Staying CIS Compliant: When Good Mandates Go Wrong
June 13, 2023

Navigating the obstacles of CIS Compliance.

System-level technical controls, like CIS Benchmarks, are the detailed configurations that you use to secure your systems. You need the technical knowledge and experience to implement, deploy, and maintain CIS Benchmarks. And that last part is key, because getting your system into compliance is not the only goal. It may not even be the most important one. Maintaining compliance over time is the real trick.

Some things take more time and patience than you have.

Security problems never stop multiplying. Just when you’ve gotten all your systems secured and protected, misconfigurations pop up out of nowhere. Maybe you’ve fallen out of compliance when adding new technologies and applications to your system. Maybe CIS just published a regular update.

If you’re trying to manage hardening and maintain compliance manually, then you need to start by scanning your systems:

  1. Scan a system on the network
  2. Evaluate the system’s compliance level
  3. Manually remediate out-of-compliance items
  4. Run the scan again to check for compliance and validate that the remediation worked

It’s the same repetitive, time-consuming process your admin went through when setting up the baseline configurations in the first place. Furthermore, it’s the same mind-numbing process they will repeat day after day, year-round.

Whatever can go wrong probably will.

Misconfigurations are just the start of the complex processes that admins face on the road to compliance. They also need to check that users aren’t affected. Most configurations are global, meaning that when the admin makes a change in one place, it gets pushed to all systems and users. Admins need to check access to network resources, VPNs, application operations and other services across all departments and locations.

Global configuration changes also often cause problems because they impact a bunch of settings across all technologies all at once, not just a single setting or line of code. If the change causes a problem, then the admin needs to look at each individual change to find the culprit.

Then there are configuration errors, where a change the admin made leaves a program unable to work as intended. There can be conflicting CIS Benchmarks, where one Benchmark prevents normal operation in another component or application. And just when you thought the hardening task was compliant, the system drifts after you have added or removed a component. In addition, you’ll probably want to check systems monthly to ensure you’re still maintaining your secure baseline.
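The four-step scan, evaluate, remediate, re-scan loop above, the "look at each individual change to find the culprit" problem with batched global changes, and drift after a component change can all be shown in one small script. The code below is an added example written for this page, not ConfigOS or CIS code; the rule IDs (EX-1 to EX-5), the sshd_config-style settings, the sample system snapshot and the "legacy job" service check are all constructed for illustration.

```python
# Added example: a minimal scan -> evaluate -> remediate -> re-scan loop,
# plus bisection of a batch of changes and a drift re-check.
# Illustrative code for this page only; not ConfigOS code. Rule IDs,
# settings, the sample system and the service check are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Config = Dict[str, str]


@dataclass(frozen=True)
class Rule:
    rule_id: str   # constructed id, not a real CIS recommendation number
    key: str       # setting name, sshd_config style
    expected: str  # value the baseline requires


# Constructed baseline, in the spirit of an SSH hardening benchmark.
BASELINE: List[Rule] = [
    Rule("EX-1", "PermitRootLogin", "no"),
    Rule("EX-2", "PasswordAuthentication", "no"),
    Rule("EX-3", "X11Forwarding", "no"),
    Rule("EX-4", "MaxAuthTries", "4"),
    Rule("EX-5", "LogLevel", "VERBOSE"),
]

# Constructed snapshot of a freshly installed, not-yet-hardened system.
SAMPLE_SYSTEM: Config = {
    "PermitRootLogin": "yes",
    "PasswordAuthentication": "yes",
    "X11Forwarding": "yes",
    "MaxAuthTries": "6",
    "LogLevel": "INFO",
}


def scan(system: Config, baseline: List[Rule]) -> List[Rule]:
    """Steps 1-2: evaluate each rule and return the rules the system fails."""
    return [r for r in baseline if system.get(r.key) != r.expected]


def remediate(system: Config, findings: List[Rule]) -> Config:
    """Step 3: set every failing item to its expected value (returns a copy)."""
    fixed = dict(system)
    for r in findings:
        fixed[r.key] = r.expected
    return fixed


def compliance_cycle(system: Config, baseline: List[Rule]) -> Tuple[Config, List[str], List[str]]:
    """Steps 1-4: scan, remediate, then re-scan to validate the remediation."""
    before = scan(system, baseline)
    after_cfg = remediate(system, before)
    after = scan(after_cfg, baseline)   # step 4: should be empty if remediation worked
    return after_cfg, [r.rule_id for r in before], [r.rule_id for r in after]


def isolate_breaking_change(system: Config, findings: List[Rule],
                            still_works: Callable[[Config], bool]) -> Optional[Rule]:
    """Find the single change in a batch that breaks a service check.

    Binary-searches the smallest prefix of `findings` whose application fails
    `still_works`; the last change in that prefix is the culprit. Assumes
    breakage is monotonic (applying more changes never repairs it).
    """
    if not still_works(system):
        raise ValueError("service check already fails before any change is applied")
    if still_works(remediate(system, findings)):
        return None                       # the whole batch is harmless
    lo, hi = 0, len(findings)             # invariant: findings[:lo] works, findings[:hi] fails
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if still_works(remediate(system, findings[:mid])):
            lo = mid
        else:
            hi = mid
    return findings[hi - 1]


def legacy_job_still_works(cfg: Config) -> bool:
    """Constructed service check: a legacy batch account has no SSH key,
    so turning off password authentication breaks its nightly job."""
    return cfg.get("PasswordAuthentication") != "no"


def detect_drift(compliant: Config, baseline: List[Rule], change: Config) -> List[str]:
    """Re-scan after a component install/removal altered settings; return new failures."""
    drifted = {**compliant, **change}
    return [r.rule_id for r in scan(drifted, baseline)]


if __name__ == "__main__":
    cfg, before, after = compliance_cycle(SAMPLE_SYSTEM, BASELINE)
    print("failing before:", before, "failing after:", after)
    culprit = isolate_breaking_change(SAMPLE_SYSTEM, scan(SAMPLE_SYSTEM, BASELINE),
                                      legacy_job_still_works)
    print("change that breaks the legacy job:", culprit.rule_id if culprit else None)
    print("drift after a component re-enabled X11:",
          detect_drift(cfg, BASELINE, {"X11Forwarding": "yes"}))
```

The bisection is what replaces "look at each individual change": instead of reverting five settings one at a time, it needs about log2(N) service checks to name the one change that broke the legacy job, which then goes back to the development environment for a proper exception or fix. The drift check is the monthly re-scan from the paragraph above, expressed as a function you can schedule.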

All of that is to say that, when done manually, compliance and cybersecurity are VERY time-consuming and require admins with years of technical skill to implement. And because the repetitive acts are soul sucking and endless, it takes very special people to implement the security your customers demand. Those kinds of people don’t come cheap.

Eliminating downtime in the development environment.

Downtime – or a system outage – is the CIS Benchmark compliance menace nobody wants to encounter, because it means:

  • People don’t have access to resources
  • The company experiences business-interruption costs and losses
  • Users and customers lose confidence in you and your ability to provide access to critical services
  • Leadership, peers, and users lose respect for the system administrators

When you implement processes for creating and testing hardening baselines in the development environment, however, you can prevent a lot of these problems. Before any of your CIS Benchmark changes get pushed to production where they can actually do damage, your admin should be going through a development, testing, and integration process.

If you do all the hard work in the development phase, then when your admin pushes the changes live to users, you’re less likely to have expensive downtime.

Eliminating the frustration, repetition, and mind-numbing work altogether.

At least 90% of the effort and 70% of the time it takes to get and stay compliant can be eliminated by automation. SteelCloud’s ConfigOS Command Center performs those repetitive tasks on an ongoing basis so your admins don’t have to.

With a workforce shortage, limited budgets and limited time to get the job done, automation frees your people to work on backlogs, proactive projects and strengthening security even further. Better yet, it’s what your government clients use to streamline security on their end, so it can only help your cause.

To learn more about automation for CIS compliance, contact SteelCloud or schedule a free demo to see how it works.
