What is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework is a technology neutral security structure built upon cutting-edge global standards, existing guidelines, and developed practices that is capable of evolving to meet business requirements and keep up with technological advancement. The NIST Cybersecurity Framework is intended as a complement to an organization’s existing cybersecurity strategy and risk management plan. It provides the means to continue with current policies and procedures, while also discovering areas of potential improvement, better means of communication, and/or increased industry alignment.
The NIST Cybersecurity Framework Core can be used by any sector with any infrastructure because it is adaptable, flexible, and based on business-driven implementation. The NIST Cybersecurity Framework is a top-ranked structural foundation on which a company can build the cybersecurity program best suited to their unique business profile.
The Core breaks the controls and practices into five service lanes to be addressed concurrently:
- Identify (ID)
- Protect (PR)
- Detect (DE)
- Respond (RS)
- Recover (RC)
Importance of the NIST Cybersecurity Framework
The NIST Cybersecurity Framework is built upon tried-and-true practices, so you can apply proven solutions to real problems by leveraging the framework for guidance. It enhances compliance with industry standards and regulations, as well as helps mitigate vulnerabilities by exposing previously unseen risk.
The framework also aids with zeroing in on a company’s true risks, increasing both efficiency and resource management. In addition, the NIST Cybersecurity Framework (CSF) refines asset management to ensure the company maintains accurate inventory.
While security teams understand the threat landscape and cybersecurity needs, stakeholders and other company teams don’t have this detailed understanding. NIST CSF bridges the gap between IT and business departments by laying a reasonable path that focuses on specific outcomes. The framework enhances conversations with these groups and helps explain why certain actions and resources are necessary to achieve a fully mature cybersecurity solution.
The five core functions of the NIST Cybersecurity Framework allow for a company to start at any point. Whether your company is using cutting edge cybertech or relying on legacy systems, there are benefits to be reaped by employing the framework.
When applying NIST CSF, a practitioner should leverage the framework against a controlset outlined by the NIST publication they are attempting to adhere to. For example, 800-53 rev5 (Security and Privacy Controls for Information Systems and Organizations) are often used as the core set of standards for healthcare organizations as it helps in protection of personally identifiable information (PII). The control spreadsheet outlines a list of controls or control enhancements outlined by the control text column (that is to say, ‘do i have this control?’). Often controls are satisfied by technologies you have or need to have in your environment. A solution such as Ordr could help meet the requirements of CM-8 (System Component Inventory) and satisfy PM-5 (System Inventory) requirements. These controls speak directly to the framework.
Let’s take an example for 800-53 mapped to the CSF for ID.AM-1: Physical devices and systems within the organization are inventoried. To satisfy this functional category and subcategory you need controls CM-8 and PM-5. As you see, to satisfy the CSF you need to first decide what publication you would like to adhere to. 800-53 is popular but others may be relevant to your organization and contain similar control maps.
The NIST Cybersecurity Framework Core Elements
The Core framework divides security activities into five high-level functions that include Identify, Protect, Detect, Respond, and Recover. As a whole, these functions provide a company with the means of managing risks by organizing all pertinent information, addressing potential threats, and continuously learning from previous ventures.
1. Identify (ID)
Identify is the NIST Cybersecurity Framework function that brings together business context, critical support functions and resources, and risk management. The goal of Identify is to define the critical business landscape for your organization so adequate protection can be implemented around it. Organizations should also consider all processes, procedures, and policies that revolve around the organization’s compliance regulation, legal considerations, risk factors, operational requirements, and environment.
This includes the following recommended tasks:
- Establish Asset Management policies and procedures, and identify all physical devices, systems, software platforms, and applications that are IT assets, including their criticality where possible.
- Establish an organization-wide security policy, and address cybersecurity issues/risks via governance and risk management policies and procedures.
- Determine the legal requirements and regulations to be enforced, including privacy requirements or civil liberties, and develop a method for the management of such.
- Identify and document any asset vulnerabilities, and utilize vulnerability and threat information available from information sharing forums and sources.
- Determine and document potential threats from both internal and external threat actors and evaluate threats, vulnerabilities, probabilities, and impacts to determine risks.
- Identify how the organization supports the business environment, including any supply chain roles or critical infrastructure implications.
- Identify constraints, priorities, assumptions, and risk tolerances to develop a supply chain risk management strategy.
Your organization should employ a platform that allows for passive discovery with in-depth details, agentless software tracking, and data flow monitoring. Ideally, this includes support of connected devices such as IoT, IoMT, and OT devices. This platform will be capable of providing relevant information to assist the risk management process, such as risk scores per device. The platform also should be able to identify and manage devices and/or communications that involve regulated data, such as payment card industry (PCI) data or medical information protected by HIPAA such as protected health information (PHI).
Consider a solution that can monitor incidents and risk for both traditional devices and IoT devices. The solution should be able to detect anomalies and network intrusions, as well as bad URL/site connections, with detailed trend analysis. A platform such as Ordr also provides a risk score to assist with prioritization, and should be capable of both scheduled and ad-hoc reporting.
2. Protect (PR)
The Protect function is about safeguarding to prevent, limit, or contain any impacts from potential cybersecurity incidents. It’s a crucial piece of ensuring the continued delivery of vital services.
This includes the following tasks:
- Manage both credentials and identities for authorized users and devices.
- Manage remote access.
- Use separation of duties and the principle of least privilege to help develop a robust method of access management.
- Protect network integrity, including network segregation where warranted.
- Protect data-at-rest.
- Formally manage assets in the transfer, removal, and disposition stages.
- Implement protections against data leaks.
- Keep the production environment separate from testing and development environments.
- Create and maintain a baseline configuration of IT/OT control systems.
- Implement a system development life cycle (SDLC) to manage systems.
- Develop and implement a vulnerability management plan.
- Control access to assets and systems while keeping in mind the least functionality principle.
- Protect both control networks in communications.
- A key piece of implementing Protective Technology is using a system that can restrict access to IoT and OT devices. Ordr’s offering is capable of tracking said devices and the communication patterns of each system.
A good solution should employ artificial intelligence (AI) that can establish baseline communication behavior and transform the baseline into security policies that are device specific, such as limiting traffic to only approved systems to reduce the IoT/IoMT/OT attack surface. As an example, microsegmentation policy can be created to limit IoT/IoMT/OT device communications such as restricting external communications as well as communications with internal systems not required for normal operations. A security platform such as Ordr can continuously monitor all communication and detect devices trying to connect to malicious sites, unauthorized networks, or receive malicious communications. Such a solution also provides domain separation between environments by creating and enforcing microsegmentation policy. Choose a solution that can track an asset’s SDLC as it relates to cybersecurity.
Another capability to look for in a solution is the ability to integrate security intel feeds as well as integration with a vulnerability management platform. Security intel feeds provide insights into known vulnerabilities and associated risk with the ability to identify impact to your environment. Vulnerability management capabilities will help to ensure that remediation and mitigation tasks can be coordinated and tracked across teams as you look to reduce or eliminate risk. Ordr’s offering is capable of integrating security intel feed data to identify connected devices with known vulnerabilities. The solution also provides native vulnerability management capabilities as well as the ability to integrate with other 3rd party vulnerability management tools.
3. Detect (DE)
Detect is the section of the NIST Cybersecurity Framework that focuses on the development and implementation of capabilities, tasks, and activities required to identify incidents precipitated by a cybersecurity event. This functionality enables the organization to discover cybersecurity incidents quickly and efficiently.
Consider these tasks:
- Establish a baseline of network operations and expected data patterns for systems and users and ensure it stays maintained.
- Analyze all detected events to understand attack methods and intended targets.
- Aggregate and correlate event data from multiple sensors and sources.
- Determine the impact of events.
- Establish incident alert thresholds.
- Monitor the network to detect any potential cybersecurity events.
- Monitor the physical environment to detect potential cybersecurity incidents.
- Use monitoring to detect unauthorized connections, software, devices, or personnel.
- Perform vulnerability scans.
- Communicate event detection information to all appropriate parties.
Choose a platform that provides the ability to detect malicious activity as well as a security dashboard based on a consolidated view of events, which can be further enhanced with criticality and MITRE kill chain step data. Your organization also can benefit from a platform that can provide real-time alerts filtered by security event types so specific staff can be notified, based on the affected asset. A high-quality solution should be capable of detecting and logging device moves, adds, and changes.
Ordr continuously monitors the network and employs intrusion detection capabilities to identify known malicious attack traffic. In addition the solution creates a baseline of normal behavior for each connected device and will detect abnormal deviations. With these capabilities Ordr can identify active threats, attempts to exploit vulnerabilities, and indications of compromise. Your platform should work with security information and event management (SIEM) and IT assessment management (ITAM) products so it can seamlessly integrate with existing workflows and procedures.
4. Respond (RS)
The Respond function of the NIST Cybersecurity Framework revolves around containing the impact of a potential cybersecurity event. It includes development and implementation of necessary activities to take action once a cybersecurity event has been detected.
Such recommended tasks include:
- Develop a response planning process and ensure that it’s executed when an incident is detected.
- Contain and mitigate incidents.
- Mitigate newly identified vulnerabilities and/or document them as accepted risks.
- Develop and manage a communication plan for stakeholders, both internal and external, and law enforcement for when incidents occur.
- Determine the impact of incidents by analyzing how effective the response plan is.
- Implement any revisions to the process based on lessons learned from incidents.
Ordr takes pride in being an ideal solution, as our platform uses automation to accelerate your response to an incident with the ability to create and apply next-generation firewall (NGFW) policies, quarantine VLAN assignment, access control list blocks, session termination, and port shutdown with a single click of a button. Ordr also provides details on the physical and network location for each device in the event that a technician needs to physically remove a device from the network or apply a patch by accessing the device directly.
5. Recover (RC)
The ability to recover from an incident needs to be both timely and effective. The quicker system restoration can be performed and operations can be returned to normal, the less impact the cyber incident has on your organization.
The NIST Cybersecurity Framework recommends these steps:
- Execute and maintain recovery procedures and processes to facilitate system restoration.
- Improve recovery processes and planning by incorporating findings and lessons learned into future solutions.
- Coordinate all restoration tasks with both internal and external parties.
Recovery is highly dependent on the circumstances of the attack, the attack method, and the level of complexity in the findings. Ordr’s ability identify the network and physical location of a device can aid in the system restoration process by enabling staff to quickly locate a device impacted by a cyber event that may need to be updated or reimaged. Ordr can also quickly move a quarantined device back to its normal network environment once upgrades, patches, or other remediation methods have been applied.
Use Ordr to Extend the NIST Cybersecurity Framework Throughout Your Organization
The NIST Cybersecurity Framework uses five specific service lanes that should be handled concurrently. The NIST Cybersecurity Framework is highly effective and can be used by any size organization in any industry.
The Identify function determines the who, what, when, and where of the cybersecurity configuration, while the Protect function employs safeguards and protects critical assets. Once you’ve dealt with the Detect function that monitors the network and roots out trouble, the Respond function launches the policies and procedures to combat an active cybersystem attack. Finally, Recovery involves the necessary activities to bring the system back to normal.
Ordr helps organizations extend the NIST Cybersecurity Framework to cover all of your assets, including IoT/IoMT/OT devices. With Ordr, you can rapidly inventory all assets in the domain, automatically classify them based on type and function, and assess each device for risk. It analyzes device communications to learn behaviors and creates device baselines to determine what communications the device requires for normal operations. From this baseline, Ordr can detect malicious activity and create policies to quickly stop active threats and quarantine compromised devices without disrupting the device, network, or enterprise operations. Ordr also uses device baselines to proactively improve protection via microsegmentation to logically segregate devices from non-essential areas.