IT SECURITY & COMPLIANCE AUTOMATION
What Is It?
System Hardening is the act of reducing the attack surface in information systems and minimizing their vulnerabilities in accordance with:
• Recognized Best Practices
• Vendor Hardening Guidelines
• Custom Security Policies
• Industry Standards or Benchmarks
Security Configuration Management is an automated, security-focused set of capabilities that makes system hardening:
• Repeatable and enterprise-scalable
• Continuous, with real-time or periodic capabilities as needed
• Flexible, and aligned with business needs, workflows and exceptions
• Self-correcting and self-remediating
NIST says SCM is:
“The management and control of configurations for an information system with the goal of enabling security and managing risk”
SCM: Tripwire Definition
The ability to create, edit and manage IT security hardening policies in a way that fits real-world business processes and continually balances risk and productivity
Gartner says SCM is the #1 priority in creating a server protection strategy [1]
Securosis says configuration hardening is the 2nd most effective data security control [2]
SANS says SCM is the 3rd most important security control you can implement [3] (Critical Security Controls 3 and 10 both cover secure configurations, for hosts and for network devices respectively)
GCHQ’s New Cyber Security Guidance
GCHQ released new “10 Steps to Cyber Security” in Fall 2012
Focused on executive and board responsibility
Names Secure Configurations as one of the most critical steps to achieving an objective measure of cybersecurity
Configuration Drift Is A Constant Enemy
“Configuration drift is a natural condition in every data center environment due to the sheer number of ongoing hardware and software changes.” – Continuity Software blog
“In less than a week, all the configuration controls, permissions and entitlements that IT spends time testing are useless.” – ITPCG blog
What Can You Do?
Monitor and assess critical configurations in:
• File systems
• Databases like MS-SQL, Oracle, IBM DB2 and Sybase
• Directory services and network devices
When:
• Immediate detection of changes to critical, defense-dependent configurations
• Efficient, change-triggered configuration assessment (re-evaluate policy only when the monitored state actually changes)
• Shorten the window of time a system spends in an at-risk state
Demonstrating Compliance:
• Document any waivers
• Document when tests went from failing to passing
• Alerted to tests going from passing to failing – within minutes, or at least hours
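The change-triggered assessment and pass/fail transition tracking described above, as an added example (this is illustrative code written for this page, not Tripwire product code or policy content). It assumes a hypothetical four-test SSH hardening policy, a constructed pair of sshd_config snapshots, and a single waiver; the monitor hashes the observed content, re-runs the policy only when the hash changes, and logs every test that moves between pass, fail and waived so that regressions can be alerted on and remediations documented:

```python
"""Minimal security configuration management (SCM) loop, added as an example.

Assumptions (not from the original page): the POLICY table, the two
constructed sshd_config snapshots and the waiver are all hypothetical.
"""
import hashlib
import re

# Hardening policy: test id -> (sshd_config keyword, required value).
# Illustrative tests only; a real policy would come from a benchmark.
POLICY = {
    "ssh-no-root-login": ("PermitRootLogin", "no"),
    "ssh-no-password-auth": ("PasswordAuthentication", "no"),
    "ssh-protocol-2": ("Protocol", "2"),
    "ssh-no-x11-forwarding": ("X11Forwarding", "no"),
}

# Constructed sample snapshots of the monitored file, before and after a change.
SNAPSHOT_A = """# constructed sample, not a real host
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
"""
SNAPSHOT_B = """# constructed sample, not a real host
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Parse 'Keyword value' / 'Keyword=value' lines; keywords are case-insensitive.
    As sshd does, the first occurrence of a keyword wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def assess(text, waivers=frozenset()):
    """Evaluate every policy test against one snapshot: pass / fail / waived."""
    settings = parse_sshd_config(text)
    results = {}
    for test_id, (keyword, expected) in POLICY.items():
        if test_id in waivers:
            results[test_id] = "waived"          # documented exception
        elif settings.get(keyword.lower()) == expected:
            results[test_id] = "pass"
        else:
            results[test_id] = "fail"            # missing or wrong value
    return results


class ConfigMonitor:
    """Tracks one monitored file and records every test-state transition."""

    def __init__(self, waivers=()):
        self.waivers = frozenset(waivers)
        self.digest = None      # hash of the last assessed content
        self.results = {}       # last known state per test
        self.events = []        # ordered audit trail of transitions

    def observe(self, text):
        """Call on every read of the file. Returns the transitions this read caused."""
        digest = hashlib.sha256(text.encode()).hexdigest()
        if digest == self.digest:
            return []           # content unchanged: skip the assessment entirely
        new_results = assess(text, self.waivers)
        events = []
        for test_id, state in new_results.items():
            old = self.results.get(test_id)
            if old == state:
                continue
            if old is None:
                kind = "baseline"            # first observation of this test
            elif state == "fail":
                kind = "alert"               # pass/waived -> fail: raise within minutes
            elif state == "pass":
                kind = "remediated"          # fail/waived -> pass: document for audit
            else:
                kind = "waiver-applied"      # moved into a documented exception
            events.append({"test": test_id, "from": old, "to": state,
                           "kind": kind, "digest": digest})
        self.digest, self.results = digest, new_results
        self.events.extend(events)
        return events


if __name__ == "__main__":
    monitor = ConfigMonitor(waivers={"ssh-no-x11-forwarding"})
    for snapshot in (SNAPSHOT_A, SNAPSHOT_A, SNAPSHOT_B):
        for event in monitor.observe(snapshot):
            print(f"{event['kind']:>10}  {event['test']}: {event['from']} -> {event['to']}")
```

Because the second read of SNAPSHOT_A returns no events, the policy is only re-evaluated when the content actually changes; the audit trail then shows the root-login fix as `remediated` and the password-authentication regression as an `alert`, which is exactly the record a compliance reviewer asks for.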
[Chart: SECURITY POLICIES ENFORCED…CONTINUOUSLY – security posture over time, with continuous monitoring holding the system at the secure and compliant state]
Continually assess and remediate insecure configurations, ensuring always-hardened, always-ready information systems and network devices