Monitoring the compliance of your systems against reference configuration templates or standard system builds gives you an opportunity to detect changes and existing configuration problems that could lead to a possible breach. Sometimes, these issues cannot be seen by common security tools such as vulnerability scanners unless the configuration problem is exploited, which is not the best time to identify the problem. There are also cases in which you might have a policy that forces you to follow some good security practices, such as continuously evaluating against benchmarks set by the Center of Internet Security (CIS) or meeting PCI DSS 2.0.
Many of today’s vulnerability scanning tools, such as Qualys, Nessus, and Nexpose, include a compliance module that enables them to remotely log in to a system, collect its configuration, and then analyze that against a reference benchmark. You can also develop your own programs or scripts that can perform the same function.
Automating the system compliance process and then linking it to your risk management and incident response practices are key steps in any successful security operation. An example of including this in your practice is incorporating system compliance as part of the risk assessment and vulnerability assessment steps of the SANS Vulnerability Management Model shown earlier in Figure 2-10.