
  • Proprietary 1

    CIS SecureSuite Resources - Common Workflows

    Eugene Kipniss – Program Manager – MS-ISAC/EI-ISAC

    Ronan Tiu – Member Success Technical Training – Program Manager

    August 27, 2019

  • How to access MS-ISAC resources (TLP: WHITE)

    • Register for the MS-ISAC’s services here: https://learn.cisecurity.org/ms-isac-registration

    • The MS-ISAC Stakeholder Engagement team will provide you with next steps:

    – Register your HSIN account

    – Submit public IPs, domains, and subdomains

    – Register for an MCAP account

    – Add additional staff to your account

  • Agenda

    • CIS SecureSuite™ Membership Tools and Resources

    • Common Workflows for CIS SecureSuite™ Members

    – CIS Controls: Version 7.1 - Implementation Group 1

    – CIS-CAT Pro Assessor: CIS Benchmark Analysis and Reporting

    – CIS WorkBench: CIS Benchmark Tailoring and Build Kits

    – CIS-CAT Pro Dashboard with CIS-CAT Pro Assessor: Maintaining your hardened environment

    • MS-ISAC – Malicious Code Analysis Platform

    • Additional Resources

  • CIS SecureSuite Membership

  • How to Access Membership

    • All U.S. SLTTs and public academic institutions are eligible for FREE CIS SecureSuite Membership

    • If you are a current MS-ISAC or EI-ISAC member you are automatically enrolled

    • Access CIS WorkBench: https://workbench.cisecurity.org/

  • Common Workflow used by CIS SecureSuite Members

    • Identify: internal and external security requirements, such as policies, PCI, etc. (CIS Controls™)

    • Develop: assessment and implementation standards for assets. Deploy remediation. (CIS WorkBench, Tailored Benchmarks & Build Kits)

    • Assess: security and compliance using assessment standards and procedures. (CIS-CAT Pro Assessor & CIS Benchmarks)

    • Maintain: hardened target environment via scheduled scans and CIS-CAT Pro Dashboard. (CIS-CAT Pro Assessor and Dashboard)

  • CIS Controls™ – Version 7.1 - Implementation Groups

  • CIS Controls™ - Version 7

    • Prioritized set of actions that mitigate the most common attacks against systems and networks

    • “One ask per Sub-Control”

    – Easier to measure each sub-control

    • Mappings (at the sub-control level)

    – NIST Cybersecurity Framework

    – NIST 800-171

  • V7.1 introduces Implementation Groups (IGs) to the CIS Controls:

    – IGs: a new prioritization for the CIS Controls, at the Sub-Control level.

    – A detailed methodology to help organizations assess which IG they fall within.

    – Edits requested by the global community that clarify certain CIS Controls and Sub-Controls.

  • Controls v7.1 – Implementation Groups

    • Prioritization at the Sub-Control level based on evolving threats

    • Implementation Groups focus on:

    – Data sensitivity and criticality of services offered by the organization

    – Expected level of technical expertise exhibited by staff or on contract

    – Resources available and dedicated towards cybersecurity activities

    • We refer to Implementation Group 1 as Basic Cyber Defense and, as such, it should be implemented first.

    https://www.cisecurity.org/controls/

  • CIS-CAT Pro Assessor – Benchmark Analysis and Reporting

  • CIS-CAT Pro Assessor – What exactly does it do?

    • Manual: compare the benchmark document to system settings one system at a time, resulting in a manually created spreadsheet of differences.

    • Automated: system scan process of many systems, resulting in a pass/fail report.

  • CIS-CAT Pro Assessor

    • Produces reporting of your target end-points’ conformance to the CIS Benchmark

    • Vulnerability scanning tool for patch management

    • SCAP 1.2 Validated – OVAL/XCCDF, ARF files

    • Interactive reporting format (HTML)

    • Reporting designed for CIS-CAT Pro Dashboard

    v3.0.60

    • Centralized scanning workflows

    • Java 1.6 or later, or OpenJDK

    • GUI and CLI interfaces

    • Continued support of v3

    v4.0.9

    • Centralized scanning workflows

    • Java 1.8 or later, or OpenJDK

    • CLI interface only; GUI on the product roadmap

    • Remote scanning capabilities

  • CIS-CAT Pro Assessor – How is it used?

    • Server admins/operations teams use CIS-CAT to perform self-assessments.

    • Build teams use CIS-CAT to validate a system before production rollout.

    • Security teams use CIS-CAT as part of their assessment process.

    • Auditors use CIS-CAT as part of compliance and governance processes.

    • Scheduled scanning of target end-points for constant monitoring of your hardened environment

    • Vulnerability assessments

    • Download from https://workbench.cisecurity.org/files

  • CIS WorkBench – CIS Benchmark™ Tailoring and Build Kits

  • What is CIS WorkBench?

    • Where the CIS Benchmarks team works

    • Document development environment

    – Supports proposed changes

    – Tracks changes in documents

    – Supports automation content (some)

    • Community forum for discussions and tickets

  • What is Tailoring?

    • The “forking” of a CIS Benchmark™ and the subsequent customization of the recommendations contained in the benchmark.

    • Intra-organizational collaboration on benchmark customization

    • Features for updates when CIS releases a new version

    • CIS SecureSuite members only

  • Why tailor a CIS Benchmark™?

    • Each recommendation carries its control mappings, e.g. CIS Controls 7 – Sub-Control 5.1

    – Maps to NIST-CSF (PR.IP.1)

    – Maps to PCI DSS 3.2 (2.2) (Mappings referenced from Auditscripts.com)

    • Audit trail of your changes to the CIS Benchmark

    • Export your tailored benchmark (.docx, .xlsx, OVAL/XCCDF)

    • Scan your environment against your custom benchmark using an OVAL/XCCDF-compliant tool

    • Helps you maintain hardened target end points

  • Build Kits – Automated Remediation Application

    • Group Policy Objects (GPO)

    – Microsoft Windows XP, 7, 8, 8.1, 10

    – Microsoft Windows Server 2003, 2008, 2008 R2, 2012, 2012 R2, 2016

    – Microsoft Office 2013 & 2016; Access, Excel, PowerPoint, Word and Outlook 2013 & 2016

    – Internet Explorer 9, 10 and 11

    – Google Chrome 49

    • Linux Scripts

    – RHEL 6 & 7

    – CentOS Linux 6 & 7

    – Amazon Linux 2014.09-2015.03

    – Debian Linux 7 & 8

    – Oracle Linux 6 & 7

    – SLES 11 & 12

    • IBM AIX 5.3, 6.1 and 7.1 (AIXPert)

    • HP-UX 11i - Bastille Configuration

    • Mozilla Firefox 38 ESR

  • CIS-CAT Pro Assessor and Dashboard – Maintaining your hardened environment

  • CIS-CAT Pro Assessor v4 – Centralized Scanning (v3 & v4) – Remote Scanning (v4 only)

    Note: For both the Centralized and Remote scanning workflows, CIS-CAT Pro Assessor and Java only need to be installed on the machine hosting the application. CIS-CAT Pro Assessor and Java do NOT need to be installed on the target system you are assessing.

  • Why install CIS-CAT Pro Dashboard?

    • A dynamic web-based application designed to store CIS-CAT Pro Assessor results (“ARF” files) and provide insight into your ecosystem’s security posture.

    • Helps you understand the evolution of hardening your target end points

    • Provides a holistic view of your environments’ conformance to the CIS Benchmarks/Tailored Benchmarks

    • Provides workflow for IT/Ops teams for maintenance

    • Helps your organization maintain a hardened environment by helping manage “configuration drift”

    • Provides reporting for internal/external audits

  • Recommended Hardware for Install – Windows and Linux/Unix

    • Lightweight application in processor and memory use:

    – Highest memory utilization occurs during import of “ARF” reports

    – Suggested to run imports during off hours

    • System hardware requirements:

    – 8GB RAM

    – 2 CPUs with 4 cores each

    – Ubuntu 16.04 / Windows Server 2016

  • Required OS/Software for Install – CIS-CAT Pro Dashboard (Windows/Linux installer; 64-bit or 32-bit Java)

    • Windows Dashboard – CIS supported components:

    – Windows Server 2016, SQL Server 2017

    – Windows Server 2016, Apache Tomcat 8.5

    – 64-bit and 32-bit Java versions

    • Linux Dashboard – CIS supported components:

    – Ubuntu 16.04, MySQL 5.6

    – Ubuntu 16.04, Apache Tomcat 8/8.5

    • Java 8 or OpenJDK

    • The database (SQL Server or MySQL) and Apache Tomcat must be installed prior to running the installer.

    • Using the installer.exe is not required, but it is recommended for new installations and upgrades

    • Consult the documentation for additional component options: https://cis-cat-pro-dashboard.readthedocs.io/en/stable/

  • The Link between CIS-CAT Pro Dashboard and Assessor – ReST API

    [Diagram labels: CIS-CAT Pro Assessor host server; desktops and servers (target end-points); ReST API; SQL database for CIS-CAT Pro Dashboard]

    • Target end-points execute the assessment via “Scheduled Tasks” (Windows) or scheduling (Linux) software.

    • ARF file import into the database is invoked via a ReST-ful web service. Documentation: https://ccpa-docs.readthedocs.io/en/latest/Configuration%20Guide/#cis-cat-pro-dashboard-integration

  • CIS-CAT Pro Dashboard – Key Features

    • Manage configuration drift – alerts and “Configuration Difference” reports

    • Target system tagging – view compliance to CIS Benchmarks/tailored benchmarks by creating a “custom” group of systems.

    • Create exceptions/whitelist recommendations – the assessment scoring is automatically recalculated and reviewable through the dynamic nature of the dashboards.

    • CIS Controls view – annotated benchmark content

    • Complete report showing all recommendations in the benchmark and overall pass/fail results

    • Each CIS SecureSuite Member has their own instance(s) of CIS-CAT Pro Dashboard
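    The Assessor's SCAP output (OVAL/XCCDF results wrapped in an ARF file) and the Dashboard's exception scoring and "Configuration Difference" reports described above come down to one thing: reading the XCCDF rule-result elements out of each ARF and comparing scans. The Python below is an added example, not CIS-CAT or Dashboard code. The two ARF documents are constructed inline using the standard ARF 1.1 and XCCDF 1.2 namespaces, the rule ids are hypothetical (real CIS rule ids follow the same xccdf_org.cisecurity.benchmarks_rule_ prefix), and the scoring is a flat unweighted pass ratio rather than XCCDF's default scoring model.

```python
"""Parse CIS-CAT style ARF/XCCDF results, recalculate the score after
exceptions, and flag configuration drift between two scans of one host.

Added example. The ARF documents below are constructed for illustration,
not real CIS-CAT output, and the rule ids are hypothetical.
"""
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
ARF = "{http://scap.nist.gov/schema/asset-reporting-format/1.1}"


def _arf(results):
    # Build a minimal ARF wrapper around one XCCDF TestResult (constructed).
    rule_results = "".join(
        f'<rule-result idref="{rid}" weight="1.0"><result>{res}</result></rule-result>'
        for rid, res in results)
    return (f'<asset-report-collection xmlns="{ARF[1:-1]}"><reports><report id="r1"><content>'
            f'<TestResult xmlns="{XCCDF[1:-1]}" id="xccdf_org.cisecurity_testresult_1">'
            f'{rule_results}</TestResult></content></report></reports></asset-report-collection>')


# Constructed sample scans of the same host on two dates (hypothetical rule ids).
BASELINE_ARF = _arf([
    ("xccdf_org.cisecurity.benchmarks_rule_1.1.1_tmp_separate_partition", "pass"),
    ("xccdf_org.cisecurity.benchmarks_rule_5.2.8_ssh_root_login_disabled", "pass"),
    ("xccdf_org.cisecurity.benchmarks_rule_5.2.10_ssh_permit_empty_passwords", "pass"),
    ("xccdf_org.cisecurity.benchmarks_rule_3.4.1_tcp_wrappers_installed", "fail"),
    ("xccdf_org.cisecurity.benchmarks_rule_1.1.21_sticky_bit_world_writable", "notchecked"),
])
CURRENT_ARF = _arf([
    ("xccdf_org.cisecurity.benchmarks_rule_1.1.1_tmp_separate_partition", "pass"),
    ("xccdf_org.cisecurity.benchmarks_rule_5.2.8_ssh_root_login_disabled", "fail"),  # drifted
    ("xccdf_org.cisecurity.benchmarks_rule_5.2.10_ssh_permit_empty_passwords", "pass"),
    ("xccdf_org.cisecurity.benchmarks_rule_3.4.1_tcp_wrappers_installed", "fail"),
    ("xccdf_org.cisecurity.benchmarks_rule_1.1.21_sticky_bit_world_writable", "notchecked"),
])


def parse_rule_results(arf_xml):
    """Return {rule_id: result} for every rule-result in the first XCCDF TestResult.

    iter() walks the whole tree, so it does not matter how deeply the ARF
    nests the TestResult inside reports/report/content.
    """
    root = ET.fromstring(arf_xml)
    test_result = next(root.iter(XCCDF + "TestResult"))
    out = {}
    for rr in test_result.iter(XCCDF + "rule-result"):
        result = rr.find(XCCDF + "result")
        out[rr.get("idref")] = result.text.strip() if result is not None else "unknown"
    return out


SCORED = {"pass", "fail"}  # notchecked/notapplicable/etc. never count toward the score


def score(results, exceptions=frozenset()):
    """Percentage of scored rules that passed. Rules listed in `exceptions`
    (the Dashboard's whitelist) are dropped from the denominator."""
    scored = {r: v for r, v in results.items() if v in SCORED and r not in exceptions}
    if not scored:
        return 0.0
    passed = sum(1 for v in scored.values() if v == "pass")
    return round(100.0 * passed / len(scored), 1)


def drift(baseline, current):
    """{rule_id: (old, new)} for every rule whose result differs between scans."""
    changes = {}
    for rid in set(baseline) | set(current):
        old, new = baseline.get(rid, "missing"), current.get(rid, "missing")
        if old != new:
            changes[rid] = (old, new)
    return changes


def regressions(baseline, current):
    """Sorted rule ids that went pass -> fail; this is what a drift alert should key on."""
    return sorted(r for r, (old, new) in drift(baseline, current).items()
                  if old == "pass" and new == "fail")


if __name__ == "__main__":
    base, cur = parse_rule_results(BASELINE_ARF), parse_rule_results(CURRENT_ARF)
    print("baseline score:", score(base))
    print("current score :", score(cur))
    print("with exception:", score(cur, {"xccdf_org.cisecurity.benchmarks_rule_3.4.1_tcp_wrappers_installed"}))
    for rid in regressions(base, cur):
        print("DRIFT pass->fail:", rid)
```

    Run against real ARF files, replace the constructed strings with the file contents (the namespaces are the same ones CIS-CAT emits for SCAP 1.2 content). The drift check deliberately distinguishes a rule that regressed from one that merely changed (for example pass to notchecked after a benchmark update), since only the former should page anyone.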

  • MS-ISAC - Malicious Code Analysis Platform

  • Malicious Code Analysis Platform (TLP: WHITE)

    A web-based service that enables members to submit and analyze suspicious files in a controlled and non-public fashion:

    • Executables

    • DLLs

    • Documents

    • Quarantine files

    • Archives

    To gain an account contact: [email protected]

  • Additional CIS SecureSuite Resources

  • Upcoming and Recorded CIS Webinars

    Link to register: https://www.cisecurity.org/cis-securesuite/member-webinars/

  • SLTT Support

    • As a benefit of membership, your organization’s employees are eligible to receive support service, at no charge, from staff:

    – Email: [email protected]

    – Discussion areas on the CIS WorkBench site

    • Email [email protected] if you need your account manager to assist you with your account or have questions on benefits.

    • SLTT Account Managers:

    – Kim Grimaldi – [email protected]

    – Kelly Morris – [email protected]

  • Q & A

  • Thank you!