In my last post, “If We Know How Breaches Happen, Then Why Aren’t We Doing Something?”, I addressed a recent post by Rich Mogull in the Securosis blog called “We Know How Breaches Happen”, where Mogull rightfully asked: if we know that security configuration problems are at the root of a significant number of breaches, then why isn’t more being done to enforce essential security configuration practices?
In my post I ended by noting that a better method of automating enforcement of security configurations was needed as most security configuration management tools on the market today are a derivation of patch management techniques and processes. They rely on the application of pre-written scripts for remediation that are pushed out like patches. Some tools literally have tens of thousands of these pre-written remediations. If a new problem is detected, someone – either internally or the vendor – has to write a new script which is then pushed out. This effort can be non-trivial as new scripts must be handled the same way that a new patch must be tested and managed. The application of these scripts is very brute force and non-specific. If someone gets sick (one computer) then everyone has to take the pill (the script).
That is why an alternative is required. Patch management, or the lack thereof, is constantly cited as a contributing problem to security and specifically to security configuration management. If security configuration management tools rely on what is essentially the patch management process, why would we expect those solutions to solve the problem?
Triumfant Resolution Manager takes a decidedly different approach to security configuration management. It continuously enforces security configurations and policies by scanning every computer, every day, detecting when a machine is non-compliant, building a remediation on the fly for the specific problem for each specific machine and applying these remediations to return non-compliant machines to compliance. There are no scripts to write, no scripts to be pushed out to every machine. Triumfant has automated the process of detection, analysis and remediation. You start every day with every machine audit ready and at the highest state of security readiness.
So how does Triumfant learn the desired security configurations to enforce? The first way is that it learns the rules from the environment by taking thousands of attributes from every machine and correlating them into the rules that compose what we call the Adaptive Reference Model. The model is a normative baseline of all of the correlated attributes across the endpoint environment expressed as rules for specific configuration settings. Essentially, Resolution Manager will learn what is normal and then enforce that normal. For more insight into the grouping and correlation performed by the Adaptive Reference Model please see this previous post.
Obviously many environments are in a state where there is no satisfactory normal. The learned option still works, but requires some finesse and is dependent on having a set of machines that can serve as a golden image of your desired configuration. In this case, you would simply start by pointing Resolution Manager at these machines first, allowing the Adaptive Reference Model to be built with the rules learned from these machines. Then as you add other machines to the model, they will be assessed against the rules learned from the golden image machines and remediated to be brought into compliance with those rules.
Seldom is the world as tidy as a golden image. There are the “except fors” and special cases that keep IT security teams busy. So the second way to establish security configurations is through explicit rules and policies that are created within a simple wizard-driven interface. These can apply to all machines in the endpoint population or to specific groups, making it simple to accommodate the requirements of groups or job functions. Rules are extremely flexible: they can be precise and specific, or employ generic filters to cover broader subject matter. Using this approach, organizations can deploy security configurations that are both practical and appropriate.
The beauty of Triumfant Resolution Manager is that you can employ a hybrid model. You can explicitly state the configuration rules that are most important, and Resolution Manager will extend the explicit rules with learned rules to cover the rest. No other tool can provide this two-phase approach, effectively extending the reach of security configuration management well beyond that which is explicitly defined.
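To make the learned-plus-explicit model concrete, here is an added illustration (my own toy code, not Triumfant’s implementation or algorithm) of the three ideas above: deriving a normative baseline from attribute agreement across endpoints, letting explicit policy override the learned “normal”, and building a per-machine remediation that touches only the settings that deviate. The inventory, attribute names and 80% agreement threshold are all constructed for the example.

```python
from collections import Counter

# Constructed sample inventory: configuration snapshots from five endpoints.
# Most machines agree on each setting; ws-05 has drifted, and rdp is split.
# smb1 is "on" everywhere: a learned "normal" that policy should override.
MACHINES = {
    "ws-01": {"firewall": "on",  "av_realtime": "on",  "rdp": "off", "autorun": "off", "smb1": "on"},
    "ws-02": {"firewall": "on",  "av_realtime": "on",  "rdp": "off", "autorun": "off", "smb1": "on"},
    "ws-03": {"firewall": "on",  "av_realtime": "on",  "rdp": "off", "autorun": "off", "smb1": "on"},
    "ws-04": {"firewall": "on",  "av_realtime": "on",  "rdp": "on",  "autorun": "off", "smb1": "on"},
    "ws-05": {"firewall": "off", "av_realtime": "off", "rdp": "on",  "autorun": "on",  "smb1": "on"},
}

# Constructed explicit policy: the "except fors" an administrator states directly.
EXPLICIT_POLICY = {"rdp": "off", "smb1": "off"}

def learn_rules(machines, min_agreement=0.8):
    """Toy normative baseline: an attribute becomes a learned rule only when a
    single value is shared by at least min_agreement of the population.
    Attributes without clear consensus (rdp here, 3 of 5) yield no rule."""
    rules = {}
    attrs = {a for m in machines.values() for a in m}
    for attr in sorted(attrs):
        counts = Counter(m[attr] for m in machines.values() if attr in m)
        value, n = counts.most_common(1)[0]
        if n / len(machines) >= min_agreement:
            rules[attr] = value
    return rules

def hybrid_rules(machines, explicit):
    """Explicit policy wins on conflict; learned rules fill in everything else."""
    return {**learn_rules(machines), **explicit}

def build_remediation(machine, rules):
    """Per-machine fix list: only the (attribute, expected value) pairs that
    differ from this machine's current state, built from its own snapshot."""
    return {a: v for a, v in rules.items() if machine.get(a) != v}

def enforce(machines, explicit):
    """One scan cycle: derive the rule set, then a remediation per machine."""
    rules = hybrid_rules(machines, explicit)
    return {name: build_remediation(m, rules) for name, m in machines.items()}

if __name__ == "__main__":
    for name, fixes in enforce(MACHINES, EXPLICIT_POLICY).items():
        print(name, "compliant" if not fixes else f"remediate {fixes}")
```

Note that a compliant machine produces an empty remediation, so nothing is pushed to it; the drifted machine receives exactly the settings it needs, and the explicit smb1 rule reaches every machine even though "on" is the learned norm.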
The ability of Triumfant Resolution Manager to continuously and automatically enforce security configurations creates enormous benefit for our customers. This capability provides all of the advantages of security configuration management with less human interaction and extends the capability far beyond the explicit configuration rules. The end result is lower risk and increased security readiness. While the ability of Resolution Manager to detect the malicious attacks that evade other endpoint security software certainly garners a lot of attention, the ability to ensure that the endpoint population begins every day properly configured is equally critical in securing any organization.
[...] Attacks get through because the machines and the protection software deployed to protect them are not configured to be secure. The analogy is simple: the most well designed and secure deadbolt lock only secures a door when the deadbolt is engaged. Too frequently, endpoint protection tools are either improperly installed or improperly configured to perform the tasks for which they are intended, so attacks make it through. For how Triumfant addresses the configuration management gap see “A New Approach to Configuration Management”. [...]