The NIST cyber security framework provides policy and guidance for private sector companies within the United States to prevent, detect, and respond to cyber threats. Depending upon the complexity of the organization, a properly developed NIST framework can be completed in several months to several years. Gartner predicts that post-2020 upwards of 50% of organizations will follow some aspects of NIST, including organizations in all 16 noted critical industries.
To develop a shared understanding of cyber risks that face our organizations, NIST provides a common language that can be shared within all levels and functions of an organization.
Perhaps the most important and cornerstone component of NIST is Identification, since every subsequent function is only as valuable as the accuracy of Identification. When we speak of identification, several components must be properly cataloged before we can confidently move on to Protection: assets, governance, compliance, risk, regulatory components, and supply chain inputs all factor into the overall business environment a company operates within.
Our cyber and operational teams are then tasked with Protecting the assets identified, which includes proper identity management, training, data security, boundary creation, and the procedures and tenets that the organization must follow to protect assets, both physical and digital.
Once the framework has been agreed upon and put in place to add layers of protection, a robust, real-time, and continuous detection practice to monitor for anomalies, breaches, and security events must be implemented in a way that is both actionable and manageable. Parsing through thousands of logged alerts is counterproductive when most are false positives or inconsequential and the few meaningful events are lost in the noise. Distilling alerts by understanding which assets are critical, and which of their alerts require actionable steps, goes a long way toward focusing SOC efforts on tasks that are meaningful.
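As an added illustration of that distillation step (example code written for this article, not from NIST or any vendor), the script below scores each alert by the criticality of the asset it concerns, as recorded during the Identify function, suppresses alert types that are routine noise, and returns only the events above an actionable threshold, highest first. The asset inventory, the list of informational alert types, the threshold of 8, and the alert lines are all constructed assumptions for the example.

```python
"""Distil raw alerts into an actionable queue using asset criticality.

Added example for the article; the inventory, the informational alert
types, the threshold and the alert lines are all constructed.
"""
from dataclasses import dataclass

# Constructed asset inventory from the Identify function: criticality 1 (low) to 5 (high).
ASSET_CRITICALITY = {
    "payroll-db-01": 5,
    "vpn-gw-01": 4,
    "dev-test-07": 1,
}

# Assumed alert types that are routine noise on their own and should not reach an analyst.
INFORMATIONAL = {"heartbeat", "policy_refresh"}

# Criticality assumed for hosts missing from the inventory (a gap Identify should close).
UNKNOWN_ASSET_CRITICALITY = 2


@dataclass
class Alert:
    host: str
    kind: str
    severity: int  # 1..5 as reported by the sensor


def parse_alert(line: str) -> Alert:
    """Parse a constructed 'host, alert_type, severity' line."""
    host, kind, sev = line.split(",")
    return Alert(host.strip(), kind.strip(), int(sev))


def score(alert: Alert) -> int:
    """Sensor severity weighted by how much the affected asset matters; 0 means suppressed."""
    if alert.kind in INFORMATIONAL:
        return 0
    criticality = ASSET_CRITICALITY.get(alert.host, UNKNOWN_ASSET_CRITICALITY)
    return alert.severity * criticality


def triage(lines, threshold: int = 8) -> dict:
    """Return counts plus the actionable alerts sorted by descending score."""
    alerts = [parse_alert(line) for line in lines if line.strip()]
    scored = [(score(a), a) for a in alerts]
    actionable = sorted(
        ((s, a) for s, a in scored if s >= threshold),
        key=lambda pair: pair[0],
        reverse=True,
    )
    return {
        "total": len(alerts),
        "informational": sum(1 for s, _ in scored if s == 0),
        "actionable": actionable,
    }


# Constructed sample alert stream: host, alert type, sensor severity.
SAMPLE_ALERTS = [
    "payroll-db-01, brute_force_login, 3",
    "vpn-gw-01, heartbeat, 1",
    "dev-test-07, malware_signature, 5",
    "unknown-host, port_scan, 2",
    "vpn-gw-01, privilege_escalation, 4",
    "payroll-db-01, policy_refresh, 2",
]

if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    print(f"{result['total']} alerts, {result['informational']} informational,"
          f" {len(result['actionable'])} actionable")
    for s, a in result["actionable"]:
        print(f"  score={s:2d} {a.host:15} {a.kind}")
```

Note that the malware hit on the low-value test box and the scan from an uninventoried host both fall below the threshold with these constructed weights; a real deployment would tune the threshold and the default criticality for unknown hosts rather than silently discard them, since an asset missing from the inventory is itself an Identify finding.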
Knowing that at some point there will be a breach, such as a ransomware attack, goes a long way when planning the appropriate response. A breach is bad enough, but not having a plan for how to respond only compounds the issues. Asking the question ‘What should our response be under various circumstances?’ will help tremendously.
Lastly, there is the recovery stage, where we do our postmortem analysis and review of the four functions above. Combined with periodic penetration testing, all stages and functions of the NIST Framework should be continuously reviewed and revisited as faces change, protection and detection tools evolve, and our response efforts and their efficacy can always improve.
The great part of the NIST Framework is that all 5 functions are outcome-driven, and metrics can be put in place to track any organization’s journey throughout the process.