Making CIS Benchmarks Part of your Vulnerability Management Strategy

Scott Kuffer
December 19, 2024
Industry
CIS Benchmark Blog

While vulnerability management is one of the few preventative practices in security, vulnerability patching is still a reactive process. It’s a continuous cycle of discovery, vendors releasing patches, and remediation teams applying those patches. What if there were a way to build some proactivity into this endless reactive spiral?

The Center for Internet Security (CIS) benchmarks are a common standard used for system hardening, which is sometimes also called policy compliance. Think policy as in ‘Group Policy’ in Microsoft Windows, not security policy or remediation policy. The CIS is a vendor-neutral consortium that collects best practices for system hardening and configuration to improve security. It has grown over the years to include vulnerability scanners, operating systems, cloud providers, and more. 

The defensive concept behind using the CIS benchmarks is simple. The benchmarks allow you to disable components of a system that you aren’t using, making the system much more difficult to exploit. If an attacker wants to target a specific vulnerable component that isn’t running, they must first enable the vulnerable component before attacking it. This increases the attacker’s dwell time, making detection more likely while also making your assets more resilient against attack.

This approach also has a positive impact on the regulatory compliance front. For example, the requirements for Sarbanes-Oxley regarding computer systems tend to be vague. Applying the CIS benchmarks to any system that is in scope for Sarbanes-Oxley is an effective way to demonstrate to regulators that you are configuring and protecting your computer systems in a prudent and responsible manner.  

The Three Different CIS Benchmark Levels  

The CIS benchmarks are available for popular desktop and server operating systems, including Microsoft Windows, macOS, and the most popular Linux distributions. They also exist for many popular applications, including major web browsers, Microsoft Office, and Zoom.

The CIS benchmarks are categorized in three distinct levels.  

Level 1 

At the lowest level, CIS benchmarks can be implemented quickly and with minimal to no impact on business functionality. Benchmarks at this level are designed to reduce risk without causing business disruption. 

Level 2 

Level 2 benchmarks are much more stringent, intended for use at organizations where security is essential. These benchmarks, if not implemented properly, can have a negative impact on business operations. Implementing Level 2 benchmarks requires planning and careful consideration for functionality. 

STIG 

The third level of benchmarks takes its recommendations from the Security Technical Implementation Guide (STIG), a security standard originally created by the United States military and based on US Government publication NIST 800-53. While designed to help government organizations achieve compliance with the NIST standards, some organizations outside of the government also incorporate this level into their own implementation.

How To Implement CIS Benchmarks  

It is possible to download the CIS benchmarks, log into a system, and make the changes by mousing around and running commands. However, this approach doesn’t scale, especially for larger organizations.  

For example, the Windows 11 list of recommendations is currently over 1300 pages long. It makes more sense to script out the changes, buy the build kit from CIS, or buy one of their hardened images. The cost of a CIS membership isn’t hugely expensive, but it is worthwhile to weigh the cost and benefits of membership versus the amount of time and labor it takes to implement each control individually.  

The ideal time to deploy the CIS benchmarks is when rolling out a new operating system, such as when you build a corporate standard image running Windows 11 to replace Windows 10. You can already expect some compatibility issues during this process; applying the CIS benchmark during implementation allows you to assess the impact of any changes before they hit production.   

Retrofitting onto an existing system is possible, and sometimes necessary, but tends to be more challenging. If you are not facing an immediate requirement to retrofit, it’s recommended to build the benchmarks into a new technology rollout first. Once you have that experience under your belt, think about strategically retrofitting some existing systems.

Once you apply the benchmarks, you need to make sure they stick. CIS provides a scanning tool called CIS-CAT, available in two levels. The free CIS-CAT Lite level will scan a system and provide results in HTML format. The Pro product scans systems, providing results in additional formats and reporting on compliance levels.

CIS-CAT isn’t the only scanning option. Most common enterprise vulnerability scanners can scan for CIS compliance. They usually call it a policy compliance scan or a secure configuration assessment. When you select the appropriate standard and then scan the systems that should conform to that standard, you will get scan results stating which controls passed and failed on each system that you scanned.

You will not be able to fully conform to the CIS benchmarks 100% of the time. When testing, you will find the occasional CIS control that breaks functionality you need. Information security is a delicate balance of protecting the data users need to do their jobs while not impacting their ability to access that data. This last part is the trickiest part of implementing the CIS benchmarks. You end up creating exceptions, but then when you need to produce the list for an auditor, the data is in a combination of ticketing systems, spreadsheets, and email inboxes. Pulling it all together can quickly turn into a nightmare. 
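As an added illustration of the scan-results-plus-exceptions workflow described above (example code written for this post, not a CIS or Nucleus tool), the script below reads a constructed pass/fail export, applies an exception register that records the ticket and reasoning for each exception, reports a strict and an exceptions-included conformance percentage, and flags controls that passed last scan but fail now. The CSV layout, control IDs, titles, and ticket numbers are all hypothetical placeholders.

```python
import csv
import io
# Constructed sample: a policy-compliance scan export in the shape scanners commonly
# produce (host, control ID, title, result). IDs and titles are hypothetical placeholders.
SCAN_CSV = """host,control,title,result
srv01,1.1.1,Hypothetical password length control,PASSED
srv01,2.3.4,Hypothetical legacy service disabled,FAILED
srv01,5.6.7,Hypothetical audit policy control,FAILED
srv02,1.1.1,Hypothetical password length control,PASSED
srv02,2.3.4,Hypothetical legacy service disabled,PASSED
srv02,5.6.7,Hypothetical audit policy control,FAILED
"""
# Constructed exception register: one place for the reasoning behind each exception
# (ticket reference, justification, approval state) instead of spreadsheets and inboxes.
EXCEPTIONS = {
    ("srv01", "2.3.4"): {"ticket": "CHG-0001", "reason": "legacy app needs it", "approved": True},
    ("srv02", "5.6.7"): {"ticket": "CHG-0002", "reason": "awaiting vendor fix", "approved": False},
}


def rows(csv_text):
    """Yield (host, control, passed) from a scan export; any non-PASSED result counts as failed."""
    for r in csv.DictReader(io.StringIO(csv_text)):
        yield r["host"], r["control"], r["result"].strip().upper() == "PASSED"


def assess(csv_text, exceptions):
    """Bucket each (host, control) as passed, excepted, or open, and compute both percentages."""
    passed, excepted, open_findings = 0, [], []
    for host, control, ok in rows(csv_text):
        exc = exceptions.get((host, control))
        if ok:
            passed += 1
        elif exc and exc["approved"]:
            excepted.append((host, control, exc["ticket"]))  # auditor-ready evidence pointer
        else:
            open_findings.append((host, control))           # unapproved exceptions stay open
    total = max(passed + len(excepted) + len(open_findings), 1)
    return {
        "passed": passed, "excepted": excepted, "open": open_findings,
        "strict_pct": round(100.0 * passed / total, 1),  # controls actually in place
        "with_exceptions_pct": round(100.0 * (passed + len(excepted)) / total, 1),
    }


def drift(previous_csv, current_csv):
    """Controls that passed last scan but fail now: candidates for unauthorized change."""
    now_failed = {(h, c) for h, c, ok in rows(current_csv) if not ok}
    was_failed = {(h, c) for h, c, ok in rows(previous_csv) if not ok}
    return sorted(now_failed - was_failed)
```

Keeping the strict and exceptions-included figures separate is what lets you answer an auditor who asks which part of the benchmark you actually conform to and which part you have consciously waived.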

Using CIS Benchmarks with Nucleus  

Nucleus can natively import policy compliance scan data, including the CIS benchmarks, from many vulnerability scanners, including Tenable Nessus, Tenable.SC, and Tenable.IO. If you use another scanning tool, your technical account manager can assist you in importing that data into Nucleus.  

Each CIS control becomes a finding in the Compliance section of Nucleus, where each finding is scored based on the severity data the scanner provides, if any, as well as third party information regarding severity or priority. Nucleus also allows you to define four asset context attributes and how heavily to weigh those into the scoring. If you tell your auditors that you conform to 80% of the CIS benchmarks, this scoring can help you if they ask how you decide which 80%.  

Importing the results into Nucleus also makes it easier to spot unauthorized changes so your IT organization can take corrective action.

Additionally, when you are not able to apply a control because it broke something, you can attach the evidence to the finding. This can be anything, including screenshots, references to tickets either in your internal ticketing system or tickets you opened with any associated vendors, and any recommendations that you received from the affected vendor or your own IT organization’s internal analysis. Add whatever other justifications you need and then set the finding status to ‘exception granted.’ All your exceptions are in a single place, so when it comes to showing them to an auditor, you have everything you need.   

Your scanner probably has a way to customize the CIS benchmarks to allow for your exceptions, but it doesn’t have any place to store the reasoning behind them. By using Nucleus, you can skip that step of having to customize the policy in the scanner and simply handle the exceptions inside a single platform.   

The common objection to implementing the CIS benchmarks is that hardening standards break things. However, by implementing the standards as part of your normal software lifecycle maintenance, you can minimize those types of issues. Plus, by tracking the CIS benchmarks in Nucleus, you can have everything you need in one system, making it much easier to satisfy your auditors. By limiting your attack surface, you may also be able to decrease the number of system updates you need to deploy monthly.

Implementing the CIS benchmarks or any other hardening standard can be a long journey, but it doesn’t need to be an impossible one. The benefits include better security, more reliable performance, and increased compliance with security regulations. If you need assistance, please contact us to discuss your CIS benchmark needs and learn more about how Nucleus can help make the journey an easier one. 

Scott Kuffer
Scott is the co-founder and COO of Nucleus Security, a leading provider of risk-based vulnerability management solutions. With a wealth of experience in cybersecurity, SaaS, and business strategy, he has been at the forefront of driving innovation in vulnerability management, helping some of the world’s most complex enterprises tackle their biggest security challenges.
