There's an old adage in business; if you're not measuring something, you can't manage it. These days, information technology (IT) and information security professionals know this all too well, especially when it comes to configuration assessments.
Network performance requires constant monitoring. Cyber threats demand identification and remediation. Systems need to be securely configured upon implementation and then assessed frequently to ensure they stay that way. What's more, cyber threat actors (CTAs) constantly seek out poorly configured or vulnerable systems. As organizations around the world experienced with the Log4j vulnerability, CTAs are constantly looking for ways try to exploit these weaknesses. After all, when one system is left unsecured, it often means that others are unsecure, as well.
Identifying configuration vulnerabilities is a key element of a strong cybersecurity program. Improper configurations can put your organization at risk. While configuration assessment is essential, it can also be difficult to execute. First, systems very rarely come securely configured right out of the box. That's because most manufacturers prioritize ease of use over security. Taken at the scale of your organization, the sheer number of systems you need to harden can be enormous, and the volume of settings that require configuration can be daunting. As your teams try to meet deadlines or day-to-day business needs, it might be tempting to put systems into production without basic hardening. Upgrades and other changes to these systems can lead to configuration drift, creating new vulnerabilities over time.
For your IT teams, system configuration can be a big focus at the time of implementation. However, effective protection against cyber threats requires continuous attention. To reduce opportunities for hackers, you need to perform configuration assessments regularly.
Assessment is an important step in system hardening. To understand how well your current environment matches up to industry best practices and evolving regulations, compare your configurations to the recommendations in the CIS Benchmarks™. The CIS Benchmarks are consensus-developed, best practice secure configuration guidelines used to harden your target systems. Today, there are more than 100 CIS Benchmarks that cover 2 vendor product families. The PDF versions are available to download at no cost.
Each CIS Benchmark describes in simple language the security benefit of each recommendation and the steps that should be taken for secure configuration. CIS Benchmarks map to the CIS Controls® (CIS Controls®) where applicable, making it possible to develop an actionable remediation plan with a high-level view. This ensures your configurations align with industry best practices and reduce your risk profile.
Configuring systems to CIS Benchmarks recommendations is a proven way to assess and remediate configuration vulnerabilities.
Knowing your desired end state for secure configuration is only part of the picture. Assessing system configuration at scale is also important. To understand how your system configurations conform to the CIS Benchmarks, you can use the CIS Configuration Assessment Tool (CIS-CAT®), which scans against a target system’s configuration settings and reports its compliance to the corresponding Benchmark. With hundreds of recommendations in each CIS Benchmark, automated assessment is the key to accelerating your implementation of secure configurations at scale.
CIS-CAT Pro, which is available to CIS SecureSuite® Members, has two components: the easy-to-use CIS-CAT Pro Assessor v4 GUI and the CIS-CAT Dashboard. CIS-CAT Pro Assessor v4 supports more than 80 CIS Benchmarks for automated configuration assessments and remote endpoints. CIS-CAT Pro Dashboard is also a companion application for CIS-CAT Pro Assessor, and is a great way to visualize assessment results and track conformance over a recent period of time time.
Analyzing security configuration assessment results is critical to remediation planning efforts. That's why the CIS-CAT Pro Assessor includes configuration assessment evidence in the HTML report. The evidence provides an in-depth view of an endpoint's state and assists in remediation planning. To experience how CIS-CAT works, try CIS-CAT Lite, the preview version of CIS-CAT Pro. The free version produces only HTML reports and supports a subset of CIS Benchmark assessments.
CIS-CAT Pro Assessor and CIS-CAT Pro Dashboard are both included in CIS SecureSuite Membership. In addition to CIS-CAT Pro access, CIS SecureSuite Membership provides access to multiple cybersecurity resources, including build content, full-format CIS Benchmarks, and more. Start secure and stay secure with integrated cybersecurity tools and best practice guidance for over 100 technologies.
Want to learn more about CIS SecureSuite?