The NIST Cybersecurity Framework (NIST CSF) is a helpful guide for organizations of any size that want to make sure they have the cybersecurity basics covered. The framework is structured in a way that lets smaller and newer organizations address key security concerns while enterprises and organizations handling sensitive data can advance through the more detailed recommendations in the full framework.
NIST: Getting Started with the NIST Cybersecurity Framework
Rather than looking at NIST framework implementation as a one-time activity, it’s helpful to think of the framework as a maturity model that your organization can return to and get more value from over time. No matter where you are in your NIST CSF adoption process, a review of the five key functions can show you where you’re on point and where you may need to take more steps to secure your business. Read on for insights on how to use the NIST framework as a maturity model.
Effective security isn’t possible until you have a complete picture of every device, process, data flow, operating system, and application in your environment. That includes both managed and unmanaged networked devices as well as the growing number of OT, ICS, and IoT devices that operate outside a traditional IT network.
Your organization needs policies in place to protect all your assets, and it needs to identify assets’ vulnerabilities, threats, and risk profiles so you can prioritize the steps you’ll need to take to secure them. With complete asset intelligence, including context about an asset’s behavior, you are now ready to move on to the next step.
After you’ve inventoried your assets and assessed their risks, the next function is protection. NIST breaks protection into six steps:
Who’s in your network? Whose devices are operating in your environment? When you have complete visibility into the devices that are in your space, it’s easier to pinpoint the ones that don’t belong.
Likewise, it’s critical to monitor communication among devices in your environment. This can help ensure that sensitive data, such as protected health information or business intelligence, is encrypted when it’s in motion. Communication monitoring can also alert your security team to suspicious activity. For example, data flowing from one of your servers to a new device outside your network is an indicator of malicious data exfiltration.
Preventing delays between an incident and its detection requires continuous monitoring. Everything also needs to be logged, and manual logging is cumbersome and time consuming if your security data is siloed in different systems. Look for a solution that automatically logs system activity in one place and retains it for a pre-set length of time.
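The points above about a complete asset inventory (Identify) and about spotting devices that don't belong, watching server traffic leaving the network, and keeping logs in one place for a fixed retention period (Detect) can be illustrated with a small detector. The following is an added example written for this page; it is not code from the Armis post or the Armis platform. The inventory, the flow-log line format, and every MAC address, IP address and timestamp are constructed for the example, and the thresholds and risk scores are assumptions.

```python
"""Added example: an inventory-driven detector for the Identify and Detect
points discussed above. Everything here (devices, addresses, log format,
risk scores, retention window) is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed asset inventory: MAC -> (hostname, role, risk score 1..10).
# The risk score stands in for the "risk profile" an inventory should carry.
INVENTORY = {
    "aa:bb:cc:00:00:01": ("db-server-01", "server", 9),
    "aa:bb:cc:00:00:02": ("hr-laptop-17", "workstation", 5),
    "aa:bb:cc:00:00:03": ("hvac-controller", "ot", 7),
}

# Address ranges we treat as "inside"; anything else is external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow-log lines: "<iso ts> <src_mac> <src_ip> -> <dst_ip>:<port> <bytes>".
# 203.0.113.9 is a documentation address standing in for an external host.
LOG_LINES = """\
2024-05-01T10:00:00+00:00 aa:bb:cc:00:00:02 10.0.5.17 -> 10.0.1.10:443 1200
2024-05-01T10:01:00+00:00 aa:bb:cc:00:00:01 10.0.1.10 -> 203.0.113.9:443 52000000
2024-05-01T10:02:00+00:00 de:ad:be:ef:00:99 192.168.3.44 -> 10.0.1.10:22 300
2024-01-01T00:00:00+00:00 aa:bb:cc:00:00:03 10.0.9.2 -> 10.0.1.10:502 80
""".splitlines()

# Constructed "current time" used for the retention calculation.
NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)


@dataclass
class Flow:
    ts: datetime
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line into a Flow record."""
    ts, src_mac, src_ip, _arrow, dst, nbytes = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(datetime.fromisoformat(ts), src_mac, src_ip,
                dst_ip, int(dst_port), int(nbytes))


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(flows):
    """Return (severity, message) alerts for unknown devices and for
    inventoried servers sending data to external destinations."""
    alerts = []
    seen_unknown = set()
    for f in flows:
        asset = INVENTORY.get(f.src_mac)
        if asset is None:
            # A device that is talking on the network but not in the inventory.
            if f.src_mac not in seen_unknown:
                seen_unknown.add(f.src_mac)
                alerts.append(("medium",
                               f"unknown device {f.src_mac} ({f.src_ip}) active on network"))
            continue
        host, role, risk = asset
        if role == "server" and not is_internal(f.dst_ip):
            # Server-to-external flow: escalate by the asset's risk score.
            severity = "high" if risk >= 8 else "medium"
            alerts.append((severity,
                           f"{host} sent {f.bytes_out} bytes to external "
                           f"{f.dst_ip}:{f.dst_port}"))
    return alerts


def apply_retention(flows, now=NOW, days=90):
    """Keep only records inside the retention window (central log store)."""
    cutoff = now - timedelta(days=days)
    return [f for f in flows if f.ts >= cutoff]


def run(now=NOW):
    """Parse the sample log, raise alerts, and trim the store to 90 days."""
    flows = [parse_flow(line) for line in LOG_LINES]
    return detect(flows), apply_retention(flows, now)


if __name__ == "__main__":
    alerts, retained = run()
    for severity, msg in alerts:
        print(f"[{severity}] {msg}")
    print(f"{len(retained)} of {len(LOG_LINES)} records inside retention window")
```

Run as written, the script raises one high-severity alert for the database server sending data to an external address and one medium alert for the un-inventoried device, and drops the January record that falls outside the 90-day window. The inventory lookup is the key step: without it, the detector cannot tell a server from a laptop, or a known OT controller from a stranger.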
Automating logs will free your security experts to focus on incident prevention and response. Make sure your security team members know who’s responsible for responding to unauthorized devices and activity alerts and have a written plan for them to follow.
As with any type of emergency, teams work more effectively when they’ve practiced their response and know which protocols to follow. Before there’s an incident, your security team should test their response plans, audit the results, make any changes to improve the plan—then test again.
Set up a testing schedule to get recent team members up to speed, to keep responses fresh in your team’s mind, and to adapt the plan to any changes in technology or best practices since the previous test. Discuss your plans and test results with your stakeholders, internal and external, to get feedback and make improvements.
Read the Armis Threat Detection and Response Solution Brief.
Beyond the technical response, your plan should include how and when your people will communicate with other stakeholders. For example, your operations, legal, and public relations teams will need to be in the loop. You’ll need to understand your legal and regulatory reporting responsibilities and designate people to hit report deadlines.
For example, if EU customer data is breached, GDPR requires companies to notify regulators within 72 hours of the incident’s discovery. Without a plan and designated communicators, your reporting time could easily slip as you rush to contain an incident. It’s also important to designate a crisis management spokesperson or agency before you have a breach. That way, they will be standing by to activate their communications plans and media strategy and protect your brand image.
Because device identification is the foundation for the other four functions in the NIST CSF, finding a solution that provides complete visibility across the environment will be a top priority for most organizations. In some situations, however, another function may be the top priority. For example, if your organization has comprehensive identification capabilities and some protection, but no response testing or recovery plan, you might debate whether to prioritize expanding protection or implementing response testing for the protection you already have.
Once your stakeholders agree on your priorities, you can create a detailed roadmap using the full NIST CSF framework document and the Armis Solution Brief on Alignment to NIST Cyber Security Framework for Unmanaged and IoT Devices. Your roadmap should include a process for regular reviews to assess your progress and adjust priorities as needed.
Armis helps organizations enhance their NIST cybersecurity framework maturity in several key areas:
Armis provides complete device visibility across the environment with comprehensive device hardware and software identification. Our agentless, passive technology allows our platform to see and assess devices that legacy IT scans can miss or disrupt. The Armis platform relies on the Armis Device Knowledgebase, a continuously updated repository of collective intelligence on more than two billion devices, to identify and classify devices and assess their behavior.
Armis monitors every device 24/7 to detect anomalies and status changes. When there’s any change to a device’s communications, software, physical location, risk profile, or activity, the Armis platform can alert your team. Armis also maintains data logs for compliance and incident forensics.
The Armis platform integrates easily with SOC solutions for a single source of device truth that enables faster, easier incident prioritization and response. No more jumping back and forth between OT and IT silos for the data you need to evaluate and manage incidents. With Armis, it’s all in one place. These and other Armis features make it easier for your security team to have timely, clear discussions with stakeholders about incident recovery.
See why Flex, Mondelez, Sysco and other organizations trust Armis to protect their OT devices. Request your demo.