
Automate DISA STIGs Compliance with BackBox

Automating compliance saves time while minimizing errors from manual network and firewall administration.

Overview

Federal IT teams within the U.S. Department of Defense (DoD), as well as defense contractors, must comply with testing and hardening frameworks known as STIGs (Security Technical Implementation Guides). According to the Defense Information Systems Agency (DISA), STIGs “are the configuration standard for DoD devices and systems, containing technical guidance to lock-down information systems and software that might otherwise be vulnerable to malicious attack.”

DISA STIG compliance is a measure of whether systems and software are configured to meet standards set by DISA with the goal of ensuring that systems and networks within the DoD are secure and protected against potential threats. Failure to be in compliance can result in large fines and heavy scrutiny.

The Challenge

There are three challenges to implementing a compliance regime like STIGs.

  1. It’s manual. Device configurations are often validated manually. With over a hundred rules, and potentially multiple vendors, manually validating configurations is both time-consuming and error-prone.

  2. Configuration drift. It’s entirely possible to be in compliance today but not in compliance tomorrow, as device configurations are known to drift off course over time. For agency and program security teams, it often feels like a never-ending game of catch-up to ensure all systems are in compliance.

  3. Need for reporting. Auditing compliance is another important dimension of any compliance regime. Automation is the only way to efficiently and effectively audit and report on STIGs compliance.

The Automation Advantage

  • Teams can accelerate compliance by creating automation templates that define their compliance requirements and run those templates against groups of devices simultaneously. This eliminates manual work and allows for parallel efforts across many devices.

  • Teams can maintain compliance and avoid configuration drift with automated checks against the compliance requirements. Non-compliant devices can be automatically remediated, have audit reports generated, have notifications sent, or have trouble tickets opened in an ITSM tool such as ServiceNow for manual investigation and remediation.

  • Compliance audits are performed regularly, often nightly, without burdening your teams, and compliance reporting can be shared as needed with other parts of the organization.

Tips for Choosing a DISA STIGs Compliance Automation Solution


  1. How will the solution perform and scale when automating compliance for hundreds of firewalls or network devices?

  2. How easy is it to create any compliance rules needed, or to maintain them over time?

  3. How quickly can the solution be put into production and begin monitoring compliance?

BackBox and STIG Compliance

The BackBox Network Automation Platform can help organizations get compliant and stay compliant with the DISA STIGs related to network and security devices.

BackBox is purpose-built to help network teams automate compliance tasks. The platform can help deploy standardized configurations, detect configuration changes, audit configurations, and correct compliance violations. BackBox also incorporates a proprietary feed of vulnerability data (that includes CVEs from the National Vulnerability Database) to help identify and remediate vulnerabilities.

BackBox can also:

  • Backup and restore device configurations

  • Update device operating systems to eliminate vulnerabilities

  • Maintain a real-time inventory of network devices and their configurations

  • Produce DISA STIGs compliance reports

How to Use BackBox to Automate DISA STIGs Compliance

The first step is to turn the STIG into a set of automations. For example, the BackBox Automation Library already includes 116 pre-built automations that define the STIG for Palo Alto firewalls.

Creating automations for other STIGs is simple. Using the BackBox Automation Builder and only familiar CLI or API commands, automations can be easily created to replicate the work administrators would otherwise do manually.

The BackBox automation team can also help write additional automations to get customers up and running quickly.

After each STIG has been implemented as a set of automations within BackBox, it is applied to a specific set of devices and run on a regular schedule. When the STIGs automations run, devices are checked against the compliance rules. If a device is found to be out of compliance, there are three steps that can be taken:

  1. The device can be automatically remediated,

  2. A report can be created and a notification sent to the appropriate teams to investigate, or

  3. BackBox can automatically open a trouble ticket with details of the compliance failures.
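As an added illustration of that scheduled cycle (this is not BackBox code; the rule IDs, config keys and values are constructed placeholders, not real STIG rule identifiers), the following Python compares a device's configuration against a known-good baseline to detect drift, audits it against STIG-style rules, and routes each failure to one of the three outcomes above:

```python
import hashlib
import json

# Constructed device configuration snapshot (placeholder keys, not a real device).
DEVICE_CONFIG = {
    "ssh_version": "2",
    "idle_timeout_minutes": 30,
    "login_banner": "",
    "ntp_servers": ["10.0.0.1"],
}

# Constructed STIG-style rules (placeholder IDs): a pass predicate, an optional
# safe value to push, and which of the three outcomes a failure triggers.
RULES = [
    {"id": "RULE-SSH", "key": "ssh_version", "ok": lambda v: v == "2",
     "fix": "2", "action": "remediate"},
    {"id": "RULE-IDLE", "key": "idle_timeout_minutes",
     "ok": lambda v: v is not None and v <= 10, "fix": 10, "action": "remediate"},
    {"id": "RULE-BANNER", "key": "login_banner", "ok": lambda v: bool(v),
     "fix": None, "action": "ticket"},
    {"id": "RULE-NTP", "key": "ntp_servers", "ok": lambda v: bool(v) and len(v) >= 2,
     "fix": None, "action": "notify"},
]

def config_fingerprint(config):
    """Stable hash of a config snapshot; a changed hash means the device drifted."""
    return hashlib.sha256(json.dumps(config, sort_keys=True).encode()).hexdigest()

def audit(config, rules):
    """Return the rules the config fails, each with the action it calls for."""
    return [{"id": r["id"], "key": r["key"], "action": r["action"]}
            for r in rules if not r["ok"](config.get(r["key"]))]

def run_cycle(config, rules, baseline_fp):
    """One scheduled run: flag drift, audit, auto-fix what is safe, queue the rest."""
    drifted = config_fingerprint(config) != baseline_fp
    remediated, queued = [], []
    for f in audit(config, rules):
        rule = next(r for r in rules if r["id"] == f["id"])
        if f["action"] == "remediate" and rule["fix"] is not None:
            config[rule["key"]] = rule["fix"]  # a real platform would push the setting to the device
            remediated.append(f["id"])
        else:
            queued.append((f["action"], f["id"]))  # notify a team or open a trouble ticket
    return {"drifted": drifted, "remediated": remediated, "queued": queued,
            "clean_after": audit(config, rules) == []}
```

Failures whose rule has no safe automatic fix are deliberately queued for people rather than changed on the device.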

For one customer, BackBox was able to reduce the number of manual steps from 92 to a single set of automations that automatically run each day across hundreds of Palo Alto firewalls. Eliminating the need for daily manual processes resulted in fewer errors and more regular compliance testing.

Conclusion

STIGs compliance, while designed mostly for DoD organizations and related defense contractors, is yet another framework for building best-practice security into network and firewall device configurations.

Manually enforcing STIGs, however, is error-prone and lacks the scale necessary for realistic day-to-day management of network devices. Automation is the answer: it eliminates errors from manual device configuration activities while ensuring that devices remain compliant and simplifying audit and reporting.

About BackBox

BackBox is a Network and Security Device Automation Platform that supports over 180 vendors, with thousands of pre-built automations and a scripting-free way to build new ones. Enterprises and service providers worldwide trust BackBox to automate and audit anything an admin could do manually, with reliable automations that are flexible, scalable, and contextually aware. From backups and OS updates to configuration compliance, BackBox gives you confidence that your automations will deliver the expected outcome every time.

Find out more at www.backbox.com.
