How to Meet the Guidelines for the NIST Cybersecurity Framework
Cybriant offers tiered cyber security services through CybriantXDR. Each service offered through CybriantXDR has a solution that will help you meet the NIST cybersecurity framework.
Which cybersecurity framework do you use? We discussed the importance of a framework in this previous post. A framework is a standardized methodology for selecting, implementing, testing, and maintaining a set of security metrics, also called security controls. There are many frameworks to choose from; NIST, ISO, NERC, PCI, etc., etc. The point is that you want to compare yourself against a known yardstick.
We prefer NIST CSF and recommend this to our clients.
What is the NIST Cybersecurity Framework?
National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (CSF), which calls for “a set of industry standards and best practices to help organizations manage cybersecurity risks.”
Organizations can use the CSF to take a risk-based approach to align their security processes with business requirements. Because the CSF is not intended to be a “one size fits all” approach, Cybriant’s solution is scalable across all organizational sizes and can be adapted for specific use across multiple industries.
The Cybersecurity Framework was released in February 2014 as a result of Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” which was signed on February 12, 2013. The CSF was created through collaboration between the United States government and the private sector and places a focus on aligning business needs and priorities with cybersecurity and risk management. The CSF is comprised of three parts: the Core, the Implementation Tiers and the Profile. The Core identifies cybersecurity activities and practices that share a commonality across critical infrastructure sectors.
These activities and practices are grouped into five Functions: Identify, Protect, Detect, Respond and Recover. The Implementation Tiers provide entities with context for managing cybersecurity risks and applying a plan to their specific organization. Profiles are used to match cybersecurity objectives to business requirements, risk tolerance, and resources.
CybriantXDR enables organizations to automate the NIST Cybersecurity Framework’s technical controls by bringing active scanning and passive monitoring, configuration auditing, host event, and data monitoring and analysis, reporting and alerting together with risk classification, assessment, and mitigation in a scalable enterprise security system.
Once an organization begins to use the NIST Cybersecurity Framework Core as a baseline for its cybersecurity and risk activities, CybriantXDR makes it easier to take the step towards developing a detailed Target Profile that is both achievable and manageable.
Definitions of each function are quoted from the NIST Cybersecurity Framework, and several examples are explained below.
Identify:
The activities in the Identify Function are foundational for effective use of the NIST Cybersecurity Framework.
Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enable an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.
Using the Risk Assessment category as an example, there are three technical controls, all of which can be automated or supported with the use of CybriantXDR. Subcategory ID.RA-2 requires that “Threat and vulnerability information is received on a daily basis from information sharing forums and sources.”
Through our technology partners, CybriantXDR updates its vulnerability information and threat intelligence, provided by multiple third parties, on a daily basis. The Risk Assessment category has two other subcategories that state “Asset vulnerabilities are identified and documented” and “Threats, both internal and external, are identified and documented.” Both of these subcategories are also automated through active scanning, passive monitoring and event analysis.
Protect:
The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.
Using the Information Protection Processes and Procedures category as an example, CybriantXDR has numerous capabilities to automate the technical controls. Examples include:
- PR.IP-1: Baselines are created and maintained
- PR.IP-2: System development lifecycle to manage systems is implemented
- PR.IP-3: Configuration change control processes are in place
The CSF contains 22 technical subcategories for Protect, 19 of which are automated or supported by CybriantXDR
Detect:
The Detect Function enables the timely discovery of cybersecurity events. Examples of outcome Categories within this Function include Anomalies and Events; Security Continuous Monitoring; and Detection Processes.
Using the Security Continuous Monitoring category as an example, CybriantXDR has numerous automated capabilities to fulfill these controls. Examples include:
- DE.CM-1: Network is monitored to detect potential cybersecurity events
- DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
- DE.CM-4: Malicious code is detected
- DE.CM-5: Unauthorized mobile code is detected
The CSF contains 14 technical subcategories for Detect, 13 of which are automated or supported by CybriantXDR. For example, through active and agent scanning, continuous listening and host data analysis, CybriantXDR can observe network and user activity, detect vulnerabilities and events, and alert and report on these as part of an overall cybersecurity plan.
Respond:
The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include Response Planning; Communications; Analysis; Mitigation; and Improvements.
Recover:
The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include Recovery Planning; Improvements; and Communications.
The Respond and Recover Functions are comprised of categories and subcategories that are mostly administrative in nature, such as “Response plan is executed during or after an event,” “Recovery plans incorporate lessons learned,” and “Public relations are managed.” CybriantXDRs capabilities are focused primarily on the CSF’s technical controls, and although some exceptions exist, CybriantXDR does not provide full support for the administrative Respond and Recover Functions.
Concurrent and Continuous Monitoring
Strong security, as prescribed in the CSF, requires broad visibility of extended networks, including IT systems, industrial control systems (ICS), virtual infrastructure, cloud, and BYOD. This visibility cannot rely solely on point-in-time data acquisition; it requires continuous, real-time data. The technology behind CybriantXDR acquires security data from across organizations, using sources such as network traffic, virtual systems, mobile device management, patch management, host activity, and monitoring, as well as external sources of threat intelligence to feed an intelligent monitoring system. It analyzes this data to identify and prioritize anomalies and suspicious behavior so our team can effectively investigate and resolve them.
Protect Your Business with Cybriant’s IT Security Best Practices Checklist
