Security configuration management (SCM) is all about making sure your security systems do what you think they’re doing.
In tennis, there is something called an unforced error: a player loses a point through a mistake of their own, not because of the opponent's skill. Security misconfigurations are the unforced errors of the security world, instances in which we hand attackers a free win. Let's stop that.
What is Security Configuration Management?
The National Institute of Standards and Technology (NIST) defines security configuration management (SCM) as “The management and control of configurations for an information system with the goal of enabling security and managing risk.”
In other words, it is the practice of keeping your security configurations in top shape, making sure any changes are monitored, ensuring they are still optimized after taking in new services, and generally maintaining them so they remain comprehensive and effective – so they do what they’re intended to do.
The SANS Institute and the Center for Internet Security (CIS) both recommend that once you inventory your hardware and software, the most important security control is secure configurations. Critical Security Control 4 says, “Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).”
SCM Benefits You May (and May Not) Expect
The obvious upside to security configuration management is that you’re not caught unaware when an attacker threads their way through a defense you thought was secure. But there are some other neat benefits as well.
Threat Detection | Attackers are looking for systems that have default settings that are immediately vulnerable. Once an attacker exploits a system, they start making changes. These two reasons are why security configuration management tools are so important.
- SCM can not only identify misconfigurations that make your systems vulnerable but can also identify “unusual” changes to critical files or registry keys. With a new zero-day threat revealed almost daily, signature-based defenses are not enough to detect advanced threats. To detect a breach early, organizations need to understand not just what is changing on critical devices but also be able to identify “bad” changes.
- SCM tools allow organizations to understand exactly what is changing on their key assets. By setting a gold standard configuration for your systems and continuously monitoring for indicators of compromise, organizations can quickly identify a breach. Early detection of a breach will help to mitigate the damage of an attack.
Compliance | Using SCM to enforce a corporate hardening standard like CIS, NIST, and ISO 27001 or a compliance standard like PCI, SOX, NERC, or HIPAA provides the ability to continuously harden systems to reduce the attack surface. Hardened systems provide less opportunity for the bad guys to launch a successful attack.
Your Security Configuration Management Plan in Action
Without a security configuration management plan, the task of maintaining secure configurations on even a single server is daunting. After all, there are well over a thousand ports, services, and configurations to track. If you multiply those ports, services, and configurations across your entire enterprise of servers, hypervisors, cloud assets, routers, switches, and firewalls, the only way to track them is through automation.
A good SCM tool automates those tasks for you and provides deep system visibility at the same time. When your system becomes misconfigured, you should be notified and offered detailed remediation instructions to bring the misconfiguration back into alignment.
There are four key stages to robust SCM:
1. Device discovery
First, you’ll need to find the devices that need to be managed. Ideally, you can leverage an SCM platform with an integrated asset management repository. You will also want to categorize and “tag” assets so that each one receives the baseline appropriate to its role and is not left running services it does not need. Engineering workstations, for example, require different configurations than finance systems.
2. Establish configuration baselines
You will need to define acceptable secure configurations for each managed device type. Many organizations start with benchmarks from trusted establishments like CIS or NIST for granular guidance on how devices should be configured.
3. Assess, alert, and report changes
Once devices are discovered and categorized, the next step is to define a frequency for assessments. How often will you run a policy check? Real-time assessments may be available but are not required for all use cases.
4. Remediate
Once a problem is identified, it needs to be fixed, or someone needs to grant an exception. You are likely to have too much work to handle immediately, so prioritization is a key criterion for success. You will also need to verify that the expected changes actually took place for the audit.
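The four stages above, together with the file-change detection described under Threat Detection, can be reduced to a small drift check. The following is an added example written for this page, not Tripwire code: a baseline for one device type (stage 2), a parser for an observed configuration (stage 3), a comparison that suppresses approved exceptions and orders findings by severity for remediation (stage 4), and a hash comparison of a critical file against its known-good content. The sshd-style directives, the baseline values and the file contents are all constructed for the example.

```python
"""Configuration-drift and file-integrity check illustrating the SCM stages.
All baselines, config text and file contents are constructed for this example.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Stage 2: baseline for one device type. Each expected setting carries a
# severity so findings can be prioritised during remediation (stage 4).
SSH_BASELINE = {
    "PermitRootLogin": ("no", "high"),
    "PasswordAuthentication": ("no", "high"),
    "X11Forwarding": ("no", "low"),
    "MaxAuthTries": ("4", "medium"),
}

# Constructed "current" sshd_config as collected from a managed host (stage 3).
OBSERVED_SSHD_CONFIG = """
# sshd_config (constructed sample)
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding yes
"""

# Constructed known-good content of a critical file and the content read back
# from the host; the baseline stores only the hash of the gold copy.
GOLD_FILE_CONTENT = b"root:x:0:0:root:/root:/bin/bash\n"
CURRENT_FILE_CONTENT = GOLD_FILE_CONTENT + b"newuser:x:1001:1001::/home/newuser:/bin/sh\n"

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: str
    observed: str | None  # None: directive absent, so the daemon default applies
    severity: str


def parse_directives(text: str) -> dict[str, str]:
    """Parse 'Key value' lines, skipping blanks and comments. The first
    occurrence of a key wins, which is how sshd resolves repeated directives."""
    result: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        result.setdefault(key, value.strip())
    return result


def assess(baseline, observed, exceptions=frozenset()) -> list[Finding]:
    """Stage 3: compare observed settings against the baseline. A directive
    missing from the file is still a finding, because the default may be
    insecure. Stage 4: settings with an approved exception are suppressed and
    the rest are returned highest severity first."""
    findings = []
    for key, (expected, severity) in baseline.items():
        actual = observed.get(key)
        if actual != expected and key not in exceptions:
            findings.append(Finding(key, expected, actual, severity))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.setting))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def file_changed(gold_hash: str, current_content: bytes) -> bool:
    """File-integrity check: any deviation from the gold hash is reported for
    triage, whether or not a signature exists for whatever caused it."""
    return sha256_hex(current_content) != gold_hash


def run_assessment(exceptions=frozenset()) -> dict:
    """One assessment cycle over the constructed host data."""
    observed = parse_directives(OBSERVED_SSHD_CONFIG)
    return {
        "drift": assess(SSH_BASELINE, observed, exceptions),
        "critical_file_changed": file_changed(
            sha256_hex(GOLD_FILE_CONTENT), CURRENT_FILE_CONTENT
        ),
    }


if __name__ == "__main__":
    # X11Forwarding has an approved exception on this host; it is not reported.
    report = run_assessment(exceptions={"X11Forwarding"})
    for f in report["drift"]:
        print(f"[{f.severity:6}] {f.setting}: expected {f.expected!r}, observed {f.observed!r}")
    print("critical file changed:", report["critical_file_changed"])
```

Run as written, the report lists the root-login drift first, then the missing MaxAuthTries directive, and flags the critical file as changed. The exception set is the hook for the "someone needs to grant an exception" path in stage 4; re-running the assessment after a fix is the verification step that the expected change actually took place.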
Additional considerations you won’t want to overlook when considering your security configuration management plan are:
- Agent-based versus agentless scans: Avoiding blind spots in your IT environment typically involves a sophisticated combination of both agent-based and agentless scanning to make sure your entire environment is always configured properly.
- High-visibility dashboarding: You’ll want user-selectable elements and defaults for technical and non-technical users. You should be able to show only certain elements, policies, and/or alerts to authorized users or groups, with entitlements typically stored in the enterprise directory.
- Policy creation and management: Alerts are driven by the policies you implement in the system, so policy creation and management are also critical to adapting the solution to the unique requirements of your environment.
- Alert management: Time is of the essence during any response, so the ability to provide deeper detail via drill down and then provide information to an incident response process is critical. This allows administrators to monitor and manage policy violations, which could represent a breach.
Conclusion
The security configuration management process is complex. But if you’re using the right SCM tool, the bulk of the work will be handled for you through automation. Using a corporate hardening standard and creating the baseline to identify changes to that standard is a great way to stay ahead of attackers and avoid any “unforced errors.” If they’re going to get in, make them work for it – don’t let it be on your account.
To learn more about how Tripwire can help you with Security Configuration Management:
- Check out this video: Tripwire for Security Configuration Management
- Download our Security Configuration Management Buyer’s Guide