Posts

Continuing our series of the NIST CyberSecurity Framework (CSF), we now come to the Detect function.  The Detect function is the simplest and most straightforward function within the CyberSecurity Framework.  The work of this function is to create an Information Security Continuous Monitoring (ISCM) program.  The NIST 800-137 publication is helpful for explaining the best process for creating and executing an ISCM for your organization.

Here are the six steps to building an effective ISCM as outlined in that document:

1. Define the ISCM strategy

A proper ISCM starts with the leaders of the organization.  If the leaders do not take security seriously, it’s likely that no one else in the organization will see it as important either.  What does it look like for leaders to take security seriously?  The best way is for leaders to inform and shape the narrative of what information is important to the organization, what levels of risk they deem acceptable and unacceptable, and to engage with management and IT to develop appropriate risk governance policies and procedures to protect the organization. 

Simply put, the leaders define the key performance indicators (KPIs) for security, along with the policies and procedures necessary to ensure the best outcomes possible with relation to those performance indicators. Naturally, the leaders will leverage input of from the rest of the organization to help them in this strategic process, but the responsibility of defining these key security performance indicators and governance policies falls on the leadership itself.

Here is a helpful diagram from NIST 800-137 illustrating how the entire organization should be involved in this process:

Figure 2-1. Organizational-wide ISCM from NIST 800-137

It’s important for the leaders of the organization to view the ISCM as an ever-evolving approach to securing the organization.  Subordinates (Tier 2 and Tier 3) should regularly report back relevant data to the leaders (Tier 1) of the organization, so that policies and procedures can be updated for better efficiency, accuracy, and effectiveness.  The security posture of the organization, thus, should improve continuously over time.

2. Establish your ISCM program

Once the leaders of the organization define the ISCM program, managers (Tier 2) of the organization should leverage tools to automate the data collection and sort data into digestible formats for review.  The aim here is to develop the mechanisms by which data will be collected (automatically and/or manually) and how often that data will be reported back to the leaders of the organization. The leaders should maintain some sort of dashboard to actively monitor the key security performance indicators, so they are aware when security-related events are occurring within the organization.

Once managers establish the tools and mechanisms for monitoring and maintaining security KPIs, then they should define the metrics for how often IT will monitor and assess the data, how often that data gets updated to the leadership of the organization, and how often the mechanisms will be reviewed for best results.  Finally, checklists for IT should be created to ensure that IT is following the policies and procedures defined by leadership.

3. Implement the ISCM program

Implementation simply is executing the plan and program established in Steps 1 and 2.  This should be performed in a checklist format that is consistent with the strategic policies and procedures defined by organizational leadership.  The IT representative should sign and date the checklist to inform management who performed the work and when.  This provides assurance and accountability for implementation. 

4. Analyze and Report the findings of your program

The first data collection serves as a security baseline for where the organization is currently.  Comparisons back to the baseline over time can indicate when abnormal activity or changes are occurring within the organization.  Gradually, the baseline can grow to become more informative.

As abnormalities appear in the reporting and analysis process, those findings are submitted to authorities according to the defined policies and procedures for them to make decisions regarding the risks associated with that abnormality.  Early on in this process, there can be a lot of noise generated; but as the reporting and analysis window grows, IT can identify abnormalities with greater accuracy.

5. Respond to those findings

Knowing how to respond to security events is more of an art than a science, because every environment is different.  Every organization, even within the same industry, has a different approach and perspective on risk tolerance and mitigation.  The policies and procedures created in the strategic phase of the ISCM will guide IT on how to respond appropriately to security events. 

There will be times when a security event exposes a weakness overlooked in the initial strategic planning process.  This should be expected.  Technology is ever-changing.  Hardly ever is the first attempt perfect.  There is not a perfect approach to security, so when a weakness is detected, avoid the temptation to point fingers and assign blame.  Then, proceed to step 6.

6. Review and Update your ISCM strategy and program

As stated above, going through the exercises of analyzing and reporting will inevitably expose weaknesses in your ISCM.  The important point here is that the organization is growing and maturing with relation to its security posture and awareness.  What are new ways to detect abnormalities which would be more efficient?  What new ways has IT discovered to monitor for security-related abnormalities?  What new policies and procedures could be adopted to mitigate the associated risk of this new weakness?  These questions, and ones like them, can help you refine your ISCM over time.

Here is another helpful illustration from NIST 800-137 for how this process should look:

Illustration 3-1. ISCM Process from NIST 800-137

Conclusion:

Creating and performing an ISCM is something like learning any new skill. It will take a while before you become adept at identifying security risks within your organization and mitigating them to an acceptable level.  At first, it can feel awkward, and it’s easy simply to procrastinate.  The important thing is that you start and stick with it. Over time, you will grow and become more adept.

Sometimes, it’s helpful to have someone assist you in these exercises.  That’s where TCS can help.  We support and manage security for various regulated industries (health, finance, defense, local government, and beyond).  We use that collective experience to create a unique, client-focused approach to security.  TCS can work with you to grow your security posture over time by road-mapping solutions on a scheduled timetable and performing routine security assessments both to demonstrate your past growth and effectively plan for better security where weaknesses are identified. Contact us today, if you would like to know more about how TCS can assist your organization with its cybersecurity needs.

Note: This article was written from resources found at the following site:  https://www.nist.gov/cyberframework/detect

Continuing our NIST CyberSecurity Framework (CSF) series, the second function of the CSF is Protect.  If Identify is the “what” of cybersecurity, Protect is the “how” of cybersecurity.  As we will see in this article, the “how” of protection not only is complicated, but it also varies from organization to organization. 

There simply is no one-size-fits-all approach to securing a business or organization.  Your approach to cybersecurity depends upon the unique and specific devices your company utilizes, how those devices communicate, the layout of your office workers (local, remote, hybrid), the ways in which your users communicate between themselves, the location of your critical data, the use of cloud platforms and software as a service, and more.

There are five primary aspects to the Protect function:

1. Access Control and Authentication

Access Control and Authentication and be summed up as Identity Management.  This is a fairly straight-forward concept – how do you know only authorized users have access to critical datasets?  How do you know that when a user gains access to critical data, it is really the intended user?  What technologies will you leverage to ensure that impersonators are not accessing your critical data?

How you answer those questions is where this aspect of the Protect function gets complicated.  For instance, if you use a PIN (like an ATM code), you will have different policies and procedures for how to properly use PINs versus a company who chooses to leverage smart cards for identity management.  Each of those solutions has different ramifications and implications for how to successfully use them.  If you decide to leverage both technologies, you create even more complications.  Now, multiply that times the various identity management tools and technologies possible, and you have an idea at just how complicated keeping track of all the technologies and ensuring they are utilized securely can be.

2. Security Awareness Training

The second aspect to the Protect function is Security Awareness Training.  The easiest avenue for hackers in today’s world is the end user.  We want our employees to be helpful and efficient when they are dealing with those outside our organizations.  Hackers know this and they often are masters at using that helpfulness to their advantage.

Some things you need to consider when creating a security awareness training program for your users are:

  • What needs to be included in the training material based on the needs and risks particular to your organization?
  • Who will be responsible for performing the training?
  • How often should the training be performed?
  • What methods will be used to perform the training?
  • How will you measure the success of the training for each employee?
  • How will you measure the success of the training program over time and evaluate its effectiveness?

Once the training program has been outlined, then you must execute that training.  After measuring the training for results and getting feedback from employees as to how the training can be improved, you must then make the necessary adjustments to enhance the training over time.

3. Data Security

Data security falls into the triad objective of Confidentiality, Integrity, and Availability.  This triad over time has become known as the Security CIA triad (not to be confused with the Central Intelligence Agency).  The principle is simple enough to grasp.  You want your critical data to remain private (Confidential), you want to ensure that everyone who should have access to that data does (Availability), and you want to ensure the data is accurate and tamper-free (Integrity).

One of the primary ways data is protected is via encryption.  Confidential data should be encrypted at all times – even when that data is in motion.  It’s easy to encrypt data at rest, most storage platforms have those capabilities built in.  The difficulty arises in tracking the various ways that data is accessed (internally, remotely, from a Cloud platform, etc.) and ensuring that the data remains encrypted at the appropriate levels during the transport from the datacenter to the end-user.

Finally, for those who have mobile devices (laptops, tablets, smartphones, etc.) in their workforce, you must have adequate levels of mobile device management.  Some examples of features required for effective mobile device management are as follows:  device location, remote wipe, remote lock, enforced encryption, enforced device idle timeout/lock, approved applications, and advanced logging.

4. Policies and Procedures

The general rule as it applies to policies and procedures is document, document, document!  The more you can document concerning the different policies and procedures your company considered implementing and why those policies were/weren’t adopted, the better. 

Security for any device starts at the configuration level, so be sure to document policies outlining configuration baselines and standards by which everything in your environment will be configured.  You will need to review those baseline configurations and standards annually to ensure they remain up-to-date.  These baselines not only include your workstations, servers, and endpoints.  They also include your firewall/router, your wireless setup, your phone system configuration, and every other technology (both hardware and software) your organization uses to perform its business.

Once you have created policies and procedures for how each device and application is to be configured along with the hardware specifications required for such a configuration to perform efficiently, you will need to write policies and procedures for what your users can and can’t do.  In those policies, you will want to include expectations of privacy (if any and to what degree), define what devices and applications are permitted for company use, define whether or not devices can be used for personal purposes, define how users will employ devices in a secure manner, etc.  Again, the more specific you can be in these policies and procedures, the better.

5. Protective Technologies

The final aspect of Protect is working to ensure your policies, procedures, and agreements align with the implementation of your technical environment.  This means, for instance, that you regularly analyze your VoIP phone system to ensure that your setup is aligned with your policies and procedures.  This also means that you are auditing your wireless network setup to ensure it is properly secured.  The same would be true of your endpoint devices, servers, switches, and firewalls.  Finally, you will want to revisit your application whitelist to ensure it is updated, as well.

Conclusion:

As you can see from this post, to perform the Protect function of CSF, you will need to take a lot of things into consideration.  You don’t have to start from scratch, however.  While each organization and business looks different in the details, the starting point is often similar.  TCS can help you analyze the standards and appropriate them to your specific business.  We have experience across a broad range of industries and use cases that can help you save time building these policies and procedures.

Note: All the resources used for this article can be found at the following site: https://www.nist.gov/cyberframework/protect

Last week, we started our NIST CyberSecurity Framework (CSF) series with an introductory article.  In that article, we outlined the five functions of the NIST CSF:  Identify, Protect, Detect, Respond and Recover.  This article will dive a little bit deeper into the first function – Identify.

Whenever we think about a holistic protection plan for anything, we need to start with the obvious – what needs to be protected, and what substructure needs to be in place to ensure its protection?  That in essence is what the Identify function of the CSF seeks to accomplish.

There are six primary aspects to the Identify function:

1. Asset Management

Simply put, you can’t create an effective strategy to protect key assets without knowing exactly what assets exist to protect.  This step requires creating and maintaining an active inventory of hardware and software.  From the hardware perspective, this would include not only servers and workstations, but also network infrastructure (switches, routers/firewalls, wireless access points, etc.).  Some larger organizations will use an asset tag to track hardware in the organization.

On top of the hardware, you also need to maintain an active inventory of software, as well.  Most people think of operating systems when software is mentioned, but this instance of software would include third-party applications, such as Adobe Reader, Office Applications, and endpoint security.  On the software side, you need to be able to identify what versions are being employed and whether those versions are properly patched and updated.

Be sure to include documented onboarding and offboarding policies for how IT should introduce new hardware and software into your environments. Your offboarding documentation needs to include any destruction requirements necessary to fulfill your regulatory obligations.

2. Business Environment

The business environment needs to be defined.  What is the mission of the company?  How is that mission going to be accomplished?  Who are the stakeholders of that mission?  How are the various activities of that mission going to be prioritized and assigned to employees?  How are those activities going to be safeguarded against security threats?  These are some of the questions that need to be answered in this subsection.

The Critical Success factors for this subsection are (1) Strong Upper-Level Management Support, (2) Practical Information Security Policies & Procedures, (3) Quantifiable Performance Measures, and (4) Results-Oriented Measures and Analysis. Here is a helpful visual from NIST 800-55:

NIST 800-55 – Figure 1-1. Information Security Measurement Program Structure

Notice that we start with the strong upper-level management. Upper-level management should not only provide a vision and a commitment to these objectives, they should model that commitment to everyone in the organization. So often, we see the CEO and other members of upper management trying to be the exception to the security rule. Be advised, upper-management, if you don’t take this seriously, your employees won’t either.

Also, take note of the emphasis on “practical” policies. If you don’t make security policies easy to follow, users will find ways to subvert and circumvent them. We see this regularly with users employing personal versions of Dropbox, personal email, and other means to avoid the hurdles of cumbersome security policies. Security done right is user-friendly and efficient, even when it’s not necessarily convenient.

Finally, security measures must be in place to quantify user adherence to those policies and procedures. Management should maintain goals and objectives surrounding these key security performance indicators. These performance metrics need to be analyzed and reported on a regular basis to ensure they are being met. Management should use these measurables to identify what further can be done to improve effectiveness and efficiency.

3. Governance

The management team of any organization must be involved in the governance of information security. This means they are the ones who create, enforce, and oversee the security policies and procedures of an organization. They also have a hand in choosing the support tools to deliver and enforce their security policies. Smaller organizations often employ third-party managed services providers to assist them in these areas, but the governance of them ultimately falls on management. In those instances, management holds the third party accountable for maintaining their security posture. Nevertheless, even though management isn’t actually doing the work, they are responsible for ensuring the work gets done via routine reporting evaluations back to management.

4. Risk Assessment

In order for a risk assessment to be successful, four components must be present: framing risk, assessing risk, responding to risk, and monitoring risk.  The framing of risk simply is defined as determining the personnel who make risk-based decisions within the organization along with the context in which those personnel make risk-based decisions. The NIST 800-39 document includes a helpful diagram for this process:

Figure 1 of the NIST 800-39 document.

Once that risk context and the risk decisions have been framed, you need to delineate the boundaries around those decisions. Each risk frame exposes potential harm to the organization. The more adverse the impact of a decision, the more risk it carries. Typical risk assessments include a scoring matrix that accounts for cost/severity, percentage of likelihood, and the level of controllability. The composite risk score for each area is often rank ordered to help an organization prioritize their risk reduction efforts.

Note: Performing risk assessments should occur on a regular cadence appropriate for your organization.

5. Risk Management

Based on the scoring system of the risk assessment above, the next step is to respond by managing risks. There are a number of responses to risks: risk acceptance, risk avoidance, risk mitigation, risk sharing, risk transfer, and any combination of these responses.  Be sure to document whatever response you choose for each particular risk.  Finally, once you have documented the risk responses, management must formulate plans to implement those responses and monitor those implementations to ensure their overall effectiveness. 

6. Supply Chain Risk Management

This might sound like a subset of Risk Management, but this aspect of the Identify function is a bit different.  Instead of organizational risk management, this is a very specific kind of risk management. When you are a provider of communications products or employ those products in your company, you must guard against fraudulent counterfeits, tampered equipment, and the insertion of malicious software, firmware, or hardware from your vendors.  This requires vetting the vendors for quality controls and manufacturing standards appropriate to the regulative requirements for your organization.

Some questions you might consider for this exercise are:  Are these components manufactured and assembled in a hostile country?  What is the chain of custody from the vendor to the end user?  How does the manufacturer ensure their components are tamper-free upon arrival?  Then, train your personnel how to inspect those items on arrival before you implement them into your IT environment.

Conclusion

As you can see, there are many facets to the Identify function within the CSF. Even then, this article simply scratches the surface.  It’s not uncommon to feel overwhelmed by all this information. If this overview seems overwhelming, and you need a partner to assist you with your cybersecurity efforts, TCS would be honored to have a conversation with you about how we can help bolster your cybersecurity posture.

For a list of documents that informed this article, please see the following website: https://www.nist.gov/cyberframework/identify