BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Benchmarks as a Point of Reference

Posted November 3, 2010    Morey Haber

I have been reading Stephen Hawking’s new book, “The Grand Design” and am completely stunned by the analogies he uses to simplify perception, measurements, and even quantum physics. This book is not light reading and has had me looking up terms using old college textbooks and Google multiple times. The one thing that fascinates me about all of the concepts he presents is perception. We use perception every day for driving our cars to work, cooking dinner, and even comprehending the computer systems in our environment. As we comprehend how network traffic flows, we always need a frame of reference for measuring speed, quantity of data, and desired results. The analogy Dr. Hawking uses in his book relies on the concept of living in a fish bowl and looking out at the universe. From inside the fishbowl, straight lines would be curved and the shortest distance between any two points is not a straight line, but rather a curve as well. The perception then leads to measurements and ultimately theories and standards. When a set of observations and comparisons leads to standards, laws, and theories we form baselines and benchmarks to guide us through the process and have a frame of reference.

Simply, benchmarks are a set of standards that you can reference observations from and determine deviations. Benchmarks allow us to say that something deviates by some order of units. In the case of computer security, benchmarks allow us to judge how secure a system is based on best practice theory for preventing unwanted threats from compromising a host. They outline all the proper settings and run time parameters for securing a host, provide guidance on how to implement them, and finally a vehicle for testing hosts against these parameters (OVAL). IT Security benchmarks are available from a wide variety of sources such as CIS, NIST, Microsoft, and DISA. All of these can be implemented by SCAP compliant scanning solutions to benchmark how well the IT infrastructure is secured within your organization. This provides a straight line form of reference for gauging how secure you are from the latest security threats using tools created by the most brilliant minds in the industry.

IT Security benchmarks have been around for a long time. Only recently however, have the processes for implementing them and measuring them matured using automated scanning techniques in an open and standardized (non-proprietary) format. Retina CS 2.0 contains a new module called Configuration Compliance Module that allows users to load their own SCAP benchmarks for measuring the security standards within their environment. Benchmarks provide a uniform method for reporting and measuring that is well understood and uniform across businesses. It removes any assumptions or bias based on interpretation or testing criteria. The scan engine and benchmark complier are integrated into the complete multi-tier Retina management solution for a seamless perception for all the assets on the network.

Determining the state of security threats and even understanding the universe requires both standards and benchmarks. Dr. Hawking’s book simplifies this for readers. eEye has simplified both IT Security and benchmarks so that everyone can benefit from IT Security lessons learned and best practices.

Tags:
, , , , , , , ,

Leave a Reply

Additional articles

webinar_ondemand

On Demand Webinar – Why You Still Suck at Patching

Posted March 27, 2015    Lindsay Marsh

On Demand Webinar: Dave Shackleford recounts some of his personal experiences in patch management failure, and breaks down the most critical issues holding many teams back from patching more effectively.

Tags:
,
dave-shackleford-headshot

Why You Still Suck at Patching…and How to Turn Your Life Around

Posted March 25, 2015    Dave Shackleford

Live webinar | March 26, 2015 | 10am PT/1pm ET | Dave Shackleford, SANS Instructor | Why You Still Suck at Patching…and How to Turn Your Life Around

Tags:
, ,
infographic

Privilege Gone Wild 2: Over 25% of Organizations Have No Privileged Access Controls

Posted March 24, 2015    Scott Lang

BeyondTrust recently conducted a survey, with over 700 respondents, to explore how organizations view the risk of misuse from privileged account misuse, as well as trends in addressing and mitigating those risks.

Tags:
,