This is a somewhat more advanced cybersecurity technique. A secure configuration baseline has two main components: 1) the approved secure configuration itself and 2) the ability to detect when a system has deviated from it.
The secure configuration is the organization’s defined set of security settings to be applied to workstations, servers and network infrastructure. Once those settings are in place, you can’t assume they’ll stay that way. An employee may change a security parameter for convenience, or by simple mistake. What you should really worry about is attackers modifying your settings during an attack, for example re-enabling a weaker authentication method or disabling logging to cover their tracks.
You should have a process to periodically compare what’s actually in place against your approved baseline. You can do this manually or automate it, but either way it’s imperative to detect an unauthorized configuration change as close to the time of the change as possible. Whether it was an innocent mistake that weakens your security posture or an indicator of compromise, you need to know about it so you can get it fixed as soon as possible.
Next steps
- Inventory your systems: The first step is understanding your systems and the different makes and models of infrastructure that make up your environment. You should also know how many of each you have, so you can recognize when an unauthorized device has been connected to your network.
- Define the parameters of your baseline: Once you have your inventory defined, you can build the set of parameters and values that will make up your configuration baseline. You’ll probably have to do some research, or you might want to engage some consulting help with specialists. In addition to the computer infrastructure itself, you might consider key business applications, just in case there are security settings you want to monitor there.
- Establish how you’ll monitor: Automated or manual, you’ll need to assign resources to monitor your secure baseline. This means regularly inspecting the current settings and comparing them to the baseline.
- Ensure you have an investigation process: When you identify a deviation, where a setting in the current state doesn’t match what’s defined in your baseline, you’ll need to investigate the change. Did it move you to a more secure posture or a less secure one? Who made the change? Was it authorized? Any unauthorized change could be an indicator of compromise, so link this process to your incident response process.
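The monitoring and comparison steps above can be automated with a small drift check. The following Python script is an added example and is not part of the original article: it holds a hypothetical approved baseline for an OpenSSH server, parses a constructed sample `sshd_config` as the host's current state, and reports every directive that is missing or has been changed. The baseline values and the sample configuration are illustrative assumptions, not settings taken from any real environment.

```python
import hashlib
import json

# Hypothetical approved baseline for an SSH server (assumed values for the
# example). Keys are sshd_config directives; values are the approved settings.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
    "LogLevel": "VERBOSE",
}

# Constructed sample of the sshd_config found on a host. Compared with the
# baseline: PasswordAuthentication was turned back on, MaxAuthTries was
# relaxed, and LogLevel is absent, so the daemon default applies.
CURRENT_SSHD_CONFIG = """\
# OpenSSH server configuration (constructed sample)
Port 22
PermitRootLogin no
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 6
"""


def parse_sshd_config(text):
    """Parse 'Directive value' lines into a dict.

    Comments and blank lines are skipped. sshd honours the first occurrence
    of a directive, so a repeated directive keeps its first value.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        settings.setdefault(key, value.strip())
    return settings


def fingerprint(settings):
    """SHA-256 over the baseline-relevant directives in canonical form.

    Comparing this against the fingerprint of the approved baseline is a
    cheap 'has anything changed since approval?' check that can run often;
    the full diff below explains what changed.
    """
    subset = {}
    for key in sorted(BASELINE):
        value = settings.get(key)
        subset[key] = value.lower() if value is not None else None
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def compare_to_baseline(baseline, current):
    """Return deviations as (directive, expected, actual, kind) tuples.

    kind is 'missing' when the directive is absent from the current config
    (the daemon default, not the approved value, is then in effect) or
    'changed' when it is present with a different value.
    """
    deviations = []
    for directive, expected in baseline.items():
        actual = current.get(directive)
        if actual is None:
            deviations.append((directive, expected, None, "missing"))
        elif actual.lower() != expected.lower():
            deviations.append((directive, expected, actual, "changed"))
    return deviations


def check_host(config_text):
    """Run the fast fingerprint check, then the detailed diff if it fails."""
    current = parse_sshd_config(config_text)
    if fingerprint(current) == fingerprint(BASELINE):
        return []
    return compare_to_baseline(BASELINE, current)


if __name__ == "__main__":
    for directive, expected, actual, kind in check_host(CURRENT_SSHD_CONFIG):
        shown = "<not set>" if actual is None else actual
        print(f"{kind:8} {directive}: expected {expected!r}, found {shown!r}")
```

Every deviation the script reports is a candidate for the investigation step: the output tells you what drifted, but deciding whether the change weakened your posture, who made it, and whether it was authorized still requires the change records and the people involved. In a real deployment the current state would be collected from each host by a configuration-management or file-integrity tool rather than from an embedded string, and the approved fingerprint would be stored with the baseline so the quick check can run on every collection cycle.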