Threat-Based Methodology Part 2: Configuration Settings

This is the second post in the Threat-Based Methodology series. The first post introduced Threat-Based Methodology and the analysis conducted by the FedRAMP PMO and NIST. That post concluded with a list of the top seven controls based on their Protection Value. This post will explore CM-6 in greater depth and explain how Devo supports the ability to meet this control.

CM-6, Configuration Settings, was determined to provide the most Protection Value with a score of 208.86. Let’s take a closer look at CM-6.

CM-6 is described within NIST 800-53 Rev 5 as:

  1. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations];
  2. Implement the configuration settings;
  3. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and
  4. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.

It’s easy to understand why this provides the most protection. If you harden your systems as much as possible while still enabling functionality, you effectively minimize the threat surface. Reducing the threat surface reduces the effectiveness of an attacker’s attempts and reduces the stress on the company’s incident detection and response capabilities.

Devo supports CM-6 through either the use of the Devo Endpoint Agent or integrations with existing configuration monitoring tools.

Devo Endpoint Agent
Devo Endpoint Agent is a multi-operating system, low-footprint endpoint analytics and instrumentation tool. It is available for Windows, Linux, and macOS systems. Regarding CM-6, the Endpoint Agent can retrieve from the host system information regarding the hardware configuration, operating system versions, installed applications and extensions, etc. You’ll find more detailed information on Devo Endpoint Agent in our documentation.

Devo Endpoint Agent operates by using pre-configured system queries. Devo has created specific queries to retrieve relevant information for configuration, events, status, performance, and files. Using these queries, the user can gain a deep understanding of the configuration and status of the system. This information is forwarded to Devo Endpoint Manager which manages all of the deployed agents. Endpoint Manager then forwards the data to the Devo cloud.

Devo has many out-of-the-box integrations that support CM-6. Those relevant to CM-6 include, Carbon Black, Rapid7, SentinelOne, and CrowdStrike. For more, see the full list of integrations.

Once in Devo
Once the configuration data is in Devo, either through Endpoint Agent or from integrations, the data is ready to be processed and queried. At this point the full capabilities of Devo are available to analyze the configuration data, create alerts for non-compliant systems, create dashboards, and leverage the Devo Security Operations and Service Operations applications.

The final post in our series will explore the AU-6 family of controls deeper, and how Devo supports meeting these controls.