System Hardening is the act of reducing the attack surface in information systems and minimizing their vulnerabilities in accordance with: Recognized best practices; vendor hardening guidelines; custom security policies; industry standards or benchmarks.
Security Configuration Management is an automated, security-focused set of capabilities that makes system hardening: Repeatable and enterprise-scalable; continuous with real-time or periodic capabilities as needed; flexible and aligned with business needs, workflows and exceptions; self-correcting and self-remediating.
Here's where the rubber meets the road...
4. NIST says SCM is: “The management and control of configurations for an information system with the goal of enabling security and managing risk”
5. The ability to create, edit and manage IT security hardening policies in a way that fits real-world business processes and continually balances risk and productivity
10. GCHQ’s New Cyber Security Guidance
• GCHQ released new “10 Steps to Cyber Security” in Fall 2012
• Focused on executive and board responsibility
• Names Secure Configurations as one of the most critical steps to achieving an objective measure of cybersecurity
12. “Configuration drift is a natural condition in every data center environment due to the sheer number of ongoing hardware and software changes.” – Continuity Software blog
“In less than a week, all the configuration controls, permissions and entitlements that IT spends time testing are useless.” – ITPCG blog
13. Tripwire’s solution monitors and assesses critical configurations in:
• File systems of all kinds: Windows, Linux, Solaris, AIX, HP-UX
• Databases like MS-SQL, Oracle, IBM DB2 and Sybase
• Directory services and network devices
Tripwire’s SCM is built on the world’s best integrity solution, assuring:
• Immediate detection of changes to critical, defense-dependent configurations
• Efficient, change-triggered configuration assessment
• Continuous risk reduction
Tripwire’s system hardening solutions are enterprise-scalable, with:
• Automated deployment and setup
• A complete system of waiver and workflow management
• Automated or assisted remediation options for failed or weak configurations
• The industry’s largest, most customizable policy library
14. Tripwire’s solutions continually assess and remediate insecure configurations, ensuring always-hardened, always-ready information systems and network devices
Gartner, “How To Design a Server Protection Strategy.” December, 2011
Securosis Data Security Survey, Sept 2010 https://securosis.com/blog/the-securosis-2010-data-security-survey-report-rates-the-top-5-data-securit
SANS 20 Critical Security Controls v3.1, 2012: http://www.sans.org/critical-security-controls/
----- Meeting Notes (5/9/12 00:19) -----
We invest a lot of time building servers correctly & securely
Yet, we struggle to keep them in a known & trusted state
Why? one word… CHANGE
1000s of changes ROUTINELY
It's natural… it's business
Over 10,000 best practice-based configuration rules and policy tests