Remediate Insecure Configurations to Improve Cybersecurity

A data breach can result in catastrophic consequences for any organization. Ensuring that your IT environment is safe from cyber threats can be a real challenge.

To keep intruders out of your networks and data, you need more than up-to-date guidance; you also need to continually assess system configurations for conformance to security best practices, and to harden thousands of individual settings in your environment.

But, where do you start?

Begin with Recognized Security Best Practices

The CIS Controls are a prioritized set of actions that mitigate the most common cyber-attacks. They translate cyber threat information into action. The CIS Benchmarks are secure configuration recommendations designed to safeguard systems against today’s evolving cyber threats. Both CIS best practices provide organizations of all sizes with specific and actionable recommendations to enhance cyber defenses. And, both are mapped to or referenced by a number of industry standards and frameworks like NIST, HIPAA, PCI DSS, and more.

Starting with these best practice resources can make the process of securing your systems faster, more reliable, and more cost-effective.

Assess, Then Remediate

Configuration assessments should be performed regularly to identify possible security concerns. Systems very rarely come securely configured right out of the box, and software updates, while necessary, can introduce configuration drift into your environment. That’s why continuous assessment is essential.

CIS-CAT Pro is a tool that can be used to assess configuration at scale. Available to CIS SecureSuite Members, it features two components: CIS-CAT Pro Assessor and CIS-CAT Pro Dashboard.

Assessment without remediation is useless, right?

The latest update to CIS-CAT Pro Assessor includes configuration assessment evidence in the HTML report, which assists in remediation planning.

The Reality of Remediating Configuration Settings

To understand what’s so challenging about remediating configuration settings, let’s consider the example of the Microsoft Windows Desktop operating system (OS). The CIS Benchmark for Microsoft Windows 10 has 474 recommendations. If you have 50 instances of that desktop OS in your environment, you’re looking at managing almost 24,000 configuration checks for that platform alone!

And of course, it’s not just the OS that needs configuration. It’s all the other systems as well. You’re literally looking at thousands of individual judgments and actions needed to secure your environment.

You and your team could do it manually, but to touch every device would be incredibly time-consuming, requiring thousands of personnel-hours. Continuing to remediate systems on a manual basis would far surpass the resources of even the largest IT departments. You could also hire a consulting firm to do it for you. While they’ll likely get the job done, this approach can be expensive.

Thankfully, there are other options.

There’s More Than One Way to Remediate

Any action that corrects a failed/insecure setting is a form of remediation. One of the advantages of using the CIS Benchmarks as your starting point is that you can tailor each Benchmark to your specific needs and circumstances. If a recommended setting is inappropriate for your environment, you can adjust the Benchmark accordingly, noting why the exception was required.

CIS-CAT Pro Dashboard provides the ability to create exceptions, giving you even more options for your remediation program. Eventually, however, you will need to adjust the settings in your environment, and that’s where an automated tool such as the CIS Build Kits can help.

Remediate System Configuration at Scale

CIS Build Kits provide the option for a rapid implementation of CIS Benchmark recommendations. Essentially, the CIS Build Kits are pre-configured templates that can be applied via the group policy management console in Windows, or shell scripts for Linux/Unix. Applying the Build Kit will change the setting in a target system to the recommended value, providing a “passing” status the next time an assessment is run.

Combined with the use of other CIS SecureSuite resources, Build Kits reduce the time to implement secure configurations. CIS Build Kits can also be customized to an organization’s particular use case. (Please note that it’s important to run Build Kits in a test environment before deploying them to production.)
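The assess, tailor, remediate cycle described in the last two sections can be made concrete in a few lines of shell. The following is an added example, not CIS-CAT, Build Kit or Benchmark content: the configuration file, the five "key expected_value" recommendations (modelled loosely on common SSH daemon hardening guidance) and the one documented exception are all constructed for the demonstration. It reports each recommendation as PASS, FAIL or EXCEPTION, counts the remediation backlog (exceptions are excluded, as a tailored Benchmark would exclude them), and then sets every failing, non-excepted key to its recommended value, rewriting the existing line or appending the directive if it is missing, which is the step a Build Kit automates.

```shell
#!/bin/sh
# Added example: assess a config against benchmark-style recommendations, honour documented
# exceptions (tailoring), then remediate the remaining failures in place. All data below is
# constructed; the recommendations are hypothetical and not from any specific CIS Benchmark.
set -eu

CONFIG_FILE="${TMPDIR:-/tmp}/sample_config.$$"
EXCEPTIONS_FILE="${TMPDIR:-/tmp}/sample_exceptions.$$"
trap 'rm -f "$CONFIG_FILE" "$CONFIG_FILE.tmp" "$EXCEPTIONS_FILE"' EXIT

# Hypothetical recommendations, one "key expected_value" per line.
BENCHMARK='PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
LoginGraceTime 60'

# Constructed "out of the box" configuration: two settings wrong, one directive missing.
write_sample_config() {
cat > "$CONFIG_FILE" <<'EOF'
# constructed sample configuration
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 6
EOF
}

# Tailoring: documented exceptions, one "key justification" per line (placeholder ticket id).
cat > "$EXCEPTIONS_FILE" <<'EOF'
PasswordAuthentication legacy-app-needs-passwords-see-ticket-PLACEHOLDER
EOF

# current_value KEY -> the configured value, or "<unset>" when the directive is absent
current_value() {
    awk -v k="$1" '$1 == k { print $2; found = 1 } END { if (!found) print "<unset>" }' "$CONFIG_FILE"
}

# is_excepted KEY -> succeeds when the key has a documented exception
is_excepted() {
    grep -q "^$1 " "$EXCEPTIONS_FILE"
}

# assess -> one PASS / FAIL / EXCEPTION line per recommendation (the assessment report)
assess() {
    printf '%s\n' "$BENCHMARK" | while read -r key expected; do
        if is_excepted "$key"; then
            reason=$(awk -v k="$key" '$1 == k { print $2 }' "$EXCEPTIONS_FILE")
            echo "EXCEPTION $key (justification: $reason)"
            continue
        fi
        actual=$(current_value "$key")
        if [ "$actual" = "$expected" ]; then
            echo "PASS $key = $actual"
        else
            echo "FAIL $key = $actual (expected $expected)"
        fi
    done
}

# count_failures -> size of the remediation backlog (FAIL lines only; exceptions do not count)
count_failures() {
    assess | grep -c '^FAIL' || true
}

# remediate -> set every failing, non-excepted key to its recommended value: rewrite the
# existing line, or append the directive when it is missing entirely
remediate() {
    failures=$(assess | awk '/^FAIL/ { print $2 }')
    for key in $failures; do
        expected=$(printf '%s\n' "$BENCHMARK" | awk -v k="$key" '$1 == k { print $2 }')
        if grep -q "^$key " "$CONFIG_FILE"; then
            awk -v k="$key" -v v="$expected" '$1 == k { print k, v; next } { print }' \
                "$CONFIG_FILE" > "$CONFIG_FILE.tmp" && mv "$CONFIG_FILE.tmp" "$CONFIG_FILE"
        else
            echo "$key $expected" >> "$CONFIG_FILE"
        fi
    done
}

# Full cycle on the constructed sample: assess, remediate, re-assess.
write_sample_config
echo "== Before remediation ($(count_failures) failing) =="; assess
remediate
echo "== After remediation ($(count_failures) failing) =="; assess
```

The re-assessment after `remediate` is the point of the exercise: the excepted setting still shows as EXCEPTION rather than FAIL, so the backlog reflects only what the organization actually intends to fix, and the justification travels with the report. On a real system the same structure applies, but the rewrite step should first be run against a test environment, exactly as the post advises for Build Kits.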


CIS SecureSuite: Assess and Remediate at Scale

Cybersecurity is a responsibility that requires constant attention. It’s not just something you can “set and forget.” Cyber threat actors are always developing new and more sophisticated techniques for attacking established defenses. Any security breach can put your organization and the people who rely on it at risk.

You need to stay up to date with current guidance, continually assess your systems, and remediate failed settings.

CIS SecureSuite Membership offers the added value of the CIS Benchmarks in machine-readable formats, plus assessment and reporting tools such as CIS-CAT Pro Assessor and CIS-CAT Pro Dashboard, CIS Build Kits, technical support, and more. Attend our CIS Benchmarks Demo Webinar to learn more.