will give security teams a foundation on which they can both create and strengthen their organization’s SCM program.
The Four Integral Processes of SCM
No one wants their organization’s systems to become misconfigured. But when that does happen, you want to make sure you automatically receive a notification that offers detailed remediation instructions on how you can return that asset to its secure baseline. It’s therefore important for your security team to go with a SCM tool that automates the following four processes:
- Device Discovery: Security teams can’t protect an IT asset if they don’t know about it. If the organization’s SCM program is to be successful, security professionals need to make sure they have an up-to-date asset inventory that contains everything that’s installed on the network. It’s not always easy to make such an inventory manually. Employees from other departments might be able to add new assets onto the organization’s IT infrastructure, for instance, which would make discovery difficult. That’s why it’s important for security teams to invest in an SCM tool that ideally comes with an integrated asset management repository. Such a capability will help security team members to discover assets automatically and to then categorize/tag them appropriately.
- Establish Your Baseline: Once they know what’s on the network, security team members need to come up with a secure baseline for each asset. Security professionals can use benchmarks from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) to get started in defining these configurations. They should also leverage existing security policies and business requirements to focus in on the assets that matter most to the organization.
- Manage Changes: With a baseline provided for the organization’s systems, the SCM solution can get to work monitoring for and alerting on changes to that baseline. Security teams have the option of conducting real-time assessments so that they can receive notifications on an ongoing basis. However, this might not be necessary for some of their use cases, so they should decide upon a frequency that works best for them.
- Remediate: It’s important that security teams have the ability to receive notifications for when a change to the baseline occurs. A notification should include essential information including what remediation steps can be taken to return the asset to its secure configuration. Using that information, security teams can verify for an auditor that an expected change took place. It’s therefore important that security professionals have an SCM tool that enables them to prioritize what information is coming through.
Four Other Important SCM Processes
Device discovery, establishing a baseline, change management and remediation all form the foundation of an organization’s SCM foundation. But there’s more to do from there. In particular, security professionals need to pay special focus towards maintaining their policy libraries, monitoring for change, creating remediation workflows as well as using reports and dashboards as part of their SCM program.
Maintaining Policy Libraries
Policies form a crucial part of a successful SCM program. They contain standards with which monitored systems on the organization’s network must comply. To make it easy for themselves, organizations should make sure that whatever SCM tool they’re using has built-in policy content so that they can test against security benchmarks such as the CIS Controls and PCI DSS.
To get the most out of their solution, however, they also need to make sure that their policy content is accurate and current. They should therefore invest in a solution that enables them to import policies as well as to create their own. That solution should also allow the organization to grant waivers to certain assets based upon a business requirement, apply multiple policies to devices and tag their assets to streamline the SCM process across certain parts of the network.
Well-defined processes and policies are crucial to an effective SCM program. But they’re useless unless they help organizations to monitor their critical assets for change. They can do this using two different types of deployments:
- Agents: Organizations install a piece of technology on the asset. This type of deployment provides detailed information because the agent monitors the asset directly.
- Agentless: Organizations use remote access to monitor the asset from afar. This type of deployment is less disruptive than agent-based monitoring, as it accounts for unique network elements on which agents might not work.
Organizations have another decision to make. Regardless of whether they use agents, they need to determine how often to conduct SCM assessments. For instance, they can apply real-time change detection to their dynamic environments so as to receive alerts about modifications as soon as possible. But routers, network switches and firewalls don’t need that type of monitoring, thereby allowing organizations to monitor those assets for changes on a more periodic basis.
Organizations need to know which assets are out of compliance with their secure baselines. But once they’ve found a deviation, they need to be able to correct it on a timely basis. They should therefore consider investing in a SCM solution whose policy content provides guidance on how security teams can remediate configuration issues. It should be able to integrate with an automated change management solution to further streamline the remediation process.
Reports and Dashboards
It’s important for security teams to figure out how they want to receive technical and higher-level information collected by the SCM solution. In particular, they should investigate what capabilities the tool offers in terms of prioritizing data and generating reports. They should also look into the dashboarding features so that the solution can help all interested parties, including non-technical employees, drill down into the SCM tool’s results for the purpose of fulfilling their work-related duties..
For more recommendations on how to strengthen your organization’s SCM program, download Tripwire’s eBook here.
FURTHER READING ON SCM:
- SCM: Understanding Its Place in Your Organization’s Digital Security Strategy
- 3 Areas of Your IT Infrastructure that SCM Can Help to Secure