System Hardening … Made Easy: Security Configuration Management
Michael Betti, Sr. SE, Tripwire


Post on 15-Dec-2015


IT SECURITY & COMPLIANCE AUTOMATION

What Is It?

System Hardening is the act of reducing the attack surface in information systems and minimizing their vulnerabilities in accordance with:

• Recognized Best Practices

• Vendor Hardening Guidelines

• Custom Security Policies

• Industry Standards or Benchmarks

Security Configuration Management is an automated, security-focused set of capabilities that makes system hardening:

• Repeatable and enterprise-scalable

• Continuous, with real-time or periodic capabilities as needed

• Flexible, and aligned with business needs, workflows and exceptions

• Self-correcting and self-remediating


NIST says SCM is:

“The management and control of configurations for an information system with the goal of enabling security and managing risk”


SCM: Tripwire Definition

The ability to create, edit and manage IT security hardening policies in a way that fits real-world business processes and continually balances risk and productivity


On Many Short-term Buying Lists

© 451 Group 2013


Gartner says SCM is the #1 priority in creating a server protection strategy


Securosis says configuration hardening is the 2nd most effective data security control


SANS says SCM is the 3rd most important security control you can implement

3 (& 10)


GCHQ’s New Cyber Security Guidance

GCHQ released new “10 Steps to CyberSecurity” in Fall 2012

Focused on executive and board responsibility

Names Secure Configurations as one of the most critical steps to achieving an objective measure of cybersecurity


What’s the Reality When It Comes to SCM? It’s Hard To Do:


Configuration Drift Is A Constant Enemy

“Configuration drift is a natural condition in every data center environment due to the sheer number of ongoing hardware and software changes.” – Continuity Software blog

“In less than a week, all the configuration controls, permissions and entitlements that IT spends time testing are useless.” – ITPCG blog


What Can You Do?

Monitor and assess critical configurations in:

• File systems

• Databases like MS-SQL, Oracle, IBM DB2 and Sybase

• Directory services and network devices

When?

• Immediate detection of changes to critical, defense-dependent configurations

• Efficient, change-triggered configuration assessment

• Shorten time of system risk

Demonstrating Compliance:

• Document any waivers

• Document when tests went from failing to passing

• Be alerted to tests going from passing to failing – within minutes or at least hours

Continuous Monitoring

[Figure: Security Posture plotted over Time against the Secure & Compliant State. Label: SECURITY POLICIES ENFORCED … CONTINUOUSLY]

Continually assess and remediate insecure configurations, ensuring always-hardened, always-ready information systems and network devices

www.tripwire.com
Tripwire Americas: 1.800.TRIPWIRE
Tripwire EMEA: +44 (0) 20 7382 5420
Tripwire Japan: +812.53206.8610
Tripwire Singapore: +65 6733 5051
Tripwire Australia-New Zealand: +61 (0) 402 138 980
