Vince Lombardi, the famous football coach, used to start his training camp each season with a talk about doing the basics. He’d tell the players that they start with the basics, then he’d take a football and hold it up and tell them, “This is a football.” In football, as in life and IT Security, starting with the basics is the most important step you can take. Don’t assume anything.
So, let us begin with the basics.
CIS is the Center for Internet Security. In Tripwire terms, what does CIS mean?
There are two “kinds” of CIS used by Tripwire:
- The 20 Critical Security Controls, which is a prioritized framework for implementing IT Security. It is essentially THE standard of care for IT Security.
- And then, there are the CIS recommendations for how to securely configure various servers, laptops, desktops, network devices, databases, domain controllers, virtual infrastructure, applications and cloud accounts.
Getting to know the CIS Controls
The CIS Top 20 Critical Security Controls give you a set of steps. Start from the top, and work your way down the list, adding layers of security along the way. They start with the basics. Knowing what is changing in your environment and how things are configured are two very basic parts of the 20 Controls.
The CIS recommendations for how to securely configure assets are used by Tripwire to guide you in configuring various software packages in a secure way. One such policy test, for the “Logon” audit setting, reads:
- Success and Failure
- This test verifies that ‘Logon-logoff: Logon’ events are being recorded on success and failure.
- This setting supports information confidentiality and system integrity by providing evidence of potential brute-force (i.e. password-guessing) attacks against a given account.
Each OS and application has configuration settings like “Login Success and Failure” that have an effect on security and operations.
Tripwire baselines these settings and then tracks them for changes. If the configuration changes, then Tripwire will also test it for compliance with the chosen standard.
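As an added illustration (not Tripwire's policy-test code), here is a Python check that parses the text `auditpol /get /category:*` prints on Windows and flags any subcategory whose setting is weaker than required; the required values in `REQUIRED` are assumptions standing in for whichever benchmark you adopt, and the sample output is constructed.

```python
"""Check a Windows advanced audit policy export against required settings."""
import re

# Constructed sample of `auditpol /get /category:*` output (two categories only).
SAMPLE_AUDITPOL_OUTPUT = """\
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success
  Logoff                                  No Auditing
  Account Lockout                         Success and Failure
Account Logon
  Credential Validation                   Success and Failure
"""

# Assumed required settings; take the real values from the benchmark you adopt.
REQUIRED = {
    "Logon": "Success and Failure",
    "Logoff": "Success",
    "Account Lockout": "Success and Failure",
    "Credential Validation": "Success and Failure",
}

# What each setting records, so "Success and Failure" satisfies a "Success" requirement.
_LEVEL = {"No Auditing": set(), "Success": {"S"}, "Failure": {"F"},
          "Success and Failure": {"S", "F"}}
# Subcategory rows are indented; category rows and the header are not.
_ROW = re.compile(r"^\s{2,}(?P<name>.+?)\s{2,}"
                  r"(?P<setting>No Auditing|Success and Failure|Success|Failure)\s*$")

def parse_auditpol(text):
    """Return {subcategory: setting} from auditpol's human-readable output."""
    policy = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            policy[m.group("name").strip()] = m.group("setting")
    return policy

def audit_policy_findings(text, required=REQUIRED):
    """Return {subcategory: (observed, required)} for every non-compliant subcategory."""
    policy = parse_auditpol(text)
    findings = {}
    for name, want in required.items():
        have = policy.get(name, "No Auditing")  # missing from the export: treat as not audited
        if not _LEVEL[want] <= _LEVEL[have]:
            findings[name] = (have, want)
    return findings

if __name__ == "__main__":
    for name, (have, want) in audit_policy_findings(SAMPLE_AUDITPOL_OUTPUT).items():
        print(f"FAIL {name}: have '{have}', need '{want}'")
```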
The standard may be a compliance standard such as PCI, HIPAA, GLBA or SOX, or it could be a full-on security standard as provided by CIS, NIST, DISA or ISO27001. Tripwire has created the content for each of these standards and many others.
Generally, adopt a full-on security standard for your company, and you will see benefits. These include the following:
- Get real security value out of a compliance-oriented activity.
- Make compliance easier (if you shoot for the stars…).
Thus far, we’ve covered one use-case and various standards, but what does this have to do with cost justification? I’m glad you asked.
Cost Justification of the CIS Controls
There is the cost of an audit, there is the cost associated with the risk of a breach and there is a cost associated with keeping systems configured correctly for operational efficiency.
For example, there was an IT team that needed to do some maintenance and testing on a production box overnight. So, they changed the configuration of the backup product to “off” so that it would skip the backup for that night. When they were finished, they forgot to change the backup configuration back to “on.” A month later, they needed to recover files for that server, but there were no backups for the past month on that server. There was a cost associated with that data loss.
They then set up Tripwire to monitor that configuration file, and they created a policy check for backup status in that file to ensure that this did not happen again. That is the basics: knowing what changed and having a way to double-check that those configurations remain correct. It’s hard to quantify the cost savings for all of the outages you never had because of good processes and monitoring, but assume that you’ll avoid at least 1-2 fire drills each month.
Audit costs are often tied up in audit prep time and in audit support time while the auditor is onsite. When you can build a report in minutes and hand that to the auditors, you’ve saved time and effort on audit preparation. In addition, you are able to give that auditor a “credible response” to their request, and that means that they are more likely to move on more quickly.
If your auditor asks for some artifact, and your response is something like, “Hmmmm. Give me a week to figure something out,” then that auditor will begin to suspect that there are problems, and THAT is when they unpack their suitcases and really dig into your environment.
For cost savings and ease of audit, some have even gone as far as using Tripwire Event Sender or the Tripwire Splunk App and sending the auditors straight into Splunk reports for change audit and policy reports. They can ask their questions and get answers from Splunk immediately without having to engage the IT, Security or Risk & Compliance team at all. On one level, our goal is for your IT staff to spend as little time as possible with auditors – not that they’re bad people!
The IT Security audit standards don’t just appear out of thin air. There is a reason they exist. If you look closely at any compliance standard, you will find that the basic goals of that audit standard in the IT world are focused on encouraging monitored entities to work toward a more secure state.
Take CIS Control #5 (Secure Configurations) and CIS Control #6 (Maintenance and Monitoring of Audit Logs), for instance. Part of CIS (as well as NIST, DISA and other standards) is configuring the audit systems of the OS. If you are not auditing events on the system, then the logs won’t have the information you need to analyze “what happened.” Without the checks in CIS Control #5, the controls in CIS Control #6 are ineffective. You can’t detect what you don’t see. This is why I recommend that the first section of any configuration standard you implement should be the audit policy settings. They’re easy to turn on, have almost no chance of causing an outage and have immediate impact.
Unplanned outages and long Mean Time to Repair (MTTR) are other areas of cost that come seemingly out of nowhere.
Use Cases of CIS Controls and Tripwire
Ensuring that software and configurations are in sync across the environment is another seemingly simple yet often not followed tenet of security and operations. There was a Tripwire prospect with a server farm of different Linux systems running the same group of applications for their customers. Their provisioning tool rolled out an update to all of those servers (over 200). The rollout was successful according to the tool. Yet, they had an outage a day later, and it took them a week to discover that the provisioning tool had failed to update just a few systems. They found they needed a validation step, something to ensure that what they thought had happened actually had happened.
Tripwire was then installed to track changes on the systems and to ensure that the application was installed the same way across all of those servers. They were also able to create policy tests to ensure that the critical configuration settings of that application stayed appropriately configured.
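The validation step that rollout was missing, as an added example rather than the customer's or Tripwire's tooling: a Python routine that takes one inventory record per host (constructed sample data below; the attribute names and package are hypothetical) and reports every host whose package version or configuration-file hash deviates from the fleet majority, or from a supplied golden state.

```python
"""Find hosts whose package versions or config hashes differ from the rest of the fleet."""
from collections import Counter

# Constructed inventory: host -> {attribute: observed value}. A few hosts are made to drift.
INVENTORY = {
    "web01": {"pkg:appsvc": "2.4.1", "sha256:/etc/appsvc/app.conf": "a1b2"},
    "web02": {"pkg:appsvc": "2.4.1", "sha256:/etc/appsvc/app.conf": "a1b2"},
    "web03": {"pkg:appsvc": "2.4.1", "sha256:/etc/appsvc/app.conf": "a1b2"},
    "web04": {"pkg:appsvc": "2.3.9", "sha256:/etc/appsvc/app.conf": "a1b2"},  # package not updated
    "web05": {"pkg:appsvc": "2.4.1", "sha256:/etc/appsvc/app.conf": "ff00"},  # config edited
    "web06": {"pkg:appsvc": "2.4.1"},                                          # config missing
}

def expected_state(inventory):
    """Majority value per attribute across the fleet (a missing attribute counts as None)."""
    attrs = {a for rec in inventory.values() for a in rec}
    expected = {}
    for a in attrs:
        counts = Counter(rec.get(a) for rec in inventory.values())
        expected[a] = counts.most_common(1)[0][0]
    return expected

def find_drift(inventory, expected=None):
    """Return {host: {attribute: (observed, expected)}} for every host that differs.

    Pass `expected` explicitly to compare against a golden image instead of the majority;
    a majority vote is only safe when most of the fleet really did get the update.
    """
    if expected is None:
        expected = expected_state(inventory)
    drift = {}
    for host, rec in inventory.items():
        diffs = {a: (rec.get(a), want) for a, want in expected.items() if rec.get(a) != want}
        if diffs:
            drift[host] = diffs
    return drift

if __name__ == "__main__":
    for host, diffs in sorted(find_drift(INVENTORY).items()):
        for attr, (have, want) in diffs.items():
            print(f"{host}: {attr} is {have!r}, fleet expects {want!r}")
```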
Another case was a customer with a set of Linux systems where the outage occurred due to an administrator editing the DNS setting (/etc/resolv.conf) on a single Linux box incorrectly. That customer started to monitor that file and several others in real time with Tripwire from then on.
A year or so later, a few of their systems reported a change in real time to security. They checked, and it wasn’t an administrator this time. Malware had entered a few of their systems and modified the DNS entries to send info outside of the organization. Thanks to the tripwire of change detection in real time, they were able to diagnose how the malware had entered their environment and shut down the breach immediately. (None of their other network-based security products alerted to the intrusion.)
Monitoring system configurations and changes to the system are important, but how do you know what to review? There may be thousands of changes per system per week in an environment. Having control of your change process is a good place to start. What processes exactly are making changes on your systems? Do you know?
By running a system log report that filters just on the Tripwire audit events, you get a report that shows what application made a change and which user was running that application. This report can be exported as XML and pulled into a spreadsheet. You can then filter on the application column to get its unique values. Now, you have a list of all of the applications making changes on the systems in the timeframe of the report.
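An added example, not Tripwire's report: the same who-made-the-change aggregation over a few constructed Linux auditd SYSCALL records (the Tripwire XML export is not shown on this page, so auditd's key=value format stands in, with an assumed watch key on /etc), collapsing the records to a unique list of executables, the login users behind them, and how many changes each made.

```python
"""Aggregate which executable changed watched files, as which login user, from auditd records."""
import re
from collections import defaultdict

# Constructed auditd records for a watch rule with key "etc-watch" (syscall 257 = openat, 82 = rename).
AUDIT_LINES = """\
type=SYSCALL msg=audit(1690000001.101:301): arch=c000003e syscall=257 success=yes exit=3 uid=0 auid=1001 comm="vim" exe="/usr/bin/vim" key="etc-watch"
type=SYSCALL msg=audit(1690000002.202:302): arch=c000003e syscall=257 success=yes exit=3 uid=0 auid=4294967295 comm="puppet" exe="/opt/puppetlabs/puppet/bin/ruby" key="etc-watch"
type=SYSCALL msg=audit(1690000003.303:303): arch=c000003e syscall=257 success=yes exit=3 uid=0 auid=1002 comm="vim" exe="/usr/bin/vim" key="etc-watch"
type=SYSCALL msg=audit(1690000004.404:304): arch=c000003e syscall=257 success=no exit=-13 uid=1003 auid=1003 comm="sh" exe="/usr/bin/bash" key="etc-watch"
type=SYSCALL msg=audit(1690000005.505:305): arch=c000003e syscall=82 success=yes exit=0 uid=0 auid=4294967295 comm="dhclient-script" exe="/usr/bin/bash" key="etc-watch"
type=PATH msg=audit(1690000005.505:305): item=1 name="/etc/resolv.conf" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
NO_LOGIN = "4294967295"  # auid when no login session is attached, i.e. a daemon or boot-time process

def parse_record(line):
    """Return the key=value fields of one audit record as a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def changing_processes(text, key="etc-watch"):
    """Map each executable that successfully changed a watched file to the set of login
    users (auid, or "daemon" when there is no login session) and the number of changes."""
    summary = defaultdict(lambda: {"users": set(), "changes": 0})
    for line in text.splitlines():
        rec = parse_record(line)
        # Only completed SYSCALL records for our watch key count as changes; PATH records and
        # denied attempts (success=no) are skipped.
        if rec.get("type") != "SYSCALL" or rec.get("key") != key or rec.get("success") != "yes":
            continue
        entry = summary[rec["exe"]]
        entry["users"].add("daemon" if rec["auid"] == NO_LOGIN else rec["auid"])
        entry["changes"] += 1
    return dict(summary)

if __name__ == "__main__":
    for exe, entry in sorted(changing_processes(AUDIT_LINES).items()):
        print(f"{exe}: {entry['changes']} change(s) by {sorted(entry['users'])}")
```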
Generally, there are more processes making changes than you know. Can you use this information to get a handle on how changes are made and bring them under control? And how much money (unplanned downtime, unhappy customers, lost business, etc.) might that save your company? Maybe you don’t want to be a hero, but your boss might have other ideas.
Basic IT hygiene is ensuring your configurations are set securely and that only expected changes are occurring on your systems. You can save on audit prep time and unplanned outages. Get back to the basics, and happy hunting!
To learn more, join us on August 13 for a live panel webcast as we walk you through common use cases to show how worthwhile an investment in the 20 CIS Controls can be. Register today: https://info.tripwire.com/register-cost-justifying-use-cases-for-critical-cis-controls.
Author’s note: This blog was co-authored by Mike Betti and Brian Cusack.
About the Co-Author: Brian Cusack has been a Senior Systems Engineer at Tripwire for over 15 years. His responsibilities include providing technical demonstrations during client meetings, driving POCs, and introducing new customers to the security, compliance, and operational-best-practice capabilities of the Tripwire suite of products and service offerings.