Hardening operating systems and keeping an audit trail of activity using a change detection and SIEM solution are must-haves for ensuring that your environment is safe from cyber attacks and unwanted intrusions.
Moreover, establishing a secure baseline is a great addition for protecting your systems from internal and external threats.
According to the European Organization for Nuclear Research (CERN, from its French acronym), the Internet’s birthplace, “a Security Baseline defines a set of basic security objectives which must be met by any given service or system”. In other words: set up your systems for optimal performance, document and review that configuration, and keep track of it from then on.
Establishing the Secure Baseline
A good place to start on this would be looking at some expert sources such as the Center for Internet Security (CIS) and the Department of Defense (DoD). These sources have detailed guides and procedural documents that explain security configuration options for a wide range of operating systems and applications. Hardening would typically include removal of unnecessary accounts, disabling or removal of unnecessary services, and enabling security conscious configurations (2).
Additionally, depending on your industry’s security requirements, you may need to comply with a particular standard (e.g. NERC CIP or DISA STIG), in which case you will need to implement its rules as well. A recommended practice is to group your devices by operating system or by their function in your environment. That simplifies the change detection process and significantly reduces the time needed for implementation.
Once the devices are classified into groups, it’s essential to establish secure and consistent configuration baselines for each of them. After forming your secure baselines from all the information previously gathered, test them to confirm that they meet your security requirements while working within operational parameters. Many tests and some adjustments later, you will be ready to generate a template from which similar systems and applications can be built.
Documenting and Reviewing the Configuration
Once a configuration baseline is established, a review and approval process should be put in place for requests that deviate from it. There may be legitimate institutional needs that require software to deviate from that baseline. These deviations should be documented, and the approval process should allow management to weigh both the risks and rewards of the requests.
With the secure baselines in place, it’s now time to keep track of the changes. You will need a tool where you can import those baselines and be notified if an unexpected event is registered. You surely want to store all those changes for further analysis and make sure that all of your devices are in compliance with the standards recommended for your industry. You’ll also want to be promptly alerted if any malicious activity is registered.
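As an added illustration (not NNT’s code, nor anything taken from the CIS or DoD guides), the check below evaluates a constructed host snapshot against a constructed baseline template of the kind the previous section describes (unneeded accounts removed, unneeded services disabled, security-conscious settings enforced). Deviations that the review process has signed off are listed in an approved-exceptions set and reported as documented exceptions rather than failures, so a host can pass the check without silently losing the record of what deviates. The `Baseline` and `Finding` types, the rule ids and every sample value are assumptions made for this example.

```python
"""Added example, not NNT's code: evaluate a host configuration snapshot
against a secure baseline template (unneeded accounts removed, unneeded
services disabled, required settings enforced), honouring deviations that
the review process has approved. Baseline, snapshot and exception list are
all constructed for the example."""
from dataclasses import dataclass, field


@dataclass
class Baseline:
    name: str
    forbidden_accounts: set          # accounts the hardening guide says to remove or disable
    disabled_services: set           # services that must be in the "disabled" state
    required_settings: dict          # setting name -> value the baseline mandates
    approved_exceptions: set = field(default_factory=set)  # rule ids signed off by management


@dataclass
class Finding:
    rule: str      # e.g. "service:RemoteRegistry"
    detail: str
    status: str    # "fail" (unapproved drift) or "exception" (documented, approved deviation)


def evaluate(snapshot, baseline):
    """Return one Finding per baseline rule the snapshot violates, in a stable order."""
    findings = []

    def record(rule, detail):
        status = "exception" if rule in baseline.approved_exceptions else "fail"
        findings.append(Finding(rule, detail, status))

    for acct in sorted(set(snapshot["accounts"]) & baseline.forbidden_accounts):
        record(f"account:{acct}", f"account '{acct}' is present but the baseline forbids it")
    for svc, state in sorted(snapshot["services"].items()):
        if svc in baseline.disabled_services and state != "disabled":
            record(f"service:{svc}", f"service '{svc}' is '{state}', baseline requires 'disabled'")
    for key, wanted in sorted(baseline.required_settings.items()):
        actual = snapshot["settings"].get(key)
        if actual != wanted:
            record(f"setting:{key}", f"setting '{key}' is {actual!r}, baseline requires {wanted!r}")
    return findings


def is_compliant(findings):
    """Compliant means no unapproved failures; approved exceptions do not count against the host."""
    return not any(f.status == "fail" for f in findings)


# Constructed baseline for a hypothetical "Workstations" group. The SNMP exception stands in
# for a deviation that went through the documented review process (e.g. a monitoring tool
# needs the service running on this group).
WORKSTATION_BASELINE = Baseline(
    name="Workstations",
    forbidden_accounts={"Guest", "temp_admin"},
    disabled_services={"Telnet", "RemoteRegistry", "SNMP"},
    required_settings={
        "PasswordComplexity": "enabled",
        "MinimumPasswordLength": 14,
        "AuditLogon": "success,failure",
    },
    approved_exceptions={"service:SNMP"},
)

# Constructed snapshot of one host, as a harvesting step might report it.
HOST_SNAPSHOT = {
    "accounts": ["Administrator", "Guest", "jdoe"],
    "services": {"Telnet": "disabled", "RemoteRegistry": "running",
                 "SNMP": "running", "Spooler": "running"},
    "settings": {"PasswordComplexity": "enabled", "MinimumPasswordLength": 8,
                 "AuditLogon": "success,failure"},
}

if __name__ == "__main__":
    results = evaluate(HOST_SNAPSHOT, WORKSTATION_BASELINE)
    for f in results:
        print(f"[{f.status:9}] {f.rule}: {f.detail}")
    print("compliant:", is_compliant(results))
```

Run as a script it lists three failures (the Guest account, the running RemoteRegistry service and the 8-character minimum password length) and one documented exception (SNMP), and reports the host as non-compliant; once the three failures are fixed the exception remains visible in the output but the host passes.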
Using Change Tracker to Detect Your Changes
Agent-based and agentless solutions are combined to gather every change that has occurred in your environment. Each event is classified as a Planned or Unplanned Change, and email alerts can be configured to be sent if a certain type of event is received. NNT even offers a whitelisting service, named FAST (File Approved-Safe Technology) Cloud, to help its customers with events classification.
But let’s go back to the baselines. How are they added to Change Tracker? And most importantly, how does Change Tracker keep track of those changes made to the established baseline?
Once it is determined which systems are the ones providing the baselines for each group, a Change Tracker agent is installed on each of them. With the baseline providers added to Change Tracker, now it’s time to run our Harvesting Report to start gathering the configuration baselines that will be added later to the actual baseline reports.
After adding all of the entries (e.g. installed software, Windows updates, etc.) to the baseline reports, it’s now time to assign each report to its corresponding group of devices. Every new device added to Change Tracker will be automatically assigned to its OS Group, but customers can group devices according to different criteria (e.g. Domain Controllers, Workstations, etc.) and assign their baseline reports to those groups.
Let’s take a look at this NERC CIP (North American Electric Reliability Corporation critical infrastructure protection) standard implementation example.
Software and Windows Updates Baseline reports have been shaped, added to Change Tracker and applied to the proper group of devices. At this point, they can be scheduled to run daily, for example, checking every event received from its devices and comparing them to the baselines. Email notifications or syslog messages (sent to your SIEM solution) can be configured, and every change is stored on the Change Tracker database.
In this particular example, several NERC CIP reports have been implemented to check for open ports and user accounts, among other essential parameters. Those ones, added to the Compliance Reports that come by default with Change Tracker, are taking care of all the critical elements (file system, registry, security policy, etc.) of the connected systems.
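The scheduled comparison described above, as an added example that is not Change Tracker’s own code: a harvested baseline snapshot of one device is diffed against a later snapshot, each difference is classified as Planned (covered by an unexpired approved-change record for that device) or Unplanned, and every change is rendered as an RFC 5424 syslog line for a SIEM, with Unplanned changes at warning severity and Planned ones at informational. The device name, snapshot contents, KB identifiers (placeholders, not real update ids), approved-change records and the `change@32473` structured-data id (32473 is the enterprise number reserved for documentation) are all assumptions made for the example.

```python
"""Added example, not Change Tracker's code: diff a harvested baseline
snapshot against a later snapshot of the same device, classify each change
as Planned or Unplanned from a list of approved change records, and render
each change as an RFC 5424 syslog line for a SIEM. Device name, snapshots,
update ids and change records are all constructed placeholders."""
from datetime import datetime, timezone


def diff_snapshot(baseline, current):
    """Return (category, key, old, new) for every entry that differs; old/new is None on add/remove."""
    changes = []
    for category in sorted(set(baseline) | set(current)):
        before, after = baseline.get(category, {}), current.get(category, {})
        for key in sorted(set(before) | set(after)):
            if before.get(key) != after.get(key):
                changes.append((category, key, before.get(key), after.get(key)))
    return changes


def classify(device, changes, approved, now):
    """A change is Planned only if an approved record names this device, category and key
    and has not expired; everything else is Unplanned and worth an alert."""
    events = []
    for category, key, old, new in changes:
        planned = any(
            a["device"] == device and a["category"] == category and a["key"] == key
            and a["valid_until"] >= now
            for a in approved
        )
        events.append({"device": device, "category": category, "key": key,
                       "old": old, "new": new, "status": "Planned" if planned else "Unplanned"})
    return events


def sd_escape(value):
    """Escape the three characters RFC 5424 structured-data values may not carry bare."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(event, now):
    """Facility 13 (log audit); severity 4 (warning) for Unplanned, 6 (informational) for Planned."""
    severity = 6 if event["status"] == "Planned" else 4
    pri = 13 * 8 + severity
    sd = " ".join(f'{k}="{sd_escape(v)}"' for k, v in (
        ("category", event["category"]), ("key", event["key"]),
        ("old", event["old"]), ("new", event["new"]), ("status", event["status"])))
    timestamp = now.isoformat().replace("+00:00", "Z")
    return (f"<{pri}>1 {timestamp} {event['device']} baseline-check - - "
            f"[change@32473 {sd}] "
            f"{event['status']} change to {event['category']}/{event['key']}")


def run_report(device, baseline, current, approved, now):
    """One scheduled run of a baseline report for a single device."""
    return classify(device, diff_snapshot(baseline, current), approved, now)


def unplanned(events):
    return [e for e in events if e["status"] == "Unplanned"]


# Constructed data: a workstation whose current state has drifted in four places.
NOW = datetime(2022, 1, 15, 9, 0, tzinfo=timezone.utc)
BASELINE_SNAPSHOT = {
    "software": {"7-Zip": "19.00", "Notepad++": "8.1"},
    "windows_updates": {"KB0000001": "installed"},           # placeholder update ids
    "open_ports": {"tcp/135": "listening", "tcp/445": "listening"},
    "accounts": {"Administrator": "enabled", "svc_backup": "enabled"},
}
CURRENT_SNAPSHOT = {
    "software": {"7-Zip": "21.07", "Notepad++": "8.1"},
    "windows_updates": {"KB0000001": "installed", "KB0000002": "installed"},
    "open_ports": {"tcp/135": "listening", "tcp/445": "listening", "tcp/3389": "listening"},
    "accounts": {"Administrator": "enabled", "svc_backup": "enabled", "tmp_user": "enabled"},
}
# Approved change records: the 7-Zip upgrade and the second update went through change control;
# the new listening port and the new account did not.
APPROVED_CHANGES = [
    {"device": "WS-01", "category": "windows_updates", "key": "KB0000002",
     "valid_until": datetime(2022, 1, 31, tzinfo=timezone.utc)},
    {"device": "WS-01", "category": "software", "key": "7-Zip",
     "valid_until": datetime(2022, 1, 20, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    for event in run_report("WS-01", BASELINE_SNAPSHOT, CURRENT_SNAPSHOT, APPROVED_CHANGES, NOW):
        print(to_syslog(event, NOW))
```

The approval records carry an expiry so that a change window approved once does not keep classifying the same drift as Planned forever: re-running the same report after the records have lapsed turns all four changes Unplanned, which is the behaviour you want when a baseline has not been re-harvested after an approved change.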
Yes, staying safe in this increasingly connected world is not an easy job. New, more sophisticated attack methods are used to access and harm our systems every day. That’s why developing and implementing different security solutions is a must, and this approach of setting up an optimal system and keeping track of changes is, let’s say it, a first-class solution for some environments.
As Benjamin Franklin said: “By failing to prepare, you are preparing to fail”, so better to be prepared.