A data breach can result in catastrophic consequences for any organization. Ensuring that your IT environment is safe from cyber threats can be a real challenge. To keep intruders out of your networks and data, you need more than up-to-date guidance; you also need to continually assess system configuration for conformance to security best practices and to remediate thousands of individual settings in your environment.

But, where do you start?

Begin with Recognized Security Best Practices

The CIS Controls are a prioritized set of actions that mitigate the most common cyber-attacks. They translate cyber threat information into action. The CIS Benchmarks are secure configuration recommendations designed to safeguard systems against today’s evolving cyber threats. Both CIS best practices provide organizations of all sizes with specific and actionable recommendations to enhance cyber defenses. And, both are mapped to or referenced by a number of industry standards and frameworks like NIST, HIPAA, PCI DSS, and more.

Starting with these best practice resources can make the process of securing your systems faster, more reliable, and more cost-effective.

Assess, Then Remediate

Configuration assessments should be performed regularly to identify possible security concerns. Systems very rarely come securely configured right out of the box; and software updates, while necessary, can make your environment vulnerable to configuration drift. That’s why continuous assessment is essential.

CIS-CAT Pro is a tool that can be used to assess configuration at scaleAvailable to CIS SecureSuite Members, it features two components: CIS-CAT Pro Assessor and CIS-CAT Pro Dashboard.

Assessment without remediation is useless, right?

The latest update to CIS-CAT Pro Assessor includes configuration assessment evidence in the HTML report, which assists in remediation planning.

The Reality of Remediating Configuration Settings

To understand what’s so challenging about remediating configuration settings, let’s consider the example of the Microsoft Windows Desktop operating system (OS). The CIS Benchmark for Microsoft Windows 10 has 474 recommendations. If you have 50 instances of that desktop OS in your environment, you’re looking at managing almost 24,000 configuration checks for that platform alone!

And of course, it’s not just the OS that needs configuration. It’s all the other systems as well. You’re literally looking at thousands of individual judgments and actions needed to secure your environment.

You and your team could do it manually, but to touch every device would be incredibly time-consuming, requiring thousands of personnel hours. Continuing to remediate systems on a manual basis would far surpass the resources of even the largest IT departments. You could also hire a consulting firm to do it for you. While they’ll likely get the job done, this approach can be expensive.

Thankfully, there are other options.

There’s More Than One Way to Remediate a Configuration

Any action that corrects a failed/insecure setting is a form of remediation. One of the advantages of using the CIS Benchmarks as your starting point is that you can tailor each Benchmark to your specific needs and circumstances. If a recommended setting is inappropriate for your environment, you can adjust the Benchmark accordingly, noting why the exception was required.

CIS-CAT Pro Dashboard provides the ability to create exceptions, giving you even more options for your remediation program. Eventually, however, you will need to adjust the settings in your environment, and that’s where an automated tool such as the CIS Build Kits can help.

Remediate System Configuration at Scale

CIS Build Kits provide the option for rapid implementation of CIS Benchmark recommendations. Essentially, the CIS Build Kits are pre-configured templates that can be applied via the group policy management console in Windows or shell scripts for Linux/Unix. Applying the Build Kit will change the setting in a target system to the recommended value, providing a “passing” status the next time an assessment is run.

Combined with the use of other CIS SecureSuite resources, Build Kits reduce the time to implement secure configurations. CIS Build Kits can also be customized to an organization’s particular use case. (Please note that it’s important to run Build Kits in a test environment first before deploying).

Article Provided By: CISecurity
Liquid Video Technologies Logo, IoT security, Security, Video Surveillance, Greenville South Carolina, remediate configuration

If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access ControlFire, IT consultant, or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.