Last time, I discussed how network security begins with asset discovery. This foundational control advises organizations to develop an inventory of all authorized and unauthorized devices and software. Using that information, IT security personnel can track and correct all authorized devices and software. They can also deny access to unauthorized and unmanaged products as well as prevent unapproved software from installing or executing on network devices.

Once enterprises have discovered all their assets, they can move on to security configuration management (SCM).

IT security and IT operations meet at SCM because this foundational control blends together key practices such as vulnerability assessment, automated remediation, and configuration assessment. Organizations can therefore leverage a software-based SCM solution to reduce their attack surfaces by proactively and continuously monitoring and hardening the security configurations of their environment’s operating systems, applications, and network devices. Compliance auditors can also use security configuration management to monitor an organization’s compliance with mandated policies. These standards range from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for organizations that collect medical information to the Payment Card Industry Data Security Standard (PCI DSS) for just about anyone who handles branded credit cards.

Security configuration management consists of four steps. The first step is asset discovery. Next, organizations should define acceptable secure configurations as baselines for each managed device type. They can do so using guidance published by the Center for Internet Security (CIST) or the National Institute of Standards and Technology (NIST). From there, they assess their managed devices according to a pre-defined frequency policy. Finally, they should make sure someone fixes the problem or grants it an exception.

Many SCM solutions come with additional features that organizations can use to better protect their networks. Here are a few of which enterprises (Read more...)