Preparing Organizations for CIS Benchmark Compliance

We’ve released fully-customizable CIS Benchmark™ compliance automations for major network equipment providers supported by the Center for Internet Security.

What does this mean?

It means that if you’re either getting started with CIS Benchmark compliance or already have a program in place we can help you right out of the box with a gap-analysis, reporting, and automatic or manual configuration-drift remediation.

These automations are valuable to both enterprises and service providers, and can be customized to meet your exact needs. For example, if a CIS Benchmark recommends a password of 8 characters, but you want 10, you can edit the automation and still take advantage of all the analysis, reporting, and configuration-drift remediation.

What are the CIS Benchmarks?

The CIS Benchmarks are community-developed secure configuration recommendations for hardening organizations’ technologies against cyber attacks.

One area of benchmarks is network devices, including:

1. Check Point Firewall
2. Cisco
3. F5
4. Fortinet
5. Juniper
6. Palo Alto Networks

These benchmarks are available in two forms – a PDF document with the requirements for different levels of compliance, or hardened images that can be used as starting points for “secure golden configurations”.

The BackBox Benefit

With BackBox we include over 2,300 pre-built, easily customizable automations in our Automation Library™. Of those, hundreds have been added in support of CIS Benchmark compliance so that you don’t have to manually create them from the PDF benchmarks.

Even if you used the hardened images, you’d still want BackBox because we can groom configuration drift, with detailed reporting and notifications to ensure network operations hygiene is maintained and improved over time.

BackBox automations are unique. There’s no scripting involved. Anyone that can configure a device via command line or API can modify or create a BackBox automation.

BackBox and CIS Compliance

With these out-of-the-box CIS Benchmark automations enterprises and service providers can accomplish three things:

1. Get started with CIS compliance. Within minutes of getting started a gap-analysis can be generated across all devices to determine where configuration changes are required to harden devices and secure the network.
2. Monitor status of CIS compliance. The gap analysis automation generates a report that details which devices are out of compliance, which rules they fail, and what remediation is necessary. This report serves as a great start to a project plan for bringing devices into compliance and also helps teams monitor the state of compliance. Of course, notifications are available as is integration with ITSMs so any drift from compliance can be properly propagated to appropriate teams for remediation.
3. Auto-remediate compliance drift. Each automation can have remediation turned on so that compliance-drift can be auto-remediated. As with everything else BackBox does, notifications can be used to alert operators that drift has been remediated to understand why changes are happening in the network and address the underlying causes of compliance-drift. It’s not all-or-nothing either. It’s quite possible (and simple!) to have some automations auto-remediate when compliance checks fail, while other more complicated changes might just notify for manual intervention.

These automations will not only keep you in compliance with regulatory requirements, best practices, and standards but will also help you enforce your Golden Config templates. BackBox ensures your configs are set up to align with best practices and if not, can remediate and push those out to your devices.

Going Forward

BackBox adds new pre-built automations every month, many of which are specifically oriented around mitigating the increased cybercrime activity the company has seen related to network infrastructure vulnerabilities and breaches.

Keeping networks up-to-date on the latest CIS guidelines is crucial for MSPs, MSSPs, and service providers of all types that are responsible for keeping their client’s networks safely up-to-date.

Without these automations, you’re looking at a lot of manual and administrative work with a strong potential for human error.

There’s no need to update your version of BackBox to download the CIS Benchmark automations. Just head over to support and download the package(s) you need. Or reach out to support and we are happy to give you a hand.

If you’re not yet using BackBox, start a free trial and see how simple it is to get started with these compliance automations.