Avoid Configuration Drift Through Effective Monitoring

Once your organization is secured, you’ll need to ensure that your environment doesn’t stray from its protected state. Configuration drift may be inevitable, but you can leverage best practices to minimize its consequences.

Why Does Configuration Drift Occur?

Whether by choice or chance, change happens in IT environments. Software updates are rolled out, ad hoc decisions are made, end users change settings, and new systems are introduced – often quickly, to meet deadlines. When these decisions are made in haste, security considerations can be incomplete or missing altogether.

Even if systems were secure to start with, once-hardened IT environments develop “gaps” over time. It’s not always easy to keep track of the changes that can lead to configuration drift. You’ll need a management tool that provides you with the big (and granular) picture, so your team can effectively monitor and remedy the situation.

Preventing Configuration Drift

The best way to deal with configuration drift is to stay on top of it. A well-managed cybersecurity program helps ensure that you maintain ongoing awareness and proof of secure configurations.

For example, you’ll want to consider tools and resources to:

  • Identify internal and external security requirements with the help of the CIS Controls, and document your progress toward meeting them
  • Assess whether systems are configured to comply with CIS Benchmarks configuration recommendations
  • Develop and tailor specific configurations within the CIS Benchmarks to meet your unique needs
  • Implement secure configurations and monitor them regularly for configuration drift

Resources for Monitoring and Correcting Configuration Drift

You’ll want to monitor configuration over time to ensure that your environment doesn’t stray from its hardened state. A quick view of your configurations in one place helps you do this effectively and efficiently. CIS-CAT Pro, a configuration assessment and reporting tool, can help.

Use CIS-CAT Pro Assessor to scan systems, then feed the assessment results into CIS-CAT Pro Dashboard. You can view a graphical representation of assessment results, comparison reports, a view of your hardening efforts over time, and more. If your overall conformance score drops below a previous score, you receive an alert.
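The comparison described above can be sketched as follows. This is an added example, not CIS-CAT Pro code or its report format: the rule names, the pass/fail dictionaries, and the compare() helper are assumptions made for illustration. It goes one step beyond the score-drop alert by also flagging individual pass-to-fail regressions, which an unchanged overall score can hide.

```python
from dataclasses import dataclass

# Constructed sample scans: rule names and results are made up for this
# example and do not follow any CIS-CAT Pro report format.
BASELINE = {"ssh-disable-root-login": "pass", "audit-log-retention": "pass",
            "password-min-length": "fail"}
CURRENT = {"ssh-disable-root-login": "fail",   # drifted since the baseline
           "audit-log-retention": "pass",
           "password-min-length": "pass",      # remediated
           "firewall-default-deny": "fail"}    # rule added after the baseline


def score(results):
    """Percentage of assessed rules that pass (0.0 for an empty scan)."""
    if not results:
        return 0.0
    passed = sum(1 for r in results.values() if r == "pass")
    return round(100.0 * passed / len(results), 1)


@dataclass
class DriftReport:
    regressed: list     # pass -> fail: settings that left the hardened state
    remediated: list    # fail -> pass
    unassessed: list    # present in the baseline, missing from this scan
    new_rules: list     # assessed now, absent from the baseline
    score_before: float
    score_after: float

    @property
    def alert(self):
        # Alert on a lower overall score, or on any regression it masks.
        return self.score_after < self.score_before or bool(self.regressed)


def compare(baseline, current):
    """Diff two scans of the same system, rule by rule."""
    shared = baseline.keys() & current.keys()
    return DriftReport(
        regressed=sorted(r for r in shared
                         if baseline[r] == "pass" and current[r] != "pass"),
        remediated=sorted(r for r in shared
                          if baseline[r] != "pass" and current[r] == "pass"),
        unassessed=sorted(baseline.keys() - current.keys()),
        new_rules=sorted(current.keys() - baseline.keys()),
        score_before=score(baseline),
        score_after=score(current),
    )
```

Rules listed as unassessed deserve the same attention as regressions, since a check that silently stops running looks identical to a check that still passes.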

CIS-CAT Pro Dashboard provides a holistic view of your environment’s conformance to the CIS Benchmarks. You can observe the evolution of the hardening of your target endpoints and quickly identify vulnerabilities. You’ll get both the big picture and the ability to dive down into the details.

Need to make a configuration change to your system? Use CIS WorkBench to tailor the configuration recommendations of the CIS Benchmarks to your organization’s specific needs. CIS Build Kits are group policy objects (GPOs) and Linux shell scripts you can use to push those configurations to your test and then production environments.

Put Policy into Practice

CIS SecureSuite Membership is based on the security best practices of the CIS Controls and CIS Benchmarks. Members have access to tools like the CIS Controls Self Assessment Tool (CSAT) and CIS-CAT Pro to effectively assess security compliance. Other benefits include the ability to customize configuration, technical support, and participation in a global community focused on creating confidence in the connected world.