When multiple network administrators make frequent configuration changes, you need a monitoring solution that provides insight into device changes without putting resource constraints on the devices themselves.
The performance and capabilities of a network device are determined by its configuration settings. Understanding the impact a configuration change can have on a device's performance, uptime, and overall availability, and the importance of being notified when such a change occurs, is paramount. Any unauthorized change to a network configuration can introduce security vulnerabilities and compliance risk, and a security team that only learns of it after the fact is left scrambling.
The configuration of a network device generally does not change very often once the configuration is in a stable working state. It is critical to monitor for any activities that involve modifying the configuration or any actions that would be considered high-risk activities. Some examples of high-risk activities are listed below.
Whenever the configuration of a network device changes, it is critical that the exact change and the time it occurred are recorded. Because an attacker with access to the device can also tamper with the device's own logs, that record should be compared against an independently captured baseline. This information is crucial for detecting unauthorized configuration changes before they become security incidents or audit failures.
Lacking measures to detect changes in network configurations can result in compliance failures with regulatory standards such as PCI DSS 4.0, HIPAA 2023, CCPA, HITECH, FISMA, GDPR, and many others.
PCI DSS 4.0 Requirement 1.2.2, testing procedure 1.2.2.c, directs assessors to "examine network configuration settings to identify changes made to configurations of Network security controls (NSCs)."
The Cybersecurity and Infrastructure Security Agency (CISA) says, "Security teams must review logs generated by network devices and monitor for unauthorized reboots, operating system version changes, changes to the configuration, or attempts to update the firmware. Compare against expected configuration changes and patching plans to verify that the changes are authorized."
Configuration changes can be a sign that a device has been compromised. The National Security Agency (NSA) recommends implementing a configuration change control process to detect unauthorized modifications.
Qualys has introduced an all-new Agentless File Integrity Monitoring (FIM) solution designed specifically for detecting configuration changes in network devices such as routers, switches, and firewalls.
The change event is comprised of three key components:
Timestamp
Captures the time of the scan in which a difference against the baseline configuration was identified. Because the solution is agentless and scan-based, this is the detection time rather than the moment the change was made; the change happened somewhere between the previous clean scan and this one, so the scan interval bounds how quickly drift is detected.
Asset details
Offers comprehensive information about the specific host on which a configuration change is observed.
Side-by-side comparisons
Facilitates a clear visualization of changes by presenting them in a side-by-side format. Modified lines in the configuration are highlighted and color-coded to signify changes, additions, or deletions.
Keeping track of configuration changes is required for auditing purposes. Network Configuration Drift FIM events are retained for at least one year, which covers the retention period most compliance regulations require (PCI DSS, for example, requires 12 months of audit log history).
Automated Compliance Reports
Allows users to schedule compliance reports detailing network configuration drift events and activities tracked by the FIM system.
Automated Incidents
Qualys FIM offers auto-correlation of events using Qualys Query Language (QQL), allowing you to define queries that match network configuration drift events in your environment. When an event matches, an incident is created automatically and the designated SOC team is notified for further review.
This supports the new PCI DSS 4.0 FIM requirement 10.4.1.1: "Automated mechanisms are used to perform audit log reviews."
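To make the change event described above (detection timestamp, asset details, side-by-side comparison) and the rule-based promotion of drift events to incidents concrete, here is an added example. It is not Qualys code: the configuration lines, the asset details, the high-risk patterns standing in for QQL queries, and the scan timestamps are all constructed for illustration.

```python
"""Detect network configuration drift against a stored baseline and flag
high-risk changes for incident creation.

Added example, not Qualys code. All inputs below are constructed.
"""
import difflib
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed baseline: the last known-good running config of a router.
BASELINE = """\
hostname edge-rtr-01
username admin privilege 15 secret 5 $1$abcd$xxxxxxxxxxxxxxxxxxxxxx
snmp-server community s3cr3tRO RO
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any log
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
"""

# Constructed "current" config as read by the agentless scan: a second
# privilege-15 user appeared, the SNMP community became read-write, and
# the management ACL no longer restricts vty access.
CURRENT = """\
hostname edge-rtr-01
username admin privilege 15 secret 5 $1$abcd$xxxxxxxxxxxxxxxxxxxxxx
username svc-backup privilege 15 secret 5 $1$efgh$yyyyyyyyyyyyyyyyyyyyyy
snmp-server community s3cr3tRO RW
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any log
line vty 0 4
 transport input ssh
"""

# Constructed rules standing in for QQL correlation queries. A rule whose
# name ends in "-removed" fires on deleted lines (a protection vanished);
# every other rule fires on added lines.
HIGH_RISK_PATTERNS = {
    "privileged-user": re.compile(r"^username \S+ privilege 15\b"),
    "snmp-write": re.compile(r"^snmp-server community \S+ RW\b"),
    "vty-acl-removed": re.compile(r"^\s*access-class \S+ in\b"),
}


@dataclass
class ChangeEvent:
    asset: dict                      # asset details of the scanned host
    detected_at: str                 # scan time, NOT the time of the change
    last_clean_scan: Optional[str]   # change happened after this scan
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)
    diff_text: str = ""              # unified diff; a UI renders it side by side
    incident_tags: list = field(default_factory=list)


def diff_config(baseline: str, current: str):
    """Return (added_lines, removed_lines, unified_diff_text)."""
    old, new = baseline.splitlines(), current.splitlines()
    added, removed = [], []
    matcher = difflib.SequenceMatcher(None, old, new)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(old[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(new[j1:j2])
    text = "\n".join(difflib.unified_diff(old, new, "baseline", "current", lineterm=""))
    return added, removed, text


def build_event(asset: dict, baseline: str, current: str,
                scan_time: Optional[datetime] = None,
                last_clean_scan: Optional[datetime] = None) -> Optional[ChangeEvent]:
    """Compare a scanned config to its baseline; return None when there is no drift."""
    scan_time = scan_time or datetime.now(timezone.utc)
    added, removed, text = diff_config(baseline, current)
    if not added and not removed:
        return None
    ev = ChangeEvent(
        asset=asset,
        detected_at=scan_time.isoformat(),
        last_clean_scan=last_clean_scan.isoformat() if last_clean_scan else None,
        added=added, removed=removed, diff_text=text,
    )
    # Correlation step: tag the event with every high-risk rule it matches.
    for name, pattern in HIGH_RISK_PATTERNS.items():
        candidates = removed if name.endswith("-removed") else added
        if any(pattern.search(line) for line in candidates):
            ev.incident_tags.append(name)
    return ev


if __name__ == "__main__":
    event = build_event({"hostname": "edge-rtr-01", "ip": "10.0.0.1"}, BASELINE, CURRENT)
    print(event.diff_text)
    print("incident tags:", event.incident_tags)
```

The `last_clean_scan` field is the caveat a practitioner wants on an agentless, scan-based timestamp: it turns the single detection time into a window within which the change must have been made, which is what you actually hand to the incident responder.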
Integration with FIM Public APIs
Such events and incidents can be accessed through Public APIs and seamlessly integrated with any Security Information and Event Management (SIEM) solution, facilitating additional correlations for comprehensive analysis.
Qualys FIM offers native integration with prominent SIEM and ITSM solutions such as Splunk, IBM QRadar, and ServiceNow, so drift events and incidents flow into the tooling your SOC already works in.
By detecting unauthorized access and changes to system files, Qualys FIM reduces risks for:
Reduce Your Compliance Risk with Qualys File Integrity Monitoring