Using BigFix for Security Configuration Management

Configuration Management was defined in 1991 as the management of change, specifically in the software engineering arena.  By 2011, the National Institute of Standards and Technology (NIST) was using the term Security-focused Configuration Management, which was regarded as an essential element of IT security[1]

Security Configuration Management is now a formal discipline with methods and tools to identify, control and monitor functional, physical or status changes to controlled items[2].

The goal of Security Configuration Management is to reduce the attack surface of systems by identifying misconfigurations, remediating them, and monitoring them so that they don’t change. The result is a baseline configuration that is enforced as the security standard in our organizations. It’s the way to make sure that our systems perform as they are expected to as changes are made over time. By effectively managing configuration settings, we manage change, so change doesn’t manage us.

With BigFix Configuration Management, organizations have a set of tools that provides the IT Security Operations with continuous visibility into vulnerabilities and provide the IT Operations the tools required to respond to those vulnerabilities. BigFix gives organizations the ability to maintain continuous compliance, not just at the enterprise level, but on every endpoint.

This blog is aimed at addressing the need for systems security, the actions to take to protect our systems, and the tools and resources available to enforce this protection.  The goal is to provide relevant information to help enhance systems security posture and ensure continuous compliance.

Remote Work Exacerbates Security Risk

In the not too distant past, most employees worked in an office, and the office door was secured with locks and a network firewall. Day after day, bad actors would try to get through that firewall with, hopefully, no success.

Today, we have many more doors into the enterprise because every endpoint used by a remote worker is a target. These mobile endpoints are not protected behind the corporate network firewall, and they are continuously under attack. While the “mobile workforce” is not a new concept, it has grown considerably during 2020 as the global pandemic has forced workers to stay home. In a survey conducted by CSO Magazine, at the beginning of 2020, 16.5% of employees worked from home a majority of the time. By the end of March, that number had climbed to 77.7%[3].  Bad actors haven’t taken a break from their exploits and have probably stepped up their attacks during the pandemic, exploiting every angle they can.

It’s important to note that remote work in and of itself is not a bad thing or inherently insecure.  The biggest problem seems to be with outdated equipment and configuration on the home network.  Many home networks employ modems and routers supplied by their ISP and have little knowledge of how to configure or update them. Other home networks use consumer-level equipment that, once installed has never been updated, including the default passwords which are easy to look up and exploit. Given this layer of insecurity on the networks used day-to-day, it’s that much more important to ensure the systems connected to it are as secure as we can make them.

Fortunately, there is valuable guidance on how to keep our endpoints secure.  One of these resources is the Center for Internet Security, a community-driven nonprofit responsible for publishing Controls and Benchmarks – globally recognized best practices for securing IT systems and data.

What Are CIS Controls?

CIS Controls are a series cybersecurity best practices that can help you identify, prioritize, implement and maintain good security hygiene in your organization.  The controls are divided into three groups:  Basic, Foundational and Organizational. The Center for Internet Security has conducted studies that show implementing only the first five of the Basic Controls is enough to protect organizations against 85% of all cyberattacks.

What Are CIS Benchmarks?

While CIS Controls are best practices, CIS Benchmarks are specific guidelines about how to secure vulnerabilities.  Some benchmarks are regulatory mandates.  Each Benchmark is a checklist that contains a series of application or operating system specific checks, for items like password lengths, port access, and protocol settings which are vulnerable to exploit. By applying these Benchmarks, organizations can identify vulnerabilities in their environment.

A Look at Basic CIS Controls

As mentioned earlier, implementing only the first few back controls are enough to protect organizations against a large majority of cyberattacks.  Here I will list the Basic CIS controls – the first six – that are important to most organizations in their efforts to secure endpoints.

CIS Control Number 1

This control deals with Inventory and Control of Hardware Assets. The control requires that organizations know what systems are on the network.  Simply put, organizations don’t want people accessing their network – wired or wirelessly – who aren’t supposed to be there.  Someone on the network potentially has access to everything on your network.  Organizations must control who has access, what they have access to, and what they can do.

Control number 1 also says that organizations should be able to control configuration settings of the hardware assets on the network.  Without this visibility, there is really no way to even begin to secure the endpoints in the organization.  That is why it is Control Number One.

CIS Control Number 2

This control deals with Inventory and Control of Software Assets and necessitates the ability to “actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.”

Software assets cost money. That is why we inventory software licenses and collect information about usage. But we also inventory software assets to identify unauthorized software and software that poses a security risk to our organization. We want to inventory software so we can see what’s installed, to identify approved and unapproved software. If you can whitelist software, all the better. Remember, a whitelist is a list of approved stuff, and if it’s not on the list, it’s not approved. Software doesn’t have to be risky to pose a risk.

CIS Control Number 3

This control governs Continuous Vulnerability Management. This is the ability to continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

The first requirement is automated patching of operating systems and applications, preferably on a regular schedule, to remediate known software vulnerabilities that could be easily exploited. The control also recommends the use of automated vulnerability scanning tools, a risk-rating process to prioritize vulnerability remediation, and a comparison of scan results over time.

It is important to mention that Vulnerability Management does not mean discovery alone, but discovery and remediation. Simply discovering and prioritizing vulnerabilities is known as Vulnerability Assessment, which is a valuable component of Security Configuration Management, but does not satisfy all the requirements of Continuous Vulnerability Management.

CIS Control Number 4

This control covers the Controlled Use of Administrative Privileges, and includes the processes and tools used to track, control, prevent and/or correct the use, assignment, and configuration of administrative privileges on computers, networks and applications.

System administrator often take short cuts to save time and energy. Why should a sys admin log in with their user account when they are already logged into their admin account? Why should sys admins limit users access knowing they will call me when they can’t do something? And the list of short cuts that cause security exposures goes on and on.

Administrators cannot control everything that happens in the enterprise so it is important that organization control the use of admin privileges and audit the actions of those who use them. Today’s operating systems were built for ease of use, not security, so organizations must secure them by limiting who has administrative privileges and by auditing what actions they take.

CIS Control Number 5

This control covers Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers. The first part of this control mandates implementing a change control process to control configuration management, and the second part covers the enforcement of this process to prevent attackers from exploiting vulnerable services and settings.

Implement the process first, then find a tool that supports that process – and not the other way around.  If we build our processes around tools, like the ones we use to patch systems and deliver software, we are not able to adjust our processes beyond the capabilities of the tool.

Our processes should support the business, and our tools should be capable of supporting the process.

CIS Control Number 6

This control focuses on the Maintenance, Monitoring and Analysis of Audit Logs. Organizations should collect, manage, and analyze event logs in order to detect, understand, or recover from an attack.

In a perfect world where our organization has implemented the first five controls, there would be no reason to check audit logs.  But the world’s not perfect, so organizations need to monitor and analyze logs on a regular basis.  If they don’t, important events and changes may be missed and organizations are destined to respond to the same problems repeatedly.

There are a few things to remember. First, logging has to be turned on; without it, there is no visibility.  Second, use synchronized time sources so that timestamps in logs are consistent. Next, be sure the systems that store logs have adequate space. Finally, review the logs on a regular basis and look for anomalies and understand what normally occurs in the environment. In this regard, a System Information & Event Management (SIEM) and log analysis software can help.

For more information on how to expedite CIS Controls using BigFix, download Implementing CIS Controls with BigFix. The white paper discusses the top 20 CIS Controls and how BigFIx can be leveraged to effectively implementation of many of the top controls.

Security Configuration Management with BigFix

BigFix can help you be proactive, not reactive in protecting your endpoints by keeping them in a constant state of compliance.  BigFix provides solutions that enable the IT Security manager continuous visibility into vulnerabilities and provides the IT Operations team the tools required to respond to these vulnerabilities. With BigFix, you can implement the appropriate CIS Checklists on every endpoint in your environment, even the ones that are off the corporate network.  By doing this, BigFix gives you the ability to maintain continuous compliance, not just at the enterprise level, but on every endpoint as well.  Here’s how we accomplish it:

Vulnerability Assessment

BigFix contains thousands of pre-configured, out-of-the-box checks, including the CIS Benchmarks.  When the checks are applied to the managed endpoints, you gain visibility into the compliance state of those endpoints. BigFix does a great job at providing visibility into vulnerabilities in your environment by utilizing an intelligent agent that continuously assesses the endpoint’s compliance status and reporting the status the BigFix Server.

Vulnerability Remediation

It might seem like a simple solution to just apply every patch to every endpoint, thereby ensuring all vulnerabilities were addressed. The problem is, if you cannot see whether an endpoint is vulnerable, you won’t be able to tell when – or if – it is remediated.  It would be like taking medicine every day that you didn’t need, just in case you ever developed a symptom that the medicine addresses.  Second, some patch installations will fail if the content is not applicable.  This leaves you troubleshooting failed installations – did the patch fail because it wasn’t applicable, or for some other reason? Additionally, some patches and configurations can be applied, even if they are not applicable, which can potentially break something. Fortunately, patches and conditions for relevance or applicability are built into BigFix content, ensuring the patches are installed only where they are needed.

Although organizations could use different tools for vulnerability assessment and vulnerability remediation, the integration of these two capabilities in BigFix streamlines vulnerability management across the enterprise, reducing the effort of both IT Security and Operations teams.

Continuous Enforcement

After identifying and remediating vulnerabilities, an organization has to ensure it they stay that way, to maintain compliance. Unlike other tools that require repetitive vulnerability scans and reporting to accomplish the assessment and remediation processes, BigFix integrates enforcement so that endpoints are continuously compliant.

The BigFix Agent runs continuously in the background on the managed endpoint, analyzing patch status and configuration settings – settings like those found in the CIS Checklists.  If the setting is different than what you’ve prescribed, it changes the setting on the system to the value you’ve indicated.  Once the configuration is set or the patch is applied, BigFix will monitor the system to ensure the value for that configuration item remains the same.  And if it should change for some reason, BigFix will change it back to the setting you prescribed in your checklist.

BigFix Compliance Integrates Visibility, Response and Enforcement

There are many compliance management products on the market that support one or more related IT processes. BigFix is the only solution that provides visibility, response, and enforcement, enabling you to identify, remediate and maintain continuous compliance.  BigFix is a solution that provides continuous visibility into your environment, enabling organizations not only to spot vulnerabilities but respond to them. And equally as important, BigFix allows organization to maintain continuous compliance across all endpoints, wherever they may be.

Check out the next, related blog post, BigFix Compliance awarded CIS Security Software Certification for CIS Benchmarks.

Visit us at www.bigfix.com and find out more about keeping you’re your endpoints patched and compliant.

[1] Jackson, W. (2011, August 16). NIST offers tips on security configuration management. Retrieved from Government Computer News: https://gcn.com/articles/2011/08/16/nist-configuration-security-rules.aspx

[2] Johnson, A., Dempsey, K., Ross, R., Gupta, S., & Bailey, D. (2011 (Updated 10-10-2019)). NIST Special Publication 800-128: Guide for Security-Focused Configuration Management of Information Systems. US Department of Commerce.

[3] Bragdon, B. (2020, April 1). Pandemic impact report: Security leaders weigh in. Retrieved from CSO: https://www.csoonline.com/article/3535195/pandemic-impact-report-security-leaders-weigh-in.html