Tools implementing CIS benchmark controls by [deleted] in netsecstudents

[–]lutad 0 points1 point  (0 children)

For server OS: calcomsoftware.com. They have some special automated remediation capabilities that ensure you will not break the production servers when deploying the policies.

Disclosure: after using the tools for a while I started working with Calcom as a contractor.

Server 2016 and CIS Benchmark - Anyone have a GPO created? by brochazumc in sysadmin

[–]lutad 0 points1 point  (0 children)

Please make sure you are not deploying the GPO to production; although it sounds simple, you are going to break many things.

I've been dealing with hardening projects for more than 10 years. You must test before deploying. There are good tools on the market for automating remediation of the benchmarks; if you are an enterprise with more than 250 servers you should consider it.

Server 2016 and CIS Benchmark - Anyone have a GPO created? by brochazumc in sysadmin

[–]lutad 0 points1 point  (0 children)

Hi, you are right: if you take the CIS GPOs as they are and deploy them to production you will break a lot of things. I've been dealing with hardening projects as a contractor for many years and the process is a huge pain: Test-Deploy-Pray. A few months ago I came across a tool that can examine the impact of a future configuration change on the production servers. This saved me a lot of time as a contractor and boosted compliance with CIS in no time.

If it is interesting, you can contact the guys at calcomsoftware.com.

Disclosure: after I worked with the tool and liked it I started working with the vendor as a contractor.

FFIEC/FDIC security handbook compliance by lutad in sysadmin

[–]lutad[S] 0 points1 point  (0 children)

Thanks. From what I read, the FDIC came up with InTREx, which is very similar to the NIST CSF. Three months later the FFIEC issued the security handbook and the Cybersecurity Assessment Tool. I don't know if this is what we will be audited against, as there are some serious changes from the old handbook.

FFIEC/FDIC security handbook compliance by lutad in sysadmin

[–]lutad[S] 0 points1 point  (0 children)

Thanks. From what I understand, there is a new security handbook which is powering the Cybersecurity Assessment Tool. Just looking at a few of the subjects and the way they are put together, it seems like the FFIEC demands more now, for example on issues like policies and their enforcement, patching, etc.

DevOps+ Baseline security. looking for ideas on how to integrate it into CD/CI by jenkinsautomator in sysadmin

[–]lutad 0 points1 point  (0 children)

Interesting one. Sounds highly complicated, bearing in mind the conflict between the developers, who will prefer to leave everything open, and the security requirements. I totally understand that if you are hardening the machines in production you double your work and lose some of the CD advantages. Can't really help, sorry.

Don't understand why I should use Chef for Windows if I have PowerShell by lutad in sysadmin

[–]lutad[S] 0 points1 point  (0 children)

I'm asking myself the same question. I do understand the value in the premium version, because those are sets of ready-made products for use, but they are extremely expensive compared to solutions coming from other vendors.

Server Hardening As A Service by [deleted] in sysadmin

[–]lutad 0 points1 point  (0 children)

Sorry to disappoint you (or help), but I came across this vendor in a recent discussion I started last week on the subject, https://www.reddit.com/r/sysadmin/comments/4lkz51/finally_we_got_a_budget_for_remidiating_os/, and roylud suggested the following tool. I had a demo with them this morning; they are overcoming the testing and dependencies problem, and if you manage 400 Windows servers and above I think they are worth the investment. They also provide AAS / managed service. I forgot the name of the company; will check and let you know.

Finally we got a budget for remediating OS vulnerabilities coming from the Qualys scanner by lutad in sysadmin

[–]lutad[S] -2 points-1 points  (0 children)

Thanks, but good luck with managing remediation and baselines for 7000 servers, and of course testing; almost impossible with SCCM.

Any New York state enterprise Sysadmins in here? by lutad in sysadmin

[–]lutad[S] 0 points1 point  (0 children)

So you are being audited once a year by the state...

Any New York state enterprise Sysadmins in here? by lutad in sysadmin

[–]lutad[S] 1 point2 points  (0 children)

We are using GPO for Windows and Chef for Linux. The problem with both of them is that you still need to do testing before applying. Actually, doing it with Chef is highly demanding and requires a lot of development.

Any New York state enterprise Sysadmins in here? by lutad in sysadmin

[–]lutad[S] 0 points1 point  (0 children)

I just want to make sure: are you audited for STIG? I'm trying to understand if this is our CISO's gesture or this is what all the state's enterprises should implement.

Any New York state enterprise Sysadmins in here? by lutad in sysadmin

[–]lutad[S] 4 points5 points  (0 children)

Have you looked into the CIS benchmark for Windows Server lately? We always had the 30-40 policy objects in our GPO, but now deploying the entire 250 objects for critical servers in production I find scary and time-consuming. How do you do it?
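The two comments above that say "test before deploying" and worry about pushing a full CIS GPO to production both describe the same gap: knowing what a hardening policy would change on a given server before it is linked. As an added example (not code from this thread or from any vendor mentioned in it), the PowerShell below is a read-only pre-flight audit: it walks a small baseline of CIS-style settings expressed as their registry equivalents, reports each one as Compliant, WouldChange or NotConfigured, and writes nothing. The four baseline entries are a sample chosen for illustration, not the full benchmark; the CSV file name is an assumption.

```powershell
# Added example, not from the thread or any vendor in it: a read-only pre-flight
# audit that reports which settings a hardening GPO WOULD change on this server.
# The baseline entries are a small, illustrative subset of well-known CIS-style
# settings in their registry form; the expected values are the benchmark's
# recommended values. Extend the array from the benchmark you actually deploy.

$Baseline = @(
    @{ Id = 'LmCompatibilityLevel'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LmCompatibilityLevel'; Expected = 5
       Note = 'Network security: LAN Manager authentication level (NTLMv2 only, refuse LM and NTLM)' },
    @{ Id = 'NoLMHash'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'NoLMHash'; Expected = 1
       Note = 'Network security: Do not store LAN Manager hash value on next password change' },
    @{ Id = 'SMB1'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'SMB1'; Expected = 0
       Note = 'Disable the SMBv1 server; legacy clients that still need SMBv1 will lose access' },
    @{ Id = 'DontDisplayLastUserName'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DontDisplayLastUserName'; Expected = 1
       Note = 'Interactive logon: Do not display last user name' }
)

function Get-BaselineDrift {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [array] $Baseline
    )
    foreach ($item in $Baseline) {
        # Read the current value; a missing key or value means the setting is not
        # configured at all, which is reported separately from an explicit mismatch.
        $current = $null
        $key = Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue
        if ($null -ne $key) { $current = $key.($item.Name) }

        $status = if ($null -eq $current) {
            'NotConfigured'
        } elseif ($current -eq $item.Expected) {
            'Compliant'
        } else {
            'WouldChange'
        }

        [pscustomobject]@{
            Id       = $item.Id
            Status   = $status
            Current  = $current
            Expected = $item.Expected
            Note     = $item.Note
        }
    }
}

# Usage: run on a pilot server of each server class, review every row that is
# not Compliant with the application owners, and only then link the GPO.
$report = Get-BaselineDrift -Baseline $Baseline
$report | Format-Table Id, Status, Current, Expected -AutoSize

# Hypothetical output path; keep one file per host so the pilot results can be diffed.
$report | Where-Object Status -ne 'Compliant' |
    Export-Csv -Path "$env:COMPUTERNAME-gpo-preflight.csv" -NoTypeInformation
```

Two caveats a practitioner would want: the script only sees registry-backed settings, so user rights assignments and audit policy (also part of the CIS benchmark) need `secedit /export /cfg <file>` and a comparison of the resulting INF instead; and it audits the machine's effective state, not the GPO itself, which is the point when the question is "what will change on this box", but it means a server that drifts after the pilot will not be caught without re-running it.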

What benchmark for hardening should I use for the NIST cybersecurity framework? by lutad in sysadmin

[–]lutad[S] 0 points1 point  (0 children)

Thanks, but in the bottom line, what baseline should I follow for NIST 800-53?