Where’s Your Organization in the NIST Cybersecurity Framework Now, and Where Can You Improve?

The NIST Cybersecurity Framework (NIST CSF) is a helpful guide for organizations of any size that want to make sure they have the cybersecurity basics covered. The framework is structured in a way that lets smaller and newer organizations address key security concerns while enterprises and organizations handling sensitive data can advance through the more detailed recommendations in the full framework.

NIST: Getting Started with the NIST Cybersecurity Framework

Rather than looking at NIST framework implementation as a one-time activity, it’s helpful to think of the framework as a maturity model that your organization can return to and get more value from over time. No matter where you are in your NIST CSF adoption process, a review of the five key functions can show you where you’re on point and where you may need to take more steps to secure your business. Read on for insights on how to use the NIST framework as a maturity model.

Function 1: Identify all Devices in Your Environment and How They Interact

Effective security isn’t possible until you have a complete picture of every device, process, data flow, operating system, and application in your environment. That includes both managed and unmanaged networked devices as well as the growing number of OT, ICS, and IoT devices that operate outside a traditional IT network.

Your organization needs policies in place to protect all your assets, and it needs to identify assets’ vulnerabilities, threats, and risk profiles so you can prioritize the steps you’ll need to take to secure them. With complete asset intelligence, including context about an asset’s behavior, you are now ready to move on to the next step.

Function 2: Protect Your Assets, Devices, and Data

After you’ve inventoried your assets and assessed their risks, the next function is protection. NIST breaks protection into six steps:

1. Access management, including implementing strong user authentication practices, good password hygiene, and role- or hierarchy-based access to data and physical device access. These practices ensure that only people who are supposed to have access to your systems do, and they can make it easier to spot unauthorized use or attempts to use your systems.
2. Sensitive data protection, including encryption in motion and at rest, data-change monitoring to prevent data corruption, and secure disposal of data that you no longer need or are no longer required to store.
3. Scheduled backups. Regular backups of operating systems, apps, and databases are your protection against a destructive incident. Store these backups in a secure location, whether that’s onsite or in the cloud. NIST also recommends storing a regular backup offline “to protect it against ransomware.”
4. Intrusion prevention using firewalls, endpoint security, and other tools. NIST recommends securely disposing of devices at the end of their lifecycle, so they don’t fall into malicious hands.
5. Continuous device assessments for newly discovered vulnerabilities, software updates, and patches. Armis automates risk assessment, delivers scores to help your team prioritize remediation, and can automatically apply updates and patches.
6. User training to refresh and update employees’ security practices, like creating secure login credentials and knowing how and when to report suspicious activity.

Function 3: Detect Suspicious Data Flows, Intrusions, and Other Events

Who’s in your network? Whose devices are operating in your environment? When you have complete visibility into the devices that are in your space, it’s easier to pinpoint the ones that don’t belong.

Likewise, it’s critical to monitor communication among devices in your environment. This can help ensure that sensitive data, such as protected health information or business intelligence, is encrypted when it’s in motion. Communication monitoring can also alert your security team to suspicious activity. For example, data flowing from one of your servers to a new device outside your network is an indicator of malicious data exfiltration.

Preventing delays between an incident and detection requires continuous monitoring. Everything also needs to be logged, and manual logging can be cumbersome and time consuming, if your security data is siloed in different systems. Look for a solution that automatically logs system activity in one place and saves it for a pre-set length of time.

Automating logs will free your security experts to focus on incident prevention and response. Make sure your security team members know who’s responsible for responding to unauthorized devices and activity alerts and have a written plan for them to follow.

Function 4: Respond Effectively to Incidents With Tested Security and Communications Plans

As with any type of emergency, teams work more effectively when they’ve practiced their response and know which protocols to follow. Before there’s an incident, your security team should test their response plans, audit the results,make any changes to improve the plan—then test again.

Set up a testing schedule to get recent team members up to speed, to keep responses fresh in your team’s mind, and to adapt the plan to any changes in technology or best practices since the previous test. Discuss your plans and test results with your stakeholders, internal and external, to get feedback and make improvements.Read the Armis Threat Detection and Response Solution Brief.

Function 5: Recover from Security Incidents With Technical, Communications, and Crisis-management Plans

Beyond the technical response, your plan should include how and when your people will communicate with other stakeholders. For example, your operations, legal, and public relations teams will need to be in the loop. You’ll need to understand your legal and regulatory reporting responsibilities and designate people to hit report deadlines.

For example, if EU customer data is breached, GDPR requires companies to notify regulators within 72 hours of the incident’s discovery. Without a plan and designated communicators, your reporting time could easily slip as you rush to contain an incident. It’s also important to designate a crisis management spokesperson or agency before you have a breach. That way, they will be standing by to activate their communications plans and media strategy and protect your brand image.

Set Priorities for Improving Your Organization’s NIST CSF Maturity

Because device identification is the foundation for the other four functions in the NIST CSF framework, finding a solution that provides complete visibility across the environment will be a top priority for most organizations. In some situations, however, other functions may be the top priority. For example, if your organization has comprehensive identification capabilities and some protection, but no response testing or recovery plan, you might debate whether to prioritize expanding protection or implementing  response testing for your existing protection.

Once your stakeholders agree on your priorities, you can create a detailed roadmap using the full NIST CSF framework document and the Armis Solution Brief on Alignment to NIST Cyber Security Framework for Unmanaged and IoT Devices. Your roadmap should include a process for regular reviews to assess your progress and adjust priorities as needed.

Choose a Device Security Solution That Supports the NIST Framework

Armis helps organizations enhance their NIST cybersecurity framework maturity in several key areas:

Armis provides complete device visibility across the environment with comprehensive device hardware and software identification. Our agentless, passive technology allows our platform to see and assess devices that legacy IT scans can miss or disrupt. The Armis platform relies on the collective asset intelligence engine, a continuously updated repository of collective intelligence on more than two billion devices, to identify and classify devices and assess their behavior.

Armis monitors every device 24/7 to detect anomalies and status changes. When there’s any change to a device’s communications, software, physical location, risk profile, or activity, the Armis platform can alert your team. Armis also maintains data logs for compliance and incident forensics.

The Armis platform integrates easily with SOC solutions for a single source of device truth that enables faster, easier incident prioritization and response. No more jumping back and forth between OT and IT silos for the data you need to evaluate and manage incidents. With Armis, it’s all in one place. These and other Armis features make it easier for your security team to have timely, clear discussions with stakeholders about incident recovery.

See why Flex, Mondelez, Sysco and other organizations trust Armis to protect their OT devices. Request your demo.