Upgrading to Prime/Magnus Version 5: Deviations
For the most part version 5 looks and operates the same way as previous versions, but under the hood there are some significant changes. The most significant are changes to how deviations and remediation work.
For those who haven't already taken advantage of deviations, they allow you to mark items in the compliance content that your systems fail but that are deemed to be acceptable security risks -- perhaps because making that change would break a mission-critical application. Each individual deviation can also contain POAM information, which basically documents the plan for being able to remove the deviation later.
The new format for deviations makes them less likely to need to be updated when the underlying benchmarks are updated. It also makes it possible to use a single deviation file to record deviations across a wide variety of systems in support of a specific policy. For example, you can keep separate deviation files based on computer function (client versus server), department, physical location, and so on. The system will automatically select the section of the deviation file that corresponds to each benchmark as it is being evaluated. The only requirement is that deviations for a particular benchmark/profile combination appear in the file only once.
The ThreatGuard deviation system is not a simple pass/fail mechanism. When you create a deviation, the system records the actual value that is set for the collected data items. As a result, it is still possible for a machine to fail a compliance rule if its current setting is outside of the value that is set as part of the deviation.
For example, if the compliance benchmark requires that password length be a minimum of 12 characters, but your local policy says that 10 characters is sufficient, you can create a deviation rule for this. Any assessed machine that meets the 12-character policy will pass outright. Systems that are set to 10 or greater will also be recorded as a pass, with an indicator that this pass is due to the deviation. Systems with password length enforcement set to less than 10 characters would still be recorded as failing that rule.
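The three outcomes described above, together with the one-section-per-benchmark/profile requirement and automatic section selection, can be modelled as follows. This is an added illustration, not ThreatGuard code and not the actual deviation file format; the data layout, benchmark names, and function names are all hypothetical.

```python
# Added illustration: hypothetical in-memory model, NOT the ThreatGuard file format.
from collections import Counter

# Constructed benchmark requirements: (benchmark, profile) -> {rule: required minimum}
BENCHMARKS = {
    ("win-server", "high"): {"min_password_length": 12},
    ("win-client", "high"): {"min_password_length": 12},
}

# Constructed deviation file: one section per benchmark/profile combination.
DEVIATION_FILE = [
    {"benchmark": "win-server", "profile": "high",
     "deviations": {"min_password_length": 10}},
]

def validate(dev_file):
    """Reject a file in which a benchmark/profile combination appears twice."""
    counts = Counter((s["benchmark"], s["profile"]) for s in dev_file)
    dupes = sorted(k for k, n in counts.items() if n > 1)
    if dupes:
        raise ValueError(f"duplicate benchmark/profile sections: {dupes}")

def select_section(dev_file, benchmark, profile):
    """Pick the deviations for the benchmark being evaluated (empty if none)."""
    for s in dev_file:
        if (s["benchmark"], s["profile"]) == (benchmark, profile):
            return s["deviations"]
    return {}

def evaluate(benchmark, profile, rule, actual, dev_file=DEVIATION_FILE):
    """Return 'pass', 'pass (deviation)' or 'fail' for a minimum-value rule."""
    validate(dev_file)
    required = BENCHMARKS[(benchmark, profile)][rule]
    if actual >= required:
        return "pass"                  # meets the benchmark outright
    accepted = select_section(dev_file, benchmark, profile).get(rule)
    if accepted is not None and actual >= accepted:
        return "pass (deviation)"      # within the recorded deviation value
    return "fail"                      # outside both benchmark and deviation

if __name__ == "__main__":
    # Constructed sample hosts: (name, benchmark, enforced password length)
    for host, bench, length in [("srv1", "win-server", 14), ("srv2", "win-server", 10),
                                ("srv3", "win-server", 8), ("pc1", "win-client", 10)]:
        print(host, evaluate(bench, "high", "min_password_length", length))
```

The client host fails at 10 characters because the constructed file holds no section for its benchmark, so no deviation is selected for it.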
One of the benefits of the new deviation format is that it is much more readable, so it's now possible to refine the deviation condition by editing the deviation file you have created. We have also been able to revise the remediation report (accessible from the Deviation Manager) to be much more straightforward and informational.
The process of creating a deviation profile is very much the same as it always has been. Simply use the Deviation Manager while Prime is in Advanced Interface mode to create or activate a deviation file, then click the Profile Now button to begin.
If a deviation file is active and an assessment has been run, you can also select any rule and use the right-click menu to add or remove deviations individually.
For more detailed information about using the Deviation Manager, refer to the User's Guide (available from the Help menu of Secutor Prime).
For Secutor Magnus Users
After upgrading from Magnus Version 4 to Version 5, the Deviation Manager in the Navigator client application will still show all of your previous deviation files and rules, but the server will not be able to apply any of them. It will be necessary to use the File Manager button to show the old deviation files and delete them.
You will then be able to upload deviation files using the new format and create the rules for when they are to be applied.
Keep in mind that the new deviation format allows you to include deviations for more than one benchmark in a single deviation file. It is now possible to group all deviations that represent a single policy (for example, classified versus unclassified systems) in a single deviation file, so your individual scope and applicability rules can be much simpler than with the old system.