The NIST Cybersecurity Framework: Your Handy How-To Guide
Corporate IT risk continues to increase as data volumes expand and cybercriminals evolve their arsenal. As noted by Computer Weekly, the volume of malware attacks rose for the third straight year in 2018 thanks to a combination of emerging cyber threats such as in-browser crypto mining and lucrative mainstays including email phishing and permissions-based compromise. Underpinning this malware-driven market are new as-a-service exploit kits hosted (and serviced) on the Dark Web, turning hackers of all skill levels and motivations into potential enterprise threats. A dreary assessment? Absolutely. But it’s not all bad news: Presidential Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, tasked the National Institute of Standards and Technology (NIST) with creating a framework designed to “help an organization to better understand, manage, and reduce its cybersecurity risks.”
Here’s a handy how-to guide for implementing, leveraging and managing the NIST cybersecurity framework across your organization.
What is the NIST Framework?
The NIST framework was developed in conjunction with industry, academic and government leaders during a year-long collaborative process. Version 1.0 of the framework was released in February 2014 and is designed to provide critical guidance for organizations of all sizes as they look to identify key risks, implement new strategies and improve service delivery.
The framework represents an emerging set of security best practices designed to grow with organizations as markets and industries evolve. Last year, NIST released version 1.1 of the framework after a 45-day draft consultation period for both public and industry stakeholders.
Version 1.1 includes five key “framework functions” which help organize high-level cybersecurity activities:
Identify — This function speaks to the need for “an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.” Put simply, companies need to identify at-risk services and components in their IT infrastructure before they can develop an effective defense.
Protect — Here, the focus is on developing and implementing safeguards that protect mission-critical applications and services.
Detect — Effective protection is only possible if companies implement processes capable of detecting potentially malicious cybersecurity events. For example, organizations might leverage managed SIEM solutions to detect and report incidents automatically.
Respond — What happens after a cybersecurity event is detected? This NIST function covers protocols such as incident response planning (and testing), communications, analysis, and mitigation techniques. For example, a response policy based on the NIST framework should describe who’s responsible for making IT decisions and include a call-out list to inform key stakeholders. It should also include explicit descriptions of recovery time objectives and detail the specific tools that will be used to mitigate attack impact. Finally, the policy must include critical metrics that IT teams can use to determine if remediation has been effective.
Recover — Improved protection requires businesses to learn from corporate security breaches — both successful and attempted — and apply this knowledge to develop new processes and procedures. The Recover function speaks to the need for plans that focus on timely restoration of systems and long-term reduction of cyber risks.
Why Does the NIST Cybersecurity Framework Matter?
Data breaches are daily news. New malware strains are in constant development. Hackers are adopting as-a-service models to support their creations without assuming personal risk, and recent survey data found that 90 percent of critical infrastructure providers have been hit by successful cyber attacks.
The result? Organizations need robust cybersecurity strategies in place to ensure they’re ready to respond when (not if) attacks occur. But as noted by TechRepublic, 77 percent of companies “don’t have a consistent cybersecurity response plan.”
In some cases, these missing plans stem from sheer complexity: Expanding networks and cloud-based solutions make it difficult to map, let alone protect, the growing array of user endpoints. The cyber skills talent gap is also problematic. Even with post-secondary institutions ramping up course availability and hands-on offerings, there aren’t enough infosec pros to meet the growing demand for cybersecurity expertise.
The NIST cybersecurity framework offers a solid starting point for organizations looking to reduce cyber risk and improve resiliency. Even if they’re short on time and talent, NIST’s guidelines and active community can help companies identify critical infosec shortfalls and implement foundational best practices to help avoid common attack vectors.
Are NIST Guidelines Mandatory?
No. Unlike HIPAA, PCI DSS or GDPR compliance, implementing the NIST framework is not required for organizations. Instead, it’s worth thinking of NIST guidelines like the food pyramid of cybersecurity: Best practices based on solid research and collaboration, but not mandatory.
Just like the food pyramid, it’s possible to ignore well-meaning advice: Organizations can opt for all-cloud buffets of unapproved applications and services for the quick-fix productivity they provide. But they shouldn’t be surprised when security spending tips the scales and overall business health suffers after unvetted apps compromise local networks to install ransomware or steal credentials.
The NIST Compliance Checklist
For many organizations, implementing NIST best practices is on the to-do list but never gets done.
It makes sense: With concerns like mobile device adoption, IoT rollouts, and cloud network management, it’s easy for IT teams and executives to get bogged down in day-to-day firefighting. Add in the potential complexity of new framework guidelines, and it’s easy to see why framework functions are often shelved in favor of more pressing concerns.
We’ve got you covered. Here’s a quick NIST compliance checklist to help get your company started on the road to reduced cyber risk:
Set Reasonable Goals — You can’t do everything. No cybersecurity policy is a “silver bullet” to solve every infosec problem. As noted by Security Magazine, it’s therefore critical to set organizational goals around cyber risk, tolerance, and outcomes before implementing the NIST framework. For example, an uptick in mobile devices on your network could make granular app security a priority and help set budget and timeline expectations for your strategy.
Evaluate Current Security Posture — What you don’t know can hurt you. Before diving into framework applications, it’s critical to evaluate your current infosec environment. Where are controls effective? What potential weaknesses exist? This relates to NIST’s “identify” function: Discover where your security excels and where it needs work to develop an effective implementation plan.
Customize Your Implementation — NIST isn’t all-or-nothing. Instead, the framework is designed to help companies answer critical questions about security by offering research-backed best practices. Confident in your ability to protect current systems and detect attacks but shaky when it comes to response and recovery testing? Use the NIST framework to develop training and incident response strategies.
Deploy Effective Technology — Not all companies have the benefit of full-time CIOs or large IT departments. The result? Implementing NIST strategies depends on effective technology solutions — such as managed security offerings — to ensure framework goals are attainable.
Measure Outcomes — Security isn’t fire-and-forget. Just as the NIST framework is regularly evaluated and updated in response to real-world changes, organizations must measure the efficacy of their security solutions. Consider: If your stated goal is improved incident detection, you need a solution capable of monitoring and reporting IT incidents on demand.
Streamlining NIST Adoption
Adopting the NIST cybersecurity framework can help organizations reduce total risk and improve their ability to respond to and remediate new threats. But the scope and depth of NIST’s framework can be daunting, especially for companies juggling multiple IT demands — cloud adoption, remote working, and granular access permissions, to name a few — in addition to cybersecurity.
The ArmorPoint managed SIEM solution can help simplify both cybersecurity and NIST compliance with security that extends beyond basic automation. By combining network visibility, event correlation and threat intelligence, ArmorPoint delivers full-stack detection and response and proactive expert-level protection to empower NIST framework adoption.
Ready to conquer cybersecurity risk and take back control of your IT environment? Make sure you’re protected. Armor up.
ArmorPoint is a security information and event management solution that provides a cost-effective and reliable way to continually protect your business from emerging threats. Through its customizable service pricing model, ArmorPoint’s cost-effective packages and dynamic levels of expert management support the security strategies of all companies, regardless of available budget, talent, or time. And since ArmorPoint offers 24/7 security support with a team of dedicated specialists, they can provide you with the manpower you need to expertly manage all of your cybersecurity initiatives. See how ArmorPoint can make a difference in your security posture with a risk-free 30-day trial.