Tenable Blog

Tenable Network Security Podcast Episode 149 - "Gene Kim Interview"

Taking Advantage of Configuration Auditing

Recently, I've been studying configuration management in an attempt to better understand its benefits and the role it plays in an IT organization. Over the past few years, I've spoken to many IT folks about this subject. The conversation often turns into a deep explanation of how their particular organization's IT department, and company as a whole, operates. I've found that configuration management closely relates to the core of an organization's operations, including security, operations, and development.

Let's explain the various terms. Configuration auditing is the process of defining known-good configurations for systems, periodically checking that systems are in the known-good state, and, if required, acting on the results to return a system to its known-good state. Compliance auditing is the very same process; however, the configuration settings are defined by a third-party standard (such as PCI DSS).
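The three steps just described (define a known-good state, check a system against it, act on the drift) map directly onto code. The following is an added example, not code from the original post or from Tenable; the SSH daemon baselines and the sample sshd_config snapshot are constructed for illustration, and the "third-party" baseline is a stand-in that does not reproduce the text of PCI DSS or any other real standard. It shows that compliance auditing reuses the same check; only the source of the baseline changes.

```python
"""Minimal configuration audit: define a known-good baseline, check a
host's actual settings against it, and list what must be changed to
return it to the known-good state.  Added example with constructed data."""

from dataclasses import dataclass
from typing import Optional

# Known-good baseline defined by the organization itself (constructed values).
ORG_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "Protocol": "2",
    "MaxAuthTries": "4",
}

# Same audit process, different source of truth: settings mandated by an
# external standard.  Constructed stand-in, NOT the text of any real standard.
THIRD_PARTY_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "LogLevel": "VERBOSE",
}

# Constructed sshd_config snapshot as it might be collected from a host.
# MaxAuthTries is commented out, so the daemon default applies.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (sample)
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
#MaxAuthTries 6
LogLevel INFO
"""


@dataclass(frozen=True)
class Finding:
    key: str
    expected: str
    actual: Optional[str]  # None: setting absent, daemon default in effect


def parse_sshd_config(text: str) -> dict:
    """Parse 'Keyword value' lines into a dict keyed by lower-cased keyword.

    Comment and blank lines are skipped.  As sshd does, the first occurrence
    of a keyword wins.  Only the whitespace-separated form is handled here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit(baseline: dict, actual: dict) -> list:
    """Compare collected settings with a baseline; return every deviation.

    A missing setting is reported as a finding too: relying on a daemon
    default is not the same as having the value defined as known-good.
    """
    findings = []
    for key, expected in baseline.items():
        observed = actual.get(key.lower())
        if observed != expected:
            findings.append(Finding(key, expected, observed))
    return findings


def remediation_lines(findings: list) -> list:
    """Config lines that would return the host to the known-good state."""
    return [f"{f.key} {f.expected}" for f in findings]


if __name__ == "__main__":
    collected = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for name, baseline in (("organization", ORG_BASELINE),
                           ("third-party", THIRD_PARTY_BASELINE)):
        drift = audit(baseline, collected)
        print(f"{name} baseline: {len(drift)} finding(s)")
        for f in drift:
            print(f"  {f.key}: expected {f.expected!r}, found {f.actual!r}")
        for line in remediation_lines(drift):
            print(f"  remediate -> {line}")
```

Run periodically (cron, a scheduler, or as a scanner policy), the `audit` step is the "periodically checking" part of the definition, and `remediation_lines` is the input to the "acting on the results" part; nothing here applies changes to the host, which keeps the audit itself read-only.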

In order to take advantage of configuration/compliance auditing, several policies, procedures, and even cultural factors come into play. To give our readers a better understanding of these different elements, I reached out to Gene Kim.

Gene has done extensive research to understand what separates "good" IT organizations from "great" ones. His book "Visible Ops Security: Achieving Common Security and IT Operations Objectives in 4 Practical Steps" goes in depth on how to address the people side of IT, including how to align security, operations, and development. Configuration auditing plays a huge role in this process. Find out more about Gene's book "The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win," coming out on January 15, and read his latest whitepaper, "The Top 11 Things You Need To Know About DevOps," to get more information on this topic.

"Trust but Verify"

I recently sat down with Gene and discussed good-to-great IT organizations, configuration auditing, and tips for successful security and operations processes.

I asked Gene what needs to be in place at the foundation of your IT organization to enable you to take advantage of configuration auditing. We agreed the major point is to embed security into the organization's daily operations. Making security part of the operations process has the added benefit of increasing your resources, because you are no longer fighting systems administrators.

Gene also underscored the importance of change control, that is, of defining the configuration before you start the rollout or coding process. The code and environments are built at the same time, including development, QA, and production. This greatly reduces the situation where a configuration change is needed to improve security but is impeded by developers who built code that won't work with the proposed change. Gene continued by saying, "People that continually make changes resulting in adverse effects are put into a role where they can no longer make changes." I believe there are many in security hearing that statement, nodding their heads in agreement, and likely already identifying similar situations in their own environment where configuration change should be restricted.

I also asked Gene to comment on the effectiveness of configuration management, as some lose sight of how it can contribute to preventing attacks. In response, Gene commented, "Configuration is the ultimate preventative control. Complexity is the enemy of security, and uniform configuration, even with security problems, is an easier problem to fix."

I wanted to highlight the importance of routers, switches, and virtualization, and how to make sure they're included in your processes. Gene suggested that you develop a repeatable way to deploy all systems such that you end up with something in production that you can trust, so that "tribal knowledge" exists for the device. In the end, you have to be confident that all systems deployed are in a known-trusted, risk-reduced state. From deploying firewalls to deploying software, development, operations, and security share a uniform process.

Conclusion and Listen to the Podcast

In summary, Gene highlighted the following ways in which IT organizations can take advantage of configuration auditing.

  • Embed security into your organization's daily operations
  • Define configurations before the rollout or coding process to reduce future configuration changes
  • Develop a repeatable way to deploy all systems so development, operations, and security share a uniform process
