Configuration. It seems obvious. We all have to do it when setting up and maintaining our environments. In fact, some would say it is the most fundamental building block required to ensure your platform works correctly and according to your organization’s needs. You might also think that performing configurations is not so complicated, and ask why it is relevant to security and to preventing cyber attacks on the endpoints of your organization. Before we answer this question, let’s get an understanding of your IT platform.
If your organization is based on a Microsoft environment (like over 80% of all organizations worldwide), then you are familiar with Domain Controllers, Active Directory and Group Policy Objects (GPO). Microsoft first released its NT Server in 1993. Today, the latest version is Windows Server 2019 (released in November 2018). The cloud-based product called Intune is currently in beta but soon to be formally launched.
Over the years, the product has evolved and grown in both features and complexity to satisfy the needs of organizations from small businesses to large global enterprises. Today, there are tens of thousands of configuration options available, which makes it impossible for any IT professional to be knowledgeable in all of them. Most IT professionals will turn to Google when they need to perform a configuration, and this is where the first set of problems begins.
Google and other search engines are a wonderful thing for the IT professional. Let’s say, for example, that I have received a directive from the CISO in my organization that SMB version 1 needs to be disabled on all endpoints due to the well-known vulnerability which hackers can exploit. I turn to Google and find out how to achieve this using a Group Policy setting. I make the configuration change and report back to the CISO that the corrective action has been performed. However, how can I validate that this configuration has been correctly applied to all endpoints in my organization? In this example, it is frequently found that an IT admin will not configure the GPO correctly (thanks to Google), and that a subset of the endpoints in the organization will still have SMB version 1 enabled, remaining vulnerable to hackers. Until this can be validated on every endpoint in the organization, both the CISO and the IT admin believe it has been applied correctly, and would be surprised if a successful cyber attack occurs because this weakness was exploited. An Endpoint Configuration Security (ECS) solution would be able to identify when configurations have not been applied properly and also alert when there are security vulnerabilities due to an incorrect configuration.
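The validation step the SMBv1 example calls for can be scripted rather than assumed. The PowerShell below is an added example and not code from the original article or from any ECS product: it queries each endpoint for the three places where the SMBv1 state is actually recorded (the `SMB1` value under the LanmanServer service parameters that a GPO registry preference writes, the live `EnableSMB1Protocol` setting reported by `Get-SmbServerConfiguration`, and the `SMB1Protocol` optional feature), then lists the hosts that are still non-compliant or could not be reached. It assumes PowerShell remoting is enabled and that you hold local administrator rights on the targets; the computer names are constructed sample values.

```powershell
# Added example (not from the original article): audit whether the "disable SMBv1"
# GPO actually took effect on each endpoint instead of trusting that it did.
# Assumes WinRM/PowerShell remoting is enabled and the caller is a local admin there.
$endpoints = @('WS-001', 'WS-002', 'SRV-FILE01')   # constructed sample host names

$check = {
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # 1) What a GPO registry preference would have written: SMB1 = 0 means disabled.
    #    A missing value means the policy never wrote it (the OS default then applies).
    $regValue = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1

    # 2) What the SMB server service reports right now. $false means disabled.
    $serverCfg = (Get-SmbServerConfiguration -ErrorAction SilentlyContinue).EnableSMB1Protocol

    # 3) Whether the SMB1 binaries are still installed at all (Windows 10 / Server 2016+).
    #    The protocol can be disabled while the feature stays installed; removing the
    #    feature is the stronger posture.
    $feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
                -ErrorAction SilentlyContinue).State

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        RegistryValue = $regValue
        ServerConfig  = $serverCfg
        Feature       = $feature
        # Conservative verdict: only count as disabled when the live server config
        # explicitly says so. A $null (cmdlet unavailable) is treated as "review".
        Smb1Disabled  = ($serverCfg -eq $false)
    }
}

# Hosts that are offline or refuse the connection simply do not appear in $report.
$report = Invoke-Command -ComputerName $endpoints -ScriptBlock $check `
          -ErrorAction SilentlyContinue

$report | Format-Table Computer, RegistryValue, ServerConfig, Feature, Smb1Disabled -AutoSize

# An unreachable endpoint is not a compliant endpoint; list it separately so the
# report to the CISO does not silently shrink the scope.
$unreachable = $endpoints | Where-Object { $_ -notin $report.Computer }
if ($unreachable) {
    Write-Warning ("Not validated (unreachable): " + ($unreachable -join ', '))
}

$report | Where-Object { -not $_.Smb1Disabled } |
    Export-Csv -Path .\smb1-noncompliant.csv -NoTypeInformation
```

Run it from an admin workstation against the same OU the GPO targets and compare the row count with the number of machines in that OU. A host where `RegistryValue` is `0` but `ServerConfig` is still `$true` has usually not rebooted or restarted the server service since the policy applied; a host where `RegistryValue` is empty never received the setting at all, which is the misapplied-GPO case the paragraph describes. On older systems that lack `Get-SmbServerConfiguration`, the registry value is the only signal and the script deliberately flags those for manual review rather than marking them compliant.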
Another cause of security misconfigurations is best practices not being applied correctly. Today, there are information security standards available, such as ISO 27001, NIST, etc., which guide the CISO and SecOps teams on the best practices to apply. These standards are extensive in scope, time-consuming to apply and prone to configuration errors. In addition to this, the IT security landscape is always changing. New cyber security discoveries are being identified, which result in new best practices being defined. Whilst the infosec standards act as a very good baseline for organizations to apply, they will always lag a bit behind the latest actions which should be taken. An Endpoint Configuration Security (ECS) solution will be able to provide compliance validation against the well-known standards, stay updated on the latest best practices, and alert when a configuration requires remediating as a result.