Chef’s Approach to CIS Critical Security Controls v7.0

The Center for Internet Security (CIS) have just released the latest version of the Critical Security Controls, designed to provide patterns and practices to help protect organizations and data from cyber attacks. These updated controls have been developed based on feedback from actual cyber attacks faced by organizations using input from a wide spectrum of experts across the security ecosystem. These experiences are combined with an analysis of effective defenses to create profiles companies can use to better secure their infrastructure. In this blog post, you will see how Chef helps detect, correct and automate security scanning using the top 6 basic CIS controls.

To get started, it’s helpful to understand how CIS approaches security practices. CIS has defined five key pillars of an effective cyber defense strategy:

  • Offense informs defense — lessons from previous attacks feed directly into the creation of the controls. This results in practical, real-world defences that are shown to work against the threats already in use.
  • Prioritization — Focus your organization’s efforts on the areas that give the best returns with respect to reducing your risks first, then work through the rest of the CSCs.
  • Metrics — Agree a standard way to discuss the implementation of security controls within your organization so progress can be clearly communicated and the next course of action quickly agreed upon.
  • Continuous Diagnostics and Mitigation — continually test and measure the effectiveness of the controls you have in place and use this to guide the next steps in implementing further controls – this is a continual process of improvement.
  • Automation — The automation of defences and checks is the only way to be able to scale a reliable set of defences and allow continuous monitoring across an ever growing estate.

There are 20 Controls set out within the Critical Security Control framework. In this post we’ll focus on the 6 Basic Controls, defined as “Key controls which should be implemented in every organization for essential cyber defense readiness”, and come back to the entire set in a later post. The first 6 Controls are:

  1. Inventory and Control of Hardware Assets
  2. Inventory and Control of Software Assets
  3. Continuous Vulnerability Management
  4. Controlled Use of Administrative Privileges
  5. Secure Configuration for Hardware and Software on all Devices
  6. Maintenance, Monitoring and Analysis of Audit Logs

Through Chef Software’s Detect, Correct and Automate pattern, and our investment in a dedicated team of engineers to build and maintain security-focused Chef Server Cookbooks and InSpec Compliance Profiles, we have used the CIS CSCs to guide our overall approach for the Enterprise and for enabling DevSecOps. Here are details of how to use Chef Server and InSpec to support each of these six areas.

1. Inventory and Control of Hardware Assets

“Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access”

The use of Chef’s asset database and configuration management capabilities ensures that a single, secure point can be used to supply authorised assets with client certificates in order to access the organisation’s trusted network. Chef’s database of On-Premise and Cloud instances is an accurate registry that can be integrated with tools such as ServiceNow to give a single pane into an organisation’s assets across multiple installation types.

2. Inventory and Control of Software Assets

“Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that all unauthorized and unmanaged software is found and prevented from installation or execution”

Using Chef as a single point of software installation and distribution in the Enterprise ensures that only authorized software is installed and that software version rollout can be handled in one central location, with unsupported versions controlled by exception and tracked on the appropriate environments. Integrating Chef Automate with dedicated asset inventory systems, such as ServiceNow, also allows for an overall integrated approach to software and hardware asset tracking and a single pane view of the enterprise.

3. Continuous Vulnerability Management

“Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.”

Using InSpec’s automated compliance capabilities for detection, and then correcting any vulnerabilities with Chef’s configuration automation, gives a solid approach to automating the requirements around this area. Our Detect, Correct, Automate principles, enabled by Chef Automate, allow an Enterprise to step up to the plate for the constant vulnerability correction cycle. Keeping software up-to-date and correctly configured, as well as running CIS profiles against the infrastructure using InSpec at all stages of the development pipeline and in production, gives the Enterprise CIO a few fewer sleepless nights. Additionally, Chef’s integrations with tools such as Splunk and ServiceNow allow for comparisons of passing and failing InSpec scans, as well as the ability to automatically raise incidents or change requests for failure scenarios with the relevant teams in an Enterprise.

4. Controlled Use of Administrative Privileges

“The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.”

The use of Chef’s configuration management automation capabilities allows one place to control the distribution and restriction of administration privileges and the configuration and distribution of scripting tools to meet the needs of this control. The combined use of our InSpec compliance automation tool also ensures that independent auditing is possible in this area and that any unintended changes are captured and alerted across the enterprise estate rapidly.

5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

“Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.”

Chef’s creation of a dedicated team to continually create and test secure Chef configuration Cookbooks and InSpec Compliance Profiles, based on the CIS benchmarks, ensures that Enterprises using Chef Automate have access to up-to-date secure configurations and associated compliance scanning capabilities linked together in a Detect, Correct, Automate cycle. This approach matches the best practices laid out by the CIS Critical Security Control for Secure Configuration on devices in the Enterprise.

6. Maintenance, Monitoring and Analysis of Audit Logs

“Collect, manage and analyze audit logs of events that could help detect, understand, or recover from an attack.”

The use of Chef’s configuration management to ensure a uniform, centralized logging configuration that aligns with CIS’s recommendations across the entire enterprise estate, together with NTP configurations for time synchronization from multiple sources, helps enterprises meet this control in a centrally controlled and automated way. Additionally, Chef’s ongoing integration efforts with Splunk, to capture successful and failed events from Chef Cookbook and InSpec Compliance runs, help to supply valuable data into the Enterprise’s data analysis tools. The use of Chef to ensure all of your infrastructure is configured to supply events into your Splunk system ensures the Enterprise meets the advanced aspects of this control.
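To make the "Detect" half of this control concrete, here is an added example (not Chef's own code or an InSpec profile) written in plain Ruby: it checks the two settings named above, time synchronization from more than one source and log forwarding to a remote collector, against constructed ntp.conf and rsyslog.conf bodies. An InSpec control would express the same logic as `describe` blocks; the `min_sources` threshold and the sample hostnames are assumptions.

```ruby
# Added example, not part of Chef's content: plain-Ruby detect checks for
# CIS Control 6 (audit logs): multiple time sources and remote log forwarding.

# Count distinct time sources declared in an ntp.conf / chrony.conf body.
# Both "server" and "pool" directives count; comments and duplicates are ignored.
def ntp_source_count(conf)
  conf.each_line.map(&:strip)
      .reject { |l| l.empty? || l.start_with?('#') }
      .map(&:split)
      .select { |w| %w[server pool].include?(w[0]) && w[1] }
      .map { |w| w[1].downcase }
      .uniq.size
end

# Return the remote collectors an rsyslog config forwards to. Handles the
# legacy "@host" (UDP) / "@@host" (TCP) forms and the newer omfwd
# action(... target="host" ...) syntax; local file targets are not remote.
def remote_log_targets(conf)
  targets = []
  conf.each_line do |l|
    l = l.strip
    next if l.empty? || l.start_with?('#')
    if (m = l.match(/\s@@?\[?([^\s:\]]+)/))
      targets << m[1]
    elsif (m = l.match(/target="([^"]+)"/))
      targets << m[1]
    end
  end
  targets.uniq
end

# Summarise failures the way a compliance scan would report them.
def control6_findings(ntp_conf, rsyslog_conf, min_sources: 2)
  findings = []
  sources = ntp_source_count(ntp_conf)
  findings << "time-sync: #{sources} source(s), want >= #{min_sources}" if sources < min_sources
  findings << 'logging: no remote log collector configured' if remote_log_targets(rsyslog_conf).empty?
  findings
end

# Constructed sample configs: one NTP source only (fails), TCP forwarding present (passes).
CONSTRUCTED_NTP = <<~CONF
  # /etc/ntp.conf (constructed)
  driftfile /var/lib/ntp/drift
  server ntp1.example.internal iburst
CONF

CONSTRUCTED_RSYSLOG = <<~CONF
  *.info;mail.none;authpriv.none;cron.none  /var/log/messages
  authpriv.*                                /var/log/secure
  *.* @@logs.example.internal:6514
CONF
```

Running `control6_findings(CONSTRUCTED_NTP, CONSTRUCTED_RSYSLOG)` on the constructed samples reports only the time-sync failure, which is the finding a cookbook would then correct.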

Wrap up and next steps

The CIS Critical Security Controls are used across the industry to protect against the most pervasive cybersecurity threats, and also to help Enterprises navigate the vast number of possible ways to defend against these threats. Chef has created a compliance team to continually test and support CIS System Benchmarks with InSpec Profiles for detection and Chef Cookbooks for correction of vulnerabilities. Chef’s wider approach of Detect, Correct, Automate enables the Enterprise to embrace a DevOps approach to pushing software and services into production environments while ensuring the CIS Critical Security Controls can be followed.

Davy McAleer

Davy is an engineering manager with Chef and runs the Chef Belfast office, helping build out our Compliance automation content team and Partner engineering group. Before joining Chef he spent time running engineering teams, support organisations and product management for large telecoms software companies. He dreams of DevOps throughout the land!