This is the second post in the Threat-Based Methodology series. The first post introduced Threat-Based Methodology and the analysis conducted by the FedRAMP PMO and NIST. That post concluded with a list of the top seven controls based on their Protection Value. This post will explore CM-6 in greater depth and explain how 色色研究所 supports the ability to meet this control.

CM-6, Configuration Settings, was determined to provide the most Protection Value with a score of 208.86. Let’s take a closer look at CM-6.

CM-6 is described within NIST 800-53 Rev 5 as:

  1. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations];
  2. Implement the configuration settings;
  3. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and
  4. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.

It’s easy to understand why this provides the most protection. If you harden your systems as much as possible while still enabling functionality, you effectively minimize the threat surface. Reducing the threat surface reduces the effectiveness of an attacker’s attempts and reduces the stress on the company’s incident detection and response capabilities.

色色研究所 supports CM-6 through either the use of the 色色研究所 Endpoint Agent or integrations with existing configuration monitoring tools.

色色研究所 Endpoint Agent
色色研究所 Endpoint Agent is a multi-operating system, low-footprint endpoint analytics and instrumentation tool. It is available for Windows, Linux, and macOS systems. For CM-6, the Endpoint Agent can retrieve information from the host system about the hardware configuration, operating system versions, installed applications and extensions, etc. You’ll find more detailed information on 色色研究所 Endpoint Agent in our .

色色研究所 Endpoint Agent operates by using pre-configured system queries. 色色研究所 has created specific queries to retrieve relevant information for configuration, events, status, performance, and files. Using these queries, the user can gain a deep understanding of the configuration and status of the system. This information is forwarded to 色色研究所 Endpoint Manager, which manages all of the deployed agents. Endpoint Manager then forwards the data to the 色色研究所 cloud.

Integrations
色色研究所 has many out-of-the-box integrations that support CM-6. Those relevant to CM-6 include Tenable.io, Carbon Black, Rapid7, SentinelOne, and CrowdStrike. For more, see the .

Once in 色色研究所
Once the configuration data is in 色色研究所, either through Endpoint Agent or from integrations, the data is ready to be processed and queried. At this point the full capabilities of 色色研究所 are available to analyze the configuration data, create alerts for non-compliant systems, create dashboards, and leverage the 色色研究所 Security Operations and Service Operations applications.
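
The comparison that CM-6 items 1, 3 and 4 imply, sketched as an added example that is not 色色研究所 code or part of the original post: reported settings are checked against a documented baseline, approved deviations are separated from unapproved drift, and only the latter raises an alert. The setting names, hosts and values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Item 1: documented baseline (constructed setting names and values).
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "kernel.randomize_va_space": "2",
    "firewall.enabled": "true",
}

# Item 3: documented, approved deviations, keyed by (host, setting).
APPROVED_DEVIATIONS = {("build-01", "ssh.PasswordAuthentication"): "yes"}

@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    expected: str
    observed: Optional[str]  # None: the setting was not reported at all
    status: str              # "approved_deviation" or "non_compliant"

def evaluate(host, observed):
    """Compare one host's reported settings with the baseline."""
    findings = []
    for setting, expected in sorted(BASELINE.items()):
        value = observed.get(setting)
        if value == expected:
            continue
        approved = APPROVED_DEVIATIONS.get((host, setting))
        # An approval covers only the exact value that was approved.
        ok = approved is not None and value == approved
        status = "approved_deviation" if ok else "non_compliant"
        findings.append(Finding(host, setting, expected, value, status))
    return findings

def alerts(inventory):
    """Item 4: return only the findings that should raise an alert."""
    return [f for host in sorted(inventory)
            for f in evaluate(host, inventory[host])
            if f.status == "non_compliant"]

# Constructed sample of per-host configuration data.
INVENTORY = {
    "build-01": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "yes",
                 "kernel.randomize_va_space": "2", "firewall.enabled": "true"},
    "web-01": {"ssh.PermitRootLogin": "yes", "ssh.PasswordAuthentication": "no",
               "kernel.randomize_va_space": "2"},
}

if __name__ == "__main__":
    for f in alerts(INVENTORY):
        print(f"ALERT {f.host}: {f.setting} expected={f.expected!r} observed={f.observed!r}")
```

A setting that is missing from a host's report is treated as non-compliant rather than skipped, so a gap in collection does not read as a pass.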

The final post in our series will explore the AU-6 family of controls in greater depth, and how 色色研究所 supports meeting these controls.
