Are Configuration Changes Costing You Too Much Time?

A refresher: what is a misconfiguration? Well, NIST defines it as: “A setting within a computer program that violates a configuration policy or that permits or causes unintended behavior that impacts the security posture of a system.”

What causes misconfigurations to be present in my network? There are two main reasons misconfigurations plague corporate networks: Human Error and Default Settings. A plethora of configuration-related security gaps are out-of-the-box default settings by the vendor. Others – well they are a product of human error…many times configurations left behind in the void of the ever-changing corporate IT infrastructure.

Why does it matter?

In late August, Microsoft released its Cyber Signals publication analyzing the ransomware threat landscape. In this report, it states that 80% of successful ransomware attacks can be traced back to misconfigurations. (CITE) Threat actors are leveraging these security gaps as attack vectors for exploits.

For various reasons, organizations aren’t closing these gaps. Just like old configurations, they’re being glanced over as they relate to the threat landscape.

It’s no secret that finding and remediating misconfigurations is a strenuous process. Security teams spend hours identifying misconfigurations and attempting to remediate them without disrupting business functions.

Inevitably though, that leads to another hurdle...

What if the fix breaks something?

What if it disrupts business continuity? This is a concern for security teams day in and day out. No one wants to be a on the other end of the phone when a business leader calls saying their application stopped working.

For security teams to mitigate these risks, they need to be supplied with the proper information to execute the remediation to provide all parties with peace of mind.

Until GYTPOL, there has not been a tool that can identify, assess, and remediate misconfigurations with zero risk to the business. GYTPOL maps dependencies, making it possible to identify and push (according to group or risk) remediations with a single click and with no risk of disruption. In virtually no time.

Putting principle into practice

Let’s take PrintNightmare as an example (see link for CVE details). In order to sufficiently mitigate this risk, one must disable the print spooler on the endpoint/server. Right now, there are two ways to achieve this:

1. Apply a GPO disabling print spoolers
2. Manually disable print spoolers.

Both have caveats. Applying a GPO draws risk of disrupting business functions, and administrators also don’t know if the GPOs are actually applied throughout the targeted business unit. While manually mitigating this risk takes time. A lot of time.

For example, let’s use an organization with 500 endpoints (all of the following are approximations). Remoting into the endpoint: 5 minutes each. The process of determining whether the endpoint needs the spooler for business functions: 5 minutes each. Disabling the print spooler manually on the endpoint: 5 minutes each. With coordinating efforts and potential disruptions, we can estimate that it would take around 150 hours for a 500-endpoint organization to completely remediate PrintNightmare manually.

With GYTPOL, mitigating PrintNightmare on a 500-endpoint network takes no more than 35 minutes. 5 minutes to make the selection in the console, and 30 minutes for the configuration changes to be pushed network-wide. GYTPOL provides administrators with the information to ensure print spoolers won’t be turned off when needed by the business.

The upshot

The time difference sheds light on the value: GYTPOL provides security teams a tangible return on their investment. Finding and remediating these misconfigurations (in a matter of minutes) enables teams to easily close gaps and focus their time on other initiatives. PrintNightmare is only one of the many examples that GYTPOL covers.

Additionally, GYTPOL has a function that enables users to auto-reapply the remediation function. The criteria set for the initial remediations can be repeated as new endpoints join the network, eliminating the overhead of addressing the misconfigurations again, and providing peace of mind to administrators.

Although configuration management and deployment has improved in recent years, until recently, there has not been a tool in the marketplace that focuses on identifying the security gaps caused by these misconfigurations and remediating them. Thankfully, that's no longer the case.