The cybersecurity industry gives a lot of attention to protective solutions like firewalls and EDRs. And that makes sense. These technologies are important for a powerful security program.

However, the over-focus on these solutions leads many people to believe that security is something that’s done to a network environment. In reality, if a network environment isn’t intrinsically secure, there aren’t enough security solutions on earth to keep it safe from cyber attacks.

To be intrinsically secure, a network environment must be properly designed and configured. This is where the Center for Internet Security (CIS) benchmarks come in.

What are CIS Benchmarks?

When a new operating system or application is installed, it comes with default settings. Usually, all ports are open, and all application services are turned on. In other words, freshly installed assets are highly insecure.

CIS benchmarks are a set of configuration standards and best practices designed to help organizations ‘harden’ the security of their digital assets. Right now, over 100 benchmarks are available for assets in 14 technology groups, including Microsoft, Cisco, AWS, and IBM.

Three things separate CIS benchmarks from other security standards:

  • They relate specifically to the configuration of existing assets. They don’t cover security defenses like firewalls and EDRs.

  • They are developed by consensus between experts that include SMEs, security vendors, the CIS benchmarking team, and even the global security community via the CIS Workbench.

  • While not a regulatory requirement, most prominent compliance frameworks point to CIS benchmarks as the industry standard, making them an excellent means of achieving both security and compliance objectives.

Depending on the security and compliance needs of your organization, there are two levels of benchmarks:

  • Level 1 is designed to rapidly minimize an organization's attack surface without hindering usability or business functionality. These standards can be considered the minimum level of security and compliance that all organizations should aim to meet or exceed.

  • Level 2 is a more stringent set of standards designed to maximize an organization’s security posture through ‘defense in depth’. These standards are intended for environments where security is essential and are more costly and labor-intensive to implement.

All CIS benchmarks are freely available as PDF downloads from the CIS website. These guidance documents are extremely thorough, with some running to 800+ pages. Each recommendation maps to at least one of the CIS Controls, a set of broader security requirements that look beyond asset configuration.

Who Uses CIS Benchmarks?

Organizations across all industries and geographies use CIS benchmarks to help them achieve security and compliance objectives.

The CIS benchmarks are the only best-practice security configuration guides that are both developed and accepted by government, business, industry, and academic institutions. Their global recognition also makes them more wide-reaching than country-specific standards like HIPAA or FedRAMP.

With that said, the benchmarks are especially popular in heavily regulated industries, and industries governed by a regulatory framework. In particular, organizations in sectors such as healthcare, financial services, and government are likely to use them.

Why are CIS benchmarks so widely used? Aside from the security and compliance value they provide, the benchmark documentation is freely available to all industries and organizations. To get started, all an organization needs to do is download the relevant PDFs from the CIS website.

Importance of CIS Benchmarks

Cybersecurity is a broad and complex field. To make matters worse, operating systems and applications are often highly customizable, with thousands of ports, services, and settings to configure. If organizations were forced to decide on the ideal configuration of every asset, it would take years to build a secure business environment.

CIS benchmarks provide a clear set of standards for configuring common digital assets — everything from operating systems to cloud infrastructure. This removes the need for each organization to ‘reinvent the wheel’ and provides organizations with a clear path to minimizing their attack surface.


From a security perspective, the benchmarks help organizations:

  • Build and maintain a security profile in line with industry best practices.
  • Eliminate configuration settings that are known to be insecure.
  • Protect the organization from known threats.
  • Offload unnecessary cyber risk by narrowing the attack surface to only what is necessary.

From a compliance perspective, CIS benchmarks map directly to many major standards and regulatory frameworks, including NIST CSF, ISO 27000, PCI DSS, HIPAA, and more.

For organizations governed by a security framework, maintaining configuration in line with the CIS benchmarks is a huge step toward compliance. This also helps to protect organizations against financial hardship, as non-compliance can lead to costly fines — particularly in the event of a breach.

How to Implement Benchmarking in Your Organization

When it comes to implementing CIS benchmarks, there are two options:

  • Download the benchmarking documents and implement the suggestions manually.

This approach has the advantage of being free to get started. However, it is often extremely labor-intensive, and it's difficult to ensure continual compliance — particularly as configurations are updated and new assets added.

  • Use an automated solution to identify and resolve areas of non-compliance.

While it is theoretically possible to implement CIS benchmarks manually, most organizations use an automated CIS benchmark tool. An automated solution makes it faster and easier to implement and maintain compliance with the CIS benchmarks.

Solutions typically include scanning functionality to quickly identify areas of non-compliance. By running scans regularly, an organization can prevent misconfigurations from creeping in.
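
To make the scanning idea concrete, here is an added example (not code from CIS, CimTrak, or any benchmark document) of a minimal scan that compares an SSH server configuration against a rule set split into Level 1 and Level 2 profiles. The rule names, their level assignments, and the sample configuration are assumptions constructed for illustration; the authoritative settings and levels come from the benchmark PDF for your platform.

```python
# Added example: rules, levels and sample config are constructed for
# illustration and are not copied from any CIS benchmark document.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not from a real host
PermitRootLogin yes
MaxAuthTries 6
PermitEmptyPasswords no
#AllowTcpForwarding no
"""

# Upstream OpenSSH defaults, used when a directive is absent or commented out.
DEFAULTS = {"permitrootlogin": "prohibit-password", "maxauthtries": "6",
            "permitemptypasswords": "no", "allowtcpforwarding": "yes"}

# (rule id, profile level, directive, compliance test, expected value)
RULES = [
    ("ssh-root-login", 1, "permitrootlogin", lambda v: v == "no", "no"),
    ("ssh-max-auth-tries", 1, "maxauthtries",
     lambda v: v.isdigit() and int(v) <= 4, "<= 4"),
    ("ssh-empty-passwords", 1, "permitemptypasswords", lambda v: v == "no", "no"),
    ("ssh-tcp-forwarding", 2, "allowtcpforwarding", lambda v: v == "no", "no"),
]

def effective_settings(text):
    """Global directives only (no Match blocks); first value wins, as in sshd."""
    settings, seen = dict(DEFAULTS), set()
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or directive without a value
        key = parts[0].lower()
        if key not in seen:
            seen.add(key)
            settings[key] = parts[1].strip().lower()
    return settings

def scan(text, profile_level):
    """Evaluate rules at or below profile_level (Level 2 includes Level 1)."""
    settings = effective_settings(text)
    return [{"rule": rid, "level": lvl, "actual": settings[key],
             "expected": want, "passed": ok(settings[key])}
            for rid, lvl, key, ok, want in RULES if lvl <= profile_level]

def failed(findings):
    """Rule ids that are out of compliance, in rule order."""
    return [f["rule"] for f in findings if not f["passed"]]

if __name__ == "__main__":
    for f in scan(SAMPLE_SSHD_CONFIG, profile_level=2):
        print("PASS" if f["passed"] else "FAIL", f"L{f['level']}", f["rule"],
              f"actual={f['actual']} expected={f['expected']}")
```

Running the same scan on a schedule and comparing the failed rule list between runs is what turns a point-in-time check into drift detection.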

Implementing and Maintaining CIS Benchmarks

As an IT integrity, security, and compliance tool, CimTrak makes it easy for any organization to quickly reach and maintain compliance with CIS benchmarks.

Using continuous scanning, CimTrak assesses the current state of configurations throughout your environment and compares it against all relevant CIS benchmarks. When CimTrak identifies a misconfiguration or non-conformance issue, it raises an alert and provides clear action steps to re-establish control.

If a benchmark result is not in the expected state, CimTrak makes it easy to remediate any identified issues.

This functionality makes it easy for organizations to:

  • Achieve and maintain compliance with CIS benchmarks. CimTrak saves organizations countless hours compared to a manual implementation of benchmark PDFs.
  • Ensure continuous compliance. Manual implementation of the benchmarks (and even most toolsets) only ensures ‘point-in-time’ compliance. CimTrak ensures continuous compliance by providing real-time monitoring and alerts across your entire environment.
  • Reduce and eliminate entry points that an attacker could exploit, for example by removing files, closing ports, and disabling services that aren’t needed.
  • Improve performance. Systems work more efficiently when unnecessary files and functions are removed.

To find out more about how CimTrak can help your organization achieve security and compliance objectives with CIS Benchmarks, download the solution brief today.


Post by Jacqueline von Ogden
May 21, 2020
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".