System Hardening and Vulnerability Management
Secure Configuration – No compromise
Full range of CIS Benchmark hardening reports are built-in at no extra cost. NNT are one of a handful of CIS Certified Vendors – The Center for Internet Security are the industry's authoritative source of secure configuration guidance. STIGs and any other SCAP/OVAL automated content can also be used.
Remediation Guidance? Vulnerability Details? All yours
Hardening doesn't have to be Hard! Clear, concise guidance makes hardening systems an almost 'paint-by-numbers' process. Rationale for any hardening measures provided in plain English, together with all remediation commands and settings needed.
Auditor-ready reports to prove compliance
And for compliance, get all the evidential reports you and your auditor could wish for – dashboards, exceptions-only, estate-wide. Full change tracking shows where any Planned Changes have been approved – compliance doesn't have to be a drag.
Key Issues - System Hardening and Vulnerability Management
1. How do you make systems truly secure?
A hardened system is one that is fundamentally secure and rendered hack-proof. Hardening a device requires known security 'vulnerabilities' to be eliminated or mitigated. A 'vulnerability' is any weakness or flaw in software design, implementation, administration and configuration of a system, which provides a mechanism for an attacker to exploit. A secure, locked down configuration requires care to achieve a good balance between security and operational function.
Vulnerability management and maintaining a hardened build standard are inextricably linked to tight change control. Any configuration changes, be it a through patching or other system maintenance, may introduce vulnerabilities so visibility and control of changes is an essential security best practice.
3. How do you measure and maintain compliance with your hardened build standard and governance standard?
Hardening checklists are usually lengthy, complex to understand and time-consuming to implement, even for one server, let alone a whole estate. A typical checklist for an operating system like Windows or Linux will run into hundreds of tests and settings.
The typical approach to testing for vulnerabilities and measuring compliance with a hardened build standard is to use a vulnerability scanner, such as Qualys®, Rapid 7®, Nessus® or Tripwire®/nCircle®.
There are two problems with this – first, scans are simply a snapshot of compliance and any configuration drift between scans will not be detected leaving systems vulnerable to attack until the next scheduled scan. The other major problem is that a scanner is blind to zero day threats and doesn't provide any file integrity monitoring to detect breach activity. NNT's non-stop file integrity monitoring provides continuous compliance assessment and real-time breach detection.
Contact us for a no-strings, no-sales pressure trial and see the coolest compliance solution in action for yourself