Configuration Security Monitoring
Locking down and properly configuring security parameters on servers has long been a best practice. This typically includes securing local services and applications, setting permissions on files and directories, improving access control parameters such as SSH, limiting privileged user access, and tweaking many other specific settings. This is valuable for the following reasons:
- To avoid breaches. If you look through Verizon’s Data Breach Investigations Reports over the past few years, you will see that poor configuration management was a factor in most data breaches. Government regulations and industry standards are recognizing this, which explains the recent influx of security configuration management requirements.
- To comply with best practices. Configuration security monitoring is one of the “twenty critical security controls” that are promoted by the Center for Internet Security. As the CIS report states: “Developing configuration settings with good security properties is a complex task beyond the ability of individual users, requiring analysis of potentially hundreds or thousands of options in order to make good choices. Even if a strong initial configuration is developed and installed, it must be continually managed to avoid security “decay” as software is updated or patched, new security vulnerabilities are reported, and configurations are “tweaked” to allow the installation of new software or support.”
- To comply with government regulations and industry standards. Dozens of government and industry regulations affect commercial enterprises and government agencies, and configuration security monitoring can help organizations comply with many of them. The most important are PCI DSS, HIPAA, NERC CIP, FISMA, SOX, NIST SP 800-53, and ISO 27001.
Rather than start from scratch, IT security practitioners can leverage publicly developed, vetted, and supported benchmarks from sources such as:
- The Center for Internet Security (CIS) Benchmarks Program (www.cisecurity.org)
- The Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG)
- The National Institute of Standards and Technology (NIST) National Checklist Program (checklists.nist.gov)
Configuration security monitoring tools have existed for years. However, tools that were designed for traditional data center environments typically perform poorly in agile environments because these tools have heavy agents that sap server resources. Also, these tools are not able to scale quickly because the tools were built for static environments. Each agent needs to be separately provisioned and configured.
Halo Protect solves these problems. Halo uses an ultra-lightweight agent that can be deployed automatically in any combination of data centers, private clouds or public clouds. With Halo, every workload is instantly provisioned with an agent, and every workload can be automatically compared to the proper configuration standards, based on policy.
Halo Protect is easy to use. It contains pre-built configuration checks based on CIS and NIST benchmarks. These benchmarks contain hundreds of configuration checks, such as:
- Removal of unused user accounts
- Configuration of user privileges
- Closure of unused network ports
- Enforcement of password policy
- Removal of unwanted services
You can also develop your own custom configuration checks using Halo’s built-in policy editor. This is typically used when you want to assess the configuration of custom-developed applications.
Software Vulnerability Assessment
In addition to configuration mistakes, software vulnerabilities are the principal way that attackers gain control over systems. While “zero day” vulnerabilities capture most of the attention in the popular press, well-known vulnerabilities are the ones that enterprises should be more concerned with. In June 2016, Gartner predicted that “through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.” (“Gartner Essentials: Top Security Predictions/SPAs 2016”, analyst John Wheeler, Gartner Security and Risk Management Conference, Washington D.C.).
In addition to maintaining strong security, vulnerability assessment is often required by regulations. For example, all US Federal agencies have to produce monthly inventories of all assets on their networks. (See NIST 800-137 for further details.) All of this is well understood by IT security practitioners, which is why software vulnerability assessment is a staple of security for most large enterprises. However, tools that were designed for traditional data center environments typically perform poorly in agile environments because, once again, these tools have heavy agents that sap server resources. Also, these tools are not able to scale quickly because the tools were built for static environments. Each agent needs to be separately provisioned and configured.
CloudPassage Halo Protect solves these problems. Halo uses an ultra-lightweight agent that can be deployed automatically in any combination of data centers, private clouds or public clouds. With Halo, every workload is instantly provisioned with an agent, and every workload can be automatically scanned for vulnerabilities. Halo Protect is delivered as a service, so it’s on-demand, extremely fast and easy to deploy, built for automation and works at any scale, anywhere – whether protecting bare metal servers or VMs in data centers, or cloud workloads in private and public clouds.
Server Account Management
The third essential protection to reduce your attack surface is to closely manage who can log in to your servers and what functions they can perform. Attackers often leverage poorly managed user accounts in order to gain control over high-value servers. The servers themselves are usually not the first attack point; an end-user workstation is more likely. By escalating privileges and moving from one system to the next, an attacker eventually finds and compromises the server that contains the data that the attacker wants to steal.
Server account management is a well-understood function, but it can become tedious to manage when you are operating in multiple environments such as traditional data centers, public clouds and private clouds. Using a different tool for each environment wastes time and can be a source of mistakes.
CloudPassage Halo Protect has been purpose-built to solve these problems. Halo uses an ultra-lightweight agent that can be deployed automatically in any combination of data centers, private clouds or public clouds. Halo Protect lets you identify:
- who has accounts on which workloads
- what privileges they operate under
- how accounts are being used
Halo Protect provides a single online management console where you can monitor your workloads in public, private and hybrid cloud environments. The convenient user interface makes it easy for you to identify accounts that should have been removed.
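As an added illustration of the checks described in this section and in the configuration-check list above (account removal, privilege review, usage), here is a small Python check written for this page; it is not Halo's code or its policy format. It runs over constructed /etc/passwd, sudoers and last-login data and flags interactive accounts that were never used or have been idle longer than an assumed 90-day policy threshold, rating those that also hold sudo as high severity.

```python
from datetime import date
# Constructed sample host data (not from any real system, not Halo's format).
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc-legacy:x:1002:1002:old service:/var/lib/legacy:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""
# Constructed lastlog-style table: user -> ISO date of last login, None = never.
LAST_LOGIN = {"root": "2024-05-01", "alice": "2024-05-20", "bob": "2024-01-03", "svc-legacy": None}
# Constructed /etc/sudoers excerpt.
SUDOERS = """Defaults env_reset
root        ALL=(ALL:ALL) ALL
alice       ALL=(ALL) ALL
svc-legacy  ALL=(ALL) NOPASSWD: ALL
"""

def interactive_accounts(passwd):
    """Map user -> uid for accounts whose shell allows a login (nologin/false excluded)."""
    accts = {}
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed records rather than guessing
        user, uid, shell = fields[0], int(fields[2]), fields[6]
        if not shell.endswith(("nologin", "false")):
            accts[user] = uid
    return accts

def sudo_users(sudoers):
    """Users named in user-specification lines (Defaults, groups and comments ignored)."""
    return {line.split()[0] for line in sudoers.splitlines()
            if line.strip() and not line.startswith(("#", "Defaults", "%"))}

def stale_accounts(passwd, last_login, today_iso, max_idle_days=90):
    """Interactive accounts that never logged in or exceeded max_idle_days of inactivity."""
    today = date.fromisoformat(today_iso)
    stale = []
    for user in interactive_accounts(passwd):
        last = last_login.get(user)
        if last is None or (today - date.fromisoformat(last)).days > max_idle_days:
            stale.append(user)
    return sorted(stale)

def findings(passwd, sudoers, last_login, today_iso):
    """(severity, user, reason) tuples; a stale account holding sudo is rated high."""
    sudo = sudo_users(sudoers)
    return [("high" if u in sudo else "medium", u, "stale interactive account")
            for u in stale_accounts(passwd, last_login, today_iso)]
```

Calling `findings(PASSWD, SUDOERS, LAST_LOGIN, "2024-06-01")` on the sample data reports bob (idle 150 days) as medium and svc-legacy (never logged in, NOPASSWD sudo) as high, which is the kind of account a removal review should catch.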