I am pleased to announce the availability of DISA STIGs on Cavirin’s next generation Platform. Cavirin DISA STIG support provides several new security baselines for assessing and securing mission critical workloads, and several value-adds to DISA STIG assessments that ease implementation and usability. These include browsing, as well as assessment and reporting.
DISA STIGs Browsing
DISA does not provide an easy to navigate mechanism for browsing the STIGs. There are no spreadsheets, PDFs, or detailed documentation, so the user is left to work with the XML and the enclosed stylesheets to browse the content. If you are like me, perhaps you have been using the STIG Viewer for a long time.
The platform provides several browsing enhancements.
- Consolidation – The platform’s policy browser, as depicted above, provides a consolidated view of the STIGs. All profiles are listed, and the operator may choose any profile to find out what policies are contained in each of them.
- Classification – The security policies within the DISA STIGs are not categorized into control families at the source. Cavirin takes additional steps to categorize the security policies under their respective control families, permitting the operator to pick and choose the relevant control family. The browser also permits expansion of a selected control family, describing the individual tests.
- Counts – When you choose a profile, the browser shows the exact number of policies in that profile, so you know how many policies you are dealing with.
- OS Filter – The Cavirin platform supports all flavors of Windows and Red Hat 6, and provides OS level filters that you can apply to browse a particular STIG. The count of policies is automatically reset based on the chosen OS and profile.
- Policy details and formatting – DISA STIGs do not provide any formatting that makes it easy to read and differentiate text from code. Also, DISA SCAP content does not include details such as rationale, audit steps, or policy details. The Cavirin Platform combines SCAP and STIGs to present not only the assessment status but also the policy details: Rationale, Audit steps and Remediation Procedure. Each policy is also well formatted to ease understanding of the desired actions.
DISA STIGs Assessment and Reporting
The Cavirin Platform supports all Windows DISA STIGs as well as Red Hat 6. Windows DISA STIGs are segregated into 3 major device types –
- Domain Controllers,
- Member Servers and
- Workstations
The platform eliminates complexity by allowing the operator to discover the organization’s target machines and then create asset group(s). During assessment, one may choose an asset group and the platform automatically applies the suitable STIG based on the device type and the chosen profile. This eliminates the need to filter domain controllers from member servers or workstations.
The platform eliminates the complexities of selecting profiles, assigning STIGs, consolidating the results and creating reports.
Once the assessment is complete, the platform presents the rolled-up risk score at the asset group level. It is a combined score of multiple resources (machines) in an asset group.
One may then drill down to the respective machines to determine failure sources.
Recall that we talked about classifying the DISA STIG policies into control families. The above report shows risk scores segregated at the control family level. It also shows a breakdown of low, medium and high severities as defined by the DISA STIGs.
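To make the "XML and stylesheets" problem from the browsing section concrete, and to show where the per-profile policy counts and the low/medium/high severity breakdown mentioned here come from, below is an added example that is not part of the Cavirin platform or of this post. It parses an XCCDF benchmark (the format DISA STIGs ship in) with Python's standard library, lists the profiles, counts the policies each profile selects, and tallies the selected policies by severity. The benchmark embedded in it is a constructed sample: its rule identifiers, titles and profile names are made up for illustration, and it assumes the XCCDF 1.1 namespace and the DISA convention that a profile's `select` entries reference group ids, with one rule per group.

```python
"""Summarise an XCCDF benchmark (profiles, policy counts, severity breakdown)
without a stylesheet-based viewer. Added example; not Cavirin platform code."""
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace used by DISA STIG XCCDF 1.1 benchmarks (assumption for this example).
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}

# Constructed sample benchmark: ids, titles and profile names are invented.
SAMPLE_BENCHMARK = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Example_STIG">
  <title>Example Member Server STIG (constructed sample)</title>
  <Profile id="MAC-1_Classified">
    <title>I - Mission Critical Classified</title>
    <select idref="V-EX-0001" selected="true"/>
    <select idref="V-EX-0002" selected="true"/>
    <select idref="V-EX-0003" selected="true"/>
  </Profile>
  <Profile id="MAC-3_Public">
    <title>III - Administrative Public</title>
    <select idref="V-EX-0001" selected="true"/>
    <select idref="V-EX-0003" selected="false"/>
  </Profile>
  <Group id="V-EX-0001">
    <title>Account lockout</title>
    <Rule id="SV-EX-0001r1_rule" severity="medium">
      <title>The account lockout threshold must be configured.</title>
    </Rule>
  </Group>
  <Group id="V-EX-0002">
    <title>Anonymous access</title>
    <Rule id="SV-EX-0002r1_rule" severity="high">
      <title>Anonymous enumeration of shares must be restricted.</title>
    </Rule>
  </Group>
  <Group id="V-EX-0003">
    <title>Audit policy</title>
    <Rule id="SV-EX-0003r1_rule" severity="low">
      <title>Audit policy must cover logon events.</title>
    </Rule>
  </Group>
</Benchmark>
"""


def load_benchmark(xml_text):
    """Parse benchmark XML into two lookups:
    profiles: profile id -> set of selected group ids
    groups:   group id   -> {rule_id, severity, title}"""
    root = ET.fromstring(xml_text)
    profiles = {}
    for prof in root.findall("x:Profile", XCCDF_NS):
        selected = {
            sel.get("idref")
            for sel in prof.findall("x:select", XCCDF_NS)
            # XCCDF marks deselected rules with selected="false"; skip those.
            if sel.get("selected", "false").lower() == "true"
        }
        profiles[prof.get("id")] = selected
    groups = {}
    for grp in root.findall("x:Group", XCCDF_NS):
        rule = grp.find("x:Rule", XCCDF_NS)
        groups[grp.get("id")] = {
            "rule_id": rule.get("id"),
            "severity": rule.get("severity", "unknown"),
            "title": rule.findtext("x:title", default="", namespaces=XCCDF_NS),
        }
    return profiles, groups


def policy_counts(profiles):
    """Number of selected policies per profile (the 'Counts' feature above)."""
    return {pid: len(selected) for pid, selected in profiles.items()}


def severity_breakdown(profiles, groups, profile_id):
    """Low/medium/high tally for the policies a profile actually selects."""
    tally = Counter()
    for group_id in profiles[profile_id]:
        # Unknown idrefs would be a malformed benchmark; surface them as 'unknown'.
        tally[groups.get(group_id, {}).get("severity", "unknown")] += 1
    return dict(tally)


if __name__ == "__main__":
    profiles, groups = load_benchmark(SAMPLE_BENCHMARK)
    for pid, count in policy_counts(profiles).items():
        print(pid, count, severity_breakdown(profiles, groups, pid))
```

Run it against a real DISA benchmark by reading the `*-xccdf.xml` file into `load_benchmark` instead of `SAMPLE_BENCHMARK`; the profile ids and counts it prints are the same numbers a policy browser would display for that STIG, and the severity tally is the raw material for the per-severity reporting described above.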
This report can be exported in various formats. Also, the interactive tabular results allow you to slice and dice the data and provide you with actionable insights. You could export remediation steps from here, or, if you have deployed DevOps tools such as Chef, then you could launch an enforcement workflow to fix the problems.
So, what do you say? Isn’t applying DISA STIGs easy? The Cavirin platform does the heavy lifting for you and makes it easy for you to apply DISA STIGs and take control of securing your mission critical workloads.