Derive, Report and Track Drift from an Approved System Image Baseline using Change Tracker Gen7

Understanding what the correct baseline configuration is for your IT system components is a keystone of security best practice. Compliance mandates, in particular, NERC CIP, require baselines of installed software, updates, and open ports to be captured and reported against.

Determining the optimum configuration state for an IT device will comprise both its:

Functional Requirements (Which applications does this system support? Which software packages does it need? What does the filesystem structure look like? What are the configuration settings needed for it to deliver its services?)

and its:

Security Posture (What is the hardened build for this system? What are the minimum services, ports, and functions required, and what can we disable as a result? What are the configuration settings needed to mitigate vulnerabilities known to affect this device?)

Change Tracker Gen 7 automates both functions using built-in templates and audit reports, combined with an intelligent discovery process to assign these to devices.

Each device resides within a group and each group has a range of Device Configuration Templates and Scheduled Reports (See previous Top Tip ‘Functional Specific Group – Inherited Monitoring and Reporting Templates’

 

dashboard

 

The Compliance Report conveys one definition of a baseline. We typically use CIS Benchmark reports to assess whether a device is within compliance of their Secure Configuration best practice, so the report itself encapsulates what the ideal configuration looks like from the point of view of security and scores the device against this. In other words, the baseline defined in the Compliance Report is pre-defined and ‘hard wired’ (although any rules and settings within the report can be edited or added to fit your own hardened build standard – talk to [email protected] for guidance)

By contrast, the Device Configuration Template establishes a baseline dynamically by taking a snapshot of the device configuration when enabled. This baseline can comprise any mixture of file attributes/file hash values, Windows registry, and security policy settings, installed software and updates, service and process lists, config file contents, user accounts and open port lists.

For direct host monitoring where an agent is being used, this baseline of initial states is held locally by the NNT Agent and is used to evaluate and report changes as they occur. For agentless monitoring, the baselines are held by the NNT Proxy Agent. In both instances, storing the baseline local to the monitoring agent distributes processing and storage resources and maximizes performance by performing differencing locally. In the case of the direct host monitoring agent, this also allows Live Tracking of changes for real-time detection.

This means that the baseline in this scenario is a point-in-time starting state for a device, with any drift over time recorded step-by-step as a sequence of change events.

 

New Baseline Reports – Centralized collation of Baseline states

 

With Change Tracker Gen7 and the new Gen 7 Agent, a third baseline perspective is now available, providing a hybrid of the two baseline options described previously.

Now any device being monitored can have its current configured state captured and used to dynamically generate a Baseline Report. The Baseline Report is of huge value because:

-          Can be used as a ‘hard copy’ record of a device baseline state

-          Can be used as a ‘Gold Standard’ baseline from which any configuration drift over time for the device can be exposed

-          Can be used to determine configuration differences between a ‘Gold Standard’ device and other similar devices

Any tracker or trackers specified in a Device Configuration Template can be enabled to issue Baseline Events. Just check the ‘Send Baseline Events’ box as below

 

Dashboard

 

Once enabled, this will allow a Baseline Report to be generated for the device for any tracker or mixture of trackers.

dashboard

 

Running a Baseline Report

 

Using Baseline Reports is then a simple case of running the report either Ad Hoc or Scheduled just like any other Compliance Report with results sortable by Pass/Fail as usual.

dashboard

 

And you can use the Compare Results function to see exactly what has changed from one report result to another-

 

dashboard

 

 

 

NNT has a range of training and managed service offerings to help you get the most of your solution.
Call (844) 898-8362 or click here to request more information.

Cloud and Container Security
Contact Us

Corporate Headquarters

Netwrix
6160 Warren Parkway, Suite 100
Frisco, Texas, 75034

Phone 1: 1-949-407-5125

Phone 2: 888-638-9749 (toll-free)


[email protected]
 

United Kingdom

Netwrix
5 New Street Square
London EC4A 3TW

Phone: +44 (0) 203 588 3023


 [email protected]
Information
SC Magazine Cybersecurity 500 CSGEA Winners 2021 CIS benchmarking SEWP Now Certified IBM Security
Copyright 2024, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.