So many times, we hear companies say, “Our tools are just like Tripwire’s,” “We do configuration management just like Tripwire” and “We can push out policy just like Tripwire.”
But as we say, this just ain’t necessarily so.
You might be able to do configuration management using a “Tripwire-like” tool. You might configure it and use it set up a policy or a configuration of a system. This configuration needs to stay the way it is, and if it ever drifts from that, then the tool will alert the organization and help to reconfigure and fix it in a timely manner.
All that’s true. What’s more, this flow can be very exciting, as people love the idea that they don’t have to stay on top of their configurations.
However, there are two problems:
- How do you know that the particular setting that you’ve chosen for your configuration is appropriate for your organization’s security needs?
- Are all of your changes going to go through this tool? Do some environment changes take place outside of this tool? If so, how do you manage those?
That second point is very important. If your tool isn’t accounting for all of your organization’s changes, then every single change enters into “break/fix mode.”
What is break-fix mode?
The term “break/fix” or “break’n fix” refers to the fee-for-service method of providing information technology (IT) services to businesses. It’s a reactionary paradigm through which an organization waits to fix something until it actually breaks.
Using this method, an IT solutions provider performs services as needed and bills the customer only for the work that’s been done. This type of model can save organizations money initially. But in the absence of preventative maintenance and other proactive work, organizations might inadvertently allow small issues to balloon into big problems that end up costing them at some point in the future.
The break/fix model also doesn’t pair well with “Tripwire-like” configuration management tools. When you got to get your systems back up and running after something has broken, for instance, you’re going to have to take the time to go through and make every single change that you make in production with this tool.
Think about that. We have two different types of actors who can make changes in production: the folks that set the policies and the admins who make a change after the fact. How is the “Tripwire-like” tool going to keep track of changes that weren’t made through it?
Any administrator can log on to your systems directly and make changes, after all. That’s game over in our book.
Ultimately, you need somebody watching those changes made by the other actor, as your tool won’t have any knowledge of those changes. You also need to obtain independent verification that what you’re pushing hasn’t resulted in an insecure configuration.
Don’t forget the need to compare, either. The company needs the ability to compare changes that have been made. For example, if you’ve got five servers that should be exactly alike, as they were originally configured, how are these changes compared? What exactly changed, as compared to the golden image/baseline configuration? You need to be able to compare those changes and see where they’re different and what has changed.
Changes made after the fact
Other configuration management tools can help you vet your changes. Now, obviously you’re going to have security controls regarding who can make those changes, etc. And you might have a change that went through your change management process that was appropriately vetted by everybody involved. The change was appropriately documented through the change management solution, in other words.
Lo and behold, but when the change is implemented, it turns out that it causes several problems for the security of your configuration that you now need to consider after the fact.
How is this possible?
Because someone else made changes after the fact. These are approved changes that went through your tool, but they end up with a bad configuration, and your tool is not going to tell you that. So now what?
Tripwire to the rescue
You need a tool like Tripwire to help you.
Regardless of who’s making the change, whether it’s a person, a process or tool, you need to make sure that those are the right changes, and you need to make sure that the resulting state is one that is correct, secure and supportive of the company’s business needs.
As the industry’s leading Secure Configuration Management (SCM) solution, Tripwire helps reduce your attack surface and risk exposure with proper system hardening and continuous configuration monitoring. Tripwire enables you to maintain a secure baseline configuration and monitor assets for deviations while automating and guiding security teams to rapid repair of non-compliant systems and misconfigurations.
You can learn more about Tripwire’s approach to configuration management here.