
An A-B-C Approach to Improving Security Compliance

Level 11

By Paul Parker, SolarWinds Federal & National Government Chief Technologist

Security is always an important topic with our government customers. Here's an applicable article from my colleague, Joe Kim, in which he offers some tips on compliance.

Ensuring that an agency complies with all of the various standards can be a job in itself. The best strategy is to attack the challenge on three fronts. First, proactively and continuously monitor and assess network configurations to help ensure that they remain in compliance with government standards. Second, be able to report on the agency's compliance status at any given time. And third, beef up the network with rock-solid security and be prepared to quickly remediate potential issues as they arise.

Automate network configurations

One of the things agencies should do to remain in compliance with the Risk Management Framework (RMF), DISA Security Technical Implementation Guides (STIGs), and FISMA is monitor and manage their network configuration status. Automating network configuration management processes makes it much easier to comply with these mandates. Device configurations should be backed up and restored automatically, and alerts should be set up to notify administrators whenever an unauthorized change occurs.
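The following is an added illustration of the backup, compare and alert loop described above; it is not code from the article or from SolarWinds NCM. It assumes (all constructed for the example) that device configs are plain text, that the last approved backup serves as the baseline, and that approved changes are recorded as hypothetical change tickets listing the exact lines authorized for a device. Any other difference is classified as unauthorized drift, which should alert administrators and trigger a restore of the baseline; a fully ticketed change instead promotes the running config to the new baseline.

```python
"""Configuration drift check for a network device (added example, not NCM code)."""
import difflib
import hashlib
from dataclasses import dataclass, field

# Constructed sample: the last approved backup of the device.
BASELINE = """\
hostname rtr-edge-01
logging host 10.0.0.50
ntp server 10.0.0.10
line vty 0 4
 transport input ssh
 exec-timeout 10 0
"""

# Constructed sample: the config pulled from the device on the next scheduled check.
# The NTP change was covered by a ticket; enabling telnet on the VTY lines was not.
RUNNING = """\
hostname rtr-edge-01
logging host 10.0.0.50
ntp server 10.0.0.11
line vty 0 4
 transport input ssh telnet
 exec-timeout 10 0
"""


@dataclass
class ChangeTicket:
    """Hypothetical change record: the exact lines a ticket authorizes on a device."""
    ticket_id: str
    device: str
    added: set = field(default_factory=set)
    removed: set = field(default_factory=set)


# Constructed sample: one approved ticket for the NTP server swap.
TICKETS = [
    ChangeTicket("CHG-0042", "rtr-edge-01",
                 added={"ntp server 10.0.0.11"}, removed={"ntp server 10.0.0.10"})
]


def fingerprint(config: str) -> str:
    """SHA-256 of the config text; a cheap first test for 'did anything change?'."""
    return hashlib.sha256(config.encode("utf-8")).hexdigest()


def config_delta(baseline: str, running: str):
    """Return (added_lines, removed_lines) between the baseline and running config."""
    added, removed = set(), set()
    diff = difflib.unified_diff(baseline.splitlines(), running.splitlines(),
                                lineterm="", n=0)
    for line in diff:
        # Skip file headers and hunk markers; keep only the changed lines.
        if line.startswith(("---", "+++", "@@")):
            continue
        if line.startswith("+"):
            added.add(line[1:])
        elif line.startswith("-"):
            removed.add(line[1:])
    return added, removed


def assess_drift(device: str, baseline: str, running: str, tickets):
    """Classify each changed line as authorized (covered by a ticket) or not."""
    result = {"device": device, "drifted": False, "action": "none",
              "unauthorized_added": set(), "unauthorized_removed": set()}
    if fingerprint(baseline) == fingerprint(running):
        return result
    result["drifted"] = True
    approved_added, approved_removed = set(), set()
    for t in tickets:
        if t.device == device:
            approved_added |= t.added
            approved_removed |= t.removed
    added, removed = config_delta(baseline, running)
    result["unauthorized_added"] = added - approved_added
    result["unauthorized_removed"] = removed - approved_removed
    if result["unauthorized_added"] or result["unauthorized_removed"]:
        # Unapproved drift: alert the admins and push the approved baseline back.
        result["action"] = "alert_and_restore_baseline"
    else:
        # Every change is covered by a ticket: the running config becomes the baseline.
        result["action"] = "promote_running_to_baseline"
    return result


if __name__ == "__main__":
    print(assess_drift("rtr-edge-01", BASELINE, RUNNING, TICKETS))
```

Comparing whole lines keeps the check simple and auditable; the trade-off is that a reordered but otherwise identical config shows up as drift, which is usually what you want for a compliance baseline.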

Be on top of reporting

Maintaining compliance involves a great deal of tracking and reporting. For example, one of the steps in the RMF focuses on monitoring the security state of the system and continually tracking changes that may impact security controls. Likewise, FISMA calls for extensive documentation and reporting at regular intervals, along with occasional onsite audits. Thus, it is important that agencies have easily consumable and verifiable information at the ready.

The reporting process should incorporate industry standards that document virtually every phase of network management that could impact an agency’s good standing. These reports should include details on configuration changes, policy compliance, security, and more. They should be easily readable, shareable, and exportable, and include all relevant details to show that an agency remains in compliance with government standards.
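As an added example of the kind of readable, exportable compliance report described above (not code from the article, SolarWinds or DLT), the script below checks device configs against a small hypothetical rule set modelled on STIG-style checks (the rule IDs and wording are constructed, not real STIG IDs). Each rule is a pattern the config must contain and/or must not contain; the result is a summary plus per-device findings that can be exported as CSV for an auditor.

```python
"""Config compliance report (added example; rules and configs are constructed)."""
import csv
import io
import re

# Hypothetical rule set; a real baseline would map each entry to a STIG ID.
RULES = [
    {"id": "NET-001", "title": "VTY access limited to SSH",
     "forbid": r"^\s*transport input\b.*\btelnet\b"},
    {"id": "NET-002", "title": "Central syslog host configured",
     "require": r"^logging host \S+"},
    {"id": "NET-003", "title": "NTP source configured",
     "require": r"^ntp server \S+"},
    {"id": "NET-004", "title": "Non-zero VTY idle timeout",
     "require": r"^\s*exec-timeout [1-9]\d* \d+",
     "forbid": r"^\s*exec-timeout 0 0"},
]

# Constructed sample configs for two devices.
CONFIGS = {
    "rtr-edge-01": """\
hostname rtr-edge-01
logging host 10.0.0.50
ntp server 10.0.0.10
line vty 0 4
 transport input ssh
 exec-timeout 10 0
""",
    "sw-floor-03": """\
hostname sw-floor-03
ntp server 10.0.0.10
line vty 0 4
 transport input ssh telnet
 exec-timeout 0 0
""",
}


def _matches(pattern: str, config: str) -> bool:
    return re.search(pattern, config, flags=re.MULTILINE) is not None


def evaluate_device(name: str, config: str):
    """Return one finding per rule with a PASS/FAIL status and a short reason."""
    findings = []
    for rule in RULES:
        missing = "require" in rule and not _matches(rule["require"], config)
        present = "forbid" in rule and _matches(rule["forbid"], config)
        if missing:
            status, detail = "FAIL", "required setting not found"
        elif present:
            status, detail = "FAIL", "forbidden setting present"
        else:
            status, detail = "PASS", ""
        findings.append({"device": name, "rule": rule["id"], "title": rule["title"],
                         "status": status, "detail": detail})
    return findings


def build_report(configs):
    """Summary counts, the list of failing devices, and every finding."""
    findings = [f for name, cfg in sorted(configs.items())
                for f in evaluate_device(name, cfg)]
    passed = sum(1 for f in findings if f["status"] == "PASS")
    return {
        "summary": {"checks": len(findings), "passed": passed,
                    "compliance_pct": round(100 * passed / len(findings), 1)},
        "failing_devices": sorted({f["device"] for f in findings if f["status"] == "FAIL"}),
        "findings": findings,
    }


def to_csv(report) -> str:
    """Export the findings as CSV text, the shareable form an auditor asks for."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["device", "rule", "title", "status", "detail"])
    writer.writeheader()
    writer.writerows(report["findings"])
    return buf.getvalue()


if __name__ == "__main__":
    report = build_report(CONFIGS)
    print(report["summary"], report["failing_devices"])
    print(to_csv(report))
```

Keeping the rule definitions as data rather than code is what makes the report verifiable: an auditor can read the rule, the pattern and the finding side by side, and the same rule file can be re-run on the next backup to show the trend.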

Catch suspicious activity and automate patches

Agency IT administrators should also deploy security information and event management (SIEM) to strengthen their security posture. Like a watchdog, a SIEM watches for suspicious activity and raises an alert when a potentially malicious threat is detected. It can also respond to the threat automatically in an appropriate manner, whether by blocking an IP address or a specific user, or by stopping services. Because remediation happens in real time, potential hazards can be contained before they inflict damage.
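To make the watchdog-and-response behaviour concrete, here is an added example (not SolarWinds SEM code or anything from the article) of a SIEM-style correlation rule run over constructed sshd log lines: a threshold of failed logins from one source inside a sliding window raises an alert, a successful login right after such a burst escalates it, and the response policy is chosen by where the source sits. The assumed policy blocks external sources at the edge but only escalates internal ones to an analyst, because auto-blocking an internal address can take a legitimate system offline.

```python
"""Brute-force detection with an automated response decision (added example)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines; the addresses come from documentation ranges.
LOG_LINES = [
    "2024-03-05T10:00:01Z bastion sshd[1200]: Failed password for invalid user admin from 203.0.113.7 port 4410 ssh2",
    "2024-03-05T10:00:04Z bastion sshd[1201]: Failed password for root from 203.0.113.7 port 4411 ssh2",
    "2024-03-05T10:00:09Z bastion sshd[1202]: Failed password for invalid user test from 203.0.113.7 port 4412 ssh2",
    "2024-03-05T10:00:15Z bastion sshd[1203]: Failed password for root from 203.0.113.7 port 4413 ssh2",
    "2024-03-05T10:00:20Z bastion sshd[1204]: Failed password for root from 203.0.113.7 port 4414 ssh2",
    "2024-03-05T10:01:00Z bastion sshd[1205]: Failed password for jsmith from 10.20.0.5 port 50101 ssh2",
    "2024-03-05T10:01:10Z bastion sshd[1206]: Failed password for jsmith from 10.20.0.5 port 50102 ssh2",
    "2024-03-05T10:01:20Z bastion sshd[1207]: Failed password for jsmith from 10.20.0.5 port 50103 ssh2",
    "2024-03-05T10:01:30Z bastion sshd[1208]: Failed password for jsmith from 10.20.0.5 port 50104 ssh2",
    "2024-03-05T10:01:40Z bastion sshd[1209]: Failed password for jsmith from 10.20.0.5 port 50105 ssh2",
    "2024-03-05T10:01:55Z bastion sshd[1210]: Accepted password for jsmith from 10.20.0.5 port 50106 ssh2",
    "2024-03-05T10:05:00Z bastion sshd[1300]: Failed password for root from 198.51.100.9 port 6001 ssh2",
    "2024-03-05T10:09:00Z bastion sshd[1301]: Failed password for root from 198.51.100.9 port 6002 ssh2",
    "2024-03-05T10:13:00Z bastion sshd[1302]: Failed password for root from 198.51.100.9 port 6003 ssh2",
    "2024-03-05T10:17:00Z bastion sshd[1303]: Failed password for root from 198.51.100.9 port 6004 ssh2",
    "2024-03-05T10:21:00Z bastion sshd[1304]: Failed password for root from 198.51.100.9 port 6005 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
THRESHOLD = 5                   # this many failures from one source ...
WINDOW = timedelta(seconds=60)  # ... inside this sliding window raises an alert
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_event(line: str):
    """Parse one sshd line into a dict, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def choose_response(ip: str) -> str:
    """Assumed policy: block external sources, escalate internal ones to a human."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "escalate_to_analyst"
    return "block_ip_at_edge"


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of failed logins per source; at most one alert per source."""
    events = sorted((e for e in map(parse_event, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # source ip -> timestamps of failures still in window
    alerted, alerts = set(), []
    for ev in events:
        ip = ev["ip"]
        if ev["outcome"] == "Accepted" and ip in alerted:
            # A success right after a detected burst is the worst case: upgrade the alert.
            for a in alerts:
                if a["source"] == ip:
                    a["severity"] = "high"
                    a["note"] = f"successful login for {ev['user']} after burst"
            continue
        if ev["outcome"] != "Failed":
            continue
        q = recent[ip]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"source": ip, "failures": len(q),
                           "window_start": q[0].isoformat(), "severity": "medium",
                           "response": choose_response(ip)})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(LOG_LINES):
        print(alert)
```

The slow source (one failure every four minutes) never trips the rule, which is the point of a window rather than a lifetime count: the window trades some sensitivity to low-and-slow activity for far fewer false positives, so a real deployment pairs it with a second, longer-window rule.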

Implementing automated patch management is another great way to make sure that network technologies remain available, safe, and up to date. Agencies must stay on top of their patch management to combat threats and help maintain compliance. The best way to do this is to manage patches from a centralized dashboard that shows potential vulnerabilities and allows fixes to be quickly applied across the network.
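The roll-up a centralized patch dashboard shows can be modelled with a few lines of logic, given here as an added example (not SolarWinds Patch Manager code or code from the article). It assumes a constructed inventory of hosts and the patches each is missing, a hypothetical severity-based deadline policy (critical within 15 days, high within 30, moderate within 90), and a "vetted" flag set only after a patch has been tested in a staging ring, so that automation deploys only vetted patches and everything else lands in a vetting backlog for a human.

```python
"""Patch-compliance roll-up with a vetting gate (added example; data constructed)."""
from datetime import date

# Hypothetical policy: days allowed between release and installation, by severity.
DEADLINE_DAYS = {"critical": 15, "high": 30, "moderate": 90}
SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2}

# Constructed sample inventory as of the report date.
REPORT_DATE = date(2024, 3, 5)
PATCHES = {
    "KB-A": {"severity": "critical", "released": date(2024, 2, 10), "vetted": True},
    "KB-B": {"severity": "high", "released": date(2024, 2, 20), "vetted": True},
    "KB-C": {"severity": "moderate", "released": date(2023, 11, 1), "vetted": False},
    "KB-D": {"severity": "critical", "released": date(2024, 3, 1), "vetted": False},
}
HOSTS = {                      # host -> patches it is still missing
    "web-01": ["KB-A", "KB-B"],
    "db-01": ["KB-C"],
    "app-02": ["KB-D"],
    "file-01": [],
}


def patch_age(patch_id: str, today: date):
    """Age of a missing patch relative to its severity deadline."""
    p = PATCHES[patch_id]
    age = (today - p["released"]).days
    deadline = DEADLINE_DAYS[p["severity"]]
    return {"patch": patch_id, "severity": p["severity"], "age_days": age,
            "days_to_deadline": deadline - age, "overdue": age > deadline,
            "vetted": p["vetted"]}


def host_status(host: str, today: date):
    """A host is non-compliant as soon as any missing patch is past its deadline."""
    missing = [patch_age(pid, today) for pid in HOSTS[host]]
    overdue = [m["patch"] for m in missing if m["overdue"]]
    return {"host": host, "missing": missing, "overdue": overdue,
            "status": "non-compliant" if overdue else "compliant"}


def build_rollup(today: date):
    """Dashboard data: compliance counts, a prioritized deploy queue, and a vetting backlog."""
    statuses = [host_status(h, today) for h in sorted(HOSTS)]
    queue, backlog = [], []
    for s in statuses:
        for m in s["missing"]:
            entry = (s["host"], m["patch"])
            if m["vetted"]:
                # Sort key: overdue first, then by severity, then by nearest deadline.
                queue.append((not m["overdue"], SEVERITY_RANK[m["severity"]],
                              m["days_to_deadline"], entry))
            else:
                # Unvetted patches are never auto-deployed, even when overdue.
                backlog.append({"host": s["host"], "patch": m["patch"],
                                "overdue": m["overdue"]})
    queue.sort()
    return {
        "compliant_hosts": sum(1 for s in statuses if s["status"] == "compliant"),
        "total_hosts": len(statuses),
        "non_compliant": [s["host"] for s in statuses if s["status"] == "non-compliant"],
        "deploy_queue": [entry for *_, entry in queue],
        "vetting_backlog": backlog,
    }


if __name__ == "__main__":
    print(build_rollup(REPORT_DATE))
```

The backlog entry flagged as overdue is the one that should show up in red on the dashboard: the deadline has passed, but shipping an untested patch to fix the paperwork is how a compliance exercise turns into an outage.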

Following the guidelines set forth by DISA®, NIST®, and other government acronyms can be a tricky and complicated process, but it does not have to be that way. By implementing and adhering to these recommended procedures, government IT professionals can wade through the alphabet soup while staying within these guidelines and upping their security game.

Find the full article on our partner DLT’s blog Technically Speaking.

24 Comments
MVP

Nice write up

Keep it coming. 

Thanks,

Eric

I have recently run into pockets of resistance against automated patching. Some just want to "be there" when it happens, which is fine but seems like a luxury. Some want to do as little as possible because "it's working now". Both make me think that you don't trust your understanding of what's important to keep your system running, that kind of pain is no good.

MVP

automated patch management is great....AFTER you have vetted the patch.

I have never seen a patch or update bring down a system or data center...never.  And if you believe that....

Level 20

Going through RMF right now... for one big network it's going to be a year-long endeavor... maybe longer.  There's going to be a big POAM for sure.

MVP

Good reminders of what most of us already know, but we must constantly be checking ourselves to ensure that we are taking these steps.

Level 20

I seem to remember a few bad ones from MS that had to be rolled back.

Handy write up.

I like this.  Keep security in front of us, and in front of Administrators, C-Level staff, Directors, but most importantly in front of end users.

Then train, test, train, test, repeat.

And don't forget the physical:

Bring in outside contractors to be your hired White Hats, have them test users and see how well the training's taking.  Do users:

  • Keep passwords private, off sticky notepads?
  • Pick up stray USB sticks and plug them into ports?
  • Let someone tailgate them through a badge-protected door?

Level 11

The overly sensitive admins, I'm okay with. At the end of the day, it's an extra set of eyes and an extra layer of attention. The cost vs. benefit is there. The latter ones you mention are the systems admins who put a black mark on our profession. I agree though, I've seen them, and sometimes they're so institutionalized that they simply want the easiest path.

That's where we can help motivate them in one of two directions.

Level 13

All good points.  report report report

Level 11

Good luck with that exercise. I'd certainly be thrilled to hear about any challenges or successes that you have related to your SolarWinds implementation (or really any systems for that matter).

Level 11

I remember a dastardly one in the days of XP where it denied logon to users. We had several thousand computers affected.

MVP

definitely trust but verify

Automating verified patches is a wonderful thing

Level 14

We have a 'Head of IT Security' who is always on at us to patch everything and a management that only allows us to patch one third of the servers each Tuesday morning between 07:00 and 09:00 on a three week cycle (with no overtime).  Funny how no one seems to be available out of hours.  Systems do get patched though.  Just don't tell management how we do it.

Level 15

We patch every Sunday afternoon like clockwork.

Level 13

Good Article

Reporting! Reporting! Reporting! The production of the evidence on your current level of security compliance maturity. Not enough do it. Many groups are paranoid to the fact that revealing such data is detrimental to their mission and/or their job security.

MVP

Automated network device configuration is all fine and good, but the same applies to server builds so that they are all consistent and up to expected standards.

Level 17

Excellent Info!

MVP

Great info!  I am using it for validation!!!!  I can't brag enough about virtualization done right!  Makes patching of clients and servers so much easier.  We used to have scheduled maintenance windows for updates; because of the redundancy, I can flip services in the wink of an eye, reboot, test, and put back into production.

SolarWinds has been a champ with the network configurations; I automate the download of configs to a repository.  Totally love the config compare, as it was instrumental when I cut the network from my primary site to a new DR facility.

I have SolarWinds and the PaloAlto sending me daily reports; gotta love the NOC view too - lights up like a Christmas tree when something goes down!

[image: pastedImage_0.png]

I am doing a demo of DarkTrace right now!  DarkTrace would be the last complement to the network (for this year).  It goes hand in hand with Catch suspicious activity and automate patches!

Check this dashboard out:

[image: pastedImage_1.png]

MVP

Excellent !

Level 21

We had an opportunity to check out Dark Trace a while back also, it was a really amazing product and the UI is captivating.  

Looking forward to implementing some of these excellent ideas in my Compliance Class. 

About the Author
Paul Parker is a 25-year information technology industry veteran and an expert in government IT. He leads SolarWinds' efforts to help public sector customers manage the security and performance of their systems through technology. Parker most recently served as vice president of engineering at Infoblox's federal division. Before that, he held C-level or senior management positions at Ward Solutions, Eagle Alliance, and Dynamics Research Corp.