Why Security Configuration Management (SCM) Matters
Security configuration management (SCM) is all about making sure your security systems do what you think they’re doing.
In tennis, there is something called an unforced error. This is when a player loses a point through their own mistake, not because of the skill of their opponent. Security misconfigurations are the unforced errors of the security side: instances in which we give attackers a free win. Let’s stop that.
What is Security Configuration Management?
The National Institute of Standards and Technology (NIST) defines security configuration management (SCM) as “The management and control of configurations for an information system with the goal of enabling security and managing risk.”
In other words, it is the practice of keeping your security configurations in top shape, making sure any changes are monitored, ensuring they are still optimized after taking in new services, and generally maintaining them so they remain comprehensive and effective – so they do what they’re intended to do.
The SANS Institute and the Center for Internet Security (CIS) both recommend secure configurations as the most important security control once you have inventoried your hardware and software. Critical Security Control 4 says, “Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).”
SCM Benefits You May (and May Not) Expect
The obvious upside to security configuration management is that you’re not caught unaware when an attacker threads their way through a defense you thought was secure. But there are some other neat benefits as well.
Threat Detection | Attackers are looking for systems that have default settings that are immediately vulnerable. Once an attacker exploits a system, they start making changes. These two reasons are why security configuration management tools are so important.
Compliance | Using SCM to enforce a corporate hardening standard like CIS, NIST, and ISO 27001 or a compliance standard like PCI, SOX, NERC, or HIPAA provides the ability to continuously harden systems to reduce the attack surface. Hardened systems provide less opportunity for the bad guys to launch a successful attack.
Your Security Configuration Management Plan in Action
Without a security configuration management plan, the task of maintaining secure configurations on even a single server is daunting. After all, there are well over a thousand ports, services, and configurations to track. If you multiply those ports, services, and configurations across your entire enterprise of servers, hypervisors, cloud assets, routers, switches, and firewalls, the only way to track them is through automation.
A good SCM tool automates those tasks for you and provides deep system visibility at the same time. When your system becomes misconfigured, you should be notified and offered detailed remediation instructions to bring the misconfiguration back into alignment.
There are four key stages to robust SCM:
1. Device discovery
First, you’ll need to find the devices that need to be managed. Ideally, you can leverage an SCM platform with an integrated asset management repository. You will also want to categorize and “tag” assets to avoid starting unnecessary services. Engineering workstations, for example, require different configurations than finance systems.
2. Establish configuration baselines
You will need to define acceptable secure configurations for each managed device type. Many organizations start with benchmarks from trusted establishments like CIS or NIST for granular guidance on how devices should be configured.
3. Assess, alert, and report changes
Once devices are discovered and categorized, the next step is to define a frequency for assessments. How often will you run a policy check? Real-time assessments may be available but are not required for all use cases.
4. Remediate
Once a problem is identified, it needs to be fixed, or someone needs to grant an exception. You are likely to have too much work to handle immediately, so prioritization is a key criterion for success. You will also need to verify that the expected changes actually took place for the audit.
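The four stages above can be sketched as a small baseline-drift check. This is an added example, not code from the article or from any SCM product; the asset names, tags, setting names, severities and the `assess` / `still_open` helpers are all constructed for illustration.

```python
from typing import NamedTuple

# Stage 2: constructed baselines per asset tag -> {setting: (expected, severity)}.
# Setting names and severities are illustrative, not taken from a CIS/NIST benchmark.
BASELINES = {
    "finance-server": {"ssh_permit_root_login": ("no", 3),
                       "telnet_service": ("disabled", 3),
                       "password_min_length": (14, 2)},
    "eng-workstation": {"ssh_permit_root_login": ("no", 3),
                        "password_min_length": (12, 2)},
}
# Stage 4: approved exceptions, as (asset, setting) pairs someone signed off on.
EXCEPTIONS = {("ws-eng-07", "password_min_length")}
# Stage 1: constructed inventory, asset -> (tag, observed settings).
INVENTORY = {
    "fin-db-01": ("finance-server", {"ssh_permit_root_login": "yes",
                                     "password_min_length": 8}),
    "ws-eng-07": ("eng-workstation", {"ssh_permit_root_login": "no",
                                      "password_min_length": 8}),
}

class Finding(NamedTuple):
    asset: str
    setting: str
    expected: object
    actual: object
    severity: int

def assess(asset, tag, observed):
    """Stage 3: deviations from the tag's baseline, highest severity first."""
    if tag not in BASELINES:
        raise KeyError(f"no baseline for tag {tag!r}; categorize the asset first")
    findings = []
    for setting, (expected, severity) in BASELINES[tag].items():
        actual = observed.get(setting, "<missing>")  # an unset value also deviates
        if actual != expected and (asset, setting) not in EXCEPTIONS:
            findings.append(Finding(asset, setting, expected, actual, severity))
    return sorted(findings, key=lambda f: (-f.severity, f.setting))

def still_open(asset, tag, observed_after, earlier):
    """Stage 4: re-assess after the fix and return earlier findings not yet closed."""
    open_now = {f.setting for f in assess(asset, tag, observed_after)}
    return [f for f in earlier if f.setting in open_now]

if __name__ == "__main__":
    for asset, (tag, observed) in INVENTORY.items():
        for f in assess(asset, tag, observed):
            print(f"[sev {f.severity}] {asset}: {f.setting}={f.actual!r}, want {f.expected!r}")
```

Re-running `still_open` with the post-change settings gives the audit evidence that a remediation actually took effect, rather than relying on the change ticket being closed.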
Additional considerations you won’t want to overlook when considering your security configuration management plan are:
Conclusion
The security configuration management process is complex. But if you’re using the right SCM tool, the bulk of the work will be handled for you through automation. Using a corporate hardening standard and creating the baseline to identify changes to that standard is a great way to stay ahead of attackers and avoid any “unforced errors.” If they’re going to get in, make them work for it – don’t let it be on your account.
This article was written by Jeff Moline and first published: https://www.tripwire.com/state-of-security/why-security-configuration-management-matters