As a gold-standard for cybersecurity and the foundation for many of the new standards and regulations starting to emerge today, the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework is more important than ever. Developed as a public and private sector collaboration led by NIST under a presidential executive order to improve critical infrastructure cybersecurity, the NIST Cybersecurity Framework soon scaled beyond energy and critical infrastructure - its outcomes-based approach allowed it to apply to almost any sector and any business size. The NIST Framework is built on three main pillars: the Framework Core, Profiles, and Implementation Tiers. Here, we’ll be diving into the Framework Core and the five functions within it: identify, protect, detect, respond, and recover.
NIST defines the framework core as "a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level".
For the first function of the framework, identify, NIST states the need to "develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities". The focus of identify is on the business and how it relates to cybersecurity risk, especially taking into account the resources at hand. Examples of outcome Categories associated with this function include:
- Asset Management
- Business Environment
- Risk Assessment
- Risk Management Strategy
The identify function lays the groundwork for the cybersecurity-related actions your organization will take moving forward. Identifying what exists, what risks are associated with those environments, and how those risks relate to your business goals is crucial to success with the Framework.
Successful implementation of the identify function leads organizations to have a strong grasp of all assets and environments that are part of the enterprise, to define the current and desired states of the controls that protect those assets, and to build a plan to move from the current state to the desired state of security. The result is a clearly defined picture of an organization’s cybersecurity posture that can be articulated to both technical and business-side stakeholders.
Overall, NIST states that the Framework functions "aid an organization in expressing its management of cybersecurity risk by organizing information, enabling risk management decisions, addressing threats, and improving by learning from previous activities".
The protect function is important because its purpose is to "develop and implement appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Identity Management and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology" according to NIST.
Where identify focuses primarily on baselining and monitoring, protect is where the Framework starts to become more proactive. The protect function covers categories such as access control and awareness and training. In practice, these categories and the protect function as a whole show up as two- and multi-factor authentication to control access to assets and environments, and as employee training to reduce the risk of accidents and social-engineering breaches.
With breaches becoming increasingly common, employing proper protocols and policies to reduce the risk of a breach is becoming especially crucial. The protect function of the Framework acts as the guide and dictates the necessary outcomes to achieve that goal.
The detect function requires the development and implementation of the appropriate activities to recognize the occurrence of a cybersecurity event.
"The detect function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes".
- Anomalies & Events: The program will detect unusual activity as soon as possible, and the impact of events is understood by everyone on your team and beyond.
- Security Continuous Monitoring: Information systems and environments are monitored at specified intervals to identify cyber events within the organization.
- Detection Processes: Procedures and processes for detection are put in place and tested in order to ensure timely and broad awareness of cyber events.
The detect function is a critical step toward a robust cyber program: the faster a cyber event is detected, the faster its repercussions can be mitigated.
Examples of how to accomplish steps towards a thorough detect function:
- Anomalies & Events: Ensure your team has the knowledge to collect and analyze data from multiple points in order to detect an event.
- Security Continuous Monitoring: Equip your team to monitor your assets 24/7, or consider engaging a managed security service (MSS) to supplement them.
- Detection Processes: Aim to know about a breach as soon as possible and follow disclosure requirements as needed. Your program should be able to detect inappropriate access to your data as soon as possible.
Detecting a breach or event can be life or death for your business, making the detect function of the Cybersecurity Framework absolutely critical to both security and business success. Following these best practices and implementing these solutions will help you scale your program and mitigate cybersecurity risk.
NIST defines the respond function as "Develop and implement appropriate activities to take action regarding a detected cybersecurity incident".
"The Respond Function supports the ability to contain the impact of a potential cybersecurity incident. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements".
The respond function employs response planning, analysis, and mitigation activities to ensure that the cybersecurity program is in a state of continuous improvement.
Starting with an incident response plan is a strong first step to adopting the respond function - ensuring compliance with necessary reporting requirements for a given location and industry. A good next step is a mitigation plan - what are the steps that your team will take to remediate identified risks to your program and organization?
"The Framework Core then identifies underlying key Categories and Subcategories for each Function and matches them with example Informative References such as existing standards, guidelines, and practices for each Subcategory" - NIST CSF
According to NIST, Recover is defined as the need to "develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcomes for this function include: Recovery Planning, Improvements, and Communications."
Recover includes these areas:
- Recovery Planning: Recovery procedures are tested, executed, and maintained so that your program can mitigate the effects of an event sooner rather than later
- Improvement: Recovery planning and processes are improved when events happen and areas for improvement are identified and solutions put together
- Communication: Coordinate internally and externally for greater organization, thorough planning, and execution
The recover function is important not only in the eyes of the business and security team but also in the eyes of customers and the market. Swift recovery with grace and tactfulness puts businesses in much better positions internally and externally than otherwise. Aligning a recovery plan will help ensure that, if a breach does occur, the business will be able to stay on track to achieve the necessary goals and objectives.
Implementing the NIST Cybersecurity Framework
Implementing cybersecurity based on the NIST Cybersecurity Framework can be a challenge, but it is a worthwhile one. Because the Framework is based on outcomes rather than specific controls, it allows organizations to build from a strong foundation and supplement it to achieve compliance with new regulations as they emerge. Further, a NIST Cybersecurity Framework assessment helps enable continuous compliance and supports communication between technical and business-side stakeholders.
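As an added example (not code from the article or from NIST), the following Python models the Framework Core hierarchy described above, Functions down to the Categories the article names, and performs the current-versus-target profile comparison that the identify section and a Framework assessment call for. The 0-4 per-category score and the two sample profiles are constructed assumptions for the example; the category identifiers are the CSF 1.1 ones.

```python
from collections import namedtuple

# Framework Core subset, Function -> {category id: category name}. The names are the ones
# the article quotes; the identifiers are the CSF 1.1 category IDs.
CORE = {
    "Identify": {"ID.AM": "Asset Management", "ID.BE": "Business Environment",
                 "ID.RA": "Risk Assessment", "ID.RM": "Risk Management Strategy"},
    "Protect": {"PR.AC": "Identity Management and Access Control",
                "PR.AT": "Awareness and Training", "PR.DS": "Data Security",
                "PR.IP": "Information Protection Processes and Procedures",
                "PR.MA": "Maintenance", "PR.PT": "Protective Technology"},
    "Detect": {"DE.AE": "Anomalies and Events", "DE.CM": "Security Continuous Monitoring",
               "DE.DP": "Detection Processes"},
    "Respond": {"RS.RP": "Response Planning", "RS.CO": "Communications",
                "RS.AN": "Analysis", "RS.MI": "Mitigation", "RS.IM": "Improvements"},
    "Recover": {"RC.RP": "Recovery Planning", "RC.IM": "Improvements", "RC.CO": "Communications"},
}
# Assumed 0-4 per-category score (0 = not assessed, 4 = outcome fully achieved). This is a
# constructed scale for the example, not NIST's organization-wide Implementation Tiers.
MAX_SCORE = 4
# Reverse index: category id -> (Function, name), used to validate profile entries.
CATEGORY_INDEX = {cid: (fn, name) for fn, cats in CORE.items() for cid, name in cats.items()}
Gap = namedtuple("Gap", "function category name current target")

def gap_analysis(current, target):
    """Categories whose target score exceeds the current one, largest shortfall first.
    Categories absent from the current profile count as unassessed (score 0)."""
    gaps = []
    for category, want in target.items():
        if category not in CATEGORY_INDEX:
            raise KeyError(f"unknown Framework Core category: {category}")
        if not 0 <= want <= MAX_SCORE:
            raise ValueError(f"{category}: target {want} outside 0..{MAX_SCORE}")
        function, name = CATEGORY_INDEX[category]
        have = current.get(category, 0)
        if want > have:
            gaps.append(Gap(function, category, name, have, want))
    return sorted(gaps, key=lambda g: (g.current - g.target, g.category))

def function_summary(current, target):
    """Average current and target score per Function, for reporting to business stakeholders."""
    out = {}
    for function, categories in CORE.items():
        have = [current.get(c, 0) for c in categories]
        want = [target.get(c, current.get(c, 0)) for c in categories]
        out[function] = (round(sum(have) / len(have), 2), round(sum(want) / len(want), 2))
    return out

# Constructed sample profiles (category id -> score); anything not listed is unassessed (0).
CURRENT_PROFILE = {"ID.AM": 2, "ID.RA": 1, "PR.AC": 3, "DE.CM": 1, "RS.RP": 2, "RC.RP": 1}
TARGET_PROFILE = {"ID.AM": 3, "ID.RA": 3, "ID.RM": 2, "PR.AC": 3, "DE.CM": 3, "RS.RP": 3, "RC.RP": 3}
```

Calling `gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)` yields the prioritized remediation list, and `function_summary` gives the per-Function view that can be shown to non-technical stakeholders.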