During the last two decades, compliance has become an essential business function. Until a few years ago, many organizations were more concerned with compliance than with being secure. Most organizations now understand that security and compliance are not synonymous, and that both functions must work together to protect the organization.
However, there are still some misunderstandings about compliance with frameworks such as PCI-DSS and regulatory requirements like the GDPR. Many organizations consider compliance to be an annual exercise, while security is a separate and more important function. Maintaining continuous compliance is vital for both risk management and security.
The Need for Continuous Compliance
Entertaining the idea that compliance is something to be ‘signed off’ once per year has the potential for problems. This mindset can almost guarantee that for most of each year, your systems and assets will be non-compliant.
For example, an organization undergoes an annual compliance audit and passes. Then, a month later, the finance department purchases a new software solution, which requires a new server, user permissions, etc. Every change or addition made to accommodate the new solution is a potential source of vulnerabilities and compliance issues. Worse still, if you’re only checking for compliance annually, those issues can remain undetected for 11 whole months.
New assets, users, and applications are added all the time, and configuration changes, in particular, are made constantly. While these changes are often essential, every single one is a potential source of security vulnerabilities and compliance issues.
By ensuring that your assets are always compliant with any necessary frameworks, you’ll be hardening your assets against cyber attacks and protecting your organization against the financial hardship of non-compliance fines. Remember — even if your last compliance audit was clear, your organization can still be fined for non-compliance in the event of a breach. This is why continuous compliance checking is so important.
Since configuration changes are among the most common sources of compliance issues, great care should be taken to ensure assets are hardened and configured securely at all times. The CIS benchmarks are a valuable tool for achieving this.
What are the CIS Benchmarks?
The CIS benchmarks are a set of configuration best practices for common digital assets. They have been developed by the Center for Internet Security (CIS) in collaboration with a community of cybersecurity experts and vendors to help organizations harden the security of digital assets.
Depending on your security and compliance needs, the benchmarks have two levels:
Level 1 — Essential controls that minimize your attack surface without hindering usability or business functionality.
Level 2 — More stringent standards designed to maximize security posture in environments where security is essential.
There are benchmarks for over 100 assets across 14 technology groups, including Microsoft, IBM, and the major cloud providers. By configuring assets in line with the benchmarks — and keeping them that way — you can be sure of two things:
- They are compliant with the configuration requirements of all major compliance frameworks; and,
- Easily exploitable security holes (e.g., unnecessary services, applications, and ports) have been closed.
CIS Benchmarks for Compliance
To be clear, the CIS benchmarks aren’t a regulatory requirement in themselves. However, most prominent compliance and regulatory frameworks (including NIST CSF, ISO 27000, and PCI DSS) consider the benchmarks to be the industry standard and have configuration requirements that map directly to them.
Even for frameworks that don’t directly reference the benchmarks, they are still globally accepted as the best practice for secure configuration and used to help achieve compliance with the GDPR, HIPAA, FISMA, and many others. If your organization has any compliance obligations — and let’s face it, most do — configuring and hardening your assets in line with the benchmarks is a huge step toward achieving them.
Implementing the Benchmarks
Implementing the CIS benchmarks really comes down to two things. First, you have to bring all of your existing assets into line with the relevant benchmarks. Second, you have to make sure they stay that way.
Of course, many organizations have a huge number of assets to configure, each with thousands of unique configuration options. Even completing an initial exercise to bring them in line with the benchmarks could easily take years if done manually. Since configuration changes are made all the time, it would really be impossible to ensure continuous compliance with the benchmarks without technological assistance.
For these reasons, most organizations use automated tools to help them implement and maintain the benchmarks. In general, the tool of choice is a system integrity monitoring solution that scans an organization’s environment and compares it against the latest version of the CIS benchmarks. This tells the organization immediately whether its assets are configured in line with the benchmarks, and if they aren’t, exactly how to bring them in line. Once again, continuous coverage is key.
Securing Assets from the Start
Even with the help of a system integrity monitoring solution, bringing assets in line with the CIS benchmarks takes time.
When a new asset is installed, the default configuration is set for convenience rather than security. Most of the time, all ports will be open, all services enabled, and discretionary applications turned on. Assets often have thousands of configuration options, so a considerable amount of labor is needed to bring each new asset in line with the relevant CIS Benchmark. This is where CIS Hardened Images come in.
CIS Hardened Images are virtual machine images that have been pre-configured in line with the relevant CIS benchmark. They are available for more than 65 technologies across AWS, GCP, Microsoft Azure, and Oracle Cloud. Each image includes a report detailing the image’s benchmark compliance, along with any exceptions made to allow the image to run in the cloud.
By using CIS Hardened Images you can save a tremendous amount of time — particularly when deploying assets at scale — and you also have the certainty that each asset is securely configured.
Of course, there’s no guarantee they will stay that way. Once again, this is where continuous compliance comes in. The Hardened Images help you save time at the start of life for each asset, but you’ll still need to conduct regular assessments (or use a continuous monitoring solution) to ensure that configuration or file changes have not accidentally introduced vulnerabilities.
An Essential Basis for Security & Compliance
In the cybersecurity industry, most attention is given to technology solutions like firewalls and EDRs that help organizations identify and block cyber attacks. Meanwhile, techniques and solutions designed to ‘harden’ existing systems — and thereby close the vulnerabilities that make attacks possible — are considered too labor-intensive.
Understandably organizations prefer the idea of repelling cyber attacks rather than spending time improving their technological foundations.
In reality, while firewalls and EDRs are extremely important, they can’t "make up" for serious underlying issues in areas like configuration. This is why all the major compliance frameworks place such a high importance on secure configuration, and why most of them map directly to the CIS benchmarks as the accepted best practice.
Simply, maintaining asset configuration in line with the benchmarks is one of the most effective ways to reduce cyber risk and ensure continuous compliance with any of the major frameworks.
April 8, 2021