Automate CIS Compliance with BackBox

Ongoing, Automated Configuration Audit, Remediation, and Drift Prevention


The Center for Internet Security (CIS) Benchmarks are vendor-specific configuration recommendations to help organizations reduce risk and demonstrate compliance with various government and industry regulations. Network operations and network security teams use the recommendations and best practices to safeguard devices against today’s evolving cyber threats that take advantage of vulnerabilities to exfiltrate data and disrupt operations.

Implementing these guidelines typically requires significant manual and administrative work with a strong potential for human error. For every single device, every step in the process requires manual intervention – from checking configurations for compliance to remediating when needed, creating reports, and staying current with updates. In single-vendor environments CIS compliance is unwieldy, but in multi-vendor environments it can become overwhelming quickly.

Fortunately, there’s a better way for network operations teams and service providers of all types to keep networks up to date on the latest CIS guidelines.

Automation Advantage

  • Teams accelerate CIS compliance with the ability to quickly download automation templates into the BackBox Automation Library and complete CIS Benchmark checks in under a minute.

  • Teams respond faster to compliance audits with comprehensive, detailed reporting.

  • Teams maintain compliance and prevent configuration drift with contextually-aware, automated rechecks, remediations, and updates

  • Teams increase bandwidth to focus on more strategic initiatives by reducing manual work and the potential for errors.

Let’s look at a typical scenario of applying CIS Benchmarks without BackBox and compare that process to what it’s like with BackBox.

Without BackBox

Using Check Point as an example, the CIS Benchmark for Check Point Firewall is a 118- page document that includes more than 40 Level 1 configuration profiles. Achieving and maintaining CIS compliance is tedious, time-consuming, and error prone.

Network engineers must manually:

  • Recheck every device on a regular basis to ensure compliance is maintained and remediate as needed.

  • If a device is not compliant, remediate the device and update the spreadsheet.

  • Export data from the spreadsheet and manually compile reports whenever called upon to validate and report on compliance

  • Sort through the document and long list of checks, develop a tracking spreadsheet, check every single device for compliance with the configuration guidelines, and update the spreadsheet.

  • Download the updated CIS Benchmark, revise the spreadsheet, run the updated CIS checks, remediate the device, and update the spreadsheet every time Check Point updates a device.

Even in a single-vendor environment, depending on the number devices, the process can become incredibly complex and a headache to manage. Some organizations may choose to build their own automations for CIS checks. But supporting these automations may not be scalable as a business or an operator typically won’t have capacity to also automate remediations and support updates

Now imagine a multi-vendor environment which requires creating and maintaining this process across devices from multiple vendors, and introduces the added complexity of having to check multiple dashboards and compile disparate reports into a single, comprehensive report. Being able to confidently say the organization is CIS compliant typically requires a massive investment of time and resources. So, organizations are sometimes in the difficult position of having to prioritize the devices they maintain based on their risk profile and budget, and hope for the best.

With BackBox

BackBox has turned CIS’s 118-page Check Point Firewall Benchmark document into approximately 40 contextually-aware automations focused on key device types. These automations remove the drudgery and reduce risk by validating that a specific configuration meets CIS best practices and can automatically remediate those that do not. From a single pane of glass console, network engineers simply:

  • Download the automation templates into the Automation Library, and either load them via API or file import from the UI.

  • Select the CIS checks for the devices in their environment, give the group a name, and save it

  • Launch an automated procedure to run checks periodically on a schedule they set and send notifications when devices drift out of compliance.

  • Turn on automated remediation if they choose

  • Click to run a unified report to demonstrate compliance of devices, even across multi-vendor environments.

Organizations can confidently report on CIS compliance because all checks and status updates are in one place and easy to see. BackBox also updates the relevant automations whenever a vendor updates a device and CIS updates the Benchmarks, so CIS checks are always current.

In the case of Check Point, BackBox automation templates cover 90.5% of CIS Level 1 configuration recommendations (three CIS actions must be completed manually). That’s a 90% time savings over manual methods.

In addition to Check Point, BackBox offers CIS Automation Templates for Cisco, F5, Fortinet, Juniper, Palo Alto, and several other device types.

Control Where It Needs To Be – A Real World Scenario

Alignment with CIS best practices is not just about execution of the check, but the procedures put in place to maintain that compliance.

For instance, when an employee is no longer with a company, CIS best practice is to ensure denial to unused accounts. But what happens when an employee’s manager contacts the help desk because they need access to the former employee’s account to pull some information? The help desk is focused on supporting business operations, not compliance, and provides access to the account. It’s likely the network engineer is not in the loop and now the organization is out of compliance until the engineer manually rechecks the device, which could be weeks or months later.

With BackBox automation templates, rechecks can be scheduled to run daily or at whatever frequency aligns with internal policies and best practices to mitigate time of exposure. Network engineers receive notifications of configuration drift and can automate remediation to bring the organization back into compliance. Control stays where it needs to be – with the teams responsible for configuration compliance and network device security


With BackBox automation templates, control stays where it needs to be - with the teams responsible for configuration compliance and network device security.


BackBox eliminates the tedious, time-consuming, and error prone activity of implementing CIS Benchmarks manually. And for organizations considering building their own automations, BackBox offers a sustainable, scalable, and trusted alternative by automating all aspects of compliance – not just checks, but also remediation, comprehensive reporting, and support for device updates.

From single to multi-vendor environments, and from enterprises to service providers of all types, BackBox ensures device configurations are set to align with CIS best practices and if not, can automatically bring them up to date safely and efficiently.

Watch CIS Checks in 45 Seconds to see how BackBox can help your organization achieve, maintain, and report on compliance automatically.

See for yourself how consistent and reliable your device backups and upgrades can be