On February 12, 2013, President Obama signed an executive order named “Improving Critical Infrastructure Cybersecurity”. From this directive, the National Institute of Standards and Technology was tasked with the development of what has become the granddaddy of cybersecurity frameworks. The government may have its challenges in many areas, but I’ll give credit where credit is due. NIST did a pretty darn good job organizing the massively broad topic of cybersecurity.
Mention the term “cybersecurity framework” with most business folks and you’re likely to see their eyes glaze over. I get it. That topic has three ingredients that make for a pretty dry discussion: cybersecurity, framework, and government-made. I was not born a fan of compliance frameworks and, in fact, it took many years of dealing with security as a function of my responsibilities to develop the appreciation I now have. Yes, I’m a cyber-geek.
NIST 800-171, the framework suggested for non-governmental organizations, consists of 110 controls, which are basically requirements organizations should meet. That’s a lot of controls, right? So now I’m getting to my point. With so many controls, NIST knew it would make sense to categorize these controls into groups that they call Functions. These five functions are the highest level of abstraction of the framework and represent the five pillars that every organization should use to build their cybersecurity program.
The first is Identify. This may sound like a no brainer, but you’d be absolutely shocked at how many organizations are weak in this area. “Identify” is all about enumerating your systems, people, assets, and data in order to properly manage the cybersecurity risk. Peter Drucker famously said, “If you can’t measure it, you can’t manage it.” Cybersecurity professionals resoundingly agree. How can your team know to check if software is upgraded if they don’t know the software exists? How can they know if an account being used within your network is legitimate if there is no list of legitimate accounts? If you can’t list it, you can’t protect it!
The next function is Protect. Just protect everything and we’re good, right? I wish it were that easy. The Protect function can be difficult as there is so much change in our environments. Included are tasks such as using proper access control procedures, building your “human firewall” with staff awareness training, configuring network firewalls, patching every piece of software and operating system in use, and ensuring that your endpoint protection is best-in-class. Believe me, there’s a lot to execute in this area.
Next up is Detect. If your organization’s perimeter protections were breached, likely because of unmitigated known vulnerabilities, then a solid “defense-in-depth” strategy means you will need systems in place that can detect bad actors in your environment. The cornerstone of detection is monitoring which means utilizing automated systems, often leveraging AI, to spot malicious activity. This area is most often outsourced due to the labor and expense required to execute it yourself.
In the event malicious activity has been detected in your environment, guess what? You will need to Respond, which is the fourth NIST function. This function requires the deployment of systems and processes that allow taking action against an attack. This often includes isolating the danger, managing communications, analysis, and finally mitigation activities. These activities are often managed by an organization’s Managed Service Provider (MSP) or, even better, an Incident Response Service Vendor. An IR vendor can manage the analysis, containment, eradication, and even recovery from a cybersecurity incident.
