Security baseline automation of STIG and CIS controls with Ansible
With an ever-growing workload to accommodate, IT is deploying cloud services and automation to help keep pace with its line-of-business demands. A factory-like mentality towards IT infrastructure operations has allowed businesses to improve upon its SLAs while increasing the quality of service delivery.
Many security practices haven’t yet benefited from modern IT automation practices. Most enterprises continue hardening systems with manual processes fraught with human error and inefficiencies. So why did security get left behind the automation revolution? Like autonomous driving technology, IT security automation is still in its infancy. Up until recently, it was more conceptual than operational.
Here’s how it typically works. Security teams dictate a policy based on other third party security guidance (FISMA, NIST, DISA, CIS, PCI, HIPAA—the list goes on). After the policy is approved, Security hands it off to IT operations teams who are left to execute in whatever manner they can. While many IT ops teams automate aspects of vulnerability detection and triage, few will attempt to automate the application of security controls through end-to-end automation or CI/CD. To be fair, if applied without tact, automating system security configurations can do more harm than good by causing disruption to production environments and failing to properly secure systems to the standards they were meant to. So instead of trying to automate, teams often play it “safe” with manual steps once a system has been deployed.
The time and money businesses are spending on security hardening indicates that a more cost-effective and capable solution is needed for applying and maintaining security controls. However, current market solutions fail to provide sufficient value and ease of access.
Gaps in Security Modernization
Cloud Service Providers provide a golden image with security settings already in place. Yes, the image is secure and compliant, but it rarely remains so over the course of its lifecycle. The second an app is installed or the system updated, it’s likely no longer compliant. Of course, this is one of the reasons audits are so painful!
Managed Service Providers are capable of delivering secured infrastructure to a client, but many are costly and require the client to relinquish control of their own systems. This relationship sets up a communication divide between client and MSP that many have found to be inefficient, and the market is proving this out with many ending their MSP contracts and taking back control.
The do-it-yourself option requires scanning tools to evaluate vulnerabilities within the estate. You’ll then need to write remediation scripts or manually correct vulnerabilities. This is a risky option depending on your exposure, and an expensive cost center to maintain.
STIG and CIS Automation
Businesses with effective systems security strategy deploy continuous monitoring and remediation toolchains to keep their systems compliant. MindPoint Group’s cybersecurity experts are helping to democratize a pivotal piece of security strategy through a certified content offering that automates hundreds of third party controls. We’ve used our expertise in cybersecurity to automate popular security baselines such as CIS and STIG to infrastructure, operating systems, and applications. The following features are included as part of our annual subscription:
- Comprehensive and customizable security baseline automation written in Ansible - the most popular and fastest-growing configuration management tool in the world.
- Testing strategies that can be integrated into any workflow for validation and scoring.
- Quality assurance, ongoing maintenance, and an SLA to ensure we provide automation that works and keeps up with changes.
Want to learn more? Check out this quick demo on security baseline automation and reach out with any questions.