"Human error creates the biggest [security] threat. Technicians can inadvertently misconfigure devices, opening up holes. We need to go back and validate configs." (DISA)
The increasing need for configuration drift monitoring
Modern networks contain hundreds of thousands of devices and potentially millions of endpoints, all of which need to maintain a secure configuration that matches both network policy and functional intent. Where configurations change over time – typically because internal network operators alter them – the resulting drift can open unintended security gaps.
Most of this activity is not malicious in intent, but it nevertheless produces potentially critical security and operational problems, largely through the unwitting interaction of configurable items such as routing changes and firewall rules. This is why monitoring configuration drift is now considered a key foundational component of establishing a defendable network and Zero Trust Architecture baselines.
Establishing a Zero Trust Architecture baseline
At the heart of zero trust lies the principle that no entity should be implicitly trusted on the basis of the application, device or location it appears to be using. Another key principle is to understand the estate and ensure every node in the network is configured correctly and has no security holes. As networks mature towards higher levels of zero trust implementation, continuous assessment is required to assure that the network remains secure, so that any inadvertent or deliberate misconfiguration is discovered quickly and the risk is remediated.
This requires a solution that can ensure devices in a protect surface are compliant with security policies and ZTA baselines, and continuously monitor for any change.
Mandated requirements for daily security assessment
Assessing the security status of the network is a skilled and time-consuming job. The combination of network scale and resource constraints – even when using best of breed, on-demand configuration assessment software like Nipper to automate the process – means that typically:
- perimeter-only defences are checked,
- only a sample of devices can be tested, and/or
- the cadence of testing reduces to once per quarter or year.
According to military and federal security risk management programs, sampling is insufficient to protect the networks. Continuous assessment must now be implemented for government agencies and their critical contractors:
- RMF for DoD and DHS CDM (both based on NIST SP 800-53) for the agencies, and
- CMMC and NIST SP 800-171 for their supply chains.
Raising the organization’s configuration security maturity level
Configuration drift is unavoidable, to some extent. The maturity of an organization’s approach to managing configuration drift typically depends on the maturity of the overall security program and ranges from:
- manual sampling,
- ad hoc auditing,
- continuous monitoring, to
- auto-remediation.
Establishing a security baseline and avoiding unplanned and unrecorded network changes is the first step in getting ahead of configuration drift. Organizations with a more mature approach to configuration security will have embedded a fast and efficient, ongoing process for identifying changes to network devices. Ultimately, the goal is not only to detect misconfigurations but also to auto-remediate them, closing security gaps as soon as possible after they appear.
Nipper Enterprise for continuous configuration drift monitoring
As sampling is known to leave misconfigurations and security gaps exposed, organizations are actively looking for technology that enables them to check the configuration of every firewall, switch and router – every day. Nipper Enterprise provides the technical capability to:
- Automate accurate daily assessments and raise security events when configurations do not meet security or compliance criteria,
- Prioritize the remediation of critical risks that persist in the network and expose the mission to unnecessary risk,
- Detect and monitor network security posture trends over time, including:
  - critical risk exposure arising from configuration drift,
  - mean time to remediate, and
  - compliance posture over time.
Equipped with Nipper Enterprise's analyses, cyber protection teams can develop remediation strategies and POA&Ms (plans of action and milestones) to close security gaps, prioritized according to the organization's appetite for risk.
How Nipper Enterprise enables configuration drift management
Nipper Enterprise is a web application using a set of containerised Nipper instances that can be scaled up to automate the assessment of the configuration of every network device, every day. It provides a risk-focused approach to misconfiguration detection and remediation that is accurate, timely, and scalable, delivering trusted, continuous monitoring and prioritized mitigation for 300,000 firewalls, switches and routers across the network, at a cadence of up to hourly.
Nipper Enterprise can connect directly to network devices to retrieve the configuration file, or ingest previously extracted configurations. Alternatively, it can use a configuration management database (CMDB) as its source and either audit the entire database or assess only the configurations that have changed since the last audit. The analysis that Nipper Enterprise performs is identical, regardless of the configuration source.
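To make the mechanism concrete, both for the baseline-and-change-identification process described under the maturity section above and for the "only configurations that have changed since the last audit" mode described here, the following is an added Python example. It is not Nipper Enterprise code and does not reproduce any product rule set: the hostnames, the IOS-style sample configurations and the four policy checks are all constructed for illustration. It records a canonical fingerprint per device, assesses only devices whose fingerprint has moved, and reports the line diff together with the policy findings that the drift introduced or resolved, most severe first.

```python
"""Configuration drift detection: baseline fingerprints, change-only
assessment, line diff and policy checks.

Added example, not Nipper Enterprise code. Hostnames, sample configs and
policy rules below are constructed for illustration only.
"""
import difflib
import hashlib
import re

# Constructed baseline configurations (Cisco IOS-style syntax), keyed by hostname.
BASELINE = {
    "edge-fw-01": (
        "hostname edge-fw-01\n"
        "no ip http server\n"
        "line vty 0 4\n"
        " transport input ssh\n"
        "ip access-list extended OUTSIDE-IN\n"
        " permit tcp any host 203.0.113.10 eq 443\n"
        " deny ip any any log\n"
    ),
    "core-sw-01": (
        "hostname core-sw-01\n"
        "no ip http server\n"
        "line vty 0 4\n"
        " transport input ssh\n"
        "snmp-server community s3cr3t-ro RO\n"
    ),
}

# Constructed "today" pull: edge-fw-01 has drifted; core-sw-01 has not, but was
# re-pulled with trailing whitespace, which must not register as drift.
CURRENT = {
    "edge-fw-01": (
        "hostname edge-fw-01\n"
        "ip http server\n"
        "line vty 0 4\n"
        " transport input telnet ssh\n"
        "ip access-list extended OUTSIDE-IN\n"
        " permit tcp any host 203.0.113.10 eq 443\n"
        " permit ip any any\n"
        " deny ip any any log\n"
    ),
    "core-sw-01": BASELINE["core-sw-01"].replace("\n", "  \n") + "\n",
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed policy checks, loosely modelled on common device hardening
# guidance: (finding id, severity, regex matched line-wise, description).
POLICY = [
    ("ACL-ANY-ANY", "critical", r"^[ \t]*permit ip any any[ \t]*$",
     "ACL entry permits all traffic"),
    ("TELNET-VTY", "critical", r"^[ \t]*transport input\b.*\btelnet\b",
     "Telnet accepted on VTY lines"),
    ("HTTP-MGMT", "high", r"^ip http server[ \t]*$",
     "cleartext HTTP management enabled"),
    ("SNMP-DEFAULT", "high", r"^snmp-server community (public|private)\b",
     "default SNMP community string"),
]


def fingerprint(config: str) -> str:
    """SHA-256 over a canonical form (trailing whitespace and blank lines
    dropped) so a re-pull of an unchanged device does not look like drift."""
    canon = "\n".join(l.rstrip() for l in config.splitlines() if l.strip())
    return hashlib.sha256(canon.encode()).hexdigest()


def changed_devices(baseline: dict, current: dict) -> list:
    """Hosts whose fingerprint differs from the recorded baseline. A host with
    no baseline at all is treated as changed so it gets assessed in full."""
    return sorted(h for h, cfg in current.items()
                  if fingerprint(cfg) != fingerprint(baseline.get(h, "")))


def config_diff(old: str, new: str) -> list:
    """Added and removed lines only (no context lines) for the drift report."""
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(),
                                lineterm="", n=0)
    return [l for l in diff
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


def policy_findings(config: str) -> set:
    """(id, severity, description) for every policy rule the config violates."""
    return {(fid, sev, desc) for fid, sev, pat, desc in POLICY
            if re.search(pat, config, re.M)}


def assess(baseline: dict, current: dict) -> dict:
    """Change-only assessment: for each drifted host, diff the config and
    report the findings the drift introduced or resolved, most severe first."""
    order = lambda f: (SEVERITY_RANK[f[1]], f[0])
    report = {}
    for host in changed_devices(baseline, current):
        old, new = baseline.get(host, ""), current[host]
        before, after = policy_findings(old), policy_findings(new)
        report[host] = {
            "diff": config_diff(old, new),
            "new_findings": sorted(after - before, key=order),
            "resolved_findings": sorted(before - after, key=order),
        }
    return report


if __name__ == "__main__":
    for host, r in assess(BASELINE, CURRENT).items():
        print(f"== {host}: {len(r['diff'])} changed lines")
        for fid, sev, desc in r["new_findings"]:
            print(f"  NEW {sev.upper():8} {fid}: {desc}")
        for line in r["diff"]:
            print("   ", line)
```

In a daily run the fingerprints returned by `fingerprint` are what would be persisted per device after each audit, so the next pull only re-assesses hosts whose fingerprint has moved. Reporting findings as a set difference against the previous assessment is what turns a static audit into a drift monitor: the `new_findings` list is exactly the set of risks that appeared since the last baseline, which is what a remediation queue should be prioritized on.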