Schedule a Demo

Preventing Cyber Threat with SCM

Picture of Pareto Cyber

Pareto Cyber

Cyber threats are real

Schedule a Demo

Subscribe newsletter

Secure Configuration Management

Once an organization has completed asset discovery, they can move on to security configuration management, or SCM. SCM is the management and control of secure configurations that enable security and mitigates risk.

Organizations that lack a robust CSM program typically have the following gaps:

  • A large number of open ports
  • Unused and/or outdated software,
  • Default passwords
  • Insecure communication protocols
  • Inadequate audit logs
  • A lack of regulatory compliance

Lacking a secure configuration program or having an ineffective program drastically increases an organization’s risk of suffering a successful attack, increasing the opportunities for even lower-skilled cybercriminals.

And when those attacks occur, the ability to understand and manage the threat is difficult, disruptive, and expensive.

 

 

Barriers To Implementing SCM

Mid-market and enterprise companies often struggle with deploying effective SCM due to a lack of knowledge, skill sets, and the effort required to transition systems to a hardened state, eliminating the risk of attack by patching vulnerabilities, turning off non-essential services, and configuring systems with standardized security controls.

As configuration debt builds up over time, the effort to correct it becomes increasingly more difficult. Also, as IT is dynamic in nature, most organizations transitioning to a secure state fail to configure new systems to the desired secure state, which starts a never-ending catch-up effort.

(On a positive note, organizations born in the cloud or migrating to the cloud are using this as an opportunity to move to secure configurations in parallel.)

Workstations

Developing a secure image for non-technical staff is the easiest area to focus on. These users do not have a need for altering configurations and most can complete their jobs with a simple configuration.

Much harder in the aspect of moving to a secure configuration is communication and getting buy-in from other leaders.

Network Infrastructure

Focusing on network infrastructure (firewalls, routers, switches, load balancers, etc.) provide value to protecting applications, but these devices typically have a large amount of technical debt – an implied cost of additional rework by choosing an easy solution now instead of a better solution that would take longer.

Besides Banking and Financial Services, most operations teams focus on creating rules for application access but do not go back and clean up legacy rules. Once the clean-up process is completed, organizations then can start by implementing a baseline across devices and monitoring.

Servers

The final and hardest area to focus on is servers that support applications.

For older organizations with a large amount of technical debt, teams will struggle to get buy-in from IT leaders. This is driven by a fear of operational downtime.

For organizations that align with agile methodologies, the process of moving to a secure state should be easier, as the ability to recover is much faster. For servers, start by changing controls that are known to have minimal impact. This will help increase trust across the organization and increase the speed of completion.

SCM Solutions

To develop, deliver, and manage an effective SCM program:

  • Organizations must focus on developing secure configurations to reduce the impact of breaches and increase the ability to identify an attack, focusing first on infrastructure devices and then servers responsible for applications.
  • Teams need to work together to define a secure baseline that balances business enablement, speed of change, and overall security.
  • Technologies and processes must be fully integrated.

Organization and Teams

Creating and maintaining security baseline standards is an ongoing process that requires the collaboration of several teams:

Cybersecurity

The Cybersecurity team is responsible for:

  • Reviewing the organization’s cyber risks and compliance needs.
  • Setting standards and holding all teams accountable.
  • Developing internal benchmarks or standards to ensure risk is being mitigated.

After these benchmarks and standards have been implemented by the IT Teams, monitors for expectations and, as needed, tracks expectations to internal standards.

In mid-market organizations, this is typically not a full-time role but is still a critical function to keep organizations protected.

For enterprises, the responsibility of designing and monitoring configurations is placed on the Threat and Vulnerability Management team.

IT Teams

The IT teams, including Infrastructure, Development, Help Desk, etc., are responsible for:

  • Implementing the standards developed by Cybersecurity and ensuring compliance.

If business enablement will be impacted, IT Operations will work with Cybersecurity to identify mitigating controls or track expectations to the standard.

Change Advisory Board

The Change Advisory Board is responsible for:

  • Approving changes to the baseline, understanding risk, and determining the impact changes will have on business enablement.

Executive Leadership

Executive leadership is responsible for:

  • Understanding business risk and establishing the organization’s risk tolerance.

That said, the collective team is responsible for collaborating to develop risk recommendations for executive leadership, enabling them to make sound decisions balanced between risk and security.

And when the risk is too great, an organization must determine how to eliminate the risk through a new system, architecture, or segmentation to limit overall exposure.

Technology Tools

There are four main tools leveraged by teams to monitor and control secure configurations.

For monitoring, most organizations are using a vulnerability scanner to ensure compliance with standards. These tools have the ability to import benchmarks (i.e. CIS Benchmarks), tailor them to your needs, and then monitor them.

To manage configurations, organizations are mainly using Active Directory, Azure Intune, or File Integrity Monitoring (FIM) to ensure devices meet the required standards. These solutions help manage device baselines and detect unauthorized changes to systems.

Process

For successful SCM, three main processes need to be in place:

  • System Build and Monitoring Management
  • Change Management
  • Exception Management

These processes allow leaders to understand risk and determine the next steps based on data or internal team knowledge.

Effective CSM is a critical piece of your organization’s cybersecurity. Pareto Cyber can help you protect your business with expert advice, holistic solutions, and proactive cybersecurity solutions.

Share

Related Articles

Cyber
Hygiene
Engineer
  • Responsible for data analysis and interpretation of required hygiene data sources; Vulnerability, Identity, Patching, Device Management, Cloud, and Networking. The role of the Cyber Hygiene Engineer is to provide prioritization of risks identified in the environment. Their overall goal is to rapidly reduce client risk related to Cyber Hygiene gaps.
Threat Hunters
& Red /
Purple Team
  • A cross-functional operations and engineering team responsible for developing threat use cases based on the technologies deployed and operations within a client. Our Threat Hunters are using the latest intel technologies to understand threat actor groups and motives targeting clients and provide use cases for SIEM implementation. Then our Red/Purple team provides our hunters and platform engineers with the latest tactics being used to help clients stay ahead of the latest threats.
Strategic
Cyber
Risk Advisor
  • Our Cyber Risk Advisors are focused on analyzing data integrated and correlated within the Cylemetry platform. This analysis allows our CRAs to provide clients with strategic and tactical recommendations on reducing overall cyber risks.
Customer
Success
  • Responsible for ensure all Pareto teams are meeting client expectations, service level agreements, and taking overall feedback for service improvement.
Platform
Engineer
  • Responsible for installation, configuration, and continuous improvement of client and Pareto support technologies used during service operations. Additionally, Platform Engineers provide content development, log source tuning, and security solution tuning support.
IR
Engineer
  • Responsible for using digital technologies available to assess total risk exposure of an incident / breach, provide in-depth Eradication, Remediation, Recovery, and Root Cause Analysis (RCA) services for clients that experience a successful attack.
Threat
Intel
Analyst
  • Collect, Process, Analyze and Report on enterprise and open-source threat intelligence to track threat actors, malware strains, or phishing campaigns that may affect our clients and their industry.
Threat
Detection
Analyst
  • Responsible for management of security alerts within security technologies, internal escalation of alerts to events or incidents, development of threat reports, threat surface analysis, and support of IR Engineering, Threat Intel, and Platform Engineering.
Threat
Detection
Lead
  • Accountable for daily operations, such as Threat Escalation Management, Remediation Approval, Service Level Agreements, Customer Communications, and Root Cause Analysis.
Penetration
Tester
  • Works alongside the Threat Hunter and Threat Intelligence Analyst to build and test SIEM alert rule content, based on the newest adversary tactics.
Threat
Hunter
  • Performs prescribed threat searches within the client’s environment, reporting any findings. This skill is also considered the SME of internal client IT operations and can determine legitimate client network traffic.