Increases endpoint security with continuous compliance for all endpoints
New and increased governance, both internal and external to organisations, is forcing companies to invest a lot of time and money both implementing new security policies and proving compliance with existing policies. Some companies are still finding it difficult to implement some of the most fundamental IT security policies, such as:
- Maintain secure systems.
- Security patch management and security updates for major operating systems.
Even when the right security policies are in place, companies often find it difficult and time-consuming to provide evidence of compliance.
The IBM® BigFix (Endpoint Manager) Security Configuration & Vulnerability Management software provides the ability to assess and enforce security policies on all systems running the BigFix agent. It provides an out-of-the-box security patch management solution and default security configuration policies that can be applied to Windows, Unix, and Linux platforms to assist companies in maintaining secure systems. Compliance of systems with enforced security policies can also be monitored in real time through the reporting tools.
How does Security Configuration Management (SCM) work?
BigFix SCM works by providing industry standard checklists that security teams can use to define security parameters and configurations to suit corporate policy. The following example shows how to:
- Define a custom company security configuration policy
- Report compliance against the newly defined company security configuration policy
- Remediate non-compliant security policies
- Report after remediation against company security policy
Define a custom company security configuration policy
In this example the target endpoint is a Windows XP client. We are going to create a custom company policy containing the CAT 1 severities from the DISA STIG (Defense Information Systems Agency - Security Technical Implementation Guide) for Windows XP. In the following picture we have created a custom site, SCM-CAT1-DISA-STIG-XP, within the security domain and subscribed all Windows XP clients to this site. The relevant CAT 1 security fixlets have been copied into the site to make up our company standard.
Report on compliance to custom company security policy
Using the built-in SCM compliance reporting, we can create a report based specifically on our newly created custom company security policy. The following picture shows a list of available custom reports.
Selecting the report displays the current state of compliance to our new custom security configuration policy.
It can be seen from the above report that the Windows XP client is not compliant with the new custom security policy that we have created.
Remediate non-compliant security configuration settings
Using the built-in fixlets, we can take actions to correct the non-compliant security configurations. The following picture shows the action for correcting the non-compliance for the "Anonymous enumeration of SAM accounts and shares".
Non-compliance to security policies should be remediated through Group Policy or using a fixlet to modify local security policy.
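The assess, remediate and re-assess cycle above, shown for this one setting as an added PowerShell example; it is not BigFix fixlet content and not code from the original page. It assumes the setting corresponds to the `RestrictAnonymous` and `RestrictAnonymousSAM` values under the LSA registry key, and the function names are hypothetical.

```powershell
# Added example, not BigFix fixlet content. Run from an elevated prompt.
param([switch]$Remediate)

# Assumption: the policy is met when both LSA registry values equal 1.
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Required = @{
    RestrictAnonymous    = 1   # blocks anonymous enumeration of SAM accounts and shares
    RestrictAnonymousSAM = 1   # blocks anonymous enumeration of SAM accounts
}

function Get-AnonEnumCompliance {
    # One row per value: current data, required data, compliant or not.
    foreach ($name in $Required.Keys) {
        $item    = Get-ItemProperty -Path $LsaKey -Name $name -ErrorAction SilentlyContinue
        $current = if ($item) { $item.$name } else { $null }   # $null = value absent
        New-Object PSObject -Property @{
            Setting   = $name
            Current   = $current
            Required  = $Required[$name]
            Compliant = ($current -eq $Required[$name])
        } | Select-Object Setting, Current, Required, Compliant
    }
}

function Set-AnonEnumCompliance {
    # Writes only the values that are currently non-compliant.
    Get-AnonEnumCompliance | Where-Object { -not $_.Compliant } | ForEach-Object {
        Set-ItemProperty -Path $LsaKey -Name $_.Setting -Value $_.Required -Type DWord
    }
}

'Before remediation:'
Get-AnonEnumCompliance | Format-Table -AutoSize
if ($Remediate) {
    Set-AnonEnumCompliance
    'After remediation:'
    Get-AnonEnumCompliance | Format-Table -AutoSize
}
```

Where a domain Group Policy defines this setting, it overwrites the local value at the next policy refresh, so a non-compliant result that returns after remediation points at the GPO rather than the endpoint.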
Report on compliance after remediation
After all security settings have been remediated, we can run the custom security configuration report again to check our current state of compliance.
Maintaining secure systems and keeping security patching up to date on all IT systems should be the minimum requirements for a company's IT security policy. Using Tivoli Endpoint Manager SCM, company-wide security policies can be enforced and reported on in real time.