CIS-CAT Pro Results Focus on CIS Controls IG1

One of the core benefits of CIS SecureSuite Membership is the CIS Configuration Assessment Tool (CIS-CAT) Pro. CIS-CAT Pro brings the power of CIS Benchmarks to your organization by performing automated configuration analysis of your systems against CIS Benchmark best practices. It identifies configuration security gaps, helping you to quickly prioritize remediation tasks.

As a Member, you're determined to make the most of CIS-CAT Pro. So you've attended one of our CIS SecureSuite Member webinars. You've gone through the steps of installing CIS-CAT Pro. And you've run an assessment...only to score 28%.

What Does a Low Assessment Score Mean?

CIS Critical Security Control 4 explains that system manufacturers deliver assets and software with default configurations designed for ease of use and deployment rather than security. Most out-of-the-box systems score below 30% against CIS Benchmark configuration best practices.

Many organizations might feel alarmed when a configuration scan results in such a low score. It can feel like a daunting task to determine how to address configuration. This is normal! Depending on individual preference, organizations may wish to apply a CIS Build Kit on a test system and remove settings that block business processes. This is a great way to make a big impact quickly, but it's not for everyone. Some organizations might not have many hands to drive this process. Some might also want to start more slowly with additional analysis of their results.

IG1 as an Area of Focus

Fortunately, there's a way forward for organizations that want to take things slowly.

The latest version of CIS-CAT Pro Assessor offers a new feature within the HTML-formatted configuration assessment report that supports this slower approach. An interactive filter within the report allows organizations to focus on results for CIS Benchmark recommendations associated with CIS Critical Security Controls Implementation Group 1 (IG1).

Just as a reminder, IGs are categories of the CIS Critical Security Controls that help define cyber defenses by levels of cyber maturity. IG1 has been defined by community consensus processes as “essential cyber hygiene,” the foundational set of cyber defense Safeguards that every enterprise should apply to protect against the most common attacks.

Focusing Your Remediation Efforts

When it comes to security remediation, any start is a good start! Not all “Fail” results need to be addressed immediately, after all. It’s possible to make a big impact and improve your CIS-CAT Pro assessment score in a short time by breaking down which recommendations can initially be considered for adoption, section by section.