Get My Score

Blog

I am pleased to announce the availability of DISA STIGs on the Cavirin’s next generation Platform. Cavirin DISA STIG support provides several new security baselines for assessing and securing mission critical and several value-adds to DISA STIG assessments that ease implementation and usability.  These include browsing, as well as assessment and reporting.

 

DISA STIGs Browsing

DISA does not provide an easy to navigate mechanism for browsing the STIGs, requiring the user to work with XML and stylesheets.  There are no spreadsheets, pdfs, or detailed documentation, requiring the user to  work with the XML and the enclosed stylesheets to browse the content. If you are like me, perhaps, you have been using the STIG viewer for a long time.

0
0
0
s2sdefault

With the release of Cavirin 1.2, we’re upping the game in providing a comprehensive hybrid infrastructure security solution that spans on-premise, multiple clouds, and Docker. Note that this solution goes beyond cloud-account level security provided by CISPA (Cloud Infrastructure Security Posture Assessment) vendors or most CWPPs (Cloud Workload Protection Platforms).  Our belief is that true control of the cloud can only be accomplished by both cloud account as well as individual virtual or Docker instance level visibility, and the two must tie together. Key new capabilities include multi-cloud support, continuous monitoring, ‘Cavirin Secure’ DevSecOps scripting, true enterprise scalability, and additional 3rd party integrations. The platform’s scalability, usability, and DevOps capabilities were also recognized in a recently published SC Magazine product review with both a 5-star rating and recommendation.

True Multi-Cloud Support

As enterprises migrate critical workloads to the cloud, they increasingly leverage or are planning to leverage multiple CSPs.  For example, they may initially deploy on AWS, but place live or standby workloads on Azure for resiliency, geography, cost, or application compatibility reasons.  Cavirin now supports workloads across the three major clouds – AWS, Azure, and GCP – and has built a powerful abstraction layer that will permit our customers to deploy across other CSPs in the future.  The new hybrid enterprise requires a solution that spans all four deployment domains – on-premise, the cloud platform, cloud instances, and containers. We uniquely deliver a solution meeting this requirement.

0
0
0
s2sdefault

The need to have strong security practices in place to protect sensitive government data from outside threats has never been greater.  By December 31, 2017, the Department of Defense will require NIST SP 800-171 compliance for all its contracts that handle controlled unclassified information (CUI) outside of government agencies. 

According to the U.S. Nation Archives and Record Administration “CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended”.  In other words, it’s unclassified sensitive information that the US federal government believes should be protected to assure minimal risk of cyberattacks on America.  This includes citizen’s financial, legal, higher education, immigration, tax and healthcare records plus organizations patent, proprietary business, and SAFETY Act Information.   You can find the complete list of categories and sub-categories (with descriptions) on the National Archives Web site.  

0
0
0
s2sdefault

There is a great deal of interest in the NIST CSF and how to apply it within an organization.  Cavirin recently hosted a webinar detailing the rationale behind the framework, the suggested implementation process, and most importantly, the actual mapping to specific policies and controls.  Here, we detail this third point.

The CSF outlines five major functions – Identify, Protect, Detect, Respond, and Recover.  Using Identify as an example, the workflow is as follows:

So, mapping of the CSF to an organization’s environment is first accomplished by selecting the proper reference and control, and then selecting the Target of Evaluation, aka the operating system to which the control applies.  In the example above, ‘Ensuring separate partition exists for /tmp’ is one of literally dozens of controls that apply to RHEL7 and within ID-RA-1.  The audit and remediation for this is detailed within the CIS Red Hat Enterprise Linux 7 Benchmark, and specifically section 1.1.2.

We detail how this workflow matches the Cavirin Platform implementation, in our new infographic, as well as in a whitepaper available via NIST.   Visit https://www.cavirin.com/solutions/nist-support.html to learn more!     

 

0
0
0
s2sdefault

Cavirin provides vulnerability assessments for your operating systems (in the cloud, on-premise or hybrid) as well as Docker Images. This article shares vulnerability trending insights we have seen when working on vulnerability analysis project and training our risk reporting algorithms. 

Cavirin platform uses a synchronized feed from the NIST National Vulnerability Database. This feed directly provides the Common Vulnerabilities and Exposures (CVEs) severity and base score that is used in its risk scoring algorithm to project the risk posture from unpatched vulnerabilities

0
0
0
s2sdefault

From minimal use just a few short years ago, containers, and most notably Docker, has gained nearly 30% penetration. This container penetration is primary with DevOps; but it crosses production environments and all sizes of environments. Unfortunately, with early adoption there was less of a focus on security. This has been rectified over the past year or so, with security solutions for images, containers, and orchestration now available. However, any container security solution must be agile enough to echo the speed at which containers are created and destroyed if the chance of a breach is to be minimized. Legacy scanning architectures won’t suffice. 

0
0
0
s2sdefault

© 2018 Cavirin Systems, Inc. All rights reserved.