Any user action, however big or small, that causes a configuration to deviate from one considered necessary or secure can have severe and detrimental consequences for an organization. Systems that have fallen victim to configuration drift in an environment where it has gone unnoticed and unrectified are particularly vulnerable: vulnerable to system outages, to application issues caused by misconfiguration, and to both insider and outsider attacks.
It’s a Friday evening, and a system engineer is about to leave the office for the weekend when one of his colleagues notifies him that there is an issue with one of the organization’s key applications. He can’t afford to leave it until Monday, so he is keen to get it sorted as quickly as possible. He frantically begins to change the application’s configuration in an attempt to restore its normal functionality. At this point he makes the vital mistake of not recording what changes he has made, and after finding the root cause he blindly reverts the settings he ‘thinks’ were changed while carrying out his troubleshooting. Unfortunately for him, he has forgotten to revert a piece of configuration that was originally put in place to take care of a well-known vulnerability, and has therefore left the application wide open to anyone looking to exploit it. With no monitoring in place to pick up on this change, it could go undetected until it’s too late.
To ensure that configuration drift within an environment is kept to a minimum or prevented altogether, there are a number of key areas that organizations need to pay close attention to and processes that they must put in place.
Different security frameworks often state that an organization needs to ensure its systems are securely configured both when they are deployed and thereafter, either by manually auditing systems or by using some form of monitoring tool to ensure that configuration does not drift. Using guidance from industry leaders like the Center for Internet Security (CIS) and NNT, you can quickly establish a ‘Gold Standard’ image/baseline that you can apply to your systems and then monitor them for configuration drift with ease.
The CIS’s mission is to ‘make the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats’. They do this by providing guidelines/benchmarks on how to configure a system to ensure that it’s not left exposed to well-known vulnerabilities.
As a CIS Certified Vendor, NNT can ingest the benchmarks that CIS provides, which allows our customers to evaluate their systems against the CIS recommendations. Once a suitable build image or ‘Gold Standard’ has been established, an organization can then monitor its systems for changes in configuration on either an ad-hoc or a scheduled basis. You can access these benchmarks by visiting our CIS Benchmark library.
Apply – a ‘Gold Standard’ image to your systems.
Notify – a user when drift is identified.
Rectify – the issue by re-instating the settings that were changed.
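The Apply / Notify / Rectify cycle above, as an added example that is not NNT’s or CIS’s own code: a key/value configuration (a constructed sshd_config-style sample) is evaluated against a ‘Gold Standard’ of required settings, each deviation is reported, and a rectified configuration is produced with the required values re-instated. The gold-standard values are constructed for illustration and are not taken from any CIS Benchmark.

```python
"""Added example (not NNT's or CIS's code): evaluate a 'Key value' style
configuration against a constructed 'Gold Standard', report drift, and
produce a rectified configuration.  All values below are constructed."""
from __future__ import annotations

# Constructed gold standard: setting -> required value (illustrative only)
GOLD_STANDARD = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "4",
    "X11Forwarding": "no",
}

# Constructed sample of a config file that has drifted from the gold standard
DRIFTED_CONFIG = """\
# sample sshd_config (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 10
# X11Forwarding is not set at all: a missing hardening line
"""


def parse_config(text: str) -> dict[str, str]:
    """Parse 'Key value' lines, ignoring comments and blanks; last value wins."""
    settings: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def find_drift(settings: dict[str, str], gold: dict[str, str] = GOLD_STANDARD) -> list[dict]:
    """The 'Notify' step: list every gold-standard setting that is absent or differs."""
    findings = []
    for key, required in gold.items():
        observed = settings.get(key)  # None means the setting is absent
        if observed != required:
            findings.append({"setting": key, "required": required, "observed": observed})
    return findings


def rectify(text: str, gold: dict[str, str] = GOLD_STANDARD) -> str:
    """The 'Rectify' step: rewrite drifted lines in place and append missing ones."""
    out, seen = [], set()
    for line in text.splitlines():
        stripped = line.strip()
        key = None
        if stripped and not stripped.startswith("#"):
            key = stripped.split(None, 1)[0]
        if key in gold:
            out.append(f"{key} {gold[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key, value in gold.items():
        if key not in seen:
            out.append(f"{key} {value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in find_drift(parse_config(DRIFTED_CONFIG)):
        print(f"DRIFT: {f['setting']} is {f['observed']!r}, required {f['required']!r}")
    print(rectify(DRIFTED_CONFIG))
```

Running the block reports three deviations (a changed value, a weakened numeric limit and an entirely missing line) and prints a configuration that evaluates clean against the same gold standard; the missing-line case is the one the Friday-evening story above turns on.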
Different security standards suggest that organizations should run scheduled checks against their systems, with time-frames ranging from once a week to once a quarter, but is that really enough? Here at NNT, we don’t think so. We believe that leaving large periods of time between scans allows configuration drift to go unnoticed, while giving a user the opportunity to exploit any vulnerabilities that appear as a result of the drift. Having some form of tool constantly monitoring the key areas of your systems or applications is imperative to keeping on top of the issue at hand, and using a piece of software like NNT Change Tracker Gen7 R2 will enable you to do just that.
By deploying our lightweight agents onto your systems, you can control which areas of the system you want to monitor and rest easy knowing that whenever a change is made to the system, we’ll be there to report it. Because our agents automatically update their baselines whenever a change is made, we are always working with the most up-to-date information. While doing this, our agents also generate both current and historical baseline events that together build a change ‘timeline’, i.e. what changed, when it changed and who changed it. All of this is fully automated and can prove extremely helpful if issues occur further down the line and root cause analysis needs to take place.
Historical Baseline – established once a monitoring template is applied to a system.
Change – is detected when a user alters a file or specific area of a system.
Current Baseline – written to the agent’s baseline so it knows what to monitor moving forward.
As we mentioned at the beginning of this blog, configuration drift occurs when unrecorded or unplanned changes are made, so while it’s important to establish a baseline and monitor it for change, it’s also just as important to know whether or not the change was meant to happen to begin with. The easiest way to do this is to ensure that some level of change management is in place. This means that all necessary testing has taken place before changes are pushed out to production systems, helping ensure that changes are not going to invoke unwanted side effects or new issues. It also allows for an organization to specify what changes should be happening, during what time and on what systems. Anything that falls outside of that allotted window can then be identified as an unplanned change and potential configuration drift.
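The baseline / change / current-baseline timeline and the change-management correlation described in the preceding paragraphs, as an added example that is not NNT’s own code: a historical baseline of content hashes is taken when monitoring starts, each detected change is written to a timeline event (what, when, who), the event is marked planned only if it falls inside an approved change window for that path and actor (a stand-in for an ITSM ticket), and the baseline is then rolled forward so the next comparison uses current state. The file contents, paths, ticket number and window are all constructed.

```python
"""Added example (not NNT's own code): minimal baseline monitoring with a
change timeline and planned/unplanned classification against an approved
change window.  All paths, contents, tickets and times are constructed."""
from __future__ import annotations
import hashlib
from datetime import datetime, timezone


def fingerprint(content: bytes) -> str:
    """Content hash used to detect that a monitored item changed."""
    return hashlib.sha256(content).hexdigest()


def build_baseline(items: dict[str, bytes]) -> dict[str, str]:
    """Historical baseline: path -> hash, taken when the monitoring template is applied."""
    return {path: fingerprint(data) for path, data in items.items()}


class ChangeWindow:
    """Approved change (stand-in for an ITSM ticket): who may change which paths, and when."""

    def __init__(self, ticket: str, start: datetime, end: datetime, paths: set[str], actor: str):
        self.ticket, self.start, self.end, self.paths, self.actor = ticket, start, end, paths, actor

    def covers(self, path: str, when: datetime, actor: str) -> bool:
        return path in self.paths and actor == self.actor and self.start <= when <= self.end


def detect_changes(baseline: dict[str, str], current_items: dict[str, bytes],
                   observed_at: datetime, actor: str, windows: list[ChangeWindow]):
    """Compare current state to the baseline, emit timeline events, and return
    (events, current_baseline) so the caller can roll the baseline forward."""
    events = []
    new_baseline = dict(baseline)
    current = build_baseline(current_items)
    for path in sorted(set(baseline) | set(current)):
        before, after = baseline.get(path), current.get(path)
        if before == after:
            continue
        kind = "added" if before is None else "removed" if after is None else "modified"
        ticket = next((w.ticket for w in windows if w.covers(path, observed_at, actor)), None)
        events.append({
            "path": path, "change": kind, "when": observed_at.isoformat(), "who": actor,
            "planned": ticket is not None, "ticket": ticket, "before": before, "after": after,
        })
        if after is None:
            new_baseline.pop(path, None)   # item disappeared; stop tracking it
        else:
            new_baseline[path] = after     # current baseline now reflects the change
    return events, new_baseline


# Constructed monitored items at template time and after a Friday-evening edit
INITIAL = {
    "/etc/app/app.conf": b"workers=4\nhardening=on\n",
    "/etc/app/auth.conf": b"mfa=required\n",
}
LATER = {
    "/etc/app/app.conf": b"workers=8\nhardening=on\n",   # tuning covered by a ticket
    "/etc/app/auth.conf": b"mfa=optional\n",              # nobody approved this one
}
UTC = timezone.utc
WINDOWS = [ChangeWindow("CHG-0001",  # constructed ticket id
                        datetime(2024, 1, 5, 18, 0, tzinfo=UTC),
                        datetime(2024, 1, 5, 20, 0, tzinfo=UTC),
                        {"/etc/app/app.conf"}, "engineer1")]


def run_demo():
    """Take the historical baseline, observe the later state, return (events, current baseline)."""
    historical = build_baseline(INITIAL)
    observed = datetime(2024, 1, 5, 19, 0, tzinfo=UTC)
    return detect_changes(historical, LATER, observed, "engineer1", WINDOWS)


if __name__ == "__main__":
    events, current = run_demo()
    for e in events:
        status = f"planned ({e['ticket']})" if e["planned"] else "UNPLANNED: possible drift"
        print(f"{e['when']} {e['who']} {e['change']} {e['path']}: {status}")
```

The demo produces two timeline events: the app.conf change is matched to the approved window and reported as planned, while the auth.conf change by the same engineer at the same time falls outside any approved ticket and is flagged as unplanned, which is exactly the kind of event the change-management process is meant to surface. Re-running the comparison against the rolled-forward baseline yields no events until something changes again.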
With NNT Change Tracker, you can connect the application to your existing IT Service Management (ITSM) tools. This lets you correlate changes within your environment with an approved ticket or a set of intelligent change rules, which in turn helps to prevent and protect against all forms of breach and gives you full control of changes for security and compliance. Learn more about our integration capabilities by visiting our ITSM Integrations webpage.