In The Godfather Part II, Michael Corleone says, “There are many things my father taught me here in this room. He taught me: keep your friends close, but your enemies closer.” The lesson Vito Corleone taught his son Michael is just as applicable to IT security.
Today’s cyber threat landscape is extremely challenging. This is highlighted by the length of time it takes to detect a breach. The gap from a breach to detection is still lingering at 205 days, according to Mandiant. Two hundred and five days is nearly seven months, and that is a lot of time for your enemies to wreak havoc on your network.
So where does an organization start to “keep their enemies closer”?
Both the SANS Institute and the Council on Cybersecurity recommend here and here, respectively, that once you inventory your hardware and software, the most important security control is secure configurations.
But what is Security Configuration Management and why is it so important?
Attackers are looking for systems that have default settings that are immediately vulnerable. Once an attacker exploits a system, they start making changes. These two reasons are why Security Configuration Management (SCM) is so important. SCM can not only identify misconfigurations that make your systems vulnerable but also identify “unusual” changes to critical files or registry keys.
With a new zero-day threat revealed almost daily, signature-based defenses are not enough to detect the advanced threats. To detect a breach early, organizations need to understand not just what is changing on critical devices but be able to identify “bad” changes. SCM allows organizations to understand exactly what is changing on their key assets.
By setting a “gold” standard configuration for your systems and continuously monitoring for indicators of compromise, organizations can quickly identify a breach. Early detection of a breach will help to mitigate the damage of an attack.
Using SCM to enforce a corporate hardening standard like CIS, NIST and ISO 27001, or a compliance standard like PCI, SOX, or HIPAA provides the ability to continuously harden systems to reduce the attack surface. Hardened systems provide less opportunity for the bad guys to launch a successful attack.
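The two SCM functions described above, checking systems against a hardening standard and flagging changes from a gold baseline, can be sketched in a few dozen lines. The example below is added here for illustration; it is not code from the original post or from any SCM product. The file contents, paths and hardening rules are constructed sample data (the rules are in the spirit of a CIS-style benchmark, not quoted from one), and the checker works on in-memory strings so it runs offline.

```python
import hashlib

# Constructed "gold" snapshot of two config files on a hardened host
GOLD_FILES = {
    "/etc/ssh/sshd_config": "Port 22\nPermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": "root ALL=(ALL) ALL\n%admin ALL=(ALL) ALL\n",
}

# Constructed "current" snapshot taken later: one directive was flipped and a new file appeared
CURRENT_FILES = {
    "/etc/ssh/sshd_config": "Port 22\nPermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/sudoers": "root ALL=(ALL) ALL\n%admin ALL=(ALL) ALL\n",
    "/etc/cron.d/newjob": "0 * * * * root /usr/local/bin/task\n",
}

# Illustrative hardening rules (assumed, CIS-style): directive -> required value
HARDENING_RULES = {
    "/etc/ssh/sshd_config": {
        "PermitRootLogin": "no",
        "PasswordAuthentication": "no",
    },
}


def sha256_text(text: str) -> str:
    """Hash file content; the baseline stores hashes rather than the content itself."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline(files: dict) -> dict:
    """Snapshot of the gold state: path -> content hash."""
    return {path: sha256_text(content) for path, content in files.items()}


def parse_settings(content: str) -> dict:
    """Parse 'Directive value' lines (sshd_config style), skipping blanks and comments."""
    settings = {}
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def check_hardening(files: dict, rules: dict) -> list:
    """Compare each file's directives against the hardening standard.

    Returns (path, directive, expected, actual) for every deviation. A missing
    directive is reported with actual=None, since an absent setting silently
    falls back to the daemon's default rather than to the hardened value.
    """
    findings = []
    for path, required in rules.items():
        actual = parse_settings(files.get(path, ""))
        for directive, expected in required.items():
            value = actual.get(directive)
            if value != expected:
                findings.append((path, directive, expected, value))
    return findings


def detect_changes(baseline: dict, files: dict) -> dict:
    """Report drift from the gold baseline: modified, added and removed paths."""
    current = build_baseline(files)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def audit(baseline: dict, files: dict, rules: dict) -> dict:
    """One SCM pass: hardening deviations plus changes since the baseline was taken."""
    return {"hardening": check_hardening(files, rules), "changes": detect_changes(baseline, files)}


if __name__ == "__main__":
    gold = build_baseline(GOLD_FILES)
    for key, value in audit(gold, CURRENT_FILES, HARDENING_RULES).items():
        print(key, value)
```

Run on the constructed data, the audit reports the flipped `PermitRootLogin` as a hardening deviation and, independently, that `/etc/ssh/sshd_config` changed and `/etc/cron.d/newjob` appeared since the baseline. The two signals are deliberately separate: the hardening check catches a setting that is wrong regardless of history, while the baseline comparison catches anything that changed, including files no rule covers.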
Many breaches are caused by misconfigurations; in fact, the Verizon Data Breach Investigations Report 2015 highlights that 60 percent of incidents resulted from errors made by internal staff.
Without SCM, the task of maintaining secure configurations even on a single server is daunting; there are well over a thousand ports, services and configuration settings to track. Multiply those same ports, services, and settings across your entire enterprise of servers, hypervisors, routers, switches, and firewalls, and the only way to track all of those configurations is through automation.
Using a corporate hardening standard and creating the baseline to identify changes to that standard is a great way to “keep your enemies closer”. Vito Corleone would be proud.