In my last post, I talked about how hardening the devices on your network is a sure way to minimize the attack surface of your infrastructure. Organizations like the Center for Internet Security (CIS) provide guidelines on how to best configure operating systems to minimize the attack surface. The CIS calls these "benchmarks."

Many security policies maintain that all deployed systems should be securely configured. Some security policies go further to state that these secure configurations should be continuously monitored and the systems should be maintained such that they stay in a hardened configuration. From a policy perspective, this is a great start. The reality of the matter is that while it is easy to deploy a system securely with something like a CIS hardened image, maintaining that configuration can be a challenge.

As time goes on, application owners need to make modifications to their applications and the underlying infrastructure to continuously improve the product they provide to their customers. These customers can be internal to the company or external. As those modifications and changes happen, the configuration of the applications and infrastructure changes. These changes might be benign, or they might take the systems out of a hardened state. This is known as "configuration drift."

Depending on the severity of the drift, there could be significant risk to the organization. Let us examine a couple of examples of configuration drift to see what the risk would be to the organization.

Example 1: A New Port

Our company has decided to add a great new innovative feature to our application that will enable our customers to use our services in a much more modern manner than our competition. To accomplish this, we need to open a new communication port for our proprietary protocol.
The business team created a change ticket, opened the port on the servers and firewalls, and the application started working flawlessly.

Fast forward six months to the annual security audit, and the auditors ask why this port is present when it is not documented as allowed in the security policy. Is this an acceptable risk to the organization? More often than not, the security team will spend tens of hours trying to trace back what happened in order to answer this question.

In this hypothetical scenario, it is an acceptable risk. The problem here lies in the fact that the auditors were not easily able to determine why the port was open and what the risk and benefit might be. If the security team had been tracking the configuration drift and documenting modifications to the known hardened baseline, it would have been an easy answer.

Example 2: The Elevated Permission

I am an application developer who needs to repeatedly log into a single server. Sometimes I just need to check something quickly, and sometimes I need to make a small change. I can log in to check things using my regular account without any issues, but when I need to make a production change, I need to check out a separate admin credential from the password vault. Needing to check out a credential can get very tedious and time-consuming, especially with all these deadlines we have!

Since I have this admin credential, I can just add the "Users" group to the various user rights categories that I need. It's not a big deal, right? It's only one server. I'm not adding it to the entire domain!

In this hypothetical scenario, a modification such as this, even to a single server, can pose a significant risk to the organization.
The user may have gone through the appropriate change control process for the change the user initially intended to make, but without verification of the exact change the user actually made, the security team would not know about it until this specific server was manually audited.

There are three main ways to keep up with the configuration of a system. Depending on the level of maturity of a particular organization's security program, it may be doing this at one level or another.

The first level would be to manually monitor the configurations of systems (see figure A). This is incredibly time-consuming and therefore is not done on a regular basis, if at all. Systems are either left alone until a compromise is found or until they need to be upgraded. A subset of these systems may get audited due to a compliance requirement. If this is the case, the organization will often try to limit the number of systems within the scope of the audit, so there are fewer systems to look at. An auditor will typically ask for evidence from a subset of the devices within the limited scope to verify their compliance. Only if that subset is found to be non-compliant will there be any corrective action taken by the organization.
Figure A

The second level brings in a solution to scan for compliance (see figure B). While not as tedious as the first level, this still requires a certain amount of interaction: administrative credentials must be created for the tool to scan with, and someone must schedule or run the scans when required and remediate the results. This is typically done once a month or once a quarter to try to get ahead of the audit process.

Again, this is commonly limited to systems within a compliance zone. The systems outside of this compliance zone are often left behind and only checked when they are compromised or need to be upgraded. The CIS Critical Security Control #3 recommends that all systems in the organization be provisioned with secure configurations, and therefore that configuration should be maintained on all systems – on an ongoing basis, even as changes happen.
Figure B

The third, and most mature, level would be to monitor all systems in a near real-time fashion (see figure C). This requires that the systems be provisioned with a light-weight agent that can monitor them without needing credentials to log on and without OS auditing having to be enabled. The agent would need to be deployed to all systems, either by embedding it into the images that are deployed or by ensuring that it is included in the deployment process of an automation tool such as Puppet or Chef.

Once the agents are on and monitoring, as soon as a change is made that takes a system out of compliance, a remediation process can be initiated. For example, this can be done by automatically creating an incident ticket, sending an e-mail, or alerting the Security Operations Center (SOC) via an alert on the organization's Security Incident and Event Management (SIEM) tool.
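The following is an added example, not code from the original post or from Tripwire's products: a minimal baseline-versus-observed drift check that reproduces the two scenarios above (an undocumented listening port, and the "Users" group added to a user right) and produces the findings a remediation process would turn into a ticket or SIEM alert. The baseline, the user-right name, the host names and the observed states are all constructed for the example.

```python
from dataclasses import dataclass

# Approved hardened baseline (constructed for this example): allowed listening TCP
# ports and the principals permitted in one Windows user-rights category.
BASELINE = {
    "listening_ports": {22, 443},
    "user_rights": {"SeRemoteInteractiveLogonRight": {"Administrators", "Remote Desktop Users"}},
}

@dataclass
class Finding:
    host: str
    check: str
    detail: str
    severity: str

def check_drift(host: str, current: dict, baseline: dict = BASELINE) -> list[Finding]:
    """Compare one host's observed state with the baseline and list every deviation."""
    findings = []
    # Example 1 from the post: a port is listening that the baseline does not allow.
    for port in sorted(current.get("listening_ports", set()) - baseline["listening_ports"]):
        findings.append(Finding(host, "listening_ports", f"undocumented port {port}", "medium"))
    # Example 2 from the post: an extra principal (e.g. "Users") granted a user right.
    for right, allowed in baseline["user_rights"].items():
        extra = current.get("user_rights", {}).get(right, set()) - allowed
        for principal in sorted(extra):
            findings.append(Finding(host, right, f"'{principal}' added to {right}", "high"))
    return findings

def noncompliant_pct(results: dict[str, list[Finding]]) -> float:
    """Share of systems whose configuration does not match the approved baseline."""
    return 100.0 * sum(1 for f in results.values() if f) / len(results) if results else 0.0

# Constructed observations from three servers in one business unit (not real hosts).
OBSERVED = {
    "app01": {"listening_ports": {22, 443, 8443},
              "user_rights": {"SeRemoteInteractiveLogonRight": {"Administrators", "Remote Desktop Users"}}},
    "app02": {"listening_ports": {22, 443},
              "user_rights": {"SeRemoteInteractiveLogonRight": {"Administrators", "Remote Desktop Users", "Users"}}},
    "app03": {"listening_ports": {22, 443},
              "user_rights": {"SeRemoteInteractiveLogonRight": {"Administrators", "Remote Desktop Users"}}},
}

def run() -> dict[str, list[Finding]]:
    """Evaluate every observed host; each Finding is what a ticket, e-mail or SIEM alert would carry."""
    return {host: check_drift(host, state) for host, state in OBSERVED.items()}
```

Calling `run()` yields one finding for app01 (port 8443), one for app02ically ("Users" on the logon right) and none for app03, so two of three systems are out of compliance.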
Figure C

To measure the effectiveness of this, CIS recommends tracking the following metrics:

What is the percentage of business systems that are not currently configured with a security configuration that matches the organization's approved configuration standard (by business unit)?

What is the percentage of business systems whose security configuration is not enforced by the organization's technical configuration management applications (by business unit)?

What is the percentage of business systems that are not up to date with the latest available operating system software security patches (by business unit)?

What is the percentage of business systems that are not up to date with the latest available business software application security patches (by business unit)?

What is the percentage of business systems not protected by file integrity assessment software applications (by business unit)?

What is the percentage of unauthorized or undocumented changes with security impact (by business unit)?

Once these metrics are established, using the continuous improvement process, the security and business teams should work together to increase the percentage of systems that are monitored and then remediate the systems where configuration drift occurs. Maintaining minimal drift results in maintaining the secure hardened state of the business systems, which in turn improves the overall risk posture of the organization.

To learn more about how Security Configuration Management will help keep your business secure, click here. Alternatively, you can find out more about Tripwire's SCM solutions here.