It seems like every time you turn around, somebody’s website has been hacked or their data has been compromised. In 2013, the Cybersecurity and Infrastructure Security Agency (CISA), which leads the national effort to defend critical government and private sector infrastructure against threats and evolving risks, established its Continuous Diagnostics and Mitigation (CDM) program to combat the problem. CDM provides a dynamic approach to fortifying the cybersecurity of civilian government networks and systems. To do this, organizations need to create baseline technical security configurations that are known to be effective. Currently, most stakeholders align their security configurations with one of two sets of “checklists” that they follow to ensure baseline security compliance:
- Developed by the Defense Information Systems Agency (DISA), Security Technical Implementation Guides (STIGs) are DoD configuration standards for locking down system vulnerabilities.
- Center for Internet Security (CIS) controls offer organizations a roadmap for maturing their cybersecurity programs, as well as technical guidance for establishing and maintaining secure configurations.
However, configuring systems is one thing. Maintaining those security configurations over time is a whole different beast. Through the process of continuous diagnostics and mitigation, agencies receive relevant, timely, and actionable information on the state of their systems and can ensure security before malicious actors have a chance to pounce.
Satisfying STIG and CIS Benchmarks and controls gives you a firm cybersecurity baseline.
The Center for Internet Security (CIS) is a non-profit organization whose mission is to make the connected world safer by “developing, validating, and promoting timely best practice solutions.” Two primary initiatives that enable CIS to meet its mission are the CIS Controls and the CIS Benchmarks. The CIS Controls are a set of twenty basic actions to take to protect your organization and data from known cyber-attack vectors. The CIS Benchmarks are a collection of more than 100 configuration guidelines.
Likewise, STIGs are published as a set of 500 individual policies, encompassing tens of thousands of controls. Originally created for the DoD by DISA, STIGs are today widely used throughout the federal government to meet compliance obligations. STIGs are updated every 90 days in order to address the latest threats.
Whether STIG or CIS, the benchmarks and controls fall under the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-70 definition of a “checklist.” Security configuration checklists are the technical instructions or procedures for verifying that a product is configured appropriately for its operational environment. Meeting these requirements provides a low-level technical configuration foundation upon which your organization can build a secure IT infrastructure.
To give you an idea of what kinds of areas these controls cover, they include:
- Inventory and Control of Hardware and Software Assets
- Continuous Vulnerability Management
- Controlled Use of Administrative Privileges
- Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Email and Web Browser Protections
- Malware Defenses
- Data Recovery Capabilities
- Secure Configurations for Network Devices, such as Firewalls, Routers, and Switches
- Data Protection
- Account Monitoring and Control
Continually diagnosing and monitoring STIG and CIS controls is essential to cybersecurity.
It doesn’t sound terribly complex, right? You’ve got CIS controls and benchmarks to tell you where and what to monitor. However, consider smartphone updates for a moment. People need to make sure that their operating systems are continuously updated, but they also need to make sure that each application on the device stays updated. Even with automatic updates, people struggle because sometimes an operating system update creates a functionality problem with an application.
Now, take this example and scale it across the enterprise. According to Netskope’s 2021 Cloud and Threat Report, organizations with 500-2,000 employees use an average of 690 specific cloud applications per month. This number doesn’t even cover the fact that the average organization also includes at least one device per employee, network devices, Internet of Things devices like printers, and on-premises applications. When organizations try to maintain secure configurations, they often find that the number of devices and applications makes the process cumbersome and time-consuming.
As malicious actors continuously evolve their threat methodologies, companies need to continually review their controls’ effectiveness. This makes continuous monitoring the bane of every security professional’s existence. It is such a cumbersome, manual process, and one so subject to human error, that an entire cybersecurity industry has grown up around it. Continuous monitoring means making sure that you have visibility into your environment so that you can remediate any security control weaknesses.
Many organizations have complex technologies that include security information and event management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platforms to help them. Other organizations use centralized log management (CLM) tools to help them detect, investigate, and remediate suspicious activities.
However, at their core, all of these solutions focus on monitoring the organization’s environment to detect abnormal activity, indicating potential threats or risky activity. That can mean a cybercriminal has already gained unauthorized access to the organization’s systems, networks, or applications.
STIG and CIS provide the technical configurations that lock down your devices and applications. When your organization is engaged in continuous monitoring activities, those tools are scanning your organization’s hardware and software to look for any weaknesses that can act as a backdoor into your infrastructure.
Continuous diagnostics and mitigation of STIG and CIS benchmarks and controls is essential to securing the data that’s critical to our nation. The processes may be complex and the job may be imposing, but it is essential to our nation’s security. To learn more about CDM, CIS, STIG and the other concepts discussed here, download our STIGs For Dummies guide, or visit steelcloud.com to get a demo of ConfigOS in action.