Configuration Drift could be caused by multiple factors, such as uninformed actions by privileged users, critical data exposure, and the creation of roles with more permissions than needed; this could seriously jeopardize security posture of the infrastructure or applications. Hence, the need for the ability to have proactive monitoring of critical asset Configuration Drift is vital.

Drift Detection based on security posture of infrastructure in a continuous and agile way is achieved by assessing delta difference in security posture of your infrastructure over the period of time with customized alerts based on violation. The first step to achieving Drift Detection is to get control of your baseline.

What is a baseline and how do you define it in a multi-cloud environment?

A baseline is essentially a complete, holistic snapshot of your system: Operating System, Cloud Accounts, Databases, Application Repositories, and Network Devices. As anyone who has lived through it knows, defining a baseline is a tedious process of handling interconnected spreadsheets that are managed collaboratively. Sort of like shoveling snow while it is still snowing! The process is further complicated when you have to report it to external parties such as 3rd Party Auditors.

With AccuKnox you can put your baseline on autopilot to continuously monitor your present security posture without having to go through alerts fatigue from a full infrastructure scan of your environment.

AccuKnox helps you to achieve Drift Detection and Prevention through automation of a cumbersome manual process with full lifecycle management around it.

1. We allow you to define a baseline from multiple ‘data sources’ such as leveraging baselines either from standard framework (e.g., CIS Benchmarks) or custom defined options. You can then associate the baselines to a particular asset or group of assets for conformance. You can have multiple baselines associated to a particular group of assets or an asset to detect any deviation in controls (pass/fail/warning) proactively.
2. You can review the baseline against the initial scan and mark results which Failed as “Expected” & “Fail” with an additional tag of False Positives if it’s not applicable. You can mark results which Passed with “Expected” & “Pass” to track the drift from the expected behavior.
3. You can then proactively monitor the critical assets or groups of assets you have set baselines against and alerts that get generated out of Drift from golden baselines. You can also associate an integration to notification channels like Slack or email for alerts generated with critical or high severity so that you get notified on the important issues.
4. With every scan of the infrastructure against baselines, if the set controls are violated, you will see alerts based on them which you can handle by creating tickets with customized severity. We have done several automations of operations and management in ticket handling, such as auto-generation of tickets with editable severity/comment/ticket-integration platform option, bulk ticket creation for a multiple issue of a specific type, and comment analysis on the tickets for auto-closure. Some of the alerts could be false positive or not applicable, and you can attend to them with comments specified on tickets logged against them as documentation for 3PAO auditing purposes.

Additionally, we also make it easy to export any of the informational findings as an Excel file which could be essential for an overall summary report to CISOs and auditing firms or for internal records, and it helps when the security team gets asked tough questions by management: finding the answer and reporting back is a breeze.

In summary, the Accuknox CSPM solution is robust in automating cumbersome manual processes by defining customized baselines, allowing multiple baselines associated to an asset and suppressing the alerts for false positives to have actionable items instead of having alert fatigue. We also allow you to set your baseline’s controls based on pass/fail expected behavior. Automation in ticket handling will help you manage the alerts out of Drift Detection of your infrastructure.

Informational Context

Now let us discuss Informational Context. One of the hidden secrets of Tenable Nessus is its rich collection of informational data. AccuKnox brings these valuable data points to the surface and enables rich reporting and monitoring capabilities. Common use cases include:

• What version of TLS is running in my environment, and are there any deprecated versions of 1.0 or 1.1?
• Are all the expected security tools installed on every system?

These questions and more can be answered by diving into Informational Findings. Informational plugins are used by Nessus internally to enrich findings but are not generally used outside of the platform itself. These sources of information can help security teams provide additional context when reviewing findings. We also make it easy to export any of the informational findings as an Excel file. When security management poses challenging questions to the security team, it is effortless to discover the answer and provide a report.

AccuKnox makes the process of reviewing and taking action easy and manageable

1. Search findings, informational data, and compliance control
2. Create monitors to identify when a condition is detected; if you want to monitor for any changes toggle drift detection mode and get notified if anything changes.
3. Keeping track of what is new and what has already been addressed means everyone saves time. When something is new it can be quickly addressed, and things which have already been addressed can be monitored to ensure remediation SLAs are met.
4. Powerful grouping, sorting, and filtering can be applied to reduce findings to the smallest atomic unit, meaning fewer tickets and happier analysts.
5. Notifications keep everyone up to speed on new findings, when things have been open for too long, or when an asset we expected to see data for didn’t show up.

In summary, AccuKnox makes the process of reviewing and taking action on findings easy and manageable for teams of all sizes. This is a very important aspect of Drift Detection, which is quickly becoming an organizational imperative.

A video version of this can be found on YouTube.

References

How Drift Detection and IaC Help Maintain a Secure Infrastructure, Talha Tariq, The NewStack