CIS Benchmarks and Systems Hardening: A holistic approach to cybersecurity





Very rarely do quick fixes completely change your trajectory. Within IT and cybersecurity, systematic changes produce the biggest long-term results. Fortunately for those with little time and even less of a budget to ensure heightened cyber resiliency, some viable methodologies can set the framework for systems hardening and improved data and network security.


While the process isn't sexy, the results stand on their own merits.


Systems hardening, and the benchmarks required to achieve it, are essential elements of building fully secure and correctly configured operating systems, networks, applications, cloud elements, and more. By implementing these industry best practices, an organization can complete the entire process of design, prioritization, implementation, and improvement of its cybersecurity program from the ground up.

Unlike onboarding a new security solution or implementing a new MFA process, systems hardening goes far beyond looking at the individual links; it aims to understand the broader risks and the overall security of the entire chain. Whereas in the past your organization may have been using its proverbial finger to plug the hole in the dike, implementing a comprehensive security approach, such as the CIS Controls, aims to fundamentally strengthen both the infrastructure and the thinking used to mitigate cyber risk.


The name may have changed but the idea remains the same


The CIS hardening benchmarks stand on the mountaintop of industry-standard best practices to mitigate cyber risk across various systems and networks. Their roots derive directly from the SANS Critical Security Controls (SANS Top 20) and the CIS Critical Security Controls, which culminated in the CIS Controls.


This evolved framework inherits from its forebears their structure and comprehensive approach to assessing and mitigating a continuously changing mix of system stressors, gaps, and out-of-date security elements.


The result is a comprehensive and methodical approach to mitigating the complete range of currently assessed, systemized cybersecurity focus areas. The CIS Controls and benchmarks intend to provide a more robust and complete picture of systemized risk by assessing the following sections:


  • Inventory and Control of Enterprise Assets
  • Inventory and Control of Software Assets
  • Data Protection
  • Secure Configuration of Enterprise Assets and Software
  • Account Management
  • Access Control Management
  • Continuous Vulnerability Management
  • Audit Log Management
  • Email and Web Browser Protections
  • Malware Defenses
  • Data Recovery
  • Network Infrastructure Management
  • Network Monitoring and Defense
  • Security Awareness and Skills Training
  • Service Provider Management
  • Application Software Security
  • Incident Response Management
  • Penetration Testing


What do I do with this framework?


Now that the skeleton has been formed, you can begin to divide and conquer. Using the CIS Controls as the structure, you can systematically assess which areas are high risk, or easy to implement and update, for your organization.


Not every business will have the same security profile, and thus the focus areas, and the time required to optimize cyber defense in any of these critical sections, will vary. In practice, IT will need to evaluate the most pressing and potentially cataclysmic areas of vulnerability, such as email security or employee education, and focus resources there to provide the biggest ROI.


For the benchmarks to provide optimum value, they must be implemented strategically and in concert with a defense-in-depth approach to managing the wide range of threats an organization faces daily.


Defense in Depth and thinking critically about your cybersecurity


Changing your organizational approach to mitigating risk is (without doubt) an extensive process. To create some sustainable wins and holistically shape an effective cyber risk strategy, everything in the toolbox must be utilized. From implementing innovative security solutions to adopting new approaches to managing each at-risk element of your network, the only way to keep your data safe is to stay one step ahead of the hackers.

From a practical standpoint that means taking the CIS principles and integrating them with a broader Defense-in-Depth philosophy.


Where the CIS Controls help establish your baseline security systems, Defense in Depth provides the structural and system-based support to ensure that if one bolt fails, another will hold its weight. Put another way, the Defense-in-Depth methodology is much like preparing to go out in an intense winter storm: it relies upon integrating established layers of data protection to ensure that, regardless of the potential shortcomings of any one system, the process as a whole remains safe and secure.


What are you doing to change your cybersecurity outlook?


Cybersecurity is a journey. Only through preparation, constant reassessment, and a long-term approach to mitigating risk can any real degree of cybersecurity be achieved. With the evolution of the CIS framework, together with the Defense in Depth approach, security professionals are given one of the keys essential to managing this equation.

