3 Steps to Deploying a Hardened OS by Tailoring

If you’re looking for the ideal machine image template, get ready to do a little customization. A custom configuration policy is needed whenever your organizational security policies differ from those in a prescribed standard. There are a lot of different best practices and security standards available. Some are vendor- or regulatory-driven. Others are community-driven. And it’s likely that within a single organization’s network, different machines need to meet different policies; for example, a local hospital may need several machines to meet HIPAA guidelines for healthcare security purposes, while machines that process financial data would also need to be PCI DSS compliant. No single security standard is perfect for every machine in your organization’s environment – so some customization is needed. But where to start? This article will show you the steps to tailor and deploy a custom configuration policy for an operating system to meet your organization’s needs.

Step 1: Identify a secure baseline.

The CIS Controls and CIS Benchmarks provide foundational cybersecurity for servers, operating systems, applications, and more. They are consensus-developed, independent security recommendations trusted by users around the world for hardening IT infrastructure. Some users think of the CIS Controls as an “on-ramp” to security frameworks such as NIST 800-53. Within the CIS Controls’ prioritized cybersecurity recommendations, secure configuration of hardware and software is identified as essential to defending against cyber-attacks. It’s the focus of CIS Control 4: Secure Configuration of Enterprise Assets and Software.

Implementing a secure configuration policy such as the CIS Benchmarks is important for minimizing your organization’s vulnerabilities and reducing cyber risk. For organizations that handle sensitive financial data or payment processing, the CIS Benchmarks are referenced by security and compliance standards including PCI DSS. Together, the CIS Benchmarks and CIS Controls help organizations obtain PCI DSS compliance in these areas:

  • Firewall and Router Configurations
  • Patch Management
  • Access Control
  • Change Control

You can download CIS Benchmarks for free in PDF format for more than 100 CIS Benchmarks across 25+ vendor product families.

Step 2: Customize.

Wherever there’s a difference between a required organizational security policy and the CIS recommendation, you may need to do some tailoring. You can do this manually by reviewing the recommendations against a test environment. Make a note of anything that disrupts necessary business activity. You can also record these notes in a web application. CIS WorkBench is one web platform which allows CIS SecureSuite Members to note policy exceptions and changes. The advantage of using CIS WorkBench to create a custom configuration policy is that it can generate machine-readable OVAL and XCCDF files* for assessing endpoints – more on that later.

Once you’ve identified the differences you’d like to address, it’s time to account for risk. Weigh the risk against the specific security control using a risk method like CIS RAM, and you’ll be able to determine which specific configurations don’t apply to your environment. You’ve just created a custom configuration policy!

*available for select CIS Benchmarks

Step 3: Deploy.

Assess your target systems against the custom configuration policy to identify and remediate any configuration gaps. You can do this manually – or, you guessed it – automate the process using a configuration assessment tool. CIS-CAT Pro (part of CIS SecureSuite Membership) is one such tool that assesses endpoints against CIS Benchmarks and custom configuration policy (OVAL/XCCDF) in just minutes. Once your machines are up to date, regularly monitor them for “configuration drift,” which occurs when settings change over time. This can happen due to users modifying configurations, applications being added or removed, or updates to existing programs. Re-assess and deploy the custom configuration policy regularly and maintain the policy in CIS WorkBench. Some tools, including CIS-CAT Pro, allow you to schedule regular assessments against the custom configuration policy, making it even easier to monitor for drift.
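To make Steps 2 and 3 concrete, here is an added example (not code from this article, CIS WorkBench or CIS-CAT Pro) showing how a machine-readable XCCDF 1.2 tailoring turns a baseline profile into an effective policy, how a host snapshot is assessed against that policy, and how two assessments are compared to flag configuration drift. All rule ids, value ids, the tailoring document and the host snapshots are constructed placeholders, not real CIS Benchmark identifiers; the link between a benchmark Value and the rule it parameterises, and the treatment of a refine-value selector as the required value, are simplifying assumptions made for this example.

```python
"""Added example: apply an XCCDF tailoring to a baseline profile, assess a host
snapshot against the effective policy, and report configuration drift."""
import xml.etree.ElementTree as ET

XCCDF_NS = {"xccdf": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed baseline profile: rule id -> required setting. These ids are
# placeholders, not real CIS Benchmark rule ids.
BASELINE_RULES = {
    "xccdf_example_rule_ssh_root_login": "no",
    "xccdf_example_rule_ssh_x11_forwarding": "no",
    "xccdf_example_rule_password_max_days": "365",
    "xccdf_example_rule_auditd_service": "enabled",
}

# Constructed link from a benchmark Value id to the rule it parameterises.
# In a real benchmark this relationship is defined in the benchmark document.
VALUE_TO_RULE = {
    "xccdf_example_value_password_max_days": "xccdf_example_rule_password_max_days",
}

# Constructed XCCDF 1.2 tailoring recording two approved policy exceptions:
# the X11 forwarding rule is deselected and the password age limit is refined.
TAILORING_XML = """<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                 id="xccdf_example_tailoring_custom">
  <xccdf:benchmark href="example-benchmark.xml"/>
  <xccdf:version time="2024-01-01T00:00:00">1</xccdf:version>
  <xccdf:Profile id="xccdf_example_profile_custom"
                 extends="xccdf_example_profile_level1">
    <xccdf:title>Custom policy with approved exceptions</xccdf:title>
    <xccdf:select idref="xccdf_example_rule_ssh_x11_forwarding" selected="false"/>
    <xccdf:refine-value idref="xccdf_example_value_password_max_days" selector="90"/>
  </xccdf:Profile>
</xccdf:Tailoring>
"""


def load_tailoring(xml_text):
    """Return (deselected rule ids, {value id: selector}) from a tailoring."""
    root = ET.fromstring(xml_text)
    deselected = set()
    refined = {}
    for sel in root.findall("xccdf:Profile/xccdf:select", XCCDF_NS):
        if sel.get("selected", "true").lower() == "false":
            deselected.add(sel.get("idref"))
    for rv in root.findall("xccdf:Profile/xccdf:refine-value", XCCDF_NS):
        refined[rv.get("idref")] = rv.get("selector")
    return deselected, refined


def effective_policy(baseline, tailoring):
    """Apply the exceptions to the baseline. The refine-value selector is
    treated as the required value here (a simplification for this example)."""
    deselected, refined = tailoring
    policy = {rule: value for rule, value in baseline.items() if rule not in deselected}
    for value_id, selector in refined.items():
        rule = VALUE_TO_RULE.get(value_id)
        if rule in policy:
            policy[rule] = selector
    return policy


def assess(policy, snapshot):
    """Compare a host's observed settings with the policy. A setting missing
    from the snapshot is reported as a failure, never silently skipped."""
    return {
        rule: "pass" if snapshot.get(rule) == required else "fail"
        for rule, required in policy.items()
    }


def drift(previous, current):
    """Rules whose assessment result changed between two runs."""
    return {
        rule: (previous.get(rule), current.get(rule))
        for rule in current
        if previous.get(rule) != current.get(rule)
    }


# Constructed snapshots: the image as deployed, and the same host 30 days later
# after someone re-enabled root login over SSH.
SNAPSHOT_DAY0 = {
    "xccdf_example_rule_ssh_root_login": "no",
    "xccdf_example_rule_ssh_x11_forwarding": "yes",  # excepted, so not assessed
    "xccdf_example_rule_password_max_days": "90",
    "xccdf_example_rule_auditd_service": "enabled",
}
SNAPSHOT_DAY30 = dict(SNAPSHOT_DAY0, **{"xccdf_example_rule_ssh_root_login": "yes"})

if __name__ == "__main__":
    policy = effective_policy(BASELINE_RULES, load_tailoring(TAILORING_XML))
    first = assess(policy, SNAPSHOT_DAY0)
    later = assess(policy, SNAPSHOT_DAY30)
    for rule, (old, new) in drift(first, later).items():
        print(f"drift: {rule} {old} -> {new}")
```

The deselected X11 rule never appears in the assessment, so an approved exception does not generate noise, while the refined password age is enforced at the tailored value rather than the baseline’s. Keeping the previous assessment and diffing it against the current one is what turns a one-off compliance check into drift monitoring; a scheduled run of the same comparison is the manual equivalent of the recurring assessments the text describes.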

Customized security at the OS level

By starting with a secure baseline and tailoring configurations as needed, you can create the ideal machine image for an environment. This helps you deploy securely configured machines and minimize vulnerabilities in your organization. It may take a bit more time to review which settings to modify, but the payoff is a totally tailored operating system for your environment. Regularly assessing your systems against this tailored policy will help you maintain a hardened environment, strengthening your organization’s cybersecurity posture. And you don’t have to go it alone – there’s a suite of resources backed by the power of community ready to help at CIS.