What are CIS Benchmarks and Best Practice?
Most organizations need to create baseline technical security configurations. However, configuring systems is one thing. Maintaining those security configurations over time is a whole different beast. The Center for Internet Security (CIS) Controls offer companies a path to maturing their cybersecurity programs, along with technical guidance for establishing and maintaining secure configurations.
Who is the Center for Internet Security (CIS)?
CIS is a non-profit organization whose mission is to make the connected world safer by “developing, validating, and promoting timely best practice solutions.” A primary initiative that enables CIS to meet its mission is the CIS Controls and CIS Benchmarks™.
What are the CIS Controls?
The CIS Controls are a set of twenty basic controls organized into three maturity stages.
- Implementation Group 1: Organizations with limited resources and security expertise
- Implementation Group 2: Organizations with moderate resources and cybersecurity expertise
- Implementation Group 3: Mature organizations with significant resources and cybersecurity experience
Additionally, the CIS Controls are filtered into three categories:
- Basic CIS Controls:
  - Inventory and Control of Hardware Assets
  - Inventory and Control of Software Assets
  - Continuous Vulnerability Management
  - Controlled Use of Administrative Privileges
  - Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  - Maintenance, Monitoring, and Analysis of Audit Logs
- Foundational CIS Controls:
  - Email and Web Browser Protections
  - Malware Defenses
  - Limitation and Control of Network Ports, Protocols, and Services
  - Data Recovery Capabilities
  - Secure Configurations for Network Devices, such as Firewalls, Routers, and Switches
  - Boundary Defense
  - Data Protection
  - Controlled Access Based on the Need to Know
  - Wireless Access Control
  - Account Monitoring and Control
- Organizational CIS Controls:
  - Implement a Security Awareness and Training Program
  - Application Software Security
  - Incident Response and Management
  - Penetration Tests and Red Team Exercises
What are the CIS Benchmarks™?
The CIS Benchmarks™ are a collection of more than 100 configuration guidelines for more than 25 vendor product families, including:
- Amazon Web Services (AWS)
- Check Point Firewall
- Palo Alto
CIS Benchmarks™ are the low-level technical configuration foundation upon which your organization can build a secure IT infrastructure.
CIS Benchmarks™ fall under the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-70 definition of a “checklist.” Security configuration checklists are the technical instructions or procedures for verifying that a product is configured appropriately for its operational environment.
Why are there two CIS Benchmark™ levels?
All CIS Benchmarks™ have at least one profile, but some of them have two. CIS defines the levels like this:
- Level 1: Basic, easily implementable configurations designed to lower the attack surface without impacting performance
- Level 2: Configuration recommendations that may create system conflicts and are intended to provide “defense in depth” for environments that need enhanced security
While Level 2 configurations enhance security, many organizations lack the means to manage these controls without causing adverse performance issues.
SteelCloud ConfigOS: Automate CIS Benchmark Configurations for Enhanced Security
SteelCloud’s patented ConfigOS technology automates CIS Benchmark™ control implementation and maintenance. Our automation enables you to scan your entire environment, implement controls, detect conflicts, remediate conflicts, and document waivers all in a single location.
With ConfigOS, you no longer need staff with specialized cybersecurity skills to ensure secure configurations for all products within your environment. You can train your current staff to use ConfigOS in one day and start hardening your infrastructure immediately. Additionally, our automation enables you to maintain a secure environment by updating all configurations within 72 hours of a new release so that you no longer have to worry about the burden of manually updating systems, networks, devices, and software.