CIS Benchmarks and Runecast Analyzer: the what and the how

Let’s take a look at CIS Benchmarks. In the last blog post about Kubernetes, we said this was coming and now here it is.

Runecast Analyzer contains CIS benchmarks for each of our supported platforms and in this article we take a deeper look at CIS, their benchmarks and how Runecast Analyzer can help you implement them for your environment.

CIS Benchmarks are a set of standards for IT services and products which set out benchmarks and guidelines for cybersecurity. They are widely used throughout the world because they are free and set standards for an enormous breadth of technologies and platforms.

So who are CIS and what are their benchmarks? How can Runecast Analyzer help you to meet the CIS Benchmarks in VMware, AWS, Azure and Kubernetes? And how do the CIS Benchmarks compare to another widely used set, DISA STIG?

CIS and the benchmarks

CIS is the Center for Internet Security, a non-profit organisation which is responsible for the CIS Benchmarks. They describe themselves as a global community of IT professionals and were founded in the year 2000. They released their first benchmark (for windows 2000) in 2002 and have been actively building and improving their benchmarks since then.

CIS develop their benchmarks with a selection of industry professionals to ensure that they are best practices that build security for the entire digital universe. They provide a baseline standard which is regularly updated to ensure that it is current with new releases of software or hardware. It’s important to note that these benchmarks are primarily about how systems are configured, rather than defining an organisation’s response to issues, or internal procedures. For that you might want to look at ITIL or something similar.

The CIS Critical Security Controls (CSC) are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks.

Today there are CIS benchmarks for a massive array of products and systems, ranging from physical and virtualised hardware to printers and cloud operating systems. This can initially make getting the right benchmark you’re looking for difficult, especially as there are benchmarks for previous versions of the same software on the CIS website.

The CIS benchmarks are free and take the form of an exhaustive PDF, which details all the controls that CIS require for the specified technology to pass the mark. While the PDFs are free, you do need to register to access them, and you then spend the time reading through the document. Or you could use Runecast Analyzer. Runecast Analyzer currently has the CIS benchmarks preloaded for each of our supported platforms: VMware, AWS, Azure and Kubernetes.

Instead of manually trawling the documentation and recommendations for your IT environment(s), you can quickly scan with Runecast Analyzer and have actionable insights in minutes.‍

In your results, and in the benchmarks, you’ll see they are grouped into two categories, automatic and manual. This shows whether a technical control can be fully automated, or whether there are manual steps required to meet the benchmarks.

For many of the automated benchmarks, Runecast Analyzer now has the ability to produce remediation scripts. This means that you can have a script to provide for your change process and ready to implement across your environment in just a few clicks.

CIS vs DISA STIG

There are similarities between CIS and another set of widely adopted set of baselines: DISA STIG. DISA STIG was developed by the US Department of Defense Systems Agency and is their Security Technical Implementation Guides (STIG). DISA STIG is also a set of system configuration principles and guidelines that aim to make your technology more secure.

What CIS and DISA STIG have in common is that they are a broad set of standards which cover multiple principles and guidelines. Another thing they have in common is that you can use Runecast Analyzer to analyse your environment against both of these benchmarks.

Where they differ, partly, is in their intended audience. DISA STIG is very much for organisations and technologies which are required to work with the US DoD systems or access their networks, whereas CIS has a broader appeal. Another, more technical difference, is the level of benchmark. While CIS has benchmarks and standards for AWS and Azure, DISA STIG has a broader Cloud Computing Security Requirements Guide. That’s not to say one is better than the other, merely that CIS has a tailored benchmark for these environments. This may be an advantage to your company, who may want a specific benchmark for a specific platform, or you may be looking to meet DISA STIG exactly, or even just want a secure generic guideline which applies across your cloud environments.

CIS Benchmarks achieved via Runecast Analyzer

Runecast Analyzer is a time-saving platform for any organization that wants or needs to pursue CIS certification. Runecast Analyzer automates the process of checking for compliance with CIS Benchmarks in Kubernetes, VMware vSphere, Microsoft Azure, and native AWS public cloud resources – in total, over 400 checks. Findings against both Level 1 and Level 2 recommendations are detailed, with each finding linked to the affected objects.

Runecast Analyzer has the CIS and DISA STIG benchmarks built in, so with the click of a button you can scan your environments and have a report detailing where you meet the mark and where improvements need to be made.

As stated above, the results are broken down to align to each of the recommendations, making the presentation even clearer. If you or your team has questions about the controls in section 5.2 of the VMware ESXi 7.0 CIS benchmark, you can see the result in Runecast Analyzer which will show you whether the ESXi shell is disabled or not. This is excellent for audit purposes as you can align each action and decision with a strict control.

There are also manual recommendations in the CIS benchmarks, which cannot be checked by Runecast Analyzer. Runecast Analyzer doesn’t look at your passwords and ensure they’re complex, or ensure that the previous 5 passwords can’t be reused, for example. But there is a place to tag that you’ve done that in the CIS benchmarks results in Runecast Analyzer.

Hopefully, that has cleared up a little of the what and the how of approaching the CIS benchmarks with Runecast Analyzer. If you aren’t already using Runecast for this, why not

Request a free trial or contact us.

About Runecast

Runecast Solutions Ltd., headquartered in London, UK, with offices worldwide, is a leading provider of actionable predictive intelligence for the Hybrid Cloud. Its patented, award-winning Runecast Analyzer software, regularly lauded by IT experts, provides real-time, automated configuration and security compliance analysis for AWS, Azure, Kubernetes and VMware. In 2020, Runecast was named a Gartner Cool Vendor and won Computing Magazine awards for Best Place to Work in Digital and Cloud Security Product of the Year.