Last time, I discussed how network security begins with asset discovery. This foundational control advises organizations to develop an inventory of all authorized and unauthorized devices and software. Using that information, IT security personnel can track and correct all authorized devices and software. They can also deny access to unauthorized and unmanaged products, as well as prevent unapproved software from installing or executing on network devices.
Once enterprises have discovered all their assets, they can move on to security configuration management (SCM).
IT security and IT operations meet at SCM because this foundational control blends together key practices, such as vulnerability assessment, automated remediation and configuration assessment. Organizations can, therefore, leverage a software-based SCM solution to reduce their attack surfaces by proactively and continuously monitoring and hardening the security configurations of their environment’s operating systems, applications and network devices.
Compliance auditors can also use security configuration management to monitor an organization’s compliance with mandated policies. These standards range from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for organizations that collect medical information to the Payment Card Industry Data Security Standard (PCI DSS) for just about anyone who handles branded credit cards.
Security configuration management consists of four steps. The first step is asset discovery. Next, organizations should define acceptable secure configurations as baselines for each managed device type. They can do so using guidance published by the Center for Internet Security (CIS) or the National Institute of Standards and Technology (NIST).
From there, they assess their managed devices according to a pre-defined frequency policy. Finally, they should make sure someone fixes each problem the assessment finds or grants it an exception.
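The assess-and-resolve steps above, as an added example (not from the original article and not Tripwire's code): each discovered device is compared with the baseline for its device type, and each deviation is marked for remediation unless an unexpired exception covers it. The hosts, setting names, values and exception dates are constructed for illustration and are not taken from CIS or NIST guidance.

```python
from datetime import date

# Step 2: one baseline per managed device type (constructed settings).
BASELINES = {
    "linux-server": {"ssh_permit_root_login": "no", "password_min_length": 14},
    "switch": {"telnet_enabled": False, "snmp_version": "v3"},
}

# Step 1 output: discovered devices with their current settings (constructed).
INVENTORY = [
    {"host": "web01", "type": "linux-server",
     "config": {"ssh_permit_root_login": "yes", "password_min_length": 14}},
    {"host": "sw-core", "type": "switch",
     "config": {"telnet_enabled": True, "snmp_version": "v3"}},
    {"host": "db01", "type": "linux-server",
     "config": {"ssh_permit_root_login": "no"}},  # password setting absent
    {"host": "cam07", "type": "ip-camera", "config": {}},  # no baseline defined
]

# Step 4: granted exceptions keyed by (host, setting), each with an expiry date.
EXCEPTIONS = {
    ("sw-core", "telnet_enabled"): date(2030, 1, 1),
    ("web01", "ssh_permit_root_login"): date(2020, 1, 1),  # already expired
}

def assess(inventory, baselines, exceptions, today):
    """Step 3: return (host, setting, status) for every deviation found."""
    findings = []
    for dev in inventory:
        baseline = baselines.get(dev["type"])
        if baseline is None:
            # A discovered device type nobody has written a baseline for.
            findings.append((dev["host"], "baseline", "NO_BASELINE"))
            continue
        for setting, expected in baseline.items():
            # A setting missing from the device counts as a deviation.
            if dev["config"].get(setting) == expected:
                continue
            expiry = exceptions.get((dev["host"], setting))
            # Only an unexpired exception suppresses the remediation ticket.
            active = expiry is not None and expiry >= today
            findings.append(
                (dev["host"], setting, "EXCEPTION" if active else "REMEDIATE"))
    return findings

if __name__ == "__main__":
    for host, setting, status in assess(INVENTORY, BASELINES, EXCEPTIONS,
                                        date.today()):
        print(f"{status:12} {host:8} {setting}")
```

Giving every exception an expiry date means a deviation returns to the remediation queue once its exception lapses.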
Many SCM solutions come with additional features that organizations can use to better protect their networks. Here are a few of which enterprises should remain aware:
- OS and Application Support: If they intend to get the most out of security configuration management, companies must make sure their solution provides support for every operating system and application they use in their environment.
- Policy Flexibility: The best types of SCM solutions offer numerous policies and configurations, thereby allowing organizations to adjust the tool to their own requirements. In that same vein, companies should also have the option of customizing preset policies, defining new policies, and adding new baseline configurations and/or benchmarks.
- Scalability: Organizations should make sure they can customize the frequency, impact, and scope of their security configuration management solution’s scanning protocols. That flexibility should include the ability to strategically distribute scanners around the network so as to not needlessly tax endpoints. It should also come with the ability to manage remote devices, such as by issuing alerts when one such product requires assessment because it has not connected to the network in some time.
- Closure of the Operational Loop: Companies can choose to act manually on their SCM solution’s findings by reporting configuration issues to the help desk. Even so, it’s advantageous for a company if its solution automatically reports those issues and in so doing closes the operational loop. Organizations should also look for functionality that reduces false positives, such as when someone has granted an authorized exception.
To help companies with security configuration management, Tripwire has created the Configuration Compliance Manager. This agentless solution profiles and discovers all assets on the network, assesses and audits the compliance of network infrastructure devices and other key systems, and yields crucial data about what patches are still missing on both IT and OT devices.
In so doing, the solution can reduce organizations’ audit readiness costs by up to 40 percent.