How to Meet the Guidelines for the NIST Cybersecurity Framework

How to Meet the Guidelines for the NIST Cybersecurity Framework

Cybriant offers tiered cyber security services through CybriantXDR. Each service offered through CybriantXDR has a solution that will help you meet the NIST cybersecurity framework.

Which cybersecurity framework do you use? We discussed the importance of a framework in this previous post. A framework is a standardized methodology for selecting, implementing, testing, and maintaining a set of security metrics, also called security controls. There are many frameworks to choose from; NIST, ISO, NERC, PCI, etc., etc. The point is that you want to compare yourself against a known yardstick.

We prefer NIST CSF and recommend this to our clients.

What is the NIST Cybersecurity Framework?

National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (CSF), which calls for “a set of industry standards and best practices to help organizations manage cybersecurity risks.”

Organizations can use the CSF to take a risk-based approach to align their security processes with business requirements. Because the CSF is not intended to be a “one size fits all” approach, Cybriant’s solution is scalable across all organizational sizes and can be adapted for specific use across multiple industries.

The Cybersecurity Framework was released in February 2014 as a result of Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” which was signed on February 12, 2013. The CSF was created through collaboration between the United States government and the private sector and places a focus on aligning business needs and priorities with cybersecurity and risk management. The CSF is comprised of three parts: the Core, the Implementation Tiers and the Profile. The Core identifies cybersecurity activities and practices that share a commonality across critical infrastructure sectors.

These activities and practices are grouped into five Functions: Identify, Protect, Detect, Respond and Recover. The Implementation Tiers provide entities with context for managing cybersecurity risks and applying a plan to their specific organization. Profiles are used to match cybersecurity objectives to business requirements, risk tolerance, and resources.

CybriantXDR enables organizations to automate the NIST Cybersecurity Framework’s technical controls by bringing active scanning and passive monitoring, configuration auditing, host event, and data monitoring and analysis, reporting and alerting together with risk classification, assessment, and mitigation in a scalable enterprise security system.

Once an organization begins to use the NIST Cybersecurity Framework Core as a baseline for its cybersecurity and risk activities, CybriantXDR makes it easier to take the step towards developing a detailed Target Profile that is both achievable and manageable.

Definitions of each function are quoted from the NIST Cybersecurity Framework, and several examples are explained below.


The activities in the Identify Function are foundational for effective use of the NIST Cybersecurity Framework.

Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enable an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.

Using the Risk Assessment category as an example, there are three technical controls, all of which can be automated or supported with the use of CybriantXDR. Subcategory ID.RA-2 requires that “Threat and vulnerability information is received on a daily basis from information sharing forums and sources.”

Through our technology partners, CybriantXDR updates its vulnerability information and threat intelligence, provided by multiple third parties, on a daily basis. The Risk Assessment category has two other subcategories that state “Asset vulnerabilities are identified and documented” and “Threats, both internal and external, are identified and documented.” Both of these subcategories are also automated through active scanning, passive monitoring and event analysis.


The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.

Using the Information Protection Processes and Procedures category as an example, CybriantXDR has numerous capabilities to automate the technical controls. Examples include:

  • PR.IP-1: Baselines are created and maintained
  • PR.IP-2: System development lifecycle to manage systems is implemented
  • PR.IP-3: Configuration change control processes are in place

The CSF contains 22 technical subcategories for Protect, 19 of which are automated or supported by CybriantXDR


The Detect Function enables the timely discovery of cybersecurity events. Examples of outcome Categories within this Function include Anomalies and Events; Security Continuous Monitoring; and Detection Processes.

Using the Security Continuous Monitoring category as an example, CybriantXDR has numerous automated capabilities to fulfill these controls. Examples include:

  • DE.CM-1: Network is monitored to detect potential cybersecurity events
  • DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
  • DE.CM-4: Malicious code is detected
  • DE.CM-5: Unauthorized mobile code is detected

The CSF contains 14 technical subcategories for Detect, 13 of which are automated or supported by CybriantXDR. For example, through active and agent scanning, continuous listening and host data analysis, CybriantXDR can observe network and user activity, detect vulnerabilities and events, and alert and report on these as part of an overall cybersecurity plan.


The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include Response Planning; Communications; Analysis; Mitigation; and Improvements.


The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include Recovery Planning; Improvements; and Communications.

The Respond and Recover Functions are comprised of categories and subcategories that are mostly administrative in nature, such as “Response plan is executed during or after an event,” “Recovery plans incorporate lessons learned,” and “Public relations are managed.” CybriantXDRs capabilities are focused primarily on the CSF’s technical controls, and although some exceptions exist, CybriantXDR does not provide full support for the administrative Respond and Recover Functions.

Concurrent and Continuous Monitoring

Strong security, as prescribed in the CSF, requires broad visibility of extended networks, including IT systems, industrial control systems (ICS), virtual infrastructure, cloud, and BYOD. This visibility cannot rely solely on point-in-time data acquisition; it requires continuous, real-time data. The technology behind CybriantXDR acquires security data from across organizations, using sources such as network traffic, virtual systems, mobile device management, patch management, host activity, and monitoring, as well as external sources of threat intelligence to feed an intelligent monitoring system. It analyzes this data to identify and prioritize anomalies and suspicious behavior so our team can effectively investigate and resolve them.

Protect Your Business with Cybriant’s IT Security Best Practices Checklist


Get Started With CybriantXDR

Is My Company Secure?

Is My Company Secure?

Saying “My company is secure” is like saying “My team scored 27 tonight”. The metric doesn’t matter if you have nothing to compare it against.

Enter the framework.

A framework is a standardized methodology for selecting, implementing, testing, and maintaining a set of security metrics, also called security controls. There are many frameworks to choose; NIST, ISO, NERC, PCI, etc., etc. The point is that you want to compare yourself against a known yardstick.

Without this comparison, it is very easy to enter a never-ending cycle of buying the next security wiz-bang product, implementing the wrong controls for your environment, or hiring a consultant to test something that really doesn’t need to be tested. Frameworks are like a lighthouse in the middle of fog as they help guide you to your objective, overall security, by steering you around would be obstacles. So how do you choose a framework?


Often the framework is chosen for you. Maybe you have credit card data (PCI), health information (HIPAA), or are a publicly traded company (SOX) in which it is mandated that you comply. There may be a push from upper management to appease a customer or the latest hack has scared them straight. In that case, you need to establish the framework that fits your corporation best. Choosing the framework is outside the scope of this article, but there are many sources on choosing a framework.

Once you have chosen a framework the real work begins. Each framework is unique, but they all follow the same basic pattern. Select the security controls for your environment, implement those controls, test the effectiveness of the controls, and finally make sure that controls are persistent as the environment inevitably changes.

Related: Security Benefits of Identity and Access Management

Selecting a Security Framework

In this portion of the process, we will be selecting which controls apply to your environment. For example, let’s say we process credit cards. While one company may take the credit card data and use it in a self-developed system to acquire information, another may never see that data by using a point-to-point encryption device. This would completely change how to apply the PCI framework to our environment. The framework will provide instructions and rules on how to apply the framework to your environment and what should be included or not but, ultimately it will be an interactive process with data owners and security.

Related: The Case for Cyber Threat Hunting


The rubber meets the road at this stage. Here we will be applying the security control requirements to the pertinent systems. This is not going to be a step-by-step guide. Remember the framework is built so that many different organizations with different technologies can apply the recommendations to their environment. This will require converting phrases such as “the organization approves and monitors non-local maintenance and diagnostic activities” into auditing SCOM events.


Far too many people jump to this stage of the process. Many consider testing the definition of information security. Penetration testing, vulnerability scans, and social engineering produce volumes of “look what we did” reports. However, a stack of paper defining what should be done at this moment is not a plan, it’s a band-aid. The question is, what is the use of trying to follow a framework and implementing a slew of security controls only to say, “I think it’s working”. We must verify.


Now for the boring phase. This is the day-to-day assurance that what you have put in place is working. Think “who watches the watchers”. We are wanting to put in place the tools that will alert us to any deviation to the plan. Perform security is not a point in time point-in-time is now, it is looking ahead to what could be and be planning for many contingencies as possible. Monitoring is a critical step in not only establishing our security program but, the success of that program over time.

By using a framework, we are converting information security from something that is at best a hodgepodge of duct tape into a strategy. The strategy takes us from reaction to prevention and that takes us from front news to boring company a that protects its customers. In security, you want to be boring.

Cybriant is a holistic cybersecurity service provider which enables small and mid-size companies to deploy and afford the same cyber defense strategies and tactics as the Fortune 500. We design, build, manage, and monitor cybersecurity programs. Follow Cybriant @cybriantmssp and cybriant.com.



Top Cyber Security Testing Tools

Related: https://cybriant.com/cyber-security-assessment/

Not sure where to start?

Schedule a conversation. We are really nice cybersecurity experts. We’ll walk you through the process and if you would like to use our services, great. If not, that’s fine, too. We are here to help.
Why do you need a Managed Security Service Provider (MSSP)?

Why do you need a Managed Security Service Provider (MSSP)?

MSSPs today offer extremely advanced tools and possess the expertise needed to run them. But, it’s understandable that your company may have some concerns about turning over any security-related functions to an outside provider.

An Enterprise Strategy Group survey reported that 57% of 340 surveyed IT and security professionals reported that they are currently using an MSSP in some capacity to protect their company. The reasons may include the fact that many internal security initiatives struggle to get adequate funding and teams often lack the skills, tools, and people to deploy security programs to their enterprise.

According to Tech Target, the pros of outsourcing security services to an MSSP include the following:

  • Capital expenditures are kept to a minimum.
  • There’s a dedicated expert staff for the protection of critical assets.
  • Typically, the largest expenditure—for IT personnel – is greatly reduced.
  • There is continuous security monitoring.
  • Enterprises do not have to spend funds on training, office space, equipment, software tools, and other operating costs.
  • The cost of a managed service is significantly less than maintaining the same level of service in-house.

While the financial benefits are significant, your organization will still need a foundational security program, like NIST CSF.

NIST CSF is guidance, based on standards, guidelines, and practices, for organizations to better managed and reduce cybersecurity risk. The recommended cybersecurity framework includes 5 functions:

Identify – develop the organizational understanding of managed cybersecurity risk to systems, assets, data, and capabilities.
Protect – Develop and implement the appropriate safeguards to ensure the delivery of critical infrastructure services.
Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

Find out more about our managed services. 

Have you heard of PREtect?