For most practical uses today, a combination of hardening and vulnerability detection is required to secure even the most basic digital environment.

In each area it is important to see the progress you’re making in these competencies so that you can improve and build on the work you and your team have done over time. But with so many assets in your digital environment, how do you score the effectiveness of these security measures?

In this article, I’d like to explain to you how Tripwire has approached this common need.

Let’s start with hardening and compliance.

There are many different security standards and benchmarks, such as PCI, NIST, SOX, HIPAA and others, each with its own industry focus. Each standard or benchmark specifies the appropriate hardened settings for a digital environment, based on countless hours of research. A benchmark consists of a list of tests, each tied to a specific setting that keeps the remote system secure; enforcing the mandated settings is a way to harden the environment. How well your environment enforces the settings supplied by the security benchmark is what determines your compliance percentage. Choosing the appropriate standard and remediating the failures found in your own environment is key to ensuring you and your team are focused on securing what matters most for the industry you operate in.

That being said, it has always been a challenge to keep track of the compliance percentage across a wide range of assets and to know the specific details of the remaining work needed to reach your compliance percentage goal. If an administrator simply applies hardened settings to each device one at a time, there is no way to validate each new setting and record that confirmation across the environment, so you cannot see your overall or per-device compliance percentage.
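To make the scoring concrete, here is an added example (not Tripwire's code, and not taken from any real benchmark) that does the arithmetic the two paragraphs above describe: each asset's compliance percentage is the share of its benchmark tests that pass, the environment-wide figure weights every test on every asset equally, and the "remaining work" for a target percentage is the list of failing tests plus the minimum number that must be remediated. The asset names, test ids and setting descriptions are constructed placeholders.

```python
"""Score benchmark compliance per asset and overall, and list remaining work.

Added example, not Tripwire code. The asset names, test ids and settings
below are constructed placeholders standing in for a real benchmark's tests.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TestResult:
    asset: str      # device the test was run against
    test_id: str    # benchmark test identifier (placeholder)
    setting: str    # hardened setting the test checks
    passed: bool    # whether the observed value matched the mandated one


def _r(asset, test_id, setting, passed):
    return TestResult(asset, test_id, setting, passed)


# Constructed sample: one hypothetical five-test benchmark run against three assets.
SAMPLE_RESULTS = [
    _r("web-01", "T1", "password_min_length >= 14", True),
    _r("web-01", "T2", "ssh_root_login = no", True),
    _r("web-01", "T3", "audit_logging = enabled", True),
    _r("web-01", "T4", "firewall_default_policy = deny", False),
    _r("web-01", "T5", "unused_services = disabled", True),
    _r("db-01", "T1", "password_min_length >= 14", False),
    _r("db-01", "T2", "ssh_root_login = no", True),
    _r("db-01", "T3", "audit_logging = enabled", False),
    _r("db-01", "T4", "firewall_default_policy = deny", True),
    _r("db-01", "T5", "unused_services = disabled", True),
    _r("app-02", "T1", "password_min_length >= 14", True),
    _r("app-02", "T2", "ssh_root_login = no", True),
    _r("app-02", "T3", "audit_logging = enabled", True),
    _r("app-02", "T4", "firewall_default_policy = deny", True),
    _r("app-02", "T5", "unused_services = disabled", True),
]


def compliance_by_asset(results):
    """Map each asset to (passed, total, percent) over its benchmark tests."""
    passed = defaultdict(int)
    total = defaultdict(int)
    for r in results:
        total[r.asset] += 1
        if r.passed:
            passed[r.asset] += 1
    return {a: (passed[a], total[a], round(100.0 * passed[a] / total[a], 1))
            for a in total}


def overall_compliance(results):
    """Environment-wide percentage: every test on every asset weighted equally."""
    if not results:
        return 0.0
    return round(100.0 * sum(r.passed for r in results) / len(results), 1)


def remaining_work(results, target_percent):
    """For every asset below the target, list its failing tests and the minimum
    number of them that must be remediated to reach the target percentage."""
    work = {}
    for asset, (passed, total, percent) in compliance_by_asset(results).items():
        if percent >= target_percent:
            continue
        # Smallest pass count p with 100*p/total >= target (ceiling division).
        required = -(-(target_percent * total) // 100)
        failing = [r.test_id for r in results if r.asset == asset and not r.passed]
        work[asset] = {
            "percent": percent,
            "fixes_needed": max(0, required - passed),
            "failing": failing,
        }
    return work


if __name__ == "__main__":
    for asset, (p, t, pct) in sorted(compliance_by_asset(SAMPLE_RESULTS).items()):
        print(f"{asset}: {p}/{t} tests pass ({pct}%)")
    print(f"overall: {overall_compliance(SAMPLE_RESULTS)}%")
    for asset, info in remaining_work(SAMPLE_RESULTS, 90).items():
        print(f"{asset} needs {info['fixes_needed']} more fix(es); failing: {info['failing']}")
```

Run as a script it prints each asset's score, the overall 80% figure, and the two assets that fall short of a 90% goal together with the tests they still fail. The point of keeping every test result rather than a single per-device flag is that the remaining-work list comes straight from the data; a setting that was applied by hand but never re-tested stays a failure until a fresh run confirms it.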
