5 simple steps to attain baseline security
Baselining systems provides your business with a point of reference and allows you to recognise when something is out of place on a critical system. A baseline can be either static (configuration-based) or dynamic (activity-based), and can be used to alert the business to non-compliant, unauthorised and potentially malicious changes on systems that are likely to be targeted.
For a baseline security implementation to be reliable, you first need to establish practices for the ownership and classification of all data. With this foundation in place, you can be confident that the baseline will enforce the correct protections now and in the future.
Steps to create baseline security for your network:
- Identify and inventory all critical assets
List the components and systems used in your essential operations, those that process or hold sensitive data, and those subject to additional requirements such as legislative compliance. Remember to include any business continuity sites and equipment in this process: they are used during an actual IT disaster, so they must be suitable for production use.
- Perform static baselining of critical assets
Ensure your critical assets are hardened (locked down) using a predetermined secure configuration benchmark for each platform. This includes ensuring that the access control lists on folders and files grant the least privilege necessary and that only authorised people can access secure folders.
Next, enforce patching compliance for current software and firmware so that systems are built up to the set baseline. From this point forward, any new device or software added must adhere to the baseline before it is connected to the production network.
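A static baseline is only useful if you can test systems against it. The script below is an added example, not Intrix tooling: it declares a small secure-configuration baseline (maximum permitted mode bits and required owner for sensitive paths, plus minimum package versions) and reports every deviation in an observed snapshot. The paths, package names and versions are constructed for illustration; `snapshot_files` shows how a real snapshot would be collected on a POSIX host, while the check functions work on plain dictionaries so the example runs offline.

```python
"""Static baseline drift check: compare an observed system snapshot against a
declared secure configuration and report every deviation.

Added example, not Intrix's tooling. All paths, owners and package versions
below are constructed for illustration."""
import os
import stat
from dataclasses import dataclass, field


@dataclass
class FileRule:
    max_mode: int   # most permissive mode allowed (least privilege); extra bits are drift
    owner: str      # required owner


@dataclass
class Baseline:
    files: dict[str, FileRule] = field(default_factory=dict)
    # Minimum acceptable package versions as tuples so they compare numerically.
    min_versions: dict[str, tuple[int, ...]] = field(default_factory=dict)


def parse_version(text: str) -> tuple[int, ...]:
    """'3.0.13' -> (3, 0, 13); a component with no digits counts as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def check_files(baseline: Baseline, observed: dict[str, tuple[int, str]]) -> list[str]:
    """observed maps path -> (mode bits, owner). Returns one finding per deviation."""
    findings = []
    for path, rule in baseline.files.items():
        if path not in observed:
            findings.append(f"{path}: missing from snapshot")
            continue
        mode, owner = observed[path]
        extra = mode & ~rule.max_mode & 0o777      # permission bits beyond the baseline
        if extra:
            findings.append(f"{path}: mode {mode & 0o777:o} grants bits {extra:o} "
                            f"beyond baseline {rule.max_mode:o}")
        if owner != rule.owner:
            findings.append(f"{path}: owned by {owner}, baseline requires {rule.owner}")
    return findings


def check_packages(baseline: Baseline, installed: dict[str, str]) -> list[str]:
    """installed maps package name -> version string (as reported by the package manager)."""
    findings = []
    for name, minimum in baseline.min_versions.items():
        if name not in installed:
            findings.append(f"{name}: not installed")
        elif parse_version(installed[name]) < minimum:
            wanted = ".".join(map(str, minimum))
            findings.append(f"{name}: {installed[name]} is below baseline {wanted}")
    return findings


def snapshot_files(paths):
    """Collect (mode, owner) for real paths on a POSIX host (not used by the constructed example)."""
    import pwd
    out = {}
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            continue
        out[p] = (stat.S_IMODE(st.st_mode), pwd.getpwuid(st.st_uid).pw_name)
    return out


# Constructed baseline and snapshot (hypothetical paths and versions).
BASELINE = Baseline(
    files={
        "/etc/app/secrets.conf": FileRule(max_mode=0o600, owner="root"),
        "/srv/reports": FileRule(max_mode=0o750, owner="reports"),
    },
    min_versions={"openssl": (3, 0, 13), "kernel": (6, 1, 0)},
)
OBSERVED_FILES = {
    "/etc/app/secrets.conf": (0o644, "root"),   # world-readable: drift from 600
    "/srv/reports": (0o750, "reports"),          # compliant
}
INSTALLED = {"openssl": "3.0.9", "kernel": "6.1.55"}  # openssl is below the baseline


def drift_report() -> list[str]:
    """All findings for the constructed snapshot (two expected: the mode and the openssl version)."""
    return check_files(BASELINE, OBSERVED_FILES) + check_packages(BASELINE, INSTALLED)


if __name__ == "__main__":
    for line in drift_report():
        print("DRIFT:", line)
```

Run against a real host by replacing `OBSERVED_FILES` with `snapshot_files(BASELINE.files)` and `INSTALLED` with the output of your package manager; a non-empty report is the trigger for the "machine not meeting the minimum patching levels" alert described in step 4.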
- Perform dynamic baselining of critical assets
Define business-as-usual activities, including regular authorised access, typical daily activities, regular CPU-intensive reports and cyclical peaks. End-of-month, end-of-quarter and end-of-year reporting may exceed the norms, so you will need to decide whether to incorporate these into your baseline or to create activity-specific baselines for these infrequent activities.
- Incorporate a process to receive alerts that may indicate malicious compromise
You need a process that alerts technical staff and business owners when events do not conform to your baseline, so that security events do not go unnoticed. Alerts may be sent by email or SMS, or may raise a ticket in your incident management system. Configure alerts in your:
- network intrusion detection system,
- firewall,
- audit log monitoring, and
- security information and event management tool.
Examples of the types of alerts to create:
- an excessive number of failed logins for a server or router,
- a machine not meeting the minimum patching levels,
- too many concurrent logins under an administrative or privileged ID,
- unexplained higher than normal CPU usage or unusual network activity.
As your processes mature, you can add alerts on changes made by an authorised user and on deviation from a previously established compliant state.
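The following script is an added example (not Intrix tooling) that ties step 3 to step 4: it builds a dynamic CPU baseline from historical business-as-usual samples, keeps a separate activity-specific baseline for the month-end reporting window, and then evaluates a batch of constructed log lines for three of the alert types listed above: excessive failed logins on a server or router, too many concurrent sessions under a privileged ID, and CPU usage outside the applicable baseline. The log format, host names, thresholds, the `admin`/`root` privileged IDs and the rule that days 28 and later are "month-end" are all assumptions made for the example.

```python
"""Dynamic baselining and alerting over constructed log lines.

Added example, not Intrix's tooling. The log format, hosts, thresholds and the
month-end activity period are assumptions for illustration."""
import re
import statistics
from collections import Counter, defaultdict

# Constructed format: "<timestamp> <host> <event> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

FAILED_LOGIN_THRESHOLD = 3     # alert once a host exceeds this many failures (assumed)
MAX_PRIVILEGED_SESSIONS = 2    # concurrent sessions allowed per privileged ID (assumed)
PRIVILEGED_IDS = {"admin", "root"}
SIGMA = 3.0                    # CPU alert above mean + 3 standard deviations

HISTORY = {  # constructed BAU CPU samples (%) per host and activity period
    ("srv-db01", "normal"): [20, 22, 25, 23, 21, 24, 22, 26, 23, 24],
    ("srv-db01", "month_end"): [60, 65, 70, 62, 68, 66, 64, 63, 67, 65],
}

LOG_LINES = """\
2024-06-12T09:00:01 srv-db01 auth.fail user=svc_backup src=10.0.0.5
2024-06-12T09:00:02 srv-db01 auth.fail user=svc_backup src=10.0.0.5
2024-06-12T09:00:03 srv-db01 auth.fail user=svc_backup src=10.0.0.5
2024-06-12T09:00:04 srv-db01 auth.fail user=svc_backup src=10.0.0.5
2024-06-12T09:10:00 rtr-edge01 auth.fail user=admin src=10.0.0.9
2024-06-12T10:00:00 srv-db01 session.open user=admin src=10.0.0.7
2024-06-12T10:00:05 srv-db01 session.open user=admin src=10.0.0.8
2024-06-12T10:00:09 srv-db01 session.open user=admin src=10.0.0.9
2024-06-12T10:05:00 srv-db01 session.close user=admin src=10.0.0.7
2024-06-12T11:00:00 srv-db01 cpu.sample pct=45
2024-06-28T11:00:00 srv-db01 cpu.sample pct=70
2024-06-28T11:05:00 srv-db01 cpu.sample pct=80
"""


def period_for(ts: str) -> str:
    """Activity period for a timestamp; days 28+ are month-end reporting (assumed)."""
    return "month_end" if int(ts[8:10]) >= 28 else "normal"


def build_cpu_baselines(history):
    """(host, period) -> (mean, sample standard deviation) from historical samples."""
    return {key: (statistics.mean(v), statistics.stdev(v)) for key, v in history.items()}


def parse_line(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(KV_RE.findall(rec.pop("rest")))
    return rec


def evaluate(lines, baselines) -> list[str]:
    alerts = []
    failures = Counter()                 # host -> failed logins seen
    open_sessions = defaultdict(set)     # (host, user) -> sources with an open session
    flagged = set()                      # (host, user) already alerted on
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, host, event = rec["ts"], rec["host"], rec["event"]
        if event == "auth.fail":
            failures[host] += 1
            if failures[host] == FAILED_LOGIN_THRESHOLD + 1:   # fire once per host
                alerts.append(f"{ts} {host}: more than {FAILED_LOGIN_THRESHOLD} failed logins")
        elif event == "session.open" and rec.get("user") in PRIVILEGED_IDS:
            key = (host, rec["user"])
            open_sessions[key].add(rec.get("src"))
            if len(open_sessions[key]) > MAX_PRIVILEGED_SESSIONS and key not in flagged:
                flagged.add(key)
                alerts.append(f"{ts} {host}: {len(open_sessions[key])} concurrent "
                              f"sessions for privileged ID {rec['user']}")
        elif event == "session.close":
            open_sessions[(host, rec.get("user"))].discard(rec.get("src"))
        elif event == "cpu.sample":
            key = (host, period_for(ts))
            if key not in baselines:
                alerts.append(f"{ts} {host}: no CPU baseline for period {key[1]}")
                continue
            mean, sd = baselines[key]
            pct = float(rec["pct"])
            if pct > mean + SIGMA * sd:
                alerts.append(f"{ts} {host}: CPU {pct:.0f}% exceeds {key[1]} baseline "
                              f"{mean:.1f}% + {SIGMA:.0f} sigma ({mean + SIGMA * sd:.1f}%)")
    return alerts


def alerts_for_sample() -> list[str]:
    """Alerts for the constructed log batch (four expected)."""
    return evaluate(LOG_LINES.splitlines(), build_cpu_baselines(HISTORY))


if __name__ == "__main__":
    for a in alerts_for_sample():
        print("ALERT:", a)
```

Note the two month-end samples: 70% is within the activity-specific baseline and produces no alert, even though it would under the normal-day baseline, while 80% still does. That is the trade-off the text describes when deciding whether to fold cyclical peaks into the main baseline or give them their own.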
- Establish a process to recover to a previously good and secure state quickly
Take steps to ensure that your business can quickly remediate issues and provide a secure operating platform without delay. Routine and approved activity can cause critical assets to lose compliance with your static baselines over time; in that case, modify your procedures so it does not happen again. You may need to perform forensic analysis to understand an incident fully. Document what happened; blaming individuals for what they did or did not do is somewhat academic. Consider the big picture and place emphasis on learning and improving as an organisation. Questions to ask as part of the recovery process:
- What was the potential worst-case impact?
- How did the changes impact the organisation’s security posture?
- What risks were we exposed to as a result?
- What can the business do to avoid a repeat?
Certainly, there is a good deal of work required and some challenges to face when implementing baseline security and the associated practices. You should expect impediments, and see them as hurdles to clear rather than immobilising obstructions. The upside is that, once established, baseline security processes provide genuine benefits. With baseline security in place, you can:
- easily enforce your business security standards,
- better focus your limited security resources,
- easily quantify and more accurately forecast security expenditure.
Provided you have a proper implementation, your overall costs associated with security compliance will be reduced in the long term, enhancing the ongoing viability of the organisation. Get in touch with Intrix Cyber Security for products and solutions to assist your business in obtaining comprehensive cyber security.