Security Configuration Management – Don’t Fall for the Old Saw of Patch Management

Yesterday I attended a customer event for one of the larger IT security firms and one of our partners.  During one of the sessions, another partner gave a presentation on security configuration management that nearly drove me to a Kanye West “grab the microphone” moment.

The partner in question regaled the attendees with a story of automated configuration management that involved long intrusive scans, followed by analysis to identify problems, followed by the issuance of what are essentially patches to correct non-compliant machines.  This process seemed horribly cumbersome and certainly did not meet my definition of automated.  And the remediations for the detected problems were pulled from a list of pre-written remediations in a one-size-fits-all approach.

Worse of all, the process happened infrequently – monthly at best, perhaps quarterly or twice yearly.

The saw blades are a visual of configuration drift over time. The length of the saw teeth represents the amount of drift and the size of the gap between them represents the time between corrections.  If the height of each saw tooth indicates how much configuration drift you will experience with large gaps between configuration corrections, which do you think represents the most secure environment?  The bigger the teeth, the higher the organizational risk.  You want the hacksaw blade.

My negative reaction comes from knowing there is a better way to deliver security configuration management Triumfant will continuously scan for changes to endpoint machines and detect when the machine is in a non-compliant state.  Triumfant’s analytics will evaluate the changes to the machine, create a remediation for that problem, and return the machine to compliance.  Remediations are created on the fly to address specific detected problems on each machine.  The remediations are surgical, contextual, and situational.  The remediation is delivered to the machine and executed by the agent.  All of this can be set to a one-touch confirm from the administrative console or fully automated.  And we will open a touble ticket, populate the ticket, and close it to track the process.

The result – your organization starts every day in an audit ready state.  The maximum drift is 23 hours and 59 minutes.  Not a month, 3 months, or 6 months.  No need for heavy, obtrusive scans, no human intervention needed to write remediation scripts, no additional patching activity.

Folks, patching is a big part of the problem, so why would you get excited about any so-called solution that is essentially a patch management process?  Patching is hard and rarely done well.  Why do you think there is so large a time gap between correction cycles with this technique?  Take a hard look at many of the companies pushing configuration management – they often have their roots in patch management and that is how they address the problem.

Security configuration management effectively reduces the attack surface on each machine, but this is achieved only when the configurations are continuously enforced.  When you can detect and remediate problems every day, you create what we call persistent security readiness.  Don’t settle for old school techniques and large gaps between corrections because monthly or quarterly is not persistent.  There is a better way.