Understanding and Preventing Configuration Drift

Proper management of the configuration of your infrastructure components is vital to security, compliance and business continuity. Unfortunately, configuration drift in systems and applications is common, which leaves the organization vulnerable to attack. Indeed, about 1 in 8 breaches result from errors such as misconfigured cloud environments, and security misconfiguration ranks #5 on the OWASP list of the top 10 web application security risks.

In this post, you'll learn what configuration drift is and how you can prevent it.

What is configuration drift?

A practical configuration drift definition is that any system configuration will, over time, diverge from its established known-good baseline or industry-standard benchmark. While minor drift might not cause issues, the reality is that even one misconfigured setting can expose the organization to data breaches and downtime, so the more severe configuration drift, the higher the risk.

What causes configuration drift?

More often than not, drift is the result of administrative users making changes to the system. Causes behind configuration drift include:

• Software patches: Applications, operating systems and networks frequently require patches for regular maintenance or to resolve an issue. However, these software or firmware patches can also cause configuration changes that might go undetected.
• Hardware upgrades: As businesses grow, so do their IT infrastructures. Hardware upgrades can lead to changes in configuration both at the hardware and software levels.
• Ad-hoc configuration and troubleshooting: Each day, organizations deal with tens or even hundreds of events that require quick fixes to a network, operating system or applications. Though these quick fixes solve the problem at hand, they can involve configuration changes that hurt security.
• Unauthorized changes: All modifications should be made based on an approved change request. Any unauthorized change could compromise the availability, performance or security of your IT systems.
• Poor communication in IT: Configuration drift can also occur when one IT team makes a change but does not inform other teams about it, or when team members don't exactly know which configuration states are standard and approved.
• Poor documentation: If configuration changes are not properly documented, team members may not be able to determine whether systems are properly configured.

Examples of configuration drift

Here are some configuration drift examples:

Configuration changes hastily made

It's the end of the work week, and the system engineer is about to leave. One of his colleagues informs him that a critical application is having an issue. He cannot leave the problem to be resolved on Monday but, at the same time, he wants to fix it quickly so he can head home. He makes some changes to the application configuration to fix the problem. However, he also modifies a critical setting that blocked unprotected public access to the system - causing configuration drift that leaves the infrastructure exploitable. Since he's in a hurry, he doesn't document his changes, so this drift could go unnoticed until it's exploited.

New application installations or upgrades

A company upgrades a business application to gain new features. The upgrade process makes some crucial configuration changes to allow connections through previously blocked ports. A few months later, during a security audit, auditors discover this misconfiguration. Even if the open port hasn't caused any harm yet, it still jeopardizes the company's compliance status.

Risks linked to configuration drift

Configuration drift increases the organization's risk of the following consequences:

• Network breaches: An improper configuration change can leave the door open for an outsider to enter a private network. It's arguably the biggest security threat an enterprise can face, as network infiltration can lead to data theft, activity surveillance, and malware or virus infections.
• Data breaches: Improper configuration of on-prem or cloud data storage increases the risk of someone stealing or corrupting the data, which can result in steep financial losses and reputation damage. For example, IBM Security reports that the average cost of a ransomware infection in 2021 was $2.73 million.
• Downtime: Misconfigurations can lead to downtime, either directly or by opening the door to attacks. For instance, configuration drift in web server can allow a DoS attack that brings down the server. Downtime hurts company production and employee productivity, and can lead to lost revenue as customers turn to more reliable vendors.
• Poor performance: Configuration changes can drag down the performance of systems and applications, even if they do not cause complete downtime.
• Compliance issues: Today, data security and privacy are governed by strict regulations, such as ISO 27001, PCI DSS, HIPAA, or GDPR. Configuration drift can lead to non-compliance and result in hefty fines.

Tips for avoiding configuration drift

NIST Special Publication 800-128 offers guidance for avoiding configuration drift. Here are some of the key recommendations:

Implement continuous monitoring and regular audits

Auditing the configuration of your systems on a regular basis is a good start. But even if you review them once a week, that's still more than enough time for a misconfiguration to lead to a breach, downtime or a compliance violation.

Therefore, it's imperative not only hold regular audits but to monitor configuration changes continuously. That way, improper modifications can be corrected immediately. In addition, be sure to hold audits when new devices are added or ad-hoc changes are made.

Automate processes

Manual review of system configurations is slow and error-prone, so misconfigurations may not be detected promptly, or at all. With attackers ready to exploit the slightest misstep in security, manual processes just won't cut it.

Consider investing in a configuration management tool that automates the process of finding configuration gaps. It should be able to scan all network devices and applications, spot any configuration changes, and notify the security team. Some automated tools can even be set up to revert the changes and restore a known-good configuration.

Use a repository of benchmarks and baselines

Establishing baseline configurations can save time and avoid confusion. Your teams can quickly determine whether configuration drift has occurred and restore your systems to their intended state.

Consider using benchmarks from industry leaders like CIS or NIST to build your baselines. Some configuration management tools provide templates to simplify this process. Be sure to review and update them regularly, especially when there are changes to your IT environment or applicable regulatory mandates.

Standardize configuration change management

Implementing rigorous change management, tracking and analysis is vital to IT security and availability, and configuration changes should be included. Controlling configuration changes as they happen helps prevent configuration drift and the associated risks. Documentation is vital to change management. Any configuration change should be documented and communicated using standard protocols set by the enterprise.

How Netwrix can help

When it comes to the security of your enterprise assets and software, you can't afford to leave anything to chance. Netwrix Change Tracker scans your network for devices and helps you harden their configuration with CIS-certified build templates. Then it monitors all changes to system configuration in real time and immediately alerts you to any unplanned modifications.

With Netwrix Change Tracker, you can:

• Establish strong configurations faster.
• Quickly spot and correct any configuration drift.
• Increase confidence in your security posture with comprehensive information on security status.
• Pass compliance audits with ease using 250+ CIS-certified reports covering NIST, PCI DSS, CMMC, STIG and NERC CIP.

FAQs

What is a configuration management plan?

A configuration management plan defines a process for establishing baseline configurations, monitoring systems for configuration changes, and remediating improper or authorized modifications.

How do I stop configuration drift?

Configuration drift is a common problem that can be managed with better security configuration management. In particular, you should:

• Establish a baseline configuration for each system and application.
• Document all configuration changes.
• Monitor for changes to your configurations.
• Avoid ad-hoc changes to fix problems quickly.