Cybriant offers tiered cyber security services through PREtect. Each service offered through PREtect has a solution that will help you meet the NIST cybersecurity framework.
Which cybersecurity framework do you use? We discussed the importance of a framework in this previous post. A framework is a standardized methodology for selecting, implementing, testing, and maintaining a set of security measures, also called security controls. There are many frameworks to choose from: NIST, ISO, NERC, PCI, and so on. The point is that you want to compare yourself against a known yardstick.
We prefer NIST CSF and recommend this to our clients.
What is the NIST Cybersecurity Framework?
The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (CSF) calls for “a set of industry standards and best practices to help organizations manage cybersecurity risks.”
Organizations can use the CSF to take a risk-based approach to align their security processes with business requirements. Because the CSF is not intended to be a “one size fits all” approach, Cybriant’s solution is scalable across all organizational sizes and can be adapted for specific use across multiple industries.
The Cybersecurity Framework was released in February 2014 as a result of Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” which was signed on February 12, 2013. The CSF was created through collaboration between the United States government and the private sector and focuses on aligning business needs and priorities with cybersecurity and risk management. The CSF consists of three parts: the Core, the Implementation Tiers and the Profile. The Core identifies cybersecurity activities and practices that are common across critical infrastructure sectors.
These activities and practices are grouped into five Functions: Identify, Protect, Detect, Respond and Recover. The Implementation Tiers provide entities with context for managing cybersecurity risks and applying a plan to their specific organization. Profiles are used to match cybersecurity objectives to business requirements, risk tolerance, and resources.
Let’s talk about PREtect.
PREtect is a tiered cybersecurity service that will help optimize the protection of data assets and the detection of malicious events by addressing the most common vulnerabilities in the enterprise.
PREtect is offered in 3 tiers:
CORE: Continuous cyber threat detection through Managed SIEM
ADVANCED: CORE plus Managed Endpoint Detection and Response
PREMIUM: ADVANCED plus vulnerability and patch management
It’s possible to leverage Cybriant PREtect PREMIUM to help meet the guidelines and practices outlined in the CSF through automation of its technical controls.
How to use PREtect PREMIUM to meet NIST Cybersecurity Framework Guidelines
In terms of its network security feature set, PREtect PREMIUM supports over 90% of the CSF’s technical controls. With our real-time vulnerability management solution, it is also extremely powerful for communicating CSF conformance results to many different internal and external stakeholders.
PREtect gives you continuous assurance that your security program is working. Capabilities include:
- Information on which assets are connected to the network and how they are communicating
- Active monitoring of host activities and events, including who is accessing them and what is changing
- Identification of previously unknown resources, changes in behavior and new application usage
- Near real-time metrics for continuous security and compliance
- Correlation of real-time activity with state-based vulnerability data
- Highly customizable dashboards, reports, and workflows for rapid response
- Communication of consolidated metrics
- Trends across systems, services, and geographies
- Role-based control of team member permissions
- PREMIUM analytics with actionable information and trending to prioritize events/alerts
PREtect PREMIUM enables organizations to automate the NIST Cybersecurity Framework’s technical controls by bringing together active scanning and passive monitoring, configuration auditing, host event and data monitoring and analysis, and reporting and alerting, along with risk classification, assessment, and mitigation, in a scalable enterprise security system.
Once an organization begins to use the NIST Cybersecurity Framework Core as a baseline for its cybersecurity and risk activities, PREtect PREMIUM makes it easier to take the step towards developing a detailed Target Profile that is both achievable and manageable.
Definitions of each function are quoted from the NIST Cybersecurity Framework, and several examples are explained below.
The activities in the Identify Function are foundational for effective use of the NIST Cybersecurity Framework.
Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.
Using the Risk Assessment category as an example, there are three technical controls, all of which can be automated or supported with the use of PREtect PREMIUM. Subcategory ID.RA-2 requires that “Threat and vulnerability information is received on a daily basis from information sharing forums and sources.”
Through our technology partners, PREtect PREMIUM updates its vulnerability information and threat intelligence, provided by multiple third parties, on a daily basis. The Risk Assessment category has two other subcategories that state “Asset vulnerabilities are identified and documented” and “Threats, both internal and external, are identified and documented.” Both of these subcategories are also automated through active scanning, passive monitoring and event analysis.
The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.
Using the Information Protection Processes and Procedures category as an example, PREtect has numerous capabilities to automate the technical controls. Examples include:
- PR.IP-1: Baselines are created and maintained
- PR.IP-2: System development lifecycle to manage systems is implemented
- PR.IP-3: Configuration change control processes are in place
The CSF contains 22 technical subcategories for Protect, 19 of which are automated or supported by PREtect PREMIUM. For example, PREtect PREMIUM performs baseline audits, which allow Cybriant to compare systems against a “standard image,” and it can also alert when configuration changes are made on endpoint devices and systems.
The Detect Function enables the timely discovery of cybersecurity events. Examples of outcome Categories within this Function include Anomalies and Events; Security Continuous Monitoring; and Detection Processes.
Using the Security Continuous Monitoring category as an example, PREtect PREMIUM has numerous automated capabilities to fulfill these controls. Examples include:
- DE.CM-1: Network is monitored to detect potential cybersecurity events
- DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
- DE.CM-4: Malicious code is detected
- DE.CM-5: Unauthorized mobile code is detected
The CSF contains 14 technical subcategories for Detect, 13 of which are automated or supported by PREtect PREMIUM. For example, through active and agent scanning, continuous listening and host data analysis, PREtect PREMIUM can observe network and user activity, detect vulnerabilities and events, and alert and report on these as part of an overall cybersecurity plan.
The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include Response Planning; Communications; Analysis; Mitigation; and Improvements.
The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include Recovery Planning; Improvements; and Communications.
The Respond and Recover Functions consist of categories and subcategories that are mostly administrative in nature, such as “Response plan is executed during or after an event,” “Recovery plans incorporate lessons learned,” and “Public relations are managed.” PREtect PREMIUM’s capabilities are focused primarily on the CSF’s technical controls, and although some exceptions exist, PREtect PREMIUM does not provide full support for the administrative Respond and Recover Functions.
Concurrent and Continuous Monitoring
Strong security, as prescribed in the CSF, requires broad visibility of extended networks, including IT systems, industrial control systems (ICS), virtual infrastructure, cloud, and BYOD. This visibility cannot rely solely on point-in-time data acquisition; it requires continuous, real-time data. The technology behind PREtect PREMIUM acquires security data from across the organization, using sources such as network traffic, virtual systems, mobile device management, patch management, and host activity monitoring, as well as external sources of threat intelligence, to feed an intelligent monitoring system. It analyzes this data to identify and prioritize anomalies and suspicious behavior so our team can effectively investigate and resolve them.