How to Automate the Process of Implementing Secure Configurations
By Sean Atkinson, Chief Information Security Officer, CIS®
Resources like the CIS Benchmarks and CIS-CAT Pro help organizations around the world start secure and stay secure. The CIS-CAT Pro Assessor tool scans against a target system’s configuration settings and reports the system’s compliance to the corresponding CIS Benchmark. While it’s great to know where your systems stand, manually implementing the recommendations can be a daunting task. Another method for implementing the configuration guidelines recommended in the CIS Benchmarks is via remediation kits, which help users automate the process.
Based on the internationally-recognized and community-developed CIS Benchmarks, a remediation kit takes those benchmark recommendations and puts them into Windows Group Policy Objects (GPOs) and shell scripts for *nix based systems (such as Unix or Linux). Available through CIS SecureSuite Membership, remediation kits provide another vector to distribute secure configurations though either the group policy management console within Windows or via a shell within the *nix environments.
Moving towards confirmed compliance
Remediation kits can implement secure configuration settings in just a few minutes; however, there is one caveat. Not all recommendations from a particular CIS Benchmark can be deployed in this manner. For example, EMET recommendations are not included within the Windows remediation kits, because it is an external download from Microsoft. Where the CIS Benchmarks provide recommendations and CIS-CAT Pro assesses for compliance, remediation kits provide the “glue” of assurance by implementing configurations.
To get started, organizations should first establish a benchmark requirement. Secure configuration requirements should be documented as part of the operational security standard. Next, deploy secure configurations – this can be a manual process, or it can be automated with remediation kits. Third, establish continued monitoring. Be sure to define how often you’re going to review and assess configurations. The decision could be based on resources, but in most cases a recommended approach is to tier systems based criticality and risk. Tiering systems based on this categorization will define what should be scanned more often and those third- or fourth-tier systems that can be scanned less often.
For example, let’s say Company A deploys CIS-CAT Pro to scan monthly on their critical infrastructure. CIS-CAT Pro will confirm compliance or may discover a configuration that is outside the benchmark recommendations. Company A has two options:
- Approve the change based on organizational needs and document a known deviation from the delivered benchmark. As long as exceptions are documented, approved, and also referred to in the compliance check, Company A is still compliant.
- Recognize that an unauthorized change has occurred and correct the configuration either manually or with a remediation kit.