Cisco, CIS Compliance, and BackBox
CIS compliance is complicated. It’s a baseline set of benchmarks defined by the Center for Internet Security for protecting systems, like network devices or firewalls.
CIS benchmarks align with essential industry regulations, including the NIST Cybersecurity Framework and HIPAA. As a result, organizations prioritizing CIS compliance can simultaneously achieve compliance with other industry regulations.
Cisco and The Center for Internet Security have been working together for almost 15 years, publishing a benchmark for Cisco devices.
BackBox can help ensure your devices meet this benchmark and don’t drift from it, right out of the box.
How can BackBox help?
BackBox has out of the box IntelliChecks to jump start CIS compliance. No need to go through the latest Cisco Benchmark and manually implement the benchmarks (that cover about 225 pages!).
Just head over to IntelliChecks and filter on the tag ‘CIS’ to see all the out of the box checks we run.
These can be used to get started, or more importantly (in my opinion) to make sure once you’ve started, you don’t drift from your desired benchmarks.
CIS in practice
It’s possible you’ll start with a hardened image. In any case, you have two choices:
- Go through about 225 pages of rules, and carefully implement them one-by-one, across every device type, each with their own idiosyncrasies.
- Go through the list of pre-written IntelliChecks and decide which to implement. Select which devices to have them keep an eye on and the schedule you want. Want to modify them to suit your needs? Simple. No need to start from scratch: just clone each IntelliCheck you want to use and edit the copy.
The choice is obvious to me. Why start from scratch instead of getting a head start? I mean, I know people do. I just don’t understand why they purposely would choose to do so.
What do you do with that?
Well, if you’re configuring a new device you can simply run the CIS IntelliChecks (some or all; ours or your own version) against the device as it’s built to make sure it starts in a compliant state.
Over time, you’d run the CIS IntelliChecks on a schedule of your choosing to make sure that the devices have stayed compliant.
You’d likely report on that compliance to whatever governance committee needs to see those reports.
But it’s more likely that things change over time. Configuration drift isn’t something that can happen; it’s something that does happen. Don’t drift yourselves right out of compliance.
What happens if you find something that’s changed, or that you’re no longer passing the CIS compliance checks?
Up to you.
You can notify someone with all the details (and more) that you need. Part of what BackBox can do in the event of a failed check is go collect even more information that might help you save time while troubleshooting things.
Better yet, BackBox offers unique and rich remediation possibilities. Go ahead, notify, report, and remediate all within the same automation.
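The build-time check, scheduled re-check and drift detection described above, as an added example that is not BackBox code or an IntelliCheck: a small Python script that evaluates a constructed Cisco IOS running-config against a handful of CIS-style controls and reports which controls passed at build time but fail in a later snapshot. The check names and the two sample configs are my own assumptions, modelled on benchmark items rather than copied from the benchmark.

```python
"""Baseline check plus drift detection for a Cisco IOS running-config."""


def _vty_blocks(cfg):
    """Return the child lines of every 'line vty' block (IOS indents children)."""
    blocks, cur = [], None
    for line in cfg:
        if line.startswith("line vty"):
            cur = []
            blocks.append(cur)
        elif cur is not None and line.startswith(" "):
            cur.append(line.strip())
        else:
            cur = None
    return blocks


# Illustrative controls modelled on CIS Cisco IOS benchmark items (assumption:
# these names are mine, not the benchmark's or BackBox's IntelliCheck names).
CHECKS = {
    "service password-encryption": lambda cfg: "service password-encryption" in cfg,
    "enable secret configured": lambda cfg: any(l.startswith("enable secret") for l in cfg),
    "ip ssh version 2": lambda cfg: "ip ssh version 2" in cfg,
    "no cdp run": lambda cfg: "no cdp run" in cfg,
    # every vty line block must restrict inbound management to SSH only
    "vty transport input ssh": lambda cfg: bool(_vty_blocks(cfg))
    and all("transport input ssh" in b for b in _vty_blocks(cfg)),
}


def run_checks(config_text):
    """Map each control name to True (pass) or False (fail) for one config."""
    cfg = [l.rstrip() for l in config_text.splitlines() if l.strip() and not l.startswith("!")]
    return {name: fn(cfg) for name, fn in CHECKS.items()}


def drift(baseline, current):
    """Controls that passed in the baseline run but fail in the current run."""
    return sorted(n for n, ok in baseline.items() if ok and not current.get(n, False))


# Constructed sample: compliant config captured at build time.
BUILD_CONFIG = """!
service password-encryption
enable secret 9 $9$placeholder
no cdp run
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
line con 0
 logging synchronous
"""

# Constructed sample: the same device months later, after someone re-enabled
# CDP and added telnet to the vty lines "just for troubleshooting".
LATER_CONFIG = BUILD_CONFIG.replace("no cdp run\n", "").replace(
    " transport input ssh", " transport input telnet ssh")

if __name__ == "__main__":
    for name in drift(run_checks(BUILD_CONFIG), run_checks(LATER_CONFIG)):
        print(f"DRIFT: {name} passed at build but fails now")
```

The same two functions serve both the build-time run (all controls must pass) and the scheduled run (anything in the drift list is what you notify on and remediate).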
Learn more
Some of this language may be new to you if you’re just exploring BackBox. And, it’s likely useful to take a step back.
Watch our webinar recording “Managing Cisco Devices in Multivendor Environments with BackBox”, in which Cisco’s very own Doug Hurd and BackBox’s Chanoch Marmorstein introduce BackBox and talk about backups, software updates, compliance audits, and remediation. There’s nothing specific about CIS planned for the demo, but they’ll be able to show you what it looks like in the UI and talk about what makes it, and BackBox, so special.