In honor of global CyberSecurity Awareness Month, 11:11 Systems has decided to devote an entire blog series to the NIST Cybersecurity Framework (now in version 1.1) — what it is and how it can be used to help protect your business.
As you may or may not know, the core of the framework consists of five functions: “Identify,” “Protect,” “Detect,” “Respond,” and “Recover.” Each function is equally important to a proper security posture. Hopefully you’ve already read our first three installments, including Jim’s introduction to “Identify” and Alex’s breakdown of “Protect” (complete with Greek soldiers!). Here, I’m going to tackle the “Detect” function.
The NIST Cybersecurity Framework: Detect
Originally designed for United States government and critical infrastructure entities, the structure, simplicity, and flexibility of the NIST CyberSecurity Framework makes it applicable to any business, large or small, local or international. And while the “CyberSecurity” piece of its name is certainly more SEO-friendly, we must not let it overshadow the equally-important “Framework.” The idea of a framework is critical because it does not convey a rigid, prescriptive set of tasks that must be done in the same way by every organization. Instead, it offers multiple paths or avenues for discussion and readiness assessment in order to meet your company’s business objectives.
This is why NIST goes the extra mile to flesh out its framework, breaking down each of its five functions into categories. When it comes to the “Detect” function in 2022, we’re no longer simply talking about viruses and malware. Security threats are internal and external, technological and human. Being able to discover these threats before they breach your protection or cause damage is key.
Let’s take a look at how the framework chooses to categorize the Detect function, and how your organization can utilize each to enhance its overall security.
Anomalies and Events
In any network, there are events that happen that aren’t inherently malicious. Your CEO should be logging in to their workstation or mobile device, but should that occur 100 times a minute, or across multiple countries and continents on the same day? Of course not. Activity like that needs to be surfaced as quickly as possible. But because threats can be so complex, individually monitoring systems means you will likely miss correlated security events across assets. This is where event and log aggregation will give you a centralized repository of what is going on across the workloads on your network.
However, with the amount of data that produces, it becomes impossible for even a team of security professionals to interpret directly. Enter your Security Information and Event Management System (SIEM). From a technology perspective, a SIEM can aggregate logs for every tool that generates that data, help set a baseline of expected behavior and data flow (key to the recommendations of the Category), and then use its intelligence to automate the detection and correlation of seemingly disparate events in to target event sets to focus on. Given the volume of alerts, they often need to be interpreted by humans who can triage and prioritize them properly and take action if necessary. Once again, that can occupy teams of professionals all day, depending on the size of your infrastructure.
This is where 11:11’s Managed Security Information and Event Management (SIEM), backed by our 24x7x365 Security Operations Center (SOC), can relieve the workload of your IT team. It provides the technology, people, and processes to help you detect and respond to anomalous events without burdening your staff or needing to hire or train specialized, in-demand employees to run an in-house SIEM.
Security Continuous Monitoring
We are no longer in the age of the nightly antivirus scan. Today, all assets need to be closely and continuously watched. Because all activity, especially network activity, isn’t logged, anomalous network behavior detection is also necessary. 11:11’s Managed Firewall offers that as part of its thorough network protection capabilities, which also includes intrusion detection and prevention, and is still backed by the “always on” SOC.
Add to that your mobile, desktop, server, and container workloads, and you’ve got a lot of malicious (or simply unapproved) activity to watch out for. A solution like Endpoint Detection and Response (EDR) can help, which spans multiple NIST Cybersecurity Framework Functions, covering not just Detect, but also Protect and Respond. Leveraging EDR at its heart, 11:11’s Managed Endpoint Detection and Response can reinforce your support staff with our own Security Analysts running the SOC.
Just as new vulnerabilities are discovered every day, so must you be vigilant for which ones are present in your environment. 11:11’s Continuous Risk Scanning (CRS) managed service can isolate critical issues and allow you to shore up your workloads before the malicious activity starts.
EDR and CRS on their own can’t be the sole components of Security Continuous Monitoring, as simple things like physical access and unauthorized personnel need to be taken into account to detect all possible attack vectors.
Detection Processes
Not those kind of processes! killall-HUP won’t serve you well here. This category is all about process and communication, making sure requirements are set (and met), responsibilities delegated and accountability defined, and the detection processes are tested, communicated, and assessed for improvement. Just as the malicious actors are continuously looking for vulnerabilities in your people, process, and technology, so must you if you want to be as prepared as possible when intruders try to, well, intrude (and worse).
Detectives On Call
The NIST Cybersecurity Framework can take the seemingly daunting task of providing a complete security solution for your company and simplify it into a clearly outlined set of goals to achieve in the manner and order that best fits your business outcomes. Whether you need to decide on the tools, or have an open discussion on the areas that need improvement, the framework provides the scaffolding that can help you manage your cybersecurity risk in the most complete manner possible. 11:11 Systems is here with a wide array of Managed Security Services to augment your team that touch not only on Detect, but many of the other functions.
And just like you should be continuously revisiting each of the functions and categories to adapt to a changing threat landscape, so is the NIST Cybersecurity Framework. As part of the Journey To CSF 2.0, NIST is once again taking input from a broad base of organizations, from private and public sector to academic. A 2.0 draft is forthcoming in the near future.