System drift and how to prevent IT environments from becoming vulnerable.
How best to analyze system drift between your application control policy rules and the applications that run in your environment. Depending on the severity of the drift, there could be a significant risk to the organization. Even more troublesome is the fact that security teams can spend tens of hours trying to trace back what happened. So instead, scan your endpoints and detect the deviations in system settings to identify the non-compliant devices in real-time and remediate to reduce security gaps.
Today’s cyber hygiene requirements have never been more crucial in advancing the process for assessing industry compliance. Configuration drift and lack of visibility into critical security metrics mean CISO’s will push for more advanced security software/tools. In addition, enterprise reporting will continue to replace legacy reporting tools. The end goal, of course, for any contractor is to have the best cyber hygiene practices in place to be awarded a contract.
Continuously maintaining a hardened systems state is challenging because the combination of tools, techniques, and best practices to reduce vulnerability must change rapidly as new threats develop. Security compliance baselines are a moving goalpost with different kinds of threats emerging each time software and hardware is replaced or updated. Threat actors are also more persistent in attacking organizations as cybercriminals actively seek to exploit system weaknesses now more than ever before.
The Center for Internet Security (CIS) provides guidelines on configuring operating systems best to minimize vulnerabilities. Organizations can also use Secure Technical Implementation Guides (STIGs) to set system hardening baselines.
CIS controls were developed to document industry best practices for cyber defense. These controls prioritize system configurations by importance so organizations can create secure implementations. This allows organizations to mature their cybersecurity programs over time while maintaining an optimally efficient configuration along the way.
CIS controls have three stages of implementation for organizations to mature their cybersecurity configurations. Within these implementation groups are additional CIS control categories:
- Basic CIS controls
- Foundational CIS controls
- Organizational CIS controls
Cybersecurity configurations are ideally always aligned to a known and secure baseline state. However, these configurations must be maintained throughout:
- Product improvements,
- Application modifications,
- Infrastructure upgrades,
- Other significant system changes.
Any user within an organization can also contribute to minor changes that deviate away from the secure baseline configuration. Maintaining a secure configuration means knowing immediately about every change, every time.
What is Configuration Drift, and how does it occur?
Configuration drift often occurs in complex environments and makes maintaining secure baseline configurations challenging.
What is system drift?
Configuration drift means undocumented modifications that move system environments away from a hardened state over time. Minor alterations to hardware and software configurations occur naturally in organizations when changes are made but not recorded.
Even hardened systems experience configuration drift due to:
- Manual changes,
- Undocumented updates
- General entropy.
Configuration drift also causes an environment to differ from its backup kept for disaster recovery, which can cause production downtime.
What causes system drift?
Infrastructure changes result in configuration drift across environment servers. Despite close adherence to the best cybersecurity practices, many legitimate and unavoidable business demands cause such configuration gaps to occur.
Critical package updates that have a security vulnerability may be replaced with a different package or version without following standard procedures. Developers manually change configurations to debug their applications but might forget to change the configuration back.
Teams anticipating peak load times may want additional resources or more robust server configurations but don’t document or plan the changes. As a result, configuration drift ends up happening through these kinds of manual, ad-hoc alterations.
What are the best methods to maintain the configuration of a system?
One way to avoid configuration drift is by employing configuration management controls to maintain and enforce asset consistency. Automating configuration management prevents configuration drift because it scans environments then remediates any problems found.
Using Security Technical Implementation Guides (STIGs)
STIG compliance gives organizations a way to ensure secure configurations. More stringent than CIS Controls, STIGs established a more robust secure configuration management strategy. For organizations that don’t need to be STIG compliant by mandate, using STIGs can seem like an unnecessary challenge.
However, even within commercial spaces, STIGs are becoming a best practice. For example, the IRS recently required that a national tax preparation service use STIGs to harden systems to comply with privacy requirements. Meanwhile, the Department of Education required a student loan company to substitute STIGs for CIS benchmarks.
Leverage Automation to Continuously Monitor Configurations
Continuously monitoring configurations gives you visibility into your security posture. However, maintaining security configurations manually becomes cumbersome and time-consuming when considering the number of devices and applications involved within an organization. Continuously monitoring and maintaining these security configurations can be achieved much more manageable through automation. Security Content Automation Protocols (SCAP) validated tools enable
- Continuous monitoring
- Patch management
- Security automation
- Testing and validation
- Vulnerability management
By using a standardized method, SCAP-validated solutions allow organizations to automate security configuration for applications, operating systems, and devices across different technology stacks.
Document activities for consistency and compliance
As part of a strong security and compliance program, you should be documenting processes. All compliance requires documentation proving that an organization follows internally and externally required processes and procedures. Additionally, documentation ensures that you can replicate the practices and processes in place, ensuring continued security even if you have staffing changes.
How can your organization correct the IT process or security process so that an endpoint that has been remediated remains remediated?
Identifying critical system vulnerabilities and mitigating the impact of security flaws helps companies create secure, resilient environments. Risk-based decisions around remediation always occur when an organization installs or upgrades:
- Applications, or
However, system complexity often makes scanning the environment and remediating vulnerabilities time-consuming. Automating remediation mitigates security risks and ensures system stability over time.
Will utilizing dashboards for cyber security reporting be enough to maintain a secured, hardened state and overall risk posture for the organization?
Cybersecurity reporting dashboards can be utilized to update an organization’s Board of Directors on emerging security threats. Additionally, they help show how risks are being mitigated, and vulnerable assets are being protected.
An effective cybersecurity dashboard aggregates important and relevant risk information across the organization and presents only the most critical information. This lets security teams share information with business leaders to make more informed security decisions.
SteelCloud: Dashboarding for visibility into configurations system drift
SteelCloud’s ConfigOS hardens an endpoint’s unique “Application Stack” per the DISA STIG/CIS benchmark policy standards. As a result, ConfigOS reduces the effort to harden an endpoint by 90% and remediate and maintain an endpoint 70%.
ConfigOS generates a small JSON report each time it scans or remediates an endpoint. An enterprise that remediates thousands of endpoints will generate a tremendous number of reports in a short period. Analyzing these reports is essential to detect when one or more endpoints drift. However, interpreting these reports manually is not possible.
ConfigOS DashView automates the analysis of these reports. DashView ingests the JSON reports and immediately identifies endpoints that have drifted. As a result, IT and security teams can investigate and correct the process that caused an endpoint to drift. The result is that endpoints that have been hardened remain hardened. The result is that enterprise infrastructure risk is minimized.
Learn more on how DashView will help simplify and keep your business secure.