Simplifying Customers’ System Hardening Efforts in Less Time
Senteon is a cybersecurity startup that works primarily in the continental United States. As an independent software vendor, it supports managed service providers (MSPs) and other clients with configuration management and hardening their systems to meet compliance requirements. At the time of writing, Senteon has 12 employees.
We sat down with Henry Zhang, CEO and Co-founder at Senteon. Zhang handles all of the professional services and onboarding of products. He ensures Senteon's configuration management tool properly supports CIS Benchmarks® by going through new CIS Benchmarks, catching those updates, working them into products, making updates to systems, and testing them.
Zhang told us how Senteon uses its CIS SecureSuite® Product Vendor Membership to save time helping customers manage their secure configurations using prescriptive, authoritative guidelines. Let’s examine how this happened.
The Challenge: Finding a Detailed System Hardening Standard with Built-in Attestation
At the founding of Senteon, Zhang knew he wanted to work in the system hardening space to support people with configurations, create hardened baselines, and align security and compliance guidelines. To do this, he needed a prescriptive standard, not high-level advice, covering not only what customers need to do but also how they need to do it.
Zhang started out by creating a list of hardening guidelines internally. But attestation proved to be a challenge. He needed some way to authoritatively prove the list was relevant to the requirements he identified, so he did some research. He found a secure configuration framework from Microsoft, but he discovered it was deprecated. He also examined the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs). While Senteon supports mapping to some DISA STIGs in the environment, Zhang observed that the DISA STIGs in general focus on the government, meaning some configurations did not make sense for private organizations to implement.
The Solution: Reputable, Machine-Readable Secure Configuration Guidelines
Zhang had previous experience working with the CIS Benchmarks. He had gone through and applied them during the onboarding process for different environments prior to starting Senteon, so he had a personal idea of how they worked.
What Are the CIS Benchmarks?
The CIS Benchmarks are prescriptive secure recommendations that remove the guesswork from hardening 100+ operating systems, desktops, servers, and other technologies across more than 25 product vendor families. Referenced by numerous standards, including PCI DSS, HIPAA, and others, the CIS Benchmarks are developed by a global community of IT experts through consensus and stewarded by the Center for Internet Security® (CIS®), which has managed the process of creating CIS Benchmarks since 2000.
Testing Senteon's Tooling against CIS SecureSuite
Zhang quickly decided Senteon needed to become a CIS SecureSuite Product Vendor Member. After Senteon joined, he began using CIS-CAT® Pro Assessor to test against Senteon’s tooling for attestation purposes. It came down to a matter of licensing; if Senteon needed to attest to what the company was doing, he wanted CIS to do it.
Additionally, Zhang expanded his access to and use of the CIS Benchmarks. Prior to becoming a CIS SecureSuite Member, he could access the CIS Benchmarks only as PDFs. Even then, he couldn't use the CIS Benchmarks commercially. Once Senteon became a CIS SecureSuite Product Vendor Member, Zhang signed up on CIS WorkBench to access the CIS Benchmarks as Excel documents and in machine-readable formats, which helped him to start using the CIS Benchmarks' guidance to directly support Senteon's business.
Aside from accessing the CIS Benchmarks, Zhang also began using mappings of the CIS Critical Security Controls® (CIS Controls®) to other frameworks like the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) 27001:2022.
The Impact: A Starting Point for Saving Time, Attracting New Business
The CIS Benchmarks became the backbone for Senteon's product. As of this writing, Zhang estimates at least 80–90% of configurations Senteon manages are from the secure recommendations of the CIS Benchmarks.
Here's Zhang on how this adoption of the CIS Benchmarks has saved him time:
Our access to machine-readable formats of the CIS Benchmarks enables Senteon to start from "1" instead of "0." From a cost perspective, it's given us a starting point. It cut down on my all-nighters when getting Senteon started. As a result, it probably saved me 60 hours all told on initial setup of the secure configurations we're now using.
Zhang has used these time savings to focus more on product development, refining the value of Senteon when it comes to drift correction and evaluations as they relate to configurations.
Meanwhile, Senteon continues to save additional time by pointing to CIS as the authoritative body for attestation. The startup's CIS SecureSuite Product Vendor Membership streamlines the process of achieving CIS Benchmarks Certification, which makes it even easier to demonstrate Senteon's products can remediate for, assess against, and configure to the CIS Benchmarks.
Zhang also simply references CIS and the cross-mapping of its security best practices to various regulatory frameworks when it comes to navigating Safe Harbor Laws. He's even looked at various frameworks and requirements that directly mention compliance with the CIS Controls and CIS Benchmarks, which has brought in new business opportunities for Senteon.
All the while, Zhang relies on CIS's regular cadence of releases for the CIS Controls, CIS Benchmarks, and its tools to set up a complementary update cadence for Senteon's own products.
The Value of Community in Upholding Customers’ System Hardening Efforts
Zhang says Senteon's work with CIS brings a sense of community good. At the annual RSAC™ Conference, for instance, the CIS team checks in on Senteon to nurture and grow the partnership.
Now It’s Your Turn!
Through its use of CIS SecureSuite Product Vendor Membership, Senteon integrated machine-readable formats of the CIS Benchmarks to simplify system hardening for its customers.