Recently I posted some thoughts on effective vulnerability management (here) and (here), calling for organizations to move to a policy-driven approach that reduces organizational vulnerabilities and exposures through baseline and audit, as opposed to reacting to the constant flood of vulnerabilities with a scan-and-patch approach. I have had the opportunity to participate in similar activities over the years and thought I would share a recent experience that highlights the benefits of security configuration management, which enables coordination between security and operations, over vulnerability assessment or scan and patch with all its inherent challenges (here).
Before I do, let me state the obligatory disclosure: I am the CTO of BigFix (here), which provides enterprise systems and security management solutions. I believe in our approach and am grateful to have connected with an organization that shares my vision for the future of IT; coincidentally, OMB agrees as well (here). Prior to joining BigFix I was the Lead Analyst for Vulnerability Management at Gartner, ran engineering for nCircle, and was part of the team that productized Ballista as CyberCop Scanner for Network Associates. Hopefully that clears up the unavoidable “be warned, he is biased” links that are sure to follow.
During an executive discussion with a large client, it was disclosed that they were experiencing significant issues in several areas, including ensuring that the SIs responsible for patching were adhering to SLAs, reducing the sheer volume of vulnerabilities and exposures, and gaining situational awareness into the state of their complex, globally distributed environment. They were spending significant time trying to assess and prioritize the vulnerability assessment (VA) data provided by both an external penetration test and a very well known VA service; of course, new vulnerabilities, remediations, and patches were being released on a fairly frequent basis. It was, according to them, an overwhelming task, and a very common problem experienced by small, medium, and large organizations in every vertical throughout the globe.
We partnered with this organization to implement a plan of action for dealing with the VA data. We focused on one of their operations centers and were staring down the barrel of around 20 thousand vulnerabilities, of which roughly 45% were designated as critical or high-priority. After some initial review of their vulnerability assessment and penetration testing data, we suggested that a significant portion of the vulnerabilities would be eliminated through implementation and enforcement of security configuration baselines; I assumed the resulting reduction would be approximately 75% of the close to 20,000. The actual result was far more impressive: implementing and enforcing security configuration baselines resulted in a 94% reduction of known vulnerabilities and exposures, without any impact on internal applications or disruption of any services.
So what exactly did we do?
We focused on their Windows and *nix real estate. Based on the configuration information we obtained, we implemented Windows gold baselines for servers, domain controllers, file and print servers, and web servers, covering everything from auditing, user rights, and security options to system services and ports. We also built Unix/Linux gold server baselines covering general services, network services, boot services, kernel tuning, network parameters, logging, file/directory permissions and access, system access/authentication/authorization, blocking system accounts, and some additional security measures. We then coupled the baseline information with the latest organizationally approved patches.
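To make the baseline-and-audit loop concrete, here is an added example (not code from the original post or from BigFix) that models the two things described above: a small Unix gold baseline with audit checks and remediations, and the triage of scanner findings into those that baseline enforcement closes versus those that still need a patch. Every control id, snapshot value and scanner finding is constructed for illustration; a real deployment would collect the snapshot from the host and carry far more controls.

```python
"""Security configuration baseline: audit, enforce, re-audit, and map scan findings.

Added example, not code from the original post or from BigFix. Every control id,
snapshot value and scanner finding below is constructed for illustration.
"""
import copy
from dataclasses import dataclass
from typing import Callable


@dataclass
class Control:
    cid: str                          # hypothetical control id
    description: str
    check: Callable[[dict], bool]     # True when the snapshot complies
    fix: Callable[[dict], None]       # mutates the snapshot into compliance


# Constructed snapshot of one Unix host, shaped like what an agent would collect.
SNAPSHOT = {
    "sysctl": {"net.ipv4.ip_forward": "1", "kernel.randomize_va_space": "2"},
    "services": {"telnet": "enabled", "sshd": "enabled", "rsh": "disabled"},
    "file_modes": {"/etc/shadow": 0o644, "/etc/passwd": 0o644},
    "listening_ports": {22, 23},
}


def _set_sysctl(key, value):
    return lambda s: s["sysctl"].__setitem__(key, value)


def _disable_service(name, port=None):
    def fix(s):
        s["services"][name] = "disabled"
        if port is not None:
            s["listening_ports"].discard(port)
    return fix


# A handful of controls from the categories the post lists (kernel tuning,
# network parameters, services/ports, file permissions).
BASELINE = [
    Control("UNIX-NET-01", "IP forwarding disabled on non-routers",
            lambda s: s["sysctl"].get("net.ipv4.ip_forward") == "0",
            _set_sysctl("net.ipv4.ip_forward", "0")),
    Control("UNIX-NET-02", "ASLR fully enabled",
            lambda s: s["sysctl"].get("kernel.randomize_va_space") == "2",
            _set_sysctl("kernel.randomize_va_space", "2")),
    Control("UNIX-SVC-01", "telnet disabled and port 23 closed",
            lambda s: s["services"].get("telnet") != "enabled"
            and 23 not in s["listening_ports"],
            _disable_service("telnet", 23)),
    Control("UNIX-SVC-02", "rsh disabled",
            lambda s: s["services"].get("rsh") != "enabled",
            _disable_service("rsh")),
    Control("UNIX-FS-01", "/etc/shadow not world-readable",
            lambda s: s["file_modes"]["/etc/shadow"] & 0o004 == 0,
            lambda s: s["file_modes"].__setitem__("/etc/shadow", 0o640)),
]


def audit(baseline, snapshot):
    """Map each control id to True (compliant) or False (drift)."""
    return {c.cid: bool(c.check(snapshot)) for c in baseline}


def drift(baseline, snapshot):
    """Control ids that currently fail the baseline."""
    return [cid for cid, ok in audit(baseline, snapshot).items() if not ok]


def enforce(baseline, snapshot):
    """Return a new snapshot with every failing control's fix applied; input is untouched."""
    fixed = copy.deepcopy(snapshot)
    for c in baseline:
        if not c.check(fixed):
            c.fix(fixed)
    return fixed


# Constructed scanner findings; 'control' names the baseline item that closes it, or None.
FINDINGS = [
    {"id": "F-1", "title": "Telnet service listening", "severity": "high", "control": "UNIX-SVC-01"},
    {"id": "F-2", "title": "IP forwarding enabled", "severity": "medium", "control": "UNIX-NET-01"},
    {"id": "F-3", "title": "/etc/shadow world-readable", "severity": "high", "control": "UNIX-FS-01"},
    {"id": "F-4", "title": "Outdated OpenSSL package", "severity": "high", "control": None},
]


def triage(findings, baseline):
    """Split findings into those closed by baseline enforcement and those needing a patch."""
    known = {c.cid for c in baseline}
    closed = [f["id"] for f in findings if f["control"] in known]
    patch = [f["id"] for f in findings if f["control"] not in known]
    return closed, patch


if __name__ == "__main__":
    print("drift before:", drift(BASELINE, SNAPSHOT))
    after = enforce(BASELINE, SNAPSHOT)
    print("drift after: ", drift(BASELINE, after))
    closed, patch = triage(FINDINGS, BASELINE)
    print(f"{len(closed)} of {len(FINDINGS)} findings closed by baseline; patch queue: {patch}")
```

The split that `triage` produces is the point of the post: only the findings with no matching baseline control (here the package-level one) stay in the scan-and-patch queue, while the rest are addressed once and kept closed by re-running `drift` on a schedule to catch configuration drift.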
All of this may seem like an overwhelming task, but this is where superior technology enables rapid implementation and change. Although I try to avoid too much shillin’ and pimpin’ on this blog, I will state that one of the reasons I was so attracted to BigFix was the architecture and how it enables an organization to dramatically compress the time needed to automate operational processes. Regardless of the technology, though, I wanted to highlight some real-world examples of effective vulnerability management in action, and an organization that went from being overwhelmed to being in control: it is now able to audit against a baseline, limit configuration drift, focus key security analysts on emerging threats against critical infrastructure, and enforce SLAs against its SIs, all of this in an extremely accelerated time frame.
For those of us with our heads in the bit bucket, spell it out. What kinds of baselines and policies are we talking about?
Stuff like disabling telnet, removing setuid bits, enabling noexec stacks, editing config files? A.k.a. “hardening”?
Or if not that, what?
For me, the concept would gel better with some examples.
May I use the vader-fail picture for a quiz I am making on Facebook? It’s really cool and I hope you will give me permission.