Gartner’s Recommendations for Security Policy Configuration Assessment Part 2: Developing SCA Processes & Capabilities
In this series, we’re taking a look at Gartner’s recommendations for Security Policy Configuration Assessment and identifying areas where FireMon can help security teams accomplish them. Let’s take another look at the four recommendations Gartner proposed.
Security Policy Configuration Assessments – Recommendations
- Establish secure configuration policy baselines and minimum standards for system configurations by making use of sources such as business and functional requirements based on regulatory and statutory compliance requirements; benchmarks such as NIST and CIS; internal security policies; risk management; and results of threat assessment and incident management.
- Develop SCA capabilities by defining the objectives and scope, and selecting tools and an operating model to conduct regular SCA scans.
- Conduct frequent and regular SCAs to verify compliance with security policies, detect policy breaches and improve enforcement of policies.
- Engage IT operations to ensure that findings are being addressed by holding regular communication and cooperative meetings.
In Part 1, we took a hard look at the first recommendation and covered methods to establish baselines and how to use Real-Time Monitoring and Customizable Compliance Reporting. Each of these aspects of FireMon’s platform gives organizations the confidence needed to determine the current state and actively report on the standards the business needs, making audit preparation a snap.
Here, we’ll look at the second recommendation. What exactly is an SCA? Thank you for asking. Gartner spells out the components of a strong SCA:
SCAs provide a top-down baseline of the environment for configuration hardening policies that are organization-specific but derived from industry-recognized best practices, vendors, benchmarks, etc. … the configuration hardening process will facilitate the development of SCA capabilities in-house or will help in governing the outsourced capability.
We are once again confronted with a good recommendation. Now we need to know the “how.” Thankfully, Gartner provides a fairly comprehensive diagram to serve as guidance for developing an SCA.
Guidance Framework for Security Configuration Assessment
We come back to our guiding question of “how.” How does a security team go about implementing this plan? How do you use data from SCA tools? How do you perform risk assessments based on policy and define what setting should change? How do you document changes for audit purposes? How do you prepare and distribute the results to the appropriate parties?
The FireMon Difference
By integrating data in real time into a single console, FireMon lets our customers be the heroes of SCAs. Two problems usually stand in the way. First, a number of factors determine whether a policy is appropriate and has the desired effect. Second, turning results into a risk-centric, consumable deliverable requires stitching data together from several sources, which does not give organizations the accurate view they need to take action.
FireMon is the only network security policy platform with risk analysis. This allows a user to take the output of all those SCA tools (e.g. vulnerability scans) and analyze it within the context of their security policies and rules. What do you get from this? You can form an attack path simulation to see the precise steps an adversary could take to reach and compromise the vulnerable asset. When linking vulnerability scans with policy, you get the clearest picture of where the problem spots exist, rather than reasoning about it all in the abstract.
Now, you have a picture of which requirements are most important based on the pairing of risk and policy. Formerly, security teams may have run a scan and, in the absence of attack path simulation, ranked the vulnerabilities based on other factors (e.g. criticality, connectivity, ease of patching the specific asset). However, by linking vulnerability scans with policy and rules, you can rank the needed configuration changes based on actual exposure; it is always a good thing for an SCA to converge on real-world situations.
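The scan-plus-policy ranking described above, shown as an added illustration (this is not FireMon code; the rule and finding formats and the zone names are assumptions): a first-match firewall rulebase is evaluated for each scanner finding from an untrusted zone, so two findings with identical CVSS scores sort by whether the policy actually exposes them.

```python
# Constructed example: join scanner output with a first-match firewall rulebase
# so findings rank by real exposure, not CVSS alone (formats are assumptions).
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    rule_id: str
    src_zone: str            # zone the traffic originates from
    dst_net: str             # destination CIDR
    dst_port: Optional[int]  # None means any port
    action: str              # "allow" or "deny"

@dataclass
class Finding:
    host: str
    port: int
    cvss: float

# Constructed rulebase; evaluated top-down, first match wins.
RULES = [
    Rule("R1", "internet", "10.0.1.10/32", 443, "allow"),  # public web tier
    Rule("R2", "internet", "10.0.0.0/16", None, "deny"),   # block the rest
    Rule("R3", "corp", "10.0.0.0/16", None, "allow"),      # internal users
]

# Constructed scanner output: two critical findings, only one reachable.
FINDINGS = [
    Finding("10.0.1.10", 443, 9.8),
    Finding("10.0.2.20", 445, 9.8),
    Finding("10.0.1.10", 22, 7.5),
]

def permitting_rule(rules, src_zone, host, port):
    """Id of the first matching allow rule, or None (explicit or implicit deny)."""
    ip = ipaddress.ip_address(host)
    for r in rules:
        if r.src_zone != src_zone:
            continue
        if ip in ipaddress.ip_network(r.dst_net) and r.dst_port in (None, port):
            return r.rule_id if r.action == "allow" else None
    return None  # no rule matched: implicit deny

def rank_findings(rules, findings, untrusted_zone="internet"):
    """(host, port, cvss, rule_id) tuples; exposed findings first, then by CVSS."""
    ranked = [(f.host, f.port, f.cvss,
               permitting_rule(rules, untrusted_zone, f.host, f.port))
              for f in findings]
    return sorted(ranked, key=lambda t: (t[3] is not None, t[2]), reverse=True)
```

The permitting rule id travels with each finding, so the report can name the exact policy rule that creates the exposure as well as the asset that needs the fix.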
Let’s take another look at the SCA chain. When you look at the steps that take us from Phase 2 to Phase 3, you notice that risk assessments measured against requirements are the necessary process to leap into execution. FireMon customers are able to automate this process, accelerating their SCA to execution with confidence.
Are these baselines conforming to security intent? Are these exceptions putting us at risk? Do these requirements add to or take away risk? These are excellent questions. FireMon customers answer them, automatically.
Tailored Access for All Users
When looking at ways to develop world-class SCAs, the final link is to prepare and distribute the results. This is a critical part of any program to improve configuration assurance. How do you know what is happening without being able to see the relevant details that matter to you? FireMon customers automate the reporting functions to push results to the correct people in the right context.
Risk managers, internal audit, executives and security teams all have various consumption needs. So, having a customizable format to distribute results is essential. Tailored access for all users gives you the simple, polished dashboards and KPIs with the highest relevance.
Audits, in particular, are often tailored to fit your industry or internal standards that are constantly evolving. When the audit comes, those involved need to have a customized and flexible way to see the data that matters most to them.
Back in the day, each consumer of the SCA would request particular information, leaving out or modifying anything that wasn’t significant to their decision process. What is a security team to do? Well, they cut and paste and save various reports for each consumer. This interferes with the goal of SCA: making fast, correct, risk-mitigating decisions. How can one do this while busy stitching together the deliverables to accommodate each person?
By having a single data source with a litany of customizable options for visibility and reporting, you save time and get back to the work of configuration assurance.
Method matters. Developing SCA processes and capabilities is essential to achieving configuration assurance. The various elements of an effective SCA can be automated and well-informed with FireMon. Critical to any SCA are risk analysis and relevant reporting that fits the specific audience. FireMon customers accomplish this every day. It is no wonder that they see such significant improvements in configuration assurance. Security Configuration Assessments can be grueling. But with FireMon they become a snap.