Why should an organization consider using a security framework?

Historically, organizations have invested significant amounts of time and budgets into their current security posture.  Up until recently, that posture was largely designed to protect the traditional office space.  With more people working remotely than ever, that security posture and program may not fit with the new requirements of protecting employees that may be working anywhere at any time. 

A security framework is designed to help organizations:

• Understand their current cybersecurity posture
• Define or update a cybersecurity program
• Help communicate requirements and future state with stakeholders
• Identify opportunities or needs for new or revised standards
• Assists in prioritizing potential projects to help reduce risk to the company
• Enables investment decisions to address gaps

What is NIST?

The National Institute of Standards and Technology developed its cybersecurity framework to strengthen the security of United States critical infrastructure.  Like most security frameworks, NIST can be applied to any sized organization in any industry.  The NIST framework includes five cores. 

Those are:  Identify, Protect, Detect, Response, and Recover.

Identify

Naturally, most security programs begin with the Identify stage.

• Identify can include the review Inventory of assets, data, Users, Systems, and the boundaries of where all those items can be located.  After which, most will complete assessments, which may include gap analyses, a self-assessment or questionnaire, a review of the technical infrastructure, as well as potentially reviewing those of their supply chain vendors and partners. 
• Assessments are performed to help define risks allowing the organization or that of its partners, to develop the appropriate security controls to address those risks.
• Identify also includes the traditional governance process of building or revising security policies and procedures, change management processes, vendor management processes, and so on.

Protect

Once the identify process has been completed building a security program begins with defining and applying security controls to help mitigate the risks as well as help build processes to protect the organizations’ assets and people.

• The Protect core focuses on building administrative and technical controls to protect data, identifiable information, and all company assets.
• Some tools that assist with this function include building out Identity Management, applying a least privileged access model to limit users’ access to only what they need to complete their daily tasks.  Applying multifactor authentication (MFA) on external-facing systems, limiting access to management interfaces, continuously reviewing and remediating vulnerabilities.
• Building out a cybersecurity training program that should include training of current threats and should include frequent phishing simulations.
• An example of administrative controls can include ensuring no one user can approve a wire transfer without a second person’s confirmation.
• Physical controls can include physical access management through locked doors, badging as well as the use of security cameras.

Detect

As organizations continue to mature Detection and response capabilities become a priority.  The detection core is designed to help build a formal detection process for the various threats organizations face every day. 

• Advanced Detection tools help gather information from disparate systems across the network, from Cloud environments, 3rd party threat intelligence, and system vulnerabilities.  Correlate that information providing event alerts and insights on a variety of threats.  Such as external attacks on systems, anomalous user behavior as well as helping with Data Loss Prevention.  Common detection tools include SIEM solutions, Endpoint Detection, and Response tools.

Response

As organizations mature their detection capabilities the next step would be to respond to detected threats.

• Building out response processes and procedures is also a core capability of NIST. Cybersecurity Incident Response plan is a common 1^st step in building out and formalizing response capabilities.  Understanding that over 94% of organizations had a security event in 2020, building a plan to respond is crucial to help the organization better understand their capabilities and outline how communications flow.
• Once an Incident Response Plan has been developed working through a variety of tabletop exercises will help organizations validate and test their plan and capabilities.
• Tools such as Endpoint Detection and Response are absolutely critical tools that need to be budgeted and deployed for every organization regardless of industry or size. 
• EDR tools have the capability of detecting, shutting down malicious processes, quarantining, ability to remove the malicious file as well as potentially providing valuable logging capabilities for forensic investigation in some cases.

Recover

Developing and implementation of a Disaster Plan is the final pillar of the NIST Framework.

• In the event that all of the other tools and processes don’t stop an event from happening, having a well-documented and tested disaster plan is also needed for every organization.
• Deployment of backup solutions that validate backups, replicates to the cloud, are configured properly, and tested is a requirement for every organization that has any sort of business-critical data, even if that data is stored in the cloud.

Regardless of whether or not compliance is a requirement for your organization, a security framework such as NIST can help provide a solid foundation, through the general guidance, for maturing your security posture.