SecureVue: Configuration Auditing

Any computer connected to the Internet is vulnerable to attacks that exploit flaws and vulnerabilities that were inadvertently distributed by operating and network system vendors. An important means of countering this threat is the use of secure configurations on your devices, based upon corporate policies and publicly available configuration benchmarks that describe in detail how systems and software should be configured. Configuration auditing monitors the steady state of configurations, detects changes to configurations and then compares the changes with required corporate configurations. With an integrated security and compliance management platform, configuration auditing enables this critical monitoring and control function to ensure that devices are not misconfigured, eliminating common attack vectors and reducing risk.

The Challenges of Configuration Auditing
Data security and IT compliance professionals seek solutions offering more timely and cost-effective detection and mitigation of security incidents and instances of noncompliance with regulations, standards and best practices (compliance gaps) than has been possible using the available security and compliance management solutions. The real challenge for these solutions has been one of TIMELINESS.

Consider, for example, a typical “low and slow” breach in which an attacker remains undetected once they have compromised an organization’s systems by progressing slowly with minimal activity to evade detection from existing defenses like IPS and device security. Timely detection of these “low and slow” attacks is elusive for security management solutions because it requires the real-time collection and correlation of multiple sources of data. Specifically, log, asset, configuration, vulnerability, performance and network flow data each contribute to identifying different aspects of an attack. The following table outlines some of the more typical steps attackers use in a “low and slow” attack and the data source that most effectively reveals the true intention of the attacker.

A Typical “Low and Slow” Attack

| Attack step | Attacker action | Action revealed in |
|---|---|---|
| 1. Probe | Runs port scans seeking targets with known vulnerabilities. | Log data |
| 2. ID entry point | Identifies a target system with a known vulnerability. | Log data |
| 3. Access | Brute-forces access to the system with multiple failed logins preceding the successful login. | Log data |
| 4. Admin privilege | Escalates to Admin/Root or creates a new account with Admin privilege. | Asset data |
| 5. Config change | Disables logging. | Configuration data |
| 6. Exploit vulnerability | Creates a buffer overflow that spikes performance by exploiting a vulnerability. | Vulnerability & Performance data |
| 7. Rogue app | Installs a back door to the system. | Asset data |
| 8. Data theft | Steals confidential data. | Flow data |

Thus, to meet the needs of security and compliance professionals, the primary challenge for configuration auditing is to be integrated into the collection and end-to-end correlation of data from multiple data sources. In the example above, configuration analysis reveals that logging has been disabled. This analysis, alongside the analysis of log, asset and other data, quickly pinpoints a breach followed by the installation of a rogue application, which also violates the corporate standard configuration – providing another clue that a breach has occurred. This level of data integration and correlation enables faster, more targeted and more efficient incident detection and mitigation.
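The end-to-end correlation this paragraph describes, as an added example that is not SecureVue's or eIQnetworks' code: a small correlator derives a brute-force event from raw authentication log lines, merges it with events already normalised by asset, configuration, vulnerability and flow collectors, and matches each host's events against the attack chain from the table above, accepting a stage only when it follows the previously matched one. The log lines, the other events, the event-kind names, the failure threshold and the alert threshold are all constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Attack chain from the page's table: (stage, data source that reveals it,
# event kind that source's analytics would emit). The kind names are assumptions.
CHAIN = [
    ("probe",          "log",           "port_scan"),
    ("id_entry_point", "log",           "vuln_probe"),
    ("access",         "log",           "brute_force_login"),
    ("admin_priv",     "asset",         "new_admin_account"),
    ("config_change",  "config",        "logging_disabled"),
    ("exploit",        "vulnerability", "overflow_perf_spike"),
    ("rogue_app",      "asset",         "unauthorized_software"),
    ("data_theft",     "flow",          "large_outbound_transfer"),
]

# Constructed auth log: "<epoch seconds> <host> sshd: <message>". Not real data.
AUTH_LOG = """\
1000 host-a sshd: Failed password for admin from 203.0.113.5
1010 host-a sshd: Failed password for admin from 203.0.113.5
1020 host-a sshd: Failed password for admin from 203.0.113.5
1030 host-a sshd: Failed password for admin from 203.0.113.5
1040 host-a sshd: Accepted password for admin from 203.0.113.5
1100 host-b sshd: Failed password for bob from 198.51.100.7
1200 host-b sshd: Accepted password for bob from 198.51.100.7
"""

# Constructed events from the other collectors: (ts, host, source, kind).
OTHER_EVENTS = [
    (900,  "host-a", "log",    "port_scan"),
    (1300, "host-a", "asset",  "new_admin_account"),
    (1500, "host-a", "config", "logging_disabled"),
    (1800, "host-a", "asset",  "unauthorized_software"),
    (2000, "host-a", "flow",   "large_outbound_transfer"),
    (1250, "host-b", "config", "logging_disabled"),
]

LINE_RE = re.compile(r"^(\d+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def brute_force_events(auth_log, min_failures=3, window=300):
    """Emit a brute_force_login event when a success follows at least
    min_failures failures for the same host/user/source within `window` seconds."""
    failures = defaultdict(list)
    events = []
    for line in auth_log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed lines are skipped, not guessed at
        ts, host, outcome, user, src = m.groups()
        ts = int(ts)
        key = (host, user, src)
        if outcome == "Failed":
            failures[key].append(ts)
            continue
        recent = [t for t in failures[key] if ts - t <= window]
        if len(recent) >= min_failures:
            events.append((ts, host, "log", "brute_force_login"))
        failures[key].clear()  # a success resets the counter either way
    return events


def correlate(events):
    """Per host, walk events in time order and match them against CHAIN,
    accepting a stage only if it comes after the last matched stage."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[1]].append(ev)
    matched = {}
    for host, evs in by_host.items():
        stages, next_idx = [], 0
        for ts, _, source, kind in sorted(evs):
            for j in range(next_idx, len(CHAIN)):
                if CHAIN[j][1] == source and CHAIN[j][2] == kind:
                    stages.append((CHAIN[j][0], ts))
                    next_idx = j + 1
                    break
        matched[host] = stages
    return matched


def assess(events, min_stages=3):
    """Alert when a host shows at least min_stages chain stages in order.
    A lone config_change (e.g. logging disabled) is still reported for follow-up."""
    report = {}
    for host, stages in correlate(events).items():
        names = [name for name, _ in stages]
        report[host] = {"stages": names, "alert": len(names) >= min_stages}
    return report


if __name__ == "__main__":
    for host, r in sorted(assess(brute_force_events(AUTH_LOG) + OTHER_EVENTS).items()):
        print(host, "ALERT" if r["alert"] else "ok", "->", " > ".join(r["stages"]))
```

On the constructed input, host-a matches six of the eight stages in order and raises an alert; host-b shows only the disabled-logging configuration change, which is reported but, by itself, does not reach the alert threshold. In-order matching is what makes the multi-source picture useful: the same disabled-logging event means far more when it follows a brute-forced login and a new admin account on the same host.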

In addition to integration with comprehensive end-to-end correlation, effective configuration auditing must support:

  • The definition of baseline configurations and configuration policies for your organization that will be used to monitor, compare, detect and alert when configuration changes occur.

  • Automatic collection and comparison of configuration data from any device, host, and config file on the network.

  • Making configuration changes to devices and nodes across the network as needed to ensure security and compliance.

  • Supporting forensics so configuration information and analysis can be utilized in incident response and subsequent investigations.

Configuration Auditing Using SecureVue
As with the other analytic components, configuration auditing helps SecureVue stand out from other SIM solutions because configuration data is one of several key data sources that SecureVue uses to analyze the security posture of your organization. The only truly integrated security and compliance management platform, SecureVue collects and correlates all important data: log, vulnerability, asset, configuration, performance and network flow data for the fastest possible security incident or compliance gap resolution.

Dropping down beneath the end-to-end correlation and taking a closer look at the configuration auditing capabilities of SecureVue reveals that it meets all the key challenges:

  • Baseline configurations can be set in SecureVue and then used to detect configuration changes that represent security and compliance issues or violate corporate or regulatory policies.

  • Data from any device, host and config file is collected and compared with baselines automatically, eliminating laborious and inefficient manual data collection, comparison and reporting.

  • New network hosts and devices are easily added to the system using SecureVue’s GUI-based Configuration Parser, a utility that eliminates the costly custom engineering that would otherwise be required to draw data from a non-standard config file.

  • Configuration policies are easily created using the Policy Manager. Configuration data is then monitored for policy violations and system administrators are alerted on their detection. For example, if a corporate policy does not allow browser add-ons to be installed, then a policy can be set up to notify a system administrator when the configuration assessment indicates an add-on has been installed. SecureVue automatically scans all configuration data to identify policy violations, so you don’t have to.

  • Rich in forensics features, SecureVue alerts you on a configuration change that violates configuration policy. You can then easily drill down into the host or device configuration data, review any differences, and quickly act on any unauthorized configuration changes such as the disabled logging in the example above. You can also instantly view the periodic changes in the config file of devices and hosts at any time to fit your schedule and needs.
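The baseline-and-policy workflow from both lists above (define a baseline, collect the current configuration, compare, check policies, keep the differences for drill-down), as an added example that is not SecureVue's own code. It audits an sshd_config-style host file: the baseline, the drifted current configuration and the policy rules are constructed for this example, and the rule format (allowed, forbidden, required) is an assumption rather than SecureVue's Policy Manager format.

```python
# Constructed baseline for an sshd_config-style host; not taken from any real system.
BASELINE = """\
# approved build, reviewed by security
Port 22
LogLevel INFO
SyslogFacility AUTH
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
"""

# Constructed current configuration as a collector would retrieve it after drift.
CURRENT = """\
Port 22
LogLevel QUIET
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
AllowTcpForwarding yes
"""

# Constructed policy rules: keys are compared case-insensitively.
POLICIES = [
    {"key": "loglevel", "forbidden": {"quiet"}, "reason": "logging must not be silenced"},
    {"key": "permitrootlogin", "allowed": {"no"}, "reason": "direct root login prohibited"},
    {"key": "passwordauthentication", "allowed": {"no"}, "reason": "key-based auth only"},
    {"key": "syslogfacility", "required": True, "reason": "audit logging must be configured"},
]


def parse_config(text):
    """Parse 'Key value' or 'key = value' lines into a dict.
    '#' comments and blank lines are ignored; keys are lower-cased."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line:
            key, value = line.split("=", 1)
        else:
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue  # a bare key with no value is not a setting we can compare
            key, value = parts
        cfg[key.strip().lower()] = value.strip()
    return cfg


def diff_configs(baseline, current):
    """Drift between baseline and current: added, removed and changed keys,
    keeping both values so an analyst can review the exact difference."""
    added = {k: current[k] for k in current if k not in baseline}
    removed = {k: baseline[k] for k in baseline if k not in current}
    changed = {k: (baseline[k], current[k])
               for k in baseline if k in current and baseline[k] != current[k]}
    return {"added": added, "removed": removed, "changed": changed}


def check_policies(cfg, policies):
    """Return (key, current value or None, reason) for every violated rule.
    A missing key violates only rules marked required."""
    violations = []
    for rule in policies:
        value = cfg.get(rule["key"])
        if value is None:
            if rule.get("required"):
                violations.append((rule["key"], None, rule["reason"]))
            continue
        v = value.lower()
        if "allowed" in rule and v not in rule["allowed"]:
            violations.append((rule["key"], value, rule["reason"]))
        elif "forbidden" in rule and v in rule["forbidden"]:
            violations.append((rule["key"], value, rule["reason"]))
    return violations


def audit(baseline_text, current_text, policies=POLICIES):
    """One audit pass: drift against baseline plus policy violations on the current state."""
    base, cur = parse_config(baseline_text), parse_config(current_text)
    drift = diff_configs(base, cur)
    violations = check_policies(cur, policies)
    drifted = any(drift[part] for part in ("added", "removed", "changed"))
    return {"drift": drift, "violations": violations, "alert": drifted or bool(violations)}


if __name__ == "__main__":
    result = audit(BASELINE, CURRENT)
    print("alert:", result["alert"])
    for part, entries in result["drift"].items():
        print(part, entries)
    for key, value, reason in result["violations"]:
        print(f"violation: {key}={value!r}: {reason}")
```

Drift and policy checks are reported separately on purpose: a change that stays within policy (such as an added forwarding option) is still worth a review, while a silenced log level or a removed syslog facility is the kind of change that the attack table above lists as step 5 and should be acted on immediately. Running the audit on a schedule and storing each result gives the periodic change history the last bullet describes.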

In the end, SecureVue meets and exceeds all these specific configuration auditing challenges. It exceeds them by being the only integrated security and configuration management platform delivering end-to-end correlation of all important data, including configuration data. As such, SecureVue is your best bet for detecting and mitigating the difficult-to-find “low and slow” network breaches as detailed above.

Discover why Network World wrote, “eIQnetworks has the broadest range of capabilities we have seen in one integrated product”. Download whitepapers, datasheets, case studies and more from the eIQ Resource Center today. When you are ready, don’t hesitate to test drive a free evaluation copy of SecureVue to see how it can simplify management, boost efficiency, and enable easy audit reporting.