Device Hardening & Continuous Compliance Monitoring
NNT Change Tracker™ addresses all your device hardening requirements.
Trusted by hundreds of organizations around the world, NNT Change Tracker™ will automatically audit your entire estate – Servers, Database systems, Firewalls and network devices – against auditor-verified hardening checklists. Within just a few minutes you can have a full assessment of how secure your IT estate is, what needs to be done to address any vulnerabilities and how security can be improved further.
Where NNT Change Tracker™ provides a significant advantage over traditional scanning solutions is that configuration changes are monitored in real-time and on a continuous basis. This means that not only is the initial hardening process greatly simplified, but the on-going maintenance of a hardened build standard is now straightforward too. Scheduled, automated reports as well as real-time alerts will identify any weakening of security, but also show how newly introduced vulnerabilities can be mitigated.
Change Tracker is simple to deploy. Any compliance report run via Change Tracker, even one imported from SCAP or OVAL content, will also generate a non-stop, continuous monitoring template to give real-time protection to all devices, which is much more secure than the monthly snapshot approach provided by a vulnerability scanner.
Better still, Change Tracker provides a further significant advantage over scanning solutions: Systems are also protected with a real-time, host intrusion detection system (HIDS) function, so that even if the worst case scenario arises and your systems are breached, you can take immediate action.
Importance of Configuration Hardening
Using a server, database or network device with default settings in place is an open door to automated computer attack programs. It is vital therefore that a comprehensive security hardening checklist be applied to all devices in your estate.
The good news is that there are numerous reference sources for such checklists – the SANS Institute, NIST, the Center for Internet Security, Microsoft and Oracle all publish hardening best practice checklists, and there are numerous other guides and forums across the internet to help.
The problem is that the checklists are long, complex to understand and time-consuming to implement, even for one server, let alone a whole estate. A typical checklist for an operating system like Windows or Linux will run into hundreds of tests and settings.
Even then, once a hardened build standard has been implemented, it is vital to verify regularly – ideally continuously – that the server, database or device is being maintained in compliance with your hardened build standard if security is to be enforced.
NNT Change Tracker™ combines unique device configuration and vulnerability auditing with ongoing real-time change detection. Any changes that affect the secure and compliant state of IT systems are tracked and alerted immediately. Better still, with NNT Change Tracker™, an intelligent Change Management operation makes it easy to separate planned from unplanned changes to minimize false positives.
NNT Change Tracker™ allows you to define your own Hardened Build Standard for all devices, combining best practice in security configuration with your organization’s specific application and operational requirements.
The solution provides:
- Out of the box PCI DSS, NIST 800-53, ISO 27000, SOX, NERC CIP, HIPAA compliance reports
- SCAP and OVAL support provides access to hundreds of additional compliance checklists such as DISA STIGs, USGCB and FDCC Configuration Baselines
- The ability to create your own hardening template and apply it easily across your estate
- Continuous automated vulnerability auditing
- Easy to read assessment reports, on-demand or as part of a scheduled emailed report
- Compliance score sheet per device or for groups of devices, with drill-down option to see exactly where vulnerabilities exist
- The facility to track any changes to the state of IT systems with planned versus unplanned change reporting
- Compliance reports combined with extended templates to monitor the health, performance, set up, file and registry integrity along with local security policies, installed software and user accounts
- The capability to schedule planned changes with the reassurance of a ‘closed loop change management system’ that reports on ‘what actually changed’ and who made the changes
NNT covers all popular platforms such as:
- Windows, all versions
- Linux, all versions, including Ubuntu, SUSE, CentOS, Red Hat
- Unix, all versions including Solaris, HP-UX, AIX
- VMware, all versions including ESXi
- Database Systems, including Oracle, SQL Server, DB2, PostgreSQL, MySQL
- Network Devices and Appliances, all types and manufacturers, including routers, switches and firewalls, from Cisco, Nortel, Juniper and Check Point
Security Standards and Corporate Governance
All security standards and Corporate Governance Compliance Policies such as PCI DSS, GCSx CoCo, SOX (Sarbanes-Oxley), NERC CIP, HIPAA, HITECH, ISO 27000 and FISMA require Windows and Unix servers, workstations, firewalls, routers and switches to be secure and configured properly in order to protect and secure confidential data. NNT Change Tracker™ ensures that systems remain in a secure state at all times with an evolving baseline linked to each properly executed planned change.
A hardened system is one that is fundamentally secure and rendered hack-proof. Hardening a device requires known security ‘vulnerabilities’ to be eliminated or mitigated. A ‘vulnerability’ is any weakness or flaw in the software design, implementation or administration and configuration of a system, which provides a mechanism for a threat to exploit the weakness of a system or process.
Security best practice (as an example, the PCI DSS) determines that all ‘within scope’ sites are scanned for vulnerabilities every quarter. This gets expensive in a large-scale, multi-site estate, as well as being a time-consuming management overhead. Perhaps the biggest issue is that the results of any scan are only accurate at that point in time – any configuration changes made after the scan could render devices vulnerable and, in a worst-case scenario, devices could be left vulnerable to attack for a 3-month period.
Fortunately the solution is readily available – NNT Change Tracker™ will continuously track configuration changes, which is the only real way to guarantee the security of your IT estate is maintained. At any time you can see the Compliance Score of any server, database or network device and also which settings need to be changed to re-harden the configuration. Any changes made will be reported, including Planned Changes, which are handled using NNT Change Tracker™’s unique ‘Closed Loop Change Management’ process.
The FIM portion of NNT literally saved my company last week. By monitoring the IT estate with NNT, we were able to identify a threat that the Firewall failed to protect against and the AntiVirus software wasn’t able to detect. NNT’s real-time FIM alerted us to the altered system dll files amongst the multitude of file changes taking place, pinpointing the offending Root Kit and enabling us to deal with the malicious malware before it could wreak havoc - I would rate NNT’s contribution to our security initiative as absolutely invaluable!
David McKnight, Data and Network Security Officer, Public Interest Communications Inc.
Device Hardening Articles
- PCI DSS Version 3 and File Integrity Monitoring – New Standard, Same Problems
- Server Hardening Checklist - Which Configuration Hardening Checklist Will Make My Server Most Secure?
- Server Hardening Policy - Examples and Tips
- Cyber Threat Sharing Bill and Cyber Incident Response Scheme – Shouldn’t We Start with System Hardening and FIM?
Device Hardening Press
Read: IT security basics are being overlooked
"Recent breaches have revealed that not only are many security experts guilty of focusing on the bright shiny new products while overlooking the more mundane evolutionary upgrades of traditional defences. Of course, security threats are constantly changing – but is that a reason to ignore the first principles of IT security: assessing vulnerabilities, hardening the infrastructure, and checking for unexpected changes?"