STIG vs. CIS part 1: The Anatomy of Baselines and Compliance

This blog is part 1 of our multi-post blog series on STIG vs. CIS. In this series, we will give an overview of security baselines, frameworks, and ultimately discover if STIG or CIS is right for you. If you’re looking for part 2, check it out here.


At first glance, selecting a baseline can seem like a daunting task. 

System configuration baselines—also called cybersecurity baselines—provide a common approach to ensuring your systems are more secure than their standard off-the-shelf configuration. A well-defined, implemented, and broadly deployed set of baseline configurations will generally improve your environment’s overall security. They are not foolproof, however. Even when properly implemented, there are likely additional efforts needed to truly ensure system security. 

Security baseline basics 

A security baseline contains a list of defined requirements that are called controls, or security controls. Each control addresses a specific requirement, such as logging, user access, password configurations, etc. 

Rather than go into all the controls that make up security baselines and all their hierarchies, we want to focus on how to select the best baseline for your business and system requirements. 

There are several security baseline options to consider. Each baseline has pros and cons, which we’ll discuss. 

  • Select an existing baseline 
  • Create your own 
  • Hybrid: an existing baseline extended with your own requirements 

Regardless of your selection, a baseline alone is not enough to ensure system security. There are numerous ways to configure a system so that it passes a compliance scan for a given control without actually being left in a more secure state. 
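To make that last point concrete, here is an added example (not from the original post) that contrasts a naive "is the compliant line present?" scan with a check of the value the service would actually use. It works on a constructed sshd_config-style file; the only fact it relies on is that sshd_config(5) uses the first value it finds for a keyword, so a compliant line appended at the bottom satisfies a grep-based scan but is never applied. The `naive_scan`, `effective_value` and `effective_check` function names are this example's own, and the simplified parser ignores `Match` and `Include` directives.

```shell
#!/bin/sh
# Added example, not part of the original post or of any scanner's code.
# It shows a control that "passes" a line-present scan yet is not in effect.

# Constructed sample config (not a real host). The trailing "no" is the kind
# of line a hurried remediation appends to make the scanner go green.
CFG=$(mktemp)
trap 'rm -f "$CFG"' EXIT
cat > "$CFG" <<'EOF'
# constructed sample sshd_config, for illustration only
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later to satisfy the compliance scanner:
PermitRootLogin no
EOF

# naive_scan FILE KEYWORD VALUE
# Passes if ANY non-comment line sets KEYWORD to VALUE. This is the kind of
# check that a grep-based audit script performs, and it is fooled by the
# appended line above.
naive_scan() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|$)" "$1"
}

# effective_value FILE KEYWORD
# Prints the value sshd would use: the FIRST non-comment occurrence wins,
# per sshd_config(5). (Simplified: Match blocks and Include are ignored.)
effective_value() {
    grep -Ei "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}'
}

# effective_check FILE KEYWORD VALUE
# Passes only if the value actually in effect equals VALUE.
effective_check() {
    [ "$(effective_value "$1" "$2")" = "$3" ]
}

# Run both checks against the same control (PermitRootLogin must be "no").
if naive_scan "$CFG" PermitRootLogin no; then
    echo "naive scan:      PASS (line 'PermitRootLogin no' is present)"
else
    echo "naive scan:      FAIL"
fi
if effective_check "$CFG" PermitRootLogin no; then
    echo "effective check: PASS"
else
    echo "effective check: FAIL (value in effect is '$(effective_value "$CFG" PermitRootLogin)')"
fi
```

On the constructed file the naive scan passes and the effective check fails, which is exactly the gap the paragraph describes: a scanner that only looks for the presence of the compliant line reports the control as met while root login remains permitted. A validation step that reads the effective configuration (for sshd, `sshd -T` on the host) rather than the file text is the practical defence.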

Existing Baselines 

The two most common system configuration baselines are the Center for Internet Security’s CIS Benchmarks and the US Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs). Both are widely deployed and trusted worldwide. These two standards are largely configuration focused, which means most of their controls address how you configure the system rather than the process your organization uses to, for instance, respond to a threat alert. One definite downside to these baselines is that it’s largely impossible to attain a perfect score and still have a system that functions as intended. In nearly all cases, teams will be forced to make trade-offs, potentially developing a mitigating control when a baseline control cannot be applied. 

Create your own 

Cybersecurity is critical to your business, but there’s a good chance that you’re not really in the cybersecurity business. For that reason alone, it may be best to leave the control planning to the experts, which is exactly what you get when you select one of several industry and expert-vetted baselines. These baselines are written by experts and have significant industry input, testing, and community validation. This is a great example of the colloquialism “all of us are better than one of us.” 

Rolling your own is hard work and requires significant expertise. (Photo by Анна Рыжкова from Pexels)

In summary, creating a successful baseline requires access to seasoned cybersecurity experts who have a deep understanding of the systems you need to secure. Even if you do have the resources to do this in-house, the existing standards have been so widely tested that those resources can probably be better used elsewhere.  

Hybrid 

Nearly every organization in every industry has its own requirements and policies in addition to what might be required by a baseline’s definition. Certain applications or environments may need specific controls which are unaccounted for in a standard baseline.  

For this reason, it’s usually worth adding tweaks to a standard baseline configuration so that your application works while the system remains in a properly secured state. 

Cybersecurity Frameworks 

It’s also important not to confuse a system configuration baseline with an industry standard or requirement. Many industries have additional requirements (called cybersecurity frameworks) that go beyond how a system or application is configured and dictate the organization’s overall security posture. They specify how the data in an environment is handled, stored, and processed. Some of the more familiar standards and frameworks include NIST 800-53, PCI DSS, HIPAA, and SOC 2. They often include specific system configuration requirements but typically focus on data handling and access procedures.  

Merely applying a baseline to your systems will not ensure your cybersecurity preparedness. Because they only address system configurations, baselines are only a piece of the larger cybersecurity architecture. 

Now that you have the baseline basics down, check out our second post all about making the best baseline choice for your business. 

Next steps and resources 

Not sure where to start with a cybersecurity framework? It might be time for a gap analysis

Learn more about using Ansible to automate baseline validation and remediation.