Using CIS Benchmarks in your Vulnerability Management Strategy
While vulnerability management is one of the few preventative practices in security, vulnerability patching is still reactive. It’s a never ending cycle of vulnerabilities being discovered, vendors releasing patches, and remediation teams applying patches to remediate those vulnerabilities. And while vulnerability management prevents breaches, it is still a reactive process. The CIS benchmarks, however, are proactive.
The CIS benchmarks are a common standard used for system hardening, which is sometimes also called policy compliance. Think policy as in ‘Group Policy’ in Microsoft Windows, not security policy or remediation policy. CIS is an acronym for Center for Internet Security, which is a vendor neutral consortium who collect best practices for system hardening and configuration to improve security. The number of participants have grown over the years, and now include some vulnerability scanner vendors, as well as operating system vendors.
By using these benchmarks to disable components of a system that you are not using, you make the system much more difficult to exploit. The thing an attacker wants to target isn’t running, so the attacker first has to enable the vulnerable component and then attack it. This system change makes it much more difficult for an attacker to be in the position to do that. If your remediation teams wish they didn’t have to patch as frequently, applying the appropriate benchmarks across your enterprise may be part of the cure they are looking for.
Another use I have seen in my role at Nucleus is Sarbanes-Oxley compliance. The requirements for Sarbanes-Oxley regarding computer systems tend to be rather vague. Applying the benchmarks to any system that is in scope for Sarbanes-Oxley is a good way to demonstrate to regulators that you are configuring and protecting your computer systems in a prudent and responsible manner.
The Three Different CIS Benchmark Levels
The CIS benchmarks are available for popular desktop and server operating systems, including Microsoft Windows, Mac OS, and the most popular Linux distributions. They also exist for many popular applications, including the four major web browsers, Microsoft Office, and Zoom.
The CIS benchmarks come in three different levels. The lower the number, the less impact you can expect to compatibility. The higher levels sacrifice a degree of compatibility for enhanced security. Most organizations start with CIS level 1, then progress to higher levels when needed for stricter security. CIS level 2 provides enhanced security over level 1. CIS has a third level it calls STIG. The STIGs are a security standard originally created by the United States military, based on the requirements in the US Government publication NIST 800-53. The CIS STIGs are CIS’s own reimplementation of the originals. The STIGs are a government standard, but some organizations outside the government use them.
Organizations frequently choose to start with CIS level 1, then move up to stricter standards selectively when they need to meet stricter regulatory or contractual requirements. Implementing level 1 is intended to have minimal impact to system functionality or compatibility. Level 2 may have some impact, and the STIGs can have a greater degree of impact.
How To Implement CIS Benchmarks
It is possible to download the CIS benchmarks, log into a system, and make the changes by mousing around and/or running commands. However, that methodology doesn’t scale. For Windows 11, for example, is 1239 pages long. It generally makes more sense to script out the changes, buy the build kit from CIS, or buy one of their hardened images. The cost of a CIS membership isn’t prohibitive, so it is worthwhile to weigh the cost and benefits of membership versus the amount of time and labor it takes to implement each control on a one-by-one basis.
The ideal time to deploy the CIS benchmarks is when rolling out a new operating system, such as when you build a corporate standard image running Windows 11 to replace Windows 10. When deploying a new operating system, you already expect some compatibility issues, so testing your build with your existing software is probably already part of your process. Applying the CIS benchmark at that time allows you to assess the impact of any changes before they hit production.
Retrofitting onto an existing system is possible, and sometimes necessary, but tends to be more challenging. If you are not facing an immediate requirement to retrofit, I recommend incorporating them into a new technology rollout first. Once you have that experience under your belt, think about strategically retrofitting some existing systems.
Once you apply the benchmarks, you need to make sure they stick. CIS provides a scanning tool called CIS CAT, available in two levels. The free level will scan a system and provide results in HTML format. The for-pay Pro level scans a system and can provide results in additional formats…but you may already have an even better tool.
The most common enterprise vulnerability scanners often have the capability of scanning for CIS compliance already built in to their system. They usually call it a policy compliance scan, or a secure configuration assessment. When you select the appropriate standard and then scan the systems that should conform to that standard, you will get scan results stating which controls passed and failed on each system that you scanned.
You probably will not be able to fully conform to the CIS benchmarks 100% of the time. When testing, you will find the occasional CIS control that breaks functionality you need. Information security is a delicate balance of protecting the data users need to do their jobs while not impacting their ability to access that data they need to do their jobs. This last part is the trickiest part of implementing the CIS benchmarks. You end up creating exceptions, but then when you need to produce the list for an auditor, the data is in a combination of ticketing systems, spreadsheets, e-mail inboxes, and pulling it all together quickly turns into a nightmare. This is where Nucleus can help.
Using CIS Benchmarks With Nucleus
Nucleus can natively import policy compliance scan data, including the CIS benchmarks, from Tenable Nessus, Tenable.SC and Tenable.IO. If you use another scanning tool, your technical account manager can assist you in importing that data into Nucleus. Each CIS control becomes a finding in the Compliance section of Nucleus. Nucleus scores each finding based on the severity data the scanner provides, if any, as well as third party information regarding severity or priority. Nucleus also allows you to define four asset context attributes and how heavily to weigh those into the scoring. This helps you to prioritize each of them. If you tell your auditors that you conform to 80% of the CIS benchmarks, this scoring can help you if they ask how you decide which 80%.
Importing the results into Nucleus also makes it easier to spot unauthorized changes so your IT organization can make corrective action.
Additionally, when you are not able to apply a control because it broke something, you can attach the evidence to the finding. This can be anything, including screenshots, references to tickets either in your internal ticketing system or tickets you opened with any associated vendors, and any recommendations that you received from the affected vendor or your own IT organization’s internal analysis. Add whatever other justifications you need, and then set the finding status to ‘exception granted.’ Now all of your exceptions are in a single place, so when the time comes to show them to an auditor, you have everything you need. And if you happen to be on vacation, it’s easy for your teammates to find what the auditor needs. Furthermore, years from now when any question comes up regarding why a control is set a certain way, you have all of your records so you know. It makes you much less reliant on institutional memory.
Your scanner probably has a way to customize the CIS benchmarks to allow for your exceptions, but it probably doesn’t have any place to store the reasoning behind them. By using Nucleus, you can skip that step of having to customize the policy in the scanner, and simply handle the exceptions inside the same platform. At the very least, it saves you a step, And it also gives you a place to store all of your justifications.
The common objection to implementing the CIS benchmarks is that hardening standards break things. However, by implementing the standards as part of your normal software lifecycle maintenance, you can minimize those types of issues. Plus, by tracking the CIS benchmarks in Nucleus, you can have everything you need in one system, making it much easier to satisfy your auditors. By limiting your attack surface, you may also be able to decrease the number of system updates you need to deploy on a monthly basis.
To learn more about the advantages of utilizing CIS benchmarks within Nucleus, check out the video below:
Implementing the CIS benchmarks or any other hardening standard can be a long journey. Hopefully you find these tips helpful and find that they make the journey more manageable. However, the benefits are not only evident in the journey, but in the end results, as well. Not only do you get better security, but in my experience, having consistent configuration across an entire system can go a long way toward preventing unexplained behavior and making the system more reliable.
Want to learn more about using CIS benchmarks with Nucleus Security? Click here to get in touch.