Security intelligence through configuration auditing
Posted on 08 August 2013.
Modern systems carry a multitude of configuration elements that, ideally, meet the IT and business requirements of the organization. The danger posed by poorly configured systems is real, especially as their complexity keeps growing.

Managing a large number of servers without a configuration auditing solution becomes nearly impossible. Imagine having to deal manually, one at a time, with every application and database on your network. And that's just the tip of the iceberg.

"Unauthorized change that has not been identified at the right time and addressed properly leads to a situation where someone on your network gains access to sensitive data. In a worst-case scenario, this would lead to a security breach, when the data is stolen or disclosed," according to Michael Fimin, CEO at Netwrix.

There are many types of threats and attacks, and configuration hardening makes a variety of exploits harder to carry out.

Ron Gula, CEO and CTO at Tenable Network Security comments: "The ultimate form of configuration management is patching and controlling the software that is installed. For remote exploits, a good configuration policy will not have external services running that aren't being managed or aren't authorized. For running services, a good configuration policy should limit exposure to the system if they were compromised. For client side exploits, good configuration management can not only limit the chance of a user having the exploit, but hardening the system can prevent exploits altogether."

Different security standards and regulations mandate different auditing best practices and requirements. For example, HIPAA compliance (for healthcare organizations in the US) is all about safeguarding protected health information (PHI). That means everything related to patient records has to be audited (file servers, Active Directory, e-mail, databases etc.), and this includes access, logins, changes, configuration state etc.

The more you audit, the better you are covered in case of a security breach or an audit. Of course, the amount of storage grows proportionally, and you have to balance it against your needs. Generally you should have at least one year of audit data available. Some regulations, like SOX and HIPAA, require up to seven years of audit data availability. Your auditor may have different requirements.

The most important benefits that a proper configuration auditing solution provides are transparency and intelligence. Imagine yourself being a banker. A good banker would want the internal processes of a bank to be as transparent as possible so that he could know exactly who sent the money to whom, who has access to sensitive information about his clients and so forth.

The same concept applies to the IT infrastructure. IT managers have a need to know ‘who has access to what?’ and ‘who did what, when and why?’. Configuration auditing software is there to help IT managers deliver transparency and control over the critical processes in the infrastructure with just a few clicks of a mouse.

A proper configuration auditing solution has to have a variety of features. Fimin offers a list of five that are essential:

1. Functionality

A quality configuration auditing solution should provide all the functions needed for proactive systems auditing: real-time alerts, scheduled report delivery, the ability to remediate changes instantly, the ability to see the current and past configuration for every change, and long-term data storage.

2. Simplicity

The setup and initial configuration of the solution should be simple, quick and intuitive. Running the software should in no way affect any business process of the organization.

3. Efficiency

A good configuration auditing solution should support the most complete set of audited systems and applications and provide the same high-level auditing mechanism for each of them. Ideally the solution will not only audit the systems that produce logs, but also cover those whose logs don't provide enough insight into what was done, by drawing on other sources (including recorded Citrix or RDP sessions of user activity).

4. Scalability

The solution should fit the scale of your business and be flexible enough to deal with increasing complexity as your company grows.

5. Support and Maintenance quality

This is not a feature, but rather an aspect that is definitely worth considering. The ability to respond quickly to the customer's needs and to address any questions the end user might have is sometimes even more important than fancy functionality. The location and availability of the support team are also important. For example, if you are an American company, US-based support would be the best option.
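The two checks the article keeps returning to, Gula's "no unauthorized external services" policy and Fimin's "see the current and past configuration for every change", can be modelled as a small drift audit. The block below is an added example, not code from the article, Netwrix or Tenable; the host name, setting keys and service list are constructed sample data, and a real deployment would collect them from the audited hosts.

```python
"""Minimal configuration-drift audit (added example, not from the article or any vendor)."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Change:
    """One audited configuration change: what it was, what it became, and when we saw it."""
    host: str
    item: str
    before: object
    after: object
    observed_at: str  # ISO-8601 UTC timestamp of the audit run


def diff_config(host, baseline, current, now=None):
    """Return a Change record for every key that was added, removed or altered
    relative to the approved baseline. Missing keys appear as None."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    changes = []
    for key in sorted(set(baseline) | set(current)):
        if baseline.get(key) != current.get(key):
            changes.append(Change(host, key, baseline.get(key), current.get(key), ts))
    return changes


def unauthorized_services(listening, authorized):
    """Services exposed on the host that the configuration policy does not allow."""
    return sorted(set(listening) - set(authorized))


# Constructed sample data for a hypothetical host "web01".
BASELINE = {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no",
            "audit.retention_days": 365}
CURRENT = {"sshd.PermitRootLogin": "yes", "sshd.PasswordAuthentication": "no",
           "audit.retention_days": 365, "telnet.enabled": True}
LISTENING = ["sshd:22", "telnetd:23", "httpd:443"]
AUTHORIZED = ["sshd:22", "httpd:443"]

if __name__ == "__main__":
    # Each record is what a real-time alert or a scheduled report would carry.
    for c in diff_config("web01", BASELINE, CURRENT):
        print(f"[{c.observed_at}] {c.host} {c.item}: {c.before!r} -> {c.after!r}")
    for svc in unauthorized_services(LISTENING, AUTHORIZED):
        print(f"ALERT {svc} is listening but is not authorized by policy")
```

Storing the Change records rather than only the current snapshot is what makes the retention requirements discussed earlier (one year minimum, up to seven for SOX and HIPAA) meaningful: the history is the audit trail.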
