A Tangible Return – Remediating Misconfigurations
A refresher: what is a misconfiguration? Well, NIST defines it as: “A setting within a computer program that violates a configuration policy or that permits or causes unintended behavior that impacts the security posture of a system.”
What causes misconfigurations to be present in my network? There are two main reasons misconfigurations plague corporate networks: Human Error and Default Settings. A plethora of configuration-related security gaps are out-of-the-box default settings shipped by the vendor. Others are a product of human error, often configurations left behind in the void of the ever-changing corporate IT infrastructure.
So why is finding and remediating misconfigurations important to security teams? In late August, Microsoft released its Cyber Signals publication analyzing the ransomware threat landscape. The report states that 80% of successful ransomware attacks can be traced back to misconfigurations. Threat actors are leveraging these security gaps as attack vectors for exploits. For various reasons, organizations aren’t closing these gaps. Just like old configurations, they’re being overlooked as they relate to the threat landscape.
It’s no secret that finding and remediating misconfigurations is a strenuous process. Security teams spend hours identifying misconfigurations and attempting to remediate them without disrupting business functions.
That leads into another hurdle: what if the fix breaks something? What if it disrupts business continuity? This is a concern for security teams day in and day out. No one wants to be on the other end of the phone when a business leader calls saying their application stopped working. To mitigate these risks, security teams need the proper information to execute the remediation and give all parties peace of mind.
Until Gytpol, there has not been a tool that can identify, assess, and remediate (with zero impact) misconfigurations. Gytpol has the ability to solve all the issues above in minimal time.
Take PrintNightmare, for example (see link for CVE details). To sufficiently mitigate this risk, one must disable the print spooler on the endpoint/server. Right now, there are two ways to achieve this: 1. Apply a GPO disabling print spoolers. 2. Manually disable print spoolers. Both have caveats:
- Applying a GPO risks disrupting business functions, and administrators also don’t know whether the GPOs are actually applied throughout the targeted business unit.
- Manually mitigating this risk takes time – a lot of time.
For example, let’s use an organization with 500 endpoints (all of the following are approximations). Remoting into the endpoint: 5 minutes each. The process of determining whether the endpoint needs the spooler for business functions: 5 minutes each. Disabling the print spooler manually on the endpoint: 5 minutes each. With coordinating efforts and potential disruptions, we can estimate that it would take around 150 hours for a 500-endpoint organization to completely remediate PrintNightmare manually.
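The manual steps described above (check whether an endpoint needs the spooler, then disable it) can be scripted. The following PowerShell is an added example, not code from the original post or from Gytpol; the function names and the virtual-printer name filter are assumptions, and remote hosts need WinRM enabled.

```powershell
# Added example: audit the Print Spooler per endpoint before disabling it.
# The virtual-printer name list is an assumption; adjust it to your environment.
function Get-SpoolerUsage {
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    $virtual = 'Microsoft Print to PDF|Microsoft XPS Document Writer|^Fax$|OneNote'
    foreach ($name in $ComputerName) {
        $target = @{}
        if ($name -ne $env:COMPUTERNAME) { $target.ComputerName = $name }  # remote needs WinRM
        try {
            $svc = Get-CimInstance Win32_Service -Filter "Name='Spooler'" @target -ErrorAction Stop
        } catch {
            # Unreachable host: report it instead of silently skipping it
            [pscustomobject]@{ Computer = $name; State = 'Unreachable'; StartMode = $null
                               PrintQueues = $null; Shared = $null; Candidate = $false }
            continue
        }
        # Win32_Printer returns nothing when the spooler is stopped
        $queues = @(Get-CimInstance Win32_Printer @target -ErrorAction SilentlyContinue |
                    Where-Object { $_.Name -notmatch $virtual })
        [pscustomobject]@{
            Computer    = $name
            State       = $svc.State
            StartMode   = $svc.StartMode
            PrintQueues = $queues.Count
            Shared      = @($queues | Where-Object Shared).Count
            # Candidate: spooler is running but no physical or network queue uses it
            Candidate   = ($svc.State -eq 'Running' -and $queues.Count -eq 0)
        }
    }
}

function Disable-Spooler {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($row in Get-SpoolerUsage -ComputerName $ComputerName | Where-Object Candidate) {
        $target = @{}
        if ($row.Computer -ne $env:COMPUTERNAME) { $target.ComputerName = $row.Computer }
        if ($PSCmdlet.ShouldProcess($row.Computer, 'Stop and disable Print Spooler')) {
            $svc = Get-CimInstance Win32_Service -Filter "Name='Spooler'" @target
            $null = Invoke-CimMethod -InputObject $svc -MethodName ChangeStartMode -Arguments @{ StartMode = 'Disabled' }
            $null = Invoke-CimMethod -InputObject $svc -MethodName StopService
        }
    }
}

# Report first; rerun Disable-Spooler without -WhatIf once the report is reviewed
Get-SpoolerUsage | Format-Table -AutoSize
Disable-Spooler -ComputerName $env:COMPUTERNAME -WhatIf
```

Disabling the spooler also removes the virtual printers the filter ignores (for example Print to PDF), so confirm users do not rely on them before acting on a candidate.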
With Gytpol, mitigating PrintNightmare (with zero impact) on a 500-endpoint network takes 35 minutes: 5 minutes to make the selection in the console, and 30 minutes for the configuration changes to be pushed network-wide. Gytpol provides administrators with the information to ensure print spoolers won’t be turned off when needed by the business.
The time difference sheds light on the value: Gytpol provides security teams a tangible return on their investment. Finding and remediating these misconfigurations (in a matter of minutes) enables teams to easily close gaps and focus their time on other initiatives. PrintNightmare is only one example of the hundreds of indicators that Gytpol provides. Additionally, Gytpol has a function that enables users to auto-reapply the remediation function. The criteria set for the initial remediations can be repeated as new endpoints join the network…eliminating the overhead of addressing the misconfigurations again, and providing peace of mind to administrators.
Although configuration management and deployment have improved in recent years, until Gytpol, there has not been a tool in the marketplace that solely focuses on identifying the security gaps caused by these misconfigurations and remediating them.