Security Configuration Management – Don’t Fall for the Old Saw of Patch Management

Yesterday I attended a customer event for one of the larger IT security firms and one of our partners.  During one of the sessions, another partner gave a presentation on security configuration management that nearly drove me to a Kanye West “grab the microphone” moment.

The partner in question regaled the attendees with a story of automated configuration management that involved long intrusive scans, followed by analysis to identify problems, followed by the issuance of what are essentially patches to correct non-compliant machines.  This process seemed horribly cumbersome and certainly did not meet my definition of automated.  And the remediations for the detected problems were pulled from a list of pre-written remediations in a one-size-fits-all approach.

Worst of all, the process happened infrequently – monthly at best, perhaps quarterly or twice yearly.

The saw blades are a visual of configuration drift over time. The length of the saw teeth represents the amount of drift, and the size of the gap between them represents the time between corrections.  The height of each saw tooth shows how much configuration drift you will experience when the gaps between configuration corrections are large, so which blade do you think represents the most secure environment?  The bigger the teeth, the higher the organizational risk.  You want the hacksaw blade.

My negative reaction comes from knowing there is a better way to deliver security configuration management.  Triumfant will continuously scan for changes to endpoint machines and detect when the machine is in a non-compliant state.  Triumfant’s analytics will evaluate the changes to the machine, create a remediation for that problem, and return the machine to compliance.  Remediations are created on the fly to address specific detected problems on each machine.  The remediations are surgical, contextual, and situational.  The remediation is delivered to the machine and executed by the agent.  All of this can be set to a one-touch confirm from the administrative console or fully automated.  And we will open a trouble ticket, populate the ticket, and close it to track the process.

The result – your organization starts every day in an audit ready state.  The maximum drift is 23 hours and 59 minutes.  Not a month, 3 months, or 6 months.  No need for heavy, obtrusive scans, no human intervention needed to write remediation scripts, no additional patching activity.

Folks, patching is a big part of the problem, so why would you get excited about any so-called solution that is essentially a patch management process?  Patching is hard and rarely done well.  Why do you think there is so large a time gap between correction cycles with this technique?  Take a hard look at many of the companies pushing configuration management – they often have their roots in patch management and that is how they address the problem.

Security configuration management effectively reduces the attack surface on each machine, but this is achieved only when the configurations are continuously enforced.  When you can detect and remediate problems every day, you create what we call persistent security readiness.  Don’t settle for old school techniques and large gaps between corrections because monthly or quarterly is not persistent.  There is a better way.

Triumfant to be Speaking at the 5th Annual NIST Security Automation Conference

I have the great privilege to have been asked to speak tomorrow at the NIST Security Automation Conference.  My presentation will address how the unique approach and technology behind our offering helps drive three critical shifts in the thinking behind endpoint security:

The move from manual to automated processes.   Triumfant represents a significant step forward in automating the detect-analyze-act cycle. Most if not all tools automate the detect activities, but as you move through analysis and ultimately action in the form of remediation, manual intervention by specialized security personnel is required.  Triumfant uses our Adaptive Reference Model to analyze events in the context of the broader endpoint population and group changes into broader events.  Most tools only see events in the context of the affected machine, and further analysis becomes a manual process.  Remediations are performed manually and require some form of script to be written by either a vendor or in-house security staff.   Triumfant builds a comprehensive remediation that fixes the malicious code and all the collateral damage of the attack.  This remediation is written automatically, and is applied to the affected machine without interaction from the user, without the need for rebooting, and without the need to re-image.   Only Triumfant can demonstrate the complete automation of the detect-analyze-act cycle.  And we haven’t even begun to discuss the ramifications in regards to costs saved by automating the remediation process.

The move from periodic to continuous activities.  Triumfant continuously scans and remediates, creating a state of what we call persistent security readiness.   The automated processes continuously enforce policies and configurations by monitoring the machines, using changes at the granular level to trigger analysis and determining the ultimate effect of those changes on each machine.  Triumfant then builds a remediation to return the machine to compliance.  The result is every machine, every day readiness.  We also use the SCAP vulnerability database to scan each machine for vulnerabilities and detail the patches required to eliminate those vulnerabilities.

The move from global to contextual requirements.  As stated, most endpoint protection tools view events in the context of the affected machine.   And they only see the malicious code and have no way to know the collateral damage from the attack.  They may address the malicious code, but leave all forms of collateral damage such as altered configuration settings, open ports and secondary payloads to name a few.  Only Triumfant provides the contextual information needed to fully remediate a machine under attack.  By monitoring over 200,000 elemental attributes for every machine, only Triumfant sees all of the damage to the machine and can build a remediation that is in complete context with the attack and the specific needs of the attacked machine.  Other tools may have pre-written remediations, but this is a one-size-fits-all approach that can leave a machine vulnerable.  And of course, this approach assumes prior knowledge of the attack while Triumfant requires no such knowledge. 

Because we fully automate the detect-analyze-act cycle, Triumfant addresses malicious attacks in less than five minutes from infection to remediation.  This includes targeted attacks and attacks for which there is no prior knowledge.  But we also continuously maintain the endpoints in a state of persistent security readiness, thereby reducing the attack surface for those machines and ensuring that all of the protections, not just Triumfant, are in place, properly configured and fully operational.

Needless to say I am excited about the opportunity to tell our story to such a group focused on automating security processes.  It is an exciting topic, and I have had the opportunity to speak to the really smart people at NIST and NSA who are driving some very progressive thinking on the subject.  Best of all, it is exciting to know that many of the capabilities thought to be critical by these smart people in regards to securing the endpoint already exist in our product today.

If you are at the show, please stop by our booth (312) and we will be happy to show you a demonstration of how all of this works and talk about how we can put these capabilities to work for your organization.

One CEO’s Not So Rosy Take on the Cyberspace Policy Review

The President’s Cyberspace Policy Review was issued on Friday, and I suppose I should get in the long line of CEOs from the IT security market and commend the study as “groundbreaking” or “impactful” or “a giant leap forward”.  I do believe the study was a first, albeit small, step in the right direction.  Defining the depth of the problem, calling for cooperation with the private sector, and creating a position responsible for the nation’s cyber security are all positive steps to be sure.  But after reading the report again I find myself very disappointed by what was released, as I saw very little in the report that showed tangible, immediate steps forward.

I therefore have to step out of that line and join the very small group that is not patting the back of the government for a job well done.  I have picked up on some indirect dissent in the market with some writers using terms like “…so far…” until they see more meat on the bones.   John Pescatore, the respected Gartner Analyst on IT security notes in his blog post on the subject that the review “recommends response over prevention” and adds that it is “basically a strategy for investing in more forest fire lookout towers vs reducing the likelihood and impact of wildfires”.    

As the CEO of a small IT Security company, perhaps my direct interaction with our customers and prospects provides me a better glimpse of what is going on in the real world in a less sanitized, more firsthand way than most.  Specifically I have seen the results of attempts to implement security policy in the federal space without well-defined enforcement.  In Triumfant’s role as a certified NIST SCAP vendor for FDCC Compliance, I have seen large agencies that not only do not adhere to FDCC Compliance mandates; they do not appear to have a plan in place to begin the process in the near term.  Numerous stories chronicle how agencies continue to miss the OMB deadlines, which I attribute to the fact that there is no enforcement or consequence of non-compliance.  I see organizations that have liberal personal use policies that allow their employees to fill endpoint machines that handle sensitive data with games and music sharing applications that have known vulnerabilities.  These vulnerabilities have already been traced as the source of the compromise of sensitive information about the President’s own helicopter and the nation’s most advanced strike fighter (which apparently has not yet been resolved).

I also found the Sputnik reference in the document to be quite disarming.  Lyndon Johnson’s declaration that he did not want to go to sleep by the light of a Russian Moon was against a threat that would take at least a decade to progress past the simplicity of the Sputnik launch and America was already well on its way toward launching its own satellite.  The Sputnik analogy disintegrates when you consider that it is generally accepted that cyber criminals from foreign lands have already infiltrated the power grid and other critical elements of the country’s infrastructure.  We are not ten years from losing command and control – the evidence shows that we already have.  The time to ramp up science and mathematical skills has already been ceded.  Real action is required, and those actions must have enforcement teeth to succeed.  More years of analysis and broad suggestions will only put us further behind.

I am also concerned that the White House is not looking past the larger companies in IT security for guidance on the way forward.  I have said it before – the solutions for many of the problems we face will not be found in the center of the exhibit hall at RSA, yet those were the companies visible at the announcement.  To be clear, I am in no way implying that these companies are in any way corrupt or lack a commitment to the United States.  But when change is a necessity, it is best not to look toward those who stand to benefit most from more of the same as agents of change.  It is obvious that many of the changes needed to take significant steps forward will potentially upset the status quo and may therefore be disruptive to the established revenue streams that these companies enjoy.

One does not have to look far for an example.  General Motors filed for bankruptcy protection yesterday on the heels of the earlier bankruptcy filings for Chrysler.  It was not that long ago that the government looked to GM and the other auto manufacturers for solutions to fossil fuel consumption.  But there was little incentive for these companies to innovate and upset the profitable ecosystem that they enjoyed, and they ceded that role to global automakers whose ultimate success has been a significant contributing factor to the demise of GM and the others.  I would also add that these automakers did not step up to fuel efficiency until the government added enforcement in the form of stiff corporate penalties if aggregate MPG ratings did not reach certain thresholds – again showing the need for teeth to drive progress. 

I have some other concerns about the review.  Why was the announcement pushed to a Friday of a short holiday week?  That hardly gives the impression that this is front and center in the administration’s priorities.  Why is the Cyber Czar position a less prominent position than promised during the campaign and less than those in the White House were hoping for?  When I combine these subtle signals with the lack of hard and tangible detail in the review, I am not feeling a sense of urgency, nor am I confident that we will move from rhetoric to action in the near term.

The evidence is all around us – the time for conversation is well past.  If this report is followed by tangible and concrete actions that result in real changes that have a sense of urgency and a structure of rigid enforcement with real consequences for noncompliance, then I will be the first to applaud.  But right now you can mark me down as underwhelmed and unimpressed by this first step.

Security Configuration Management – Plugging the Holes in Your Endpoint Security

This is the third entry in a series on how Triumfant helps plug gaps in your endpoint security defense-in-depth strategy.  In this entry I will address security configuration management – ensuring that the defensive software you have deployed is really deployed, properly configured, and in working order.

In my opening entry on this series I presented information about how many breaches do not come from some sophisticated malware or innovative attack vector, but rather as the result of missing or misconfigured software.  The source for such issues may be:

 – Deployment issues where software is simply not deployed, improperly deployed, or improperly configured. 

 – User ignorance in the form of altering configuration settings, turning off defensive software, or responding to social engineering.

 – A maliciously intended insider making changes to machines to either introduce malicious code or make the machine vulnerable to malicious code.

Security configuration management exists at the convergence of security and operations, combining elements of vulnerability assessment, automated remediation, and configuration compliance.  The end goal is to reduce risk by ensuring that systems are configured properly.

Triumfant is extremely effective at security configuration management, and can enforce multiple security policies simultaneously on endpoint populations or specific groups within that population.  By using its patented analytics, Triumfant can detect configuration settings that depart from the normal settings of like computers, providing indicators of misconfiguration even if there is not a specific policy for that particular setting.  When Triumfant detects non-compliance, it can synthesize a remediation and return the machine to compliance automatically.
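As an added illustration (not Triumfant’s code, and not from the original posts), the Python below sketches the every-computer, every-day cycle described in this paragraph and in the detect-analyze-act discussion of the NIST conference post: check each endpoint against a mandated policy, flag settings that depart from the norm of like machines even where no policy covers them, synthesize a per-machine remediation, and re-check.  The policy keys, hostnames and settings are constructed sample data.

```python
from collections import Counter

# Constructed policy: settings the organization mandates on every endpoint.
POLICY = {"firewall.enabled": "1", "av.realtime": "1", "autorun.disabled": "1"}

# Constructed daily snapshots of a small endpoint population (host -> settings).
SNAPSHOTS = {
    "ws01": {"firewall.enabled": "1", "av.realtime": "1", "autorun.disabled": "1",
             "smbv1.enabled": "0", "screensaver.timeout": "900"},
    "ws02": {"firewall.enabled": "0", "av.realtime": "1", "autorun.disabled": "1",
             "smbv1.enabled": "0", "screensaver.timeout": "900"},  # user turned firewall off
    "ws03": {"firewall.enabled": "1", "av.realtime": "1", "autorun.disabled": "1",
             "smbv1.enabled": "1", "screensaver.timeout": "900"},  # no policy, but unlike peers
    "ws04": {"firewall.enabled": "1", "av.realtime": "1", "autorun.disabled": "1",
             "smbv1.enabled": "0", "screensaver.timeout": "900"},
    "ws05": {"firewall.enabled": "1", "av.realtime": "0", "autorun.disabled": "1",
             "smbv1.enabled": "0", "screensaver.timeout": "900"},  # AV real-time scanning off
}


def policy_violations(settings, policy=POLICY):
    """Settings that depart from mandated policy: key -> (actual, expected)."""
    return {k: (settings.get(k), v) for k, v in policy.items() if settings.get(k) != v}


def population_norm(snapshots, min_agreement=0.75):
    """Reference model built from like machines: key -> majority value, kept only
    where at least min_agreement of the population shares that value."""
    norm = {}
    keys = {k for s in snapshots.values() for k in s}
    for k in keys:
        value, count = Counter(s.get(k) for s in snapshots.values()).most_common(1)[0]
        if count / len(snapshots) >= min_agreement:
            norm[k] = value
    return norm


def synthesize_remediation(settings, norm, policy=POLICY):
    """Per-machine remediation: 'set' actions for policy violations, plus 'review'
    indicators for settings that merely differ from the population norm."""
    actions = [("set", k, exp) for k, (_, exp) in policy_violations(settings, policy).items()]
    flagged = {a[1] for a in actions}
    for k, v in norm.items():
        if k not in flagged and settings.get(k) != v:
            actions.append(("review", k, v))
    return actions


def apply_remediation(settings, actions):
    """Simulate the agent executing only the 'set' actions; returns new settings."""
    fixed = dict(settings)
    for kind, k, v in actions:
        if kind == "set":
            fixed[k] = v
    return fixed


def daily_cycle(snapshots=SNAPSHOTS, policy=POLICY):
    """One detect-analyze-act pass over the population: host -> actions."""
    norm = population_norm(snapshots)
    return {h: synthesize_remediation(s, norm, policy) for h, s in snapshots.items()}
```

Running `daily_cycle()` over the sample population yields a firewall fix for ws02, an AV fix for ws05, and only a review indicator for ws03’s SMBv1 setting, since no policy covers it.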

As a result, businesses and government agencies can start every day knowing that every computer is compliant with organizational security policies and/or with mandated policies such as FDCC Compliance, FISMA, or PCI.  Defensive software is in place and executing properly, allowing it to do the job for which it was intended – to protect the machine.  Configuration settings at the operating system and application levels are set to organizational standards to maximize security and minimize risk.  And all of these tasks are executed on every computer every day, with minimal or even zero labor costs.  Our customers start every day audit ready and prepared to face the threats poised to attack any vulnerability.

This every computer, every day approach is unique to the industry and only possible because of Triumfant’s ability to detect unexpected changes and conditions on endpoint machines and automatically remediate the detected problems.  Think about how much time, money, and labor goes into endpoint security, only to have machines attacked because they are improperly configured, or the user simply turned off the antivirus agent because it slowed down the machine.  With Triumfant driving security configuration management, these vulnerabilities can be eliminated.

Best of all, if malicious code still evades all of this properly working and configured defensive software and finds its way to a machine, Triumfant will detect that attack and remediate the problem, with the same software used for security configuration management.  That is what I mean when I say we close all of the gaps in endpoint security.

FDCC Compliance – What is the “Or Else”?

We are fast approaching another “line in the sand” date for FDCC Compliance, but there is much to be done before we reach a state of mass adoption.  On March 31, agencies are required to submit to NIST and OMB a technical report about the status of their implementations. But like many other deadlines in the FDCC timeline, this will pass with a large number of agencies either in progress or still squarely at the starting line with their FDCC initiatives.

The problem is certainly not a technical one, as there are many validated tools that can help with the process. Triumfant was one of the first vendors to be a NIST SCAP validated FDCC scanning tool, and we remain one of a very few tools that can deliver automated misconfiguration remediation according to NIST. Enforcing the FDCC policies is a relatively simple task for our solution, as these policies touch a very small percentage of the 200K+ attributes that we scan on a daily basis. The policies are not inherently complex nor do the policies pose a significant technical challenge to enforce. In fact, they represent common endpoint security policies that we often see in security configuration management.

But there is something lacking that seems a bit more obvious to me – the “or else”. As a father of two teenage boys, I can assure you that I have a firm grasp of the “or else” component of successful policy enforcement.  So just what is the “or else” for those agencies that miss the deadline? The answer, or the lack of one, may be the real reason why many agencies will wave politely from the sideline as another deadline passes them by.