NNT Change Tracker is a world class solution for evaluating the security posture of your infrastructure. Whether you adhere to frameworks such as the Center for Internet Security, NIST or even if you have a home baked version of how best to harden your environment, Change Tracker will assess and report on how your deployed assets measure up against the standard.
If, however you have ever wondered why in Change Tracker there is not a bright, possibly flashing button called “REMEDIATE NOW” then the following has always been NNT’s deliberations on why it’s best to allow specialized people, processes and software to undertake the remediation role.
- Not a one size fits all! This is the main consideration, a hardening configuration which fits one system, may not be suitable for others. One of the challenges of any hardening project is impact testing on the systems being hardened and, therefore, the applications which these systems support. Testing of a hardened build cannot be disregarded or its importance overstated. Ensuring the hardening has no effect on server functions and measuring to what level the systems will be locked down and ultimately therefore, usable is a key aspect to this type of project. To aid with hardening, NNT provides CIS build kits which are GPOs for Windows and scripts for Linux. During testing these build kits can be manipulated to match the level of hardening required and used within your preferred configuration tool to push out your chosen configuration standard. Note: Any change, even system hardening, should be run through a proper planned change process. Learn about Change Tracker Gen 7 R2’s “Change Manifest” planned change feature in this how-to guide.
- Organizational setup. There are multiple point solutions on the market that allow for configurations, software and patches to be pushed to an organization’s endpoints. Some, like Microsoft’s Active Directory are wholly integrated into the fabric of the environment. Most, like Puppet, Chef and Active Directory monitor their charges periodically to ensure that configuration settings stay initially implemented. Introducing another solution that has the capability to push out configuration settings would almost certainly cause conflict between the two solutions as they struggle to implement the settings that they deem to be correct.
- Lastly is the separation of duties, the distinction between the users of applications such as AD and Puppet and those of Change Tracker. The Change Tracker userbase is predominantly the security folks within an organization while configuration tools are driven by Operations. This presents an important separation of duties as those charged with the day to day task of keeping the lights on are not those evaluating the organization’s security stance. It is entirely possible that a system or systems which appear to be configured in a manner not in line with security best practice have been done so for operations reasons and so that flashing remediation button might not be the one to press!
To help combine security best practices and operations, NNT have developed a SecureOps (Secure Operations) approach to create an optimal security foundation with threat prevention, breach detection and intelligent change control technology. Download our SecureOps solution brief to learn more.
Share this post