What is SCM? Well, let’s start with what it stands for. Generally, it represents "Security Configuration Management," but it is also referred to as "Secure Configuration Management." Both are equally acceptable and mean the same thing. SCM exists at the point where IT Security and IT Operations meet. It’s a software-based solution that aims to reduce security risk by ensuring systems are properly configured, or hardened, to meet internal standards or regulatory security and compliance requirements. SCM has evolved over the years from a "nice-to-have" to a "must-have" solution. The main components consist of a Console, which is the primary interface; a Database, which is the repository for the data analysed by the SCM solution and which can be housed together with the Console or deployed as a separate component; and Agents on the endpoint, which can monitor the configuration state and the integrity of key files. Any reputable SCM solution should monitor at least five types of endpoints, or 'nodes':
- File Systems, including Windows, Unix or Linux operating systems;
- Databases, including physical and virtual platforms that can monitor changes in the schema as well as content;
- Directory services, or applications such as Lightweight Directory Access Protocol (LDAP), Active Directory, etc;
- Virtual Infrastructures, including components of a virtual environment, such as the VMs, hypervisors, and virtual switches; and
- Network devices, including routers, switches, firewalls and other devices.
File Integrity Monitoring (FIM)
One part of the SCM solution is File Integrity Monitoring (FIM), which is the process of validating the integrity of OS and application software files by comparing the current state of the files with their ‘known-good’ baselines. According to the 2015 Verizon Data Breach Investigation Report (DBIR), in 60 percent of cases, the attackers were able to compromise an organisation within minutes. Verizon also states that one of the primary challenges in the security industry is the growing "detection deficit" between attackers and defenders. Having a good SCM solution in place that includes FIM will help detect deviations from the baseline, that is, help identify abnormalities in the configuration of the system in question. FIM is an important component of SCM. What if a system’s OS or critical configuration has already been weakened, either by accident or maliciously? How would you know? SCM helps prevent attacks by creating a known and trusted state for your endpoints, or ‘nodes.' FIM will automatically detect changes in this state and alert you to a potential threat. When it comes to FIM solutions, there are vendors out there who offer agentless solutions. Whilst these solutions may be good enough for certain compliance requirements, fully agentless solutions lack the depth of agent-based solutions or of hybrid solutions that use both methods. Furthermore, agentless solutions do not operate in real time: the data is only valid as of the last active scan, which is often not performed frequently enough. https://www.youtube.com/watch?v=rLuC5lnpThU&feature=youtu.be
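To make the "compare the current state with a known-good baseline" idea concrete, here is a small added example in Python. It is not code from the article or from any SCM vendor: an agent-style baseline is taken over a directory tree (content hash, size and permission bits per file), the tree is then altered in the ways FIM exists to catch (a weakened setting, a permission change, an unexpected new file and a deleted file), and a second snapshot is diffed against the baseline. The `etc/` tree, its file names and contents are all constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Capture the attributes an agent would baseline for one file:
    a SHA-256 of the contents plus its size and permission bits."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
    }


def take_baseline(root: str) -> dict:
    """Walk a directory tree and record every regular file,
    keyed by its path relative to root (POSIX separators)."""
    root_path = Path(root)
    baseline = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root_path).as_posix()] = file_record(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report deviations from the known-good state: files whose hash or
    attributes changed (with the attributes that differ), files that
    appeared, and files that disappeared."""
    modified = {}
    for rel, before in baseline.items():
        after = current.get(rel)
        if after is not None and after != before:
            modified[rel] = sorted(k for k in before if before[k] != after[k])
    return {
        "modified": modified,
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, simulate the kinds of
    change FIM should flag, and return the comparison result."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root) / "etc"
        etc.mkdir()
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "motd").write_text("Authorised access only.\n")
        os.chmod(etc / "sshd_config", 0o600)

        known_good = take_baseline(root)

        # Deviations after the baseline was taken:
        (etc / "sshd_config").write_text("PermitRootLogin yes\n")  # setting weakened
        os.chmod(etc / "passwd", 0o666)                             # world-writable
        (etc / "unexpected.conf").write_text("x=1\n")               # file appeared
        (etc / "motd").unlink()                                     # file removed

        return compare(known_good, take_baseline(root))


if __name__ == "__main__":
    for category, items in demo().items():
        print(category, items)
```

A real agent would also record ownership, ACLs and, on Windows, alternate data streams and registry values, and would raise an alert through the console rather than printing; the comparison logic, though, is exactly this: every field that differs from the baseline is a deviation to triage. Note that a permission change is reported even though the hash is unchanged, which is why baselining only file hashes is not enough.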
Policy
A SCM policy is a collection of standards to which monitored systems on your organisation's network must conform in order to comply with either internal or external regulations. As such, a good SCM solution will allow you to import a number of policies and create your own based on these policies. Each policy will have the following four components:
- tests that check the state of a specific configuration setting;
- scores, a measurement of the overall conformance of a system or device;
- weights that indicate the relative importance of a test; and
- thresholds that divide the score range, from lowest to highest, into bands and assign each band a colour, so that urgent failures are separated from less urgent ones.
When it comes to achieving regulatory compliance, the SCM solution will need to cater to common regulations, the most popular one being PCI DSS. Founded in 2004 by the PCI Security Standards Council, PCI DSS covers 12 high-level requirements and 221 sub-requirements that are applicable to every major information security domain. When a monitored node can’t meet an SCM policy requirement or is out of scope, the solution should be able to grant a temporary or permanent policy waiver. This helps calculate and report on compliance accurately.
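The four policy components above (tests, weights, scores and thresholds) and the waiver mechanism fit together in a fairly simple calculation, so here is an added example in Python that is not taken from the article or from any vendor's product. The policy tests, their weights, the threshold bands and the two node configurations are constructed purely to illustrate the mechanics; they are not a transcription of PCI DSS or of any real policy. A waived test is excluded from both the earned and the total weight, which is what lets a node that legitimately cannot meet a requirement be reported accurately instead of as a permanent failure.

```python
from dataclasses import dataclass
from typing import Callable, Sequence


@dataclass(frozen=True)
class PolicyTest:
    name: str
    weight: int                    # relative importance of this test
    check: Callable[[dict], bool]  # True when the node's setting conforms


@dataclass(frozen=True)
class Waiver:
    test_name: str
    reason: str                    # recorded for the auditor


# Constructed threshold bands: (minimum score, colour), highest first.
THRESHOLDS = [(90.0, "green"), (70.0, "amber"), (0.0, "red")]

# Constructed policy; weights reflect how badly a failure would hurt.
POLICY = [
    PolicyTest("ssh_root_login_disabled", 5, lambda c: c["permit_root_login"] is False),
    PolicyTest("telnet_disabled", 5, lambda c: "telnet" not in c["services"]),
    PolicyTest("audit_logging_enabled", 4, lambda c: c["auditd"] is True),
    PolicyTest("password_min_length", 3, lambda c: c["password_min_length"] >= 12),
    PolicyTest("ntp_configured", 1, lambda c: c["ntp_server"] is not None),
]

# Constructed node configurations as an agent or scan might report them.
WEB01 = {"name": "web01", "permit_root_login": False, "services": ["https"],
         "auditd": True, "password_min_length": 14, "ntp_server": None}
LEGACY_SW = {"name": "legacy-sw", "permit_root_login": False,
             "services": ["telnet", "snmp"], "auditd": True,
             "password_min_length": 8, "ntp_server": "10.0.0.1"}


def rating(score: float) -> str:
    """Map a score to the colour of the first threshold band it reaches."""
    for minimum, colour in THRESHOLDS:
        if score >= minimum:
            return colour
    return THRESHOLDS[-1][1]


def evaluate(node: dict, policy: Sequence[PolicyTest],
             waivers: Sequence[Waiver] = ()) -> dict:
    """Run every test against the node and produce a weighted score.
    Waived tests are left out of the denominator rather than counted as fails."""
    waived = {w.test_name: w.reason for w in waivers}
    results, earned, total = {}, 0, 0
    for t in policy:
        if t.name in waived:
            results[t.name] = "waived"
            continue
        total += t.weight
        if t.check(node):
            earned += t.weight
            results[t.name] = "pass"
        else:
            results[t.name] = "fail"
    score = round(100.0 * earned / total, 1) if total else 100.0
    return {"node": node["name"], "score": score,
            "rating": rating(score), "results": results}


if __name__ == "__main__":
    print(evaluate(WEB01, POLICY))
    print(evaluate(LEGACY_SW, POLICY))
    # The switch's management plane only speaks telnet; a waiver records
    # that, with its justification, instead of failing the node forever.
    waiver = Waiver("telnet_disabled", "device has no SSH support; isolated mgmt VLAN")
    print(evaluate(LEGACY_SW, POLICY, [waiver]))
```

Running it shows the effect of weights and waivers directly: `web01` fails only the low-weight NTP test and stays green, while `legacy-sw` drops to red on an unwaivable telnet failure but lands in amber once the waiver is granted. In a real product the waiver would carry an expiry date and an approver, and the thresholds and weights would come from the imported policy rather than constants.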
Putting It All Together
I have covered two major components of SCM: FIM and Policy. But there are other features that SCM vendors add to complement their solutions. These include third-party integrations, reconciliation and remediation, and integration with other products within that vendor's portfolio. Before purchasing a solution, though, it’s a good idea to do some research first. The following points should be considered:
- Scope – Ensure you are acquiring from the right systems, including servers, virtual infrastructures and network devices.
- Administration – Identify who would need access to your SCM solution, such as system administrators, auditors, analysts and consumers.
- Hardware – Ensure you gather the system requirements from the SCM vendor. It’s advisable to over-scope the system rather than meet the minimum requirements so that it gives you opportunity to expand on existing infrastructure.
Once you have purchased your SCM solution, it’s time to deploy it. The SCM solution would generally consist of a central console to which data will be sent back and agents that would be deployed on the endpoint. Not all monitored nodes will support agents, such as routers, network switches and firewalls, so you will need to configure your SCM solution to scan these on a periodic basis.

Once you have it installed and deployed to your environment, it’s easy to get carried away and start monitoring everything. At best, this practice adds a lot of unnecessary work to your workload; at worst, it causes you to miss a critical change to a file amidst a slew of false positives. A good SCM solution should provide an ‘out of the box’ recommendation on what files it would consider ‘critical’ to give you a good start. It’s then down to fine-tuning and optimising the reports and dashboards. To aid with identifying potential threats on your endpoint, look for a SCM solution that gives you plenty of options to integrate with third parties, such as threat intelligence sources, automated remediation scripts and ticketing systems.

Finally, it’s down to training the users on how to use the system in order to ensure the benefits of your investment. This is often an afterthought, so consider including it when you budget for a SCM solution. Most vendors offer excellent training.

I hope this article has given you some understanding of what a good SCM product looks like and what to look for. If you're looking to learn more, please attend this webcast on March 16 titled, “Simplifying SCM”. Tripwire Enterprise is Tripwire's award-winning leading Security Configuration Management and Integrity Monitoring solution that helps IT security teams:
- Instantly assess the strength of their system and network configurations
- Harden systems to organisational security policies, standards and guidelines
- Provide on-demand technical and executive-level reports and dashboards
- Communicate the overall security posture in ways the business understands.
I hope you will join us for our webcast on March 16th! Title image courtesy of ShutterStock