Faster breach detectionToday’s cyber threat landscape is extremely challenging. This is highlighted by the length of time it takes to detect a breach. The gap from a breach to detection is still lingering at 212 days, according to IBM. 212 days is around seven months, and that is a lot of time for your enemies to wreak havoc on your network. So where does an organization start to “keep their enemies closer?” The SANS Institute and the Center for Internet Security recommend that once you inventory your hardware and software, the most important security control is secure configurations. Critical Security Control 4 says, “Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).”
What is Security Configuration Management?The National Institute of Standards and Technology (NIST) defines security configuration management (SCM) as “The management and control of configurations for an information system with the goal of enabling security and managing risk.” Attackers are looking for systems that have default settings that are immediately vulnerable. Once an attacker exploits a system, they start making changes. These two reasons are why security configuration management tools are so important. SCM can not only identify misconfigurations that make your systems vulnerable but can also identify “unusual” changes to critical files or registry keys. With a new zero-day threat revealed almost daily, signature-based defenses are not enough to detect advanced threats. To detect a breach early, organizations need to understand not just what is changing on critical devices but also be able to identify “bad” changes. SCM tools allow organizations to understand exactly what is changing on their key assets. By setting a gold standard configuration for your systems and continuously monitoring for indicators of compromise, organizations can quickly identify a breach. Early detection of a breach will help to mitigate the damage of an attack. Using SCM to enforce a corporate hardening standard like CIS, NIST and ISO 27001 or a compliance standard like PCI, SOX, NERC, or HIPAA provides the ability to continuously harden systems to reduce the attack surface. Hardened systems provide less opportunity for the bad guys to launch a successful attack.
Your Security Configuration Management Plan in ActionWithout a security configuration management plan, the task of maintaining secure configurations even on a single server is daunting; there are well over a thousand of ports, services and configurations to track. If you multiply those same ports, services and configurations across your entire enterprise of servers, hypervisors, cloud assets, routers, switches and firewalls, the only way to track all of those configurations is through automation. A good SCM tool automates those tasks for you and provides deep system visibility at the same time. The moment your system becomes misconfigured, you should be notified and offered detailed remediation instructions in order to bring the misconfiguration back into alignment. There are four key stages to robust SCM:
1. Device discoveryFirst, you’ll need to find the devices that need to be managed. Ideally you can leverage an SCM platform with an integrated asset management repository. You will also want to categorize and “tag” assets to avoid starting unnecessary services. Engineering workstations, for example, require different configurations than finance systems.
2. Establish configuration baselinesYou will need to define acceptable secure configurations for each managed device type. Many organizations start with the benchmarks from trusted establishments like CIS or NIST for granular guidance on how devices should be configured.
3. Assess, alert and report changesOnce devices are discovered and categorized, the next step is to define a frequency for assessments. How often will you run a policy check? Real-time assessments may be available but are not required for all use cases.
4. RemediateOnce a problem is identified, either it needs to be fixed or someone needs to grant an exception. You are likely to have too much work to handle immediately, so prioritization is a key success criterion. You will also need to verify that expected changes actually took place for the audit. Additional considerations you won’t want to overlook when considering your security configuration management plan are:
- Agent-based versus agentless scans: Avoiding blind spots in your IT environment typically involves a sophisticated combination of both agent-based and agentless scanning to make sure your entire environment is always configured properly.
- High-visibility dashboarding: You’ll want user-selectable elements and defaults for technical and non-technical users. You should be able to only show certain elements, policies, and/or alerts to authorized users or groups, with entitlements typically stored in the enterprise directory.
- Policy creation and management: Alerts are driven by the policies you implement in the system, so policy creation and management is also critical to adapt the solution to the unique requirements of your environment.
- Alert management: Time is of the essence during any response, so the ability to provide deeper detail via drill down then provide information to an incident response process is critical. This allows administrators to monitor and manage policy violations which could represent a breach.