Last week a customer came to me with an interesting use case. They have three products in use at the moment that between them allow the company to lock down devices that are used on a production line.
These devices are under strict change control, not just because they are critical to the company, but also because they control the production of life-saving medication – and change on pharma-related production devices is mandated by regulatory controls.
I was surprised by some of the items, and also by some of the missing pieces – the customer wanted to be alerted when something happened, but not necessarily to respond automatically. For example, if someone put in a USB key, or changed a registry setting that “un-hides” the C: drive, they wanted to be informed.
I assume the reason they only wanted to be informed, rather than to automate response, is that the regulations don’t expect technology to be in place that allows for real-time response, in other words, a proper control.
With Tachyon, the customer can replace those three tools (which between them cost several times more than the Tachyon license) and put in place a solution that allows for real-time automated response, as well as the notifications they required.
Using something like Group Policy allows you to set policies, which typically end up being registry key changes. However, as you likely know, if someone circumvents a policy, it will remain circumvented for a long period of time (up to 2 hours by default) before Group Policy addresses the required setting.
Guaranteed State, part of the base Tachyon license, allows you to set up rules of either type “Check” or “Fix”. All rules have a Precondition and a Trigger. Check rules typically alert only, and Fix rules typically make a change to “Fix” the problem identified.
In this case, rather than running every 60-120 minutes like a Group Policy, Tachyon Guaranteed State (GS) reacts to the “Trigger”. If someone changes a registry key or does anything else that matches the trigger, GS reacts immediately, within just a few milliseconds. If you change the registry to allow you to put in a USB key, Tachyon reacts faster than you can push it into the slot, changing the setting back.
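The trigger-driven Check/Fix behaviour described above can be approximated with stock Windows tooling. The following is an added example, not 1E's code or Tachyon's rule format; it assumes USB storage is blocked by setting the USBSTOR service's `Start` value to 4, and the `Mode` switch, log path and `UsbStorDrift` identifier are hypothetical names.

```powershell
# Added example, not Tachyon code. Run elevated on Windows (PowerShell 5.1 or 7).
# Assumption: the control "USB storage blocked" is USBSTOR\Start = 4 (driver disabled).
$cfg = @{
    KeyPath   = 'SYSTEM\CurrentControlSet\Services\USBSTOR'
    ValueName = 'Start'
    Required  = 4                                     # 3 = load on demand, 4 = disabled
    Mode      = 'Fix'                                 # 'Check' = alert only, 'Fix' = alert and revert
    Log       = "$env:ProgramData\usbstor-drift.log"  # hypothetical log location
}

# Rule body: compare actual to required state, log drift, revert in Fix mode.
$rule = {
    param($c)
    $path = "HKLM:\$($c.KeyPath)"
    $now  = Get-ItemPropertyValue -Path $path -Name $c.ValueName
    if ($now -eq $c.Required) { return }              # compliant, nothing to do
    $stamp = Get-Date -Format o
    Add-Content -Path $c.Log -Value "$stamp DRIFT $path\$($c.ValueName)=$now required=$($c.Required)"
    if ($c.Mode -eq 'Fix') {
        Set-ItemProperty -Path $path -Name $c.ValueName -Value $c.Required -Type DWord
        Add-Content -Path $c.Log -Value "$stamp FIXED $path\$($c.ValueName)=$($c.Required)"
    }
}

# Enforce once at start: events only report changes made after subscribing.
& $rule $cfg

# Trigger: the WMI registry provider raises an event when the value is written.
# WQL string literals need each backslash doubled.
$wqlPath = $cfg.KeyPath -replace '\\', '\\'
$wql = "SELECT * FROM RegistryValueChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' " +
       "AND KeyPath='$wqlPath' AND ValueName='$($cfg.ValueName)'"

# The action runs in its own scope, so pass config and rule through MessageData.
# The revert itself fires the trigger again; that pass finds the value compliant and returns.
Register-CimIndicationEvent -Namespace 'root\default' -Query $wql `
    -SourceIdentifier 'UsbStorDrift' `
    -MessageData @{ Cfg = $cfg; Rule = $rule } `
    -Action { & $Event.MessageData.Rule $Event.MessageData.Cfg } | Out-Null

# Stop with: Unregister-Event -SourceIdentifier 'UsbStorDrift'
```

The subscription lasts only as long as the PowerShell session that registered it, so this shows the mechanism rather than a persistent agent. The WMI registry event provider does not report changes under HKEY_CURRENT_USER, so per-user policy values need a different trigger.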
In my opinion, regulations need to change to talk about Prevention, Real-Time Detection and Real-time Response.
- Put in place the controls to prevent users making the changes to controls.
- Detect, in real-time, if/when a user attempts to circumvent the control.
- React, in real-time, with an appropriate response.
Appropriate responses may include end-user notification, alerts to the security team and, obviously, resetting the control back to the required state. It’s that reaction that led to the name “Guaranteed State”: we don’t just set something as “desired”, we enforce the rules in real-time, not eventually or at some stage like GPO (assuming GPO is even working to that level of “timeliness” on devices which are remote and not connected to the corporate LAN!).
Tachyon allows you to ensure controls are monitored continually, even while devices are offline – the policies are in force even without a connection to the Tachyon server – although obviously they can’t be updated or changed until the device is online again.
Best of all is that with Tachyon, you can allow for exceptions in real-time too. If someone has a valid need to use a USB key, or whatever the control is, you can change the setting on the device in real-time with a Tachyon instruction (from Tachyon Explorer, via ServiceNow or any self-service portal, 1E Shopping for example). Every change is tracked and audited, and you can allow access for just as long as it is needed. It will revert to the required state at the required time.
This is something that looks really good in a video – so I look forward to demonstrating it next week.
With the Cybersecurity Maturity Model Certification program in the US (CMMC), there is an ever-growing requirement for enterprises to be able to show adherence to security controls. Tachyon Guaranteed State can help you implement controls for CMMC, ISO 27002, NIST 800-53, NIST 800-171, 800-172, etc. Obviously, you can implement whatever controls you want or need, regardless of standard, even if they are just home-grown best practices. All with real-time control, real-time exception handling and full audit logging.