If you are reading this, you may have decided to upgrade your ad-hoc cybersecurity program to be compliant with the NIST Cybersecurity Framework. Your CEO or audit committee might have asked about this, or perhaps one of your CISO friends suggested it.
First off, you should know that your cybersecurity program can never be compliant with the NIST Cybersecurity Framework. Why? Because NIST says so. According to NIST, companies can use the Framework to determine and express their cybersecurity requirements, but there is no such thing as complying with the Framework. In NIST's own words, the Framework is something to be "used", "leveraged" or "aligned with".
The NIST framework is absolutely worth adopting, provided you do it properly. It will make your cybersecurity program stronger. The fog of cybersecurity complexity will lift, and communication and decision-making will become easier.
This is the first installment of a three-part blog series on how to use the NIST Cybersecurity Framework without getting bogged down and lost in the minutiae of the specification documents.
So, how exactly can you use the NIST Cybersecurity Framework?
Before we get into the details of NIST, let’s take a step back and list the cybersecurity issues that are probably top of mind.
- You worry about unseen risks and vulnerabilities.
- You do not have an accurate inventory of the assets that need to be protected.
- Your team spends a lot of effort chasing items that will have no impact, when you would rather have them focus on real risk.
- You want to know how to address risk items given your current tools and what is available in the marketplace.
- Your colleagues outside the security team do not understand cyber risk and therefore fail to "own" critical mitigation tasks.
- Your board is beginning to ask you to quantify the risk reduction delivered by the strategic cybersecurity plan your team has been executing: "Are we compliant with NIST?"
In this blog series, we will show how the NIST framework can help you with these challenges.
The NIST Cybersecurity Framework
The NIST framework itself is easy enough to understand. There are five core functions: Identify, Protect, Detect, Respond and Recover.
Aligning with the framework means enumerating all of your cybersecurity capabilities, projects, processes and daily activities, and labelling each of them with the function (or functions) it serves.
For example, the Identify label goes on the tools that help you inventory your assets. Firewalls and EDR agents such as CrowdStrike go into Protect; depending on their capabilities they may also belong in Detect, alongside your IDS and SIEM. Your incident response tools and playbooks go into Respond. Your backup and recovery tools are part of Recover. You get the idea.
Once you have gone through this exercise, some of your buckets may look emptier than others, and you may feel uncomfortable when you compare them with the corresponding function description. That is good: now you can articulate what your cybersecurity program is missing. The NIST framework takes this a step further and gives you a scale for how rigorously each functional area is carried out. In NIST language this scale is expressed as "implementation tiers", a term chosen deliberately instead of CMMI-style "maturity levels". NIST states that the tiers do not represent maturity levels, although in practice most organizations use them as a benchmark in much the same way.
NIST Implementation Tiers
The idea is that as you add capabilities, you move to higher implementation tiers. The four tier names, Partial, Risk Informed, Repeatable and Adaptive, mean exactly what their plain-English reading suggests. The top of the scale is the Adaptive tier, where the program continuously adjusts to lessons learned and to changes in the threat landscape. You might also draw a line (a "peer benchmark") at the tier you want to reach, based on what you know about companies that are similarly situated to yours. NIST's own advice is to move up a tier when a cost-benefit analysis shows the reduction in risk is worth it, not to chase Adaptive everywhere.
Let’s take a deeper look at each NIST function.
“You cannot protect what you don’t know about.”
The Identify function is about developing an accurate IT asset inventory and understanding the criticality of each asset. Identify is also concerned with discovering the vulnerabilities that attackers can exploit: you estimate your organization's likelihood of breach, and you quantify and prioritize your vulnerabilities and risk items. The output is a clear map from vulnerabilities and risk items at the endpoint and network level to the business units that own them.
Implementing the Identify function is hard. The enterprise attack surface is massive, with practically unlimited permutations and combinations of ways in which attacks can happen. You need four capabilities:
- Automatic and comprehensive discovery of enterprise assets (devices, applications, services and users) across on-prem, cloud and third parties.
- The ability to continuously assess all enterprise assets and all of your people for vulnerabilities and risk items across 100+ attack vectors.
- The ability to map risks and vulnerabilities at the device and network level to business units and risk owners, and to quantify risk in money terms.
- The ability to see how attacks can propagate across the enterprise network, and which mitigation measures will stop lateral movement by the adversary.
IDENTIFY Implementation Tiers
Moving up the tiers for Identify means adding these specific capabilities one by one, and running them continuously rather than as periodic, manual exercises.
Because of the size and complexity of the attack surface, "Identify" is no longer a human-scale problem. You cannot do it by collecting a pile of reports from different scanners and network management tools and reconciling them by hand. We created Balbix to use advanced AI to deliver the Identify capabilities you need to reach the Adaptive tier in the NIST Cybersecurity Framework. Balbix provides a single, comprehensive and up-to-date picture of your security posture. You can read more about Balbix here.
Identify is foundational to the NIST Cybersecurity Framework. You will not be able to make progress with Protect, Detect, Respond and Recover unless you have an accurate understanding of your overall cybersecurity posture. The simplest way to understand this is to recall that your cybersecurity is only as strong as your weakest link. If there is a critical asset that you do not know about, or an unpatched Internet-facing system that you do not know about, or if one of your privileged users reuses passwords, you could be one bad click away from a major cybersecurity incident even though you are using the latest and greatest EDR, VPN and web proxies.
The Identify Function is Foundational
Here are some KPIs for Identify that you might find useful.
- What % of enterprise assets are being monitored in real time?
- Can we categorize these assets into types and subtypes?
- What % of these are Internet-facing, either as servers or as user client machines?
- What % of monitored assets are being analyzed for unpatched vulnerabilities and risk items?
- What % of monitored assets have an identified risk owner?
- Do we understand the impact in $ terms if a particular asset is compromised? Can we articulate this for all assets? Do the risk owners agree with this $ value assessment?
- Do we understand the amount of risk reduction in $ terms that each of our Protect tools is delivering?
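The first of these KPIs only mean something once the asset lists from your different tools have been reconciled into one inventory, which is exactly the manual step that breaks down at enterprise scale. The following is an added example (not Balbix code and not part of the framework) that joins three constructed exports, a CMDB, an EDR agent roster and a scanner report, on a normalised hostname and then computes the monitoring, Internet-facing, assessment and risk-owner coverage percentages from the list above. All hostnames, owners and dollar figures are made up for illustration; the two hosts that a tool sees but the CMDB does not are the "critical asset you don't know about" from the previous section.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample inputs (not real data). Three views of the same estate:
# the CMDB is the system of record, the EDR roster is what is monitored in
# real time, and the scanner report is what is assessed for unpatched critical
# findings. Hostnames deliberately differ in case and domain suffix.
CMDB = [
    {"host": "web-01.corp.example", "type": "server", "internet_facing": True,
     "owner": "ecommerce", "impact_usd": 2_000_000},
    {"host": "web-02.corp.example", "type": "server", "internet_facing": True,
     "owner": None, "impact_usd": 2_000_000},
    {"host": "db-01.corp.example", "type": "server", "internet_facing": False,
     "owner": "ecommerce", "impact_usd": 5_000_000},
    {"host": "lap-alice.corp.example", "type": "client", "internet_facing": True,
     "owner": "it", "impact_usd": 50_000},
    {"host": "hr-fileshare.corp.example", "type": "server", "internet_facing": False,
     "owner": "hr", "impact_usd": 750_000},
]
EDR_AGENTS = ["WEB-01", "web-02", "lap-alice", "LAP-BOB", "db-01.corp.example", "HR-FILESHARE"]
SCANNER = {"web-01": 0, "web-02": 3, "db-01": 1, "jenkins-old": 7}  # host -> unpatched criticals


@dataclass
class Asset:
    host: str
    in_cmdb: bool = False
    monitored: bool = False                  # has a live EDR agent
    assessed: bool = False                   # present in scanner output
    unpatched_critical: int = 0
    asset_type: Optional[str] = None
    internet_facing: Optional[bool] = None   # None: unknown, asset not in CMDB
    owner: Optional[str] = None
    impact_usd: int = 0


def normalize(host: str) -> str:
    """Join key: lower-cased short hostname, so 'WEB-01' and 'web-01.corp.example' match."""
    return host.strip().lower().split(".")[0]


def reconcile(cmdb: List[dict], edr_agents: List[str], scanner: Dict[str, int]) -> Dict[str, Asset]:
    """Merge the three sources into one inventory; anything any source sees is an asset."""
    inv: Dict[str, Asset] = {}

    def entry(host: str) -> Asset:
        key = normalize(host)
        return inv.setdefault(key, Asset(host=key))

    for rec in cmdb:
        a = entry(rec["host"])
        a.in_cmdb = True
        a.asset_type = rec["type"]
        a.internet_facing = rec["internet_facing"]
        a.owner = rec["owner"]
        a.impact_usd = rec["impact_usd"]
    for host in edr_agents:
        entry(host).monitored = True
    for host, criticals in scanner.items():
        a = entry(host)
        a.assessed = True
        a.unpatched_critical = criticals
    return inv


def pct(num: int, den: int) -> float:
    return round(100.0 * num / den, 1) if den else 0.0


def identify_kpis(inv: Dict[str, Asset]) -> dict:
    """The Identify KPIs from the list above, plus the gaps they expose."""
    assets = list(inv.values())
    known = [a for a in assets if a.in_cmdb]
    monitored = [a for a in assets if a.monitored]
    return {
        "total_assets_seen": len(assets),
        "pct_monitored": pct(len(monitored), len(assets)),
        "pct_internet_facing": pct(sum(1 for a in known if a.internet_facing), len(known)),
        "pct_monitored_assessed": pct(sum(1 for a in monitored if a.assessed), len(monitored)),
        "pct_monitored_with_owner": pct(sum(1 for a in monitored if a.owner), len(monitored)),
        # Assets a tool sees but the system of record does not: the unknown unknowns.
        "shadow_assets": sorted(a.host for a in assets if not a.in_cmdb),
        # Internet-facing assets that are unassessed or carry unpatched criticals.
        "internet_facing_at_risk": sorted(
            a.host for a in assets
            if a.internet_facing and (not a.assessed or a.unpatched_critical > 0)
        ),
        # Business impact with nobody accountable for it.
        "unowned_impact_usd": sum(a.impact_usd for a in assets if not a.owner),
    }


if __name__ == "__main__":
    for name, value in identify_kpis(reconcile(CMDB, EDR_AGENTS, SCANNER)).items():
        print(f"{name:26s} {value}")
```

Two design choices matter here. The denominator for "% monitored" is everything any source has seen, not the CMDB count, otherwise a stale CMDB makes coverage look better than it is. And an asset whose exposure is unknown (not in the CMDB) is reported as a shadow asset rather than silently counted as internal; on the constructed data that is how the scanner-only host with seven unpatched criticals surfaces.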
Now what does your board presentation look like? With these KPIs in hand, you can show coverage and risk figures instead of a list of tools.
Your boardroom conversation gets out of the weeds, and you can discuss your strategic plan recommendations and how much risk reduction each project or initiative is expected to deliver.
In the next part of this blog, we will discuss the Protect and Detect functions of the NIST Cybersecurity Framework. In the meantime, you can get started on aligning your cybersecurity program on Identify by leveraging Balbix. You can request a demo or start your free trial.