The National Institute of Standards and Technology created the Cybersecurity Framework (NIST CSF) four years ago under the Obama administration. Recently, the framework received added attention when President Donald Trump signed a cybersecurity executive order in May 2017, mandating that government agencies leverage the framework to support data protection and manage risks.
Jun 21, 2018 - Tips for starting a new CISO or Security Leadership gig, broken down. You have be careful not to overstep your role and responsibility on the. Structuring the Chief Information Security Officer (CISO) Organization Structuring the Chief Information Security Officer (CISO) Organization. (NIST) Special Publication. Detailed in our blog post and technical note as a guideline for structuring a CISO organization and for allocating roles and responsibilities to its various.
As TechRepublic pointed out, however, the NIST CSF isn’t just applicable for government agencies – chief information security officers in organizations across every industry sector can put this framework and its categories to good use within their own organizations.
NIST CSF: A primer
NIST authored the framework in 2014 after President Obama’s Improving Critical Infrastructure Cybersecurity Executive Order. The framework includes its core, encompassing five basic functions that help create a more robust approach to cybersecurity and protecting essential infrastructure systems.
Each function includes categories and subcategories, which lay out the individual tasks and processes that should fall under each specific function. In this way, the framework offers a comprehensive roadmap for pinpointing risks, guarding against threats, responding to security incidents and recovering from any potential incidents.
In addition, the framework also includes implementation tiers tailored to outline different levels of NIST CSF deployment maturity. Overall, the CSF will only become a more important and prevalent resource in the cybersecurity industry, and it provides best practices for closing gaps in organizational security.
Within this series, we’ll take a closer look at each of the functions of the NIST framework and provide tips and optimal processes for CISOs to follow as they implement and improve their cybersecurity using this roadmap.
Identify: A definition
According to the NIST Framework document, the Identify function is the first of five functions, and it calls for organizations to develop a better understanding of how to manage risks associated with the systems, data and capabilities that are included in their critical infrastructure. The Identify function represents the foundation for the NIST CSF.
“Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs,” NIST stated.
In this way, the Identify function revolves around pinpointing all of the systems and platforms included in the company’s infrastructure. This helps combat shadow IT and ensures that no important IT assets fall under the radar of protective efforts.
Identify also encompasses recognizing the potential risks that could impact the systems the business uses to support its daily operations and critical corporate activities. As NIST noted, this allows the CISO to better prioritize the enterprise’s cybersecurity efforts according to the IT systems they use and the specific threats that could potentially impact these assets.
Categories and tasks under Identify
As noted, the NIST CSF also includes categories under each function that describe the types of processes and tasks companies should take part in during each level of the framework. The Identify function includes five key categories:
Asset management: First, the CISO and security stakeholders must pinpoint the systems, devices, users, data and facilities that support key, daily business processes, and these items are then managed according to their critical importance.
Business environment: This category covers the prioritization of the company’s mission, goals, stakeholders and processes, which is then leveraged to inform the creation of roles, responsibilities and key security decision-makers.
Governance: Here, the CISO and security stakeholders seek to glean a full understanding of the enterprise’s policies and procedures for managing and monitoring regulatory, legal, risk, environmental and operational requirements, according to the NIST framework.
Risk assessment: This category calls for CISOs and their security stakeholders to ensure a full understanding of the cybersecurity risks that could impact the business, its users and the critical IT systems and platforms they use to complete daily operations.
Risk management strategy: The final category within the Identify function relates to establishing the company’s priorities, challenges, risk tolerances and assumptions, and then using these to enable the best operational risk decisions on the part of CISOs and their security stakeholders.
Identify in the real world: Eternal Blue
A recent real-world example that demonstrates the importance of the Identify function comes in the form of the EternalBlue exploit. EternalBlue hit center stage last May as it became the common denominator in the global ransoware attacks in 2017 from WannaCry, Petya and NotPetya to cryptocurrency mining campaigns. In WannaCry alone, over 300,000 computers in over 200 countries were effected.
EternalBlue is a vulnerability in Windows SMB 1.0 (SMBv1) servers that, if successfully exploited, can allow attackers to execute arbitrary code in the targeted systems creating a wormlike capability. This and other exploits were released by the hacking group Shadow Brokers.
As WIRED noted, users were first widely made aware of the EternalBlue flaw in March of 2017. Despite a patch being issued by Microsoft ahead of these more large-scale attacks, many organizations did not carry out their due diligence when it came to EternalBlue, and therefore fell victim to the attack. In fact, Microsoft identified this as such a severe threat, that the tech giant even released a critical update for its Windows XP systems, despite ending support for the platform in 2014.
“Risk based vulnerability management is critical to organizations today. The speed at which disclosed vulnerabilities are weaponized requires CISOs to deploy timely and targeted patches.” Ed Cabrera, Chief Cybersecurity Officer at Trend Micro.
Through the lense of the NIST Framework Identify function, the EternalBlue exploit underscores the criticality of asset management, risk assessments and risk management. CISOs and their teams must identify the critical data and systems that are essential to business operations, as well as the threats against them. Then they must continuously monitor their corresponding critical applications and operating systems for known vulnerabilities but more so prioritize their patch cycle on vulnerabilities being exploited in the wild. Microsoft platforms like those impacted by EternalBlue should have been identified as critical, and patched immediately upon identification of the EternalBlue threat.
What CISOs should know about the Identify function
It’s also imperative to understand the NIST CSF is an ongoing process. The framework itself is continually growing and evolving based on emerging technologies and threats. In this way, CISOs and security stakeholders should know that the tasks and procedures outlined in each function should and will take place on a regular basis within the organization to ensure full protection. As the threat environment develops, so too must enterprise security practices.It’s important that company security stakeholders understand that the Identify function helps provide the foundation for the other four functions within the framework. Taking the time to identify critical systems within the infrastructure, the risks that could impact these and the roles and responsibilities of internal staff and external partners will help streamline efforts that come as part of the Protect, Detect, Respond and Recover functions.
Overall, elements including visibility, division of roles and responsibilities and knowledge of potential threats are crucial for the Identify function.
Identify is just the first piece in the puzzle when it comes to the NIST Cybersecurity Framework. Tune in for the next part of our series, where we’ll cover the Protect function and the categories and tasks related to this key process. And to learn more about the type of Connected Threat Defense that can help keep your organization on the cutting edge of security, reach out to our Trend Micro protection experts today.
Click here to read Part 2.
Related posts:
A proactive threat defense is an absolute must in the current cybersecurity landscape. Chief information security officers should put measures in place that can identify suspicious activity and other anomalies in as timely a manner as possible. But when a cybersecurity event is detected, what comes next?
The National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity encompasses the five key functions organizations need to understand and implement to support a more unified data protection stance. In the previous parts of this series, we examined functions including:
Identify
Protect
Detect
Once an enterprise’s CISO and IT stakeholders have an understanding of the key systems in their infrastructure, have worked to protect the delivery of critical services and are able to pinpoint activity related to a cybersecurity event, the next step is to respond to this activity. It’s imperative that this response includes efforts to contain and mitigate the damage, but it’s important to understand that efforts shouldn’t end there.
Today, we’re closely examining the Respond function, which includes the processes CISOs and their teams should follow after threat detection.
Respond: NIST Framework definition
Through the lens of the NIST Framework, the purpose of the Respond function is to establish and put in place the necessary procedures that enable stakeholders “to take action regarding a detected cybersecurity event.” This function builds upon the efforts CISOs and their teams have taken under the Identify, Protect and Detect functions, and encompasses mitigation of the detected threat, as well as other critical steps.
While each part of the framework is critically important, the processes and activities carried out as part of the Respond function can very easily make or break the outcome of a cybersecurity event. Timely detection of the threat is incredibly helpful, but making quick efforts to analyze the issue, contain the damage and carry out response plans can mean the difference between a large scale breach, or unsuccessful intrusion on the part of hackers.
Respond categories
To respond to a threat appropriately, there are a few key processes to plan and put in place ahead of time. In this way, the CISO can effectively direct efforts and security teams understand their roles and responsibilities in responding to anomalous network activity while safeguarding the business’s most crucial informational assets and supporting systems.
Categories included in the Respond function are:
Response planning: Upon the threat being recognized as part of the Detect function, the Respond function begins with the execution of previously created response procedures. These response plans must be carried out in a timely fashion, either while the cybersecurity event is still taking place, or after, depending upon the timeliness of threat detection.
Communications: This category will lean heavily upon the CISO and his or her team. Here, internal and external stakeholders – typically lead by the CISO and IT admins – coordinate response activities, and may reach out to law enforcement for support, if needed. During this process, individuals follow response plans and understand their roles therein, the initial threat event and any other associated events are reported on, and this data is shared with stakeholders to ensure coordinated consistency according to response plans. In addition, details about the event can be voluntarily shared with key stakeholders outside the company.
Analysis: During this process, CISOs and their teams examine and investigate detection system notifications to analyze the impact of the event, as well as the adequacy of the enterprise’s response. This is also when forensics are performed.
Mitigation: This critical step includes processes to contain the incident, prevent it from spreading and mitigate the potential damage of the threat. In addition, any new vulnerabilities not identified in the past are documented and included as part of the company’s overall understanding of risks.
Improvements: Finally, CISOs and other stakeholders examine the lessons learned from responding to the threat, and work to incorporate these findings into future response strategies.
Similar to the Detect function, timeliness is critical during an organization’s response. Any delay in carrying out response plans and mitigation can create additional opportunities for malicious actors to expand the reach of the threat, and potentially make off with stolen data or interrupt key services. In this way, CISOs must ensure their teams fully understand their roles and responsibilities as part of response plans, and can carry these out in an expert and streamlined manner.
Responding to today’s threat environment: Targeted attacks
Let’s take a look at a real-world threat that underscores the importance of a quick and decisive response. In the current threat landscape, targeted attacks that hone in on a specific victim or industry are becoming increasingly common.
As Trend Micro researchers explained, these cybersecurity incidents can be motivated by an array of different factors, but one of the most powerful and popular goals among hackers is information theft. Malicious actors will focus their efforts against a certain business or group in order to make off with highly sensitive and highly valuable data assets, which can range from company intellectual property to customer data and beyond. Once the target organization is breached, hackers move laterally to support data collection and then exfiltrate the data, which can then be used for further malicious activity like fraud, or sold on underground marketplaces. Overall, 25 percent of all data breaches over the last decade were targeted attacks motivated by information theft.
Targeted attacks could also be driven by espionage, such as when hackers attack and breach the systems of government organizations, activist or political groups. A prime example of this includes hacking group Pawn Storm (APT28, Fancy Bear), which attacked the systems of victims associated with government, security research and political organizations.
Whatever the goal, the potential damage of a targeted attack can be considerably severe, and can include:
Data or intellectual property loss
Disruption of key business operations
Loss of customer data
Reputation and monetary impacts, encompassing loss of customer trust and legal fees
Mitigating damage with robust response
Particularly when an organization is targeted by an attack, it’s imperative that CISOs are able to expertly direct response efforts in a way that can help prevent the damages described above. Targeted attacks are typically carried out by motivated hackers seeking out specific results, but by following through with strong response plans and containing the damage, CISOs and their stakeholders can effectively reduce the level of impact their company incurs.
“It is imperative that an incident response plan as well as an overarching crisis management plan be developed, deployed and tested regularly prior to a cyber attack,” said Ed Cabrera, Trend Micro Chief Cybersecurity Officer. “After all, the cybercriminals attacking your business have thoroughly prepared their attack. Organizations need to respond with the same level of focus, expertise and diligence.”
The NIST Cybersecurity Framework includes one final function: Recover. After CISOs apply the lessons learned as part of their response efforts and work to improve future procedures, it’s essential that they help the company adequately recover from the attack.