Hot Stuff: Security Policy Management Tools
Ideally, managing security should follow directly from managing all the policy decisions that govern security. But this is somewhat challenging to do with technology, and somewhere near impossible to do for physical security and anything having to do with “human security” (that is, in training people how to “think and act securely”). Nevertheless, an interesting set of tools is emerging in the marketplace that is most properly identified as “systems security management tools,” since they’re all about identifying, capturing, monitoring, and auditing compliance with organizational security policy settings and decisions.
Take, for example, Pedestal Software’s Security Expressions product, which the company (fairly) labels as an “adaptive system security policy management system.” As a former instructor on Windows security at Interop from 1997 to 2002, I’d heard from numerous students about Pedestal’s good, many, and varied security tools. Subsequent investigation turned me into something of a fan—perhaps because the company’s roots still go back to the “two guys in a garage” school of technology innovation, but perhaps because their excellent NTSEC toolkit saved my butt more than once in some tight situations. Be that as it may, this personal experience goaded me on to dig into Security Expressions when word about the latest version of this product (3.1) started to appear in the news.
Security Expressions works on Windows- and Unix-based systems. It begins its work with an audit/inventory of the systems it can find, covering system settings, software patches, versions installed, and discovery of unwanted or unknown software and hardware components as well. The tool can also verify policy compliance on individual systems by comparing what it finds on them to what is mandated or specified in its own security policy database. Building that database can involve some work, but it can also draw on standard predefined policies from organizations that include SANS, the NSA, and Microsoft, among many others. It also helps provide reporting to drive risk assessment and to establish remediation plans (install needed patches, upgrade versions, remove vulnerabilities, delete unauthorized or unlicensed software, and so forth).
Interestingly, Security Expressions does not rely solely on the use of local software agents to report into a central console/database. For some situations, it uses standard Windows Networking or SSH APIs to query systems across the network. Where security considerations make such access inadvisable—for example, on a DMZ machine—agents are available to permit the console to communicate with such hardened hosts.
Even more interesting, Security Expressions can force individual, group, or global policy deviations (where reality as discovered differs from what’s mandated in policy) into compliance. By logging all related changes, Security Expressions can also roll them back on a per-instance basis, should unwanted side effects or problems occur as a result of such enforcement.
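As an added illustration (not the product's own code), here is a miniature version of the audit, enforce and per-instance rollback cycle described above, written in Python; the host names, setting names and values are constructed for the example:

```python
from dataclasses import dataclass

@dataclass
class Deviation:
    """One mismatch between what an audit found and what policy mandates."""
    host: str
    setting: str
    found: object
    mandated: object

@dataclass
class ChangeRecord:
    """Log entry written for every enforced change, so it can be undone."""
    host: str
    setting: str
    before: object
    after: object

def audit(inventory, policy):
    """Compare each host's discovered settings against the policy baseline."""
    deviations = []
    for host, settings in inventory.items():
        for setting, mandated in policy.items():
            found = settings.get(setting)  # None = setting not discovered at all
            if found != mandated:
                deviations.append(Deviation(host, setting, found, mandated))
    return deviations

def enforce(inventory, deviations, log):
    """Force deviations into compliance, logging the prior value of each."""
    for d in deviations:
        log.append(ChangeRecord(d.host, d.setting, d.found, d.mandated))
        inventory[d.host][d.setting] = d.mandated
    return len(deviations)

def rollback(inventory, log, host, setting):
    """Undo a single enforced change (per-instance), leaving the rest in place."""
    for i in range(len(log) - 1, -1, -1):
        rec = log[i]
        if rec.host == host and rec.setting == setting:
            inventory[host][setting] = rec.before
            del log[i]
            return True
    return False

# Constructed sample data (hypothetical hosts and settings, not vendor policy data).
POLICY = {"min_password_len": 12, "guest_account_enabled": False, "patch_level": "SP4"}
INVENTORY = {
    "fileserver01": {"min_password_len": 8, "guest_account_enabled": False, "patch_level": "SP4"},
    "desktop17": {"min_password_len": 12, "guest_account_enabled": True},
}
```

Run `audit(INVENTORY, POLICY)` to list the three deviations, `enforce` to correct them into a log, and `rollback` to undo just one of them.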
All in all, products like Security Expressions offer valuable and powerful support to security or network administrators whose resources are often stretched thin and whose time and effort are precious. At prices of less than $700 per server and $30 per desktop, the toolset is much more affordable than other enterprise-level management solutions, whether geared purely toward security or toward more general systems management issues. It’s definitely worth a look: check it out (free trial downloads are also available).