The Path to Effective Vulnerability Mgmt: Secure Configuration

Process Overview – Secure Configuration Management (SCM) 

Once all assets are identified, cyber teams must focus on managing the secure configuration of those devices. Some organizations, such as the NSA, treat patch management and SCM as the same process. I believe they are two separate, interconnected processes that together protect an organization. SCM is the process of ensuring devices are set up and configured in a manner that protects them. For example, when you decide to turn off a communication protocol such as SMBv1/2 (Server Message Block), you are performing SCM. I am not saying the two activities are unconnected, but I do believe that keeping the processes separate is critical to being effective.

For the purposes of this article, SCM will focus on the process of configuring systems and software to reduce risk. While this might sound like a daunting task, Microsoft research shows that roughly 80% of a published security baseline (e.g. the CIS Benchmarks) aligns with a typical organization's requirements; the other 20% are unique requirements driven by functional or sectoral needs.

Why do IT organizations struggle with Secure Configuration Management? 

Our clients typically struggle with secure configuration due to a lack of knowledge and skill sets, and/or the overall level of effort required to transition systems to a hardened state. As configuration debt builds up over time, the effort to correct it becomes increasingly difficult. IT is also dynamic in nature: most organizations transitioning to a secure state fail to build new systems to the desired secure state, which starts a never-ending catch-up effort. On a positive note, organizations born in the cloud or migrating to the cloud are using the move as an opportunity to adopt secure configurations in parallel.

What are the risks of not having or having an ineffective secure configuration management program? 

Lacking a secure configuration program, or having an ineffective one, drastically increases an organization's risk of suffering a successful attack. Organizations without a program typically have the following gaps: large numbers of open ports, unused and/or outdated software, default passwords, insecure communication protocols, inadequate audit logs, and a lack of regulatory compliance. These gaps increase the opportunities for lower-skilled cyber criminals, and when an attack does occur, the ability to understand and manage the threat is limited.

Who is responsible for the secure configuration program? 

If you have read parts 1 and 2 of this series, you will have noticed a common theme: to successfully secure an organization, there must be close collaboration between IT (Infrastructure, Development, Help Desk, etc.) and the Cybersecurity teams. Secure configuration management is a joint effort across these teams, with the following responsibilities:

  • Cybersecurity teams are responsible for reviewing the organization's cyber risks and compliance needs. Based on this analysis, the team develops internal benchmarks or standards to ensure risk is mitigated. After the IT teams implement them, Cybersecurity monitors for deviations and tracks exceptions to the internal standards as needed.
  • IT Support teams are responsible for implementing the standards developed by security and ensuring ongoing compliance. If business enablement would be impacted, IT Operations works with Cybersecurity to identify mitigating controls or to track an exception to the standard.
  • The Change Advisory Board is responsible for approving changes to the baseline, understanding the risk, and determining the impact changes will have on business enablement.
  • Executive Leadership is responsible for understanding business risk and establishing the organization's risk tolerance. The collective team is responsible for collaborating on risk recommendations for executive leadership, enabling them to make sound decisions that balance risk against business enablement. When the risk is too great, the organization must determine how to eliminate it through a new system, a new architecture, or segmentation that limits overall exposure.

What does an effective secure configuration program look like? 

  • People – In most organizations, the Cybersecurity team is responsible for setting standards and holding teams accountable. This is typically not a full-time role, especially in the mid-market, but it must be staffed at least part-time if it is to protect the organization. In enterprises, the responsibility for designing and monitoring configurations is usually placed on the Threat & Vulnerability Management team.
  • Technology – Three main types of tools are used to monitor and control secure configurations. For monitoring, most organizations use a vulnerability scanner to check compliance with standards; these tools can import a benchmark (e.g. the CIS Benchmarks), let you tailor it to your needs, and then monitor against it. To manage configurations, organizations mainly use Active Directory Group Policy, Microsoft Intune, or File Integrity Monitoring (FIM) to ensure devices meet the required standard. Group Policy and Intune push and re-apply the baseline; FIM does not enforce anything but detects drift from it. Together these solutions manage device baselines and detect unauthorized changes to systems.
  • Process – The main processes an organization needs in place to succeed with secure configuration management are System Build & Monitoring Management, Change Management, and Exception Management. Together they let leaders understand risk and decide next steps based on data or the internal team's knowledge.
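As an added example (not code from the article), the following Python script shows the monitoring and exception-management loop described above in working form: a hypothetical internal baseline is compared against constructed scan results for two hosts, and every deviation is classified as noncompliant, covered by an active exception, or covered by an exception that has lapsed. The control names, hostnames, exception register and reference date are all invented for illustration and are not a real benchmark or real scan data.

```python
# Added example: baseline compliance check with tracked exceptions.
# Assumptions (invented for illustration): a baseline maps control id -> Rule,
# a scanner returns {control id: observed value} per host, and approved
# exceptions are recorded per (host, control) with an expiry date.
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Any, Dict, List

@dataclass(frozen=True)
class Rule:
    op: str     # "eq": actual must equal value; "ge": actual must be >= value
    value: Any

    def satisfied_by(self, actual: Any) -> bool:
        if self.op == "eq":
            return actual == self.value
        if self.op == "ge":
            return isinstance(actual, (int, float)) and actual >= self.value
        raise ValueError(f"unknown op {self.op!r}")

# Hypothetical internal server baseline. Control names are illustrative,
# styled after benchmark settings; this is not an actual CIS Benchmark.
SERVER_BASELINE: Dict[str, Rule] = {
    "smb1_enabled": Rule("eq", False),
    "password_min_length": Rule("ge", 14),
    "audit_logon_events": Rule("eq", "success_and_failure"),
    "telnet_service": Rule("eq", "disabled"),
    "remote_registry_service": Rule("eq", "disabled"),
}

@dataclass(frozen=True)
class ApprovedException:
    host: str
    control: str
    reason: str
    expires: date

@dataclass
class Finding:
    host: str
    control: str
    expected: Rule
    actual: Any
    status: str  # compliant | noncompliant | excepted | exception_expired | not_assessed

def evaluate_host(host, observed, baseline, exceptions, today) -> List[Finding]:
    """Classify each baseline control for one host.

    A control the scanner did not return is reported as not_assessed, never
    silently counted as compliant. A failing control is 'excepted' only while
    its approved exception is in date; a lapsed exception is surfaced on its own.
    """
    by_key = {(e.host, e.control): e for e in exceptions}
    findings = []
    for control, rule in baseline.items():
        if control not in observed:
            findings.append(Finding(host, control, rule, None, "not_assessed"))
            continue
        actual = observed[control]
        if rule.satisfied_by(actual):
            status = "compliant"
        elif (host, control) not in by_key:
            status = "noncompliant"
        elif by_key[(host, control)].expires >= today:
            status = "excepted"
        else:
            status = "exception_expired"
        findings.append(Finding(host, control, rule, actual, status))
    return findings

def summarize(findings) -> Dict[str, int]:
    return dict(Counter(f.status for f in findings))

# Constructed scan results for two hosts (not real data).
SCAN_RESULTS = {
    "app-srv-01": {"smb1_enabled": False, "password_min_length": 16,
                   "audit_logon_events": "success_and_failure",
                   "telnet_service": "disabled", "remote_registry_service": "running"},
    # legacy-erp-01: remote_registry_service was not returned by the scanner
    "legacy-erp-01": {"smb1_enabled": True, "password_min_length": 8,
                      "audit_logon_events": "none", "telnet_service": "disabled"},
}

# Constructed exception register: one active, one lapsed.
EXCEPTIONS = [
    ApprovedException("legacy-erp-01", "smb1_enabled",
                      "ERP file share needs SMBv1 until migration", date(2025, 12, 31)),
    ApprovedException("legacy-erp-01", "password_min_length",
                      "vendor application limits password length", date(2023, 6, 30)),
]

def run_report(today: date = date(2025, 3, 1)) -> Dict[str, List[Finding]]:
    """Evaluate every scanned host; the fixed date keeps the example reproducible."""
    return {h: evaluate_host(h, obs, SERVER_BASELINE, EXCEPTIONS, today)
            for h, obs in SCAN_RESULTS.items()}

if __name__ == "__main__":
    for host, findings in run_report().items():
        print(host, summarize(findings))
        for f in findings:
            print(f"  {f.status:<17} {f.control}: observed {f.actual!r}")
```

Two design choices matter in practice: a control the scanner cannot read is reported as not_assessed rather than quietly counted as compliant, and an exception past its expiry date is reported separately from an active one, so the exception register cannot silently turn into a permanent waiver.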

How should organizations start to implement a secure configuration management program?

  • Network Infrastructure – Focusing first on network infrastructure (firewalls, routers, switches, load balancers, etc.) provides value in protecting applications, but these devices typically carry a large amount of technical debt. Outside of banking and financial services, most operations teams focus on creating rules for application access but never go back and clean up legacy rules. Once that clean-up is complete, organizations can implement a baseline across the devices and begin monitoring it.
  • Workstations – Developing a secure image for non-technical staff is the easiest area to address. These users have no need to alter configurations, and most can do their jobs with a simple, locked-down configuration. The hardest part of moving to a secure configuration is communication and getting buy-in from other leaders.
  • Servers – The final and hardest area is the servers that support applications. In older organizations with a large amount of technical debt, teams will struggle to get buy-in from IT leaders, driven by a fear of operational downtime. In organizations that follow agile methodologies, moving to a secure state should be easier, because the ability to recover is much faster. For servers, start with controls known to have minimal to no impact; this builds trust across the organization and speeds up completion.

In Summary 

  • Organizations must focus on developing secure configurations to reduce the impact of breaches and increase the ability to identify an attack.  
  • Teams need to work together to define a secure baseline that balances business enablement, speed of change, and overall security.  
  • Integrating technologies and processes will drastically improve the effectiveness of SCM.  
  • When starting a program, organizations should focus on network infrastructure first, then workstations, and finally the servers that support applications.

Key Questions Leaders Should Ask: 

  • Does my organization have a golden/secure image? 
  • Can my Security Operations Center (SOC) identify configuration changes? 
  • Does my organization have security involved in change control? 
  • How does my organization track exceptions?
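Added example (not from the article): a minimal file-integrity check of the kind the Technology section calls FIM, and a concrete answer to "Can my SOC identify configuration changes?". It snapshots a golden tree, re-snapshots after changes, and labels each deviation authorized or unauthorized by correlating it with approved change windows exported from change management. The directory layout, file contents, change window and observation time are all constructed inside a temporary directory for illustration.

```python
# Added example: file-integrity baseline with change-window correlation.
# Assumptions (invented for illustration): the golden image is represented by
# {relative path: sha256}, change management exports approved change windows
# per path, and a deviation outside any window is flagged for the SOC.
import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: str) -> Dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result

@dataclass(frozen=True)
class ApprovedChange:
    path: str
    start: datetime
    end: datetime

def diff_against_baseline(baseline: Dict[str, str], current: Dict[str, str],
                          approved: List[ApprovedChange],
                          observed_at: datetime) -> List[Tuple[str, str, str]]:
    """Return (path, kind, disposition) for each file that differs from the baseline.

    kind is added/modified/removed; disposition is 'authorized' when an approved
    change window for that exact path covers observed_at, else 'unauthorized'.
    Removed files are reported too: a deleted sudoers or audit rule is drift.
    """
    deviations = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            kind = "removed"
        elif path not in baseline:
            kind = "added"
        elif baseline[path] != current[path]:
            kind = "modified"
        else:
            continue
        in_window = any(c.path == path and c.start <= observed_at <= c.end for c in approved)
        deviations.append((path, kind, "authorized" if in_window else "unauthorized"))
    return deviations

def write_tree(root: str, files: Dict[str, bytes]) -> None:
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)

def demo() -> List[Tuple[str, str, str]]:
    """Build a constructed golden tree in a temp dir, mutate it, and diff."""
    observed_at = datetime(2025, 3, 1, 14, 0)
    approved = [ApprovedChange("etc/ssh/sshd_config",
                               datetime(2025, 3, 1, 13, 0), datetime(2025, 3, 1, 15, 0))]
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, {
            "etc/ssh/sshd_config": b"PermitRootLogin no\n",
            "etc/sudoers.d/admins": b"%admins ALL=(ALL) ALL\n",
            "etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
        })
        golden = snapshot(root)
        # Simulated drift: one approved edit, one unapproved cron job, one deletion.
        write_tree(root, {
            "etc/ssh/sshd_config": b"PermitRootLogin no\nMaxAuthTries 3\n",
            "etc/cron.d/miner": b"* * * * * root /tmp/.x\n",
        })
        os.remove(os.path.join(root, "etc", "sudoers.d", "admins"))
        current = snapshot(root)
    return diff_against_baseline(golden, current, approved, observed_at)

if __name__ == "__main__":
    for path, kind, disposition in demo():
        print(f"{disposition:<12} {kind:<9} {path}")
```

The change-window correlation is deliberately per path: an approved window for sshd_config does not authorize a new cron job on the same host. Note also that "authorized" only means the change was expected; whether the new content still meets the baseline is a separate compliance check, which is why FIM complements rather than replaces benchmark scanning.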

More articles by Chad H.
