With Other Cybersecurity Frameworks, CSF Can Help Enhance Organizational Cybersecurity Posture
As a security architect, I want more people to notice that NIST's CSF can be a valuable tool for organizations to improve their security maturity. Hopefully, looking to lower organizational risk and shield critical infrastructure.
Recently, the National Institute of Standards and Technology (NIST) has requested that interested parties provide comments on how to improve Cybersecurity Framework (CSF). But before NIST publish the comments and updates on CSF, in this article, I will take further steps to align CSF objectives to make this easier to understand.
One example is to map with actual threats by leveraging MITRE's ATT&CK Evaluations, which emulate MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) against security products.The second application is to help you start the adoption of Zero Trust Architecture (ZTA) with the CSF and other practical frameworks.What is CSF?
The NIST Cybersecurity Framework is a set of best practices organizations can use to secure their data. Built by the National Institute of Standards and Technology, the Framework was designed to make cost-effective security possible for organizations of any size.
The CSF came out with the cybersecurity executive order (EO13636) from 2013 by President Obama. It directed NIST to work with stakeholders to develop a voluntary framework for reducing risk to critical infrastructure. It does this by focusing on three key areas:
- information sharing,
- privacy, and;
- the adoption of cybersecurity practices.
The latest version of the CSF is version 1.1, updated in April 2018. And for 2022, CSF would have a planned update to keep its current and ensure that it is aligned with other tools. In addition, to promote further adoption of the CSF, NIST has published guidance including:
- NISTIR 8170 — Approaches for Federal Agencies to Use the Cybersecurity Framework, and
- NISTIR 8286 — Integrating Cybersecurity and Enterprise Risk Management (ERM).Three Components of the CSF
At its basis, the CSF has three components: the Core, Implementation Tiers, and Profiles.
- The Core is a set of preferred cybersecurity exercises and results. It guides organizations in managing and reducing their cybersecurity risks in a way that complements an organization's existing cybersecurity and risk management processes.
- Implementation Tiers are used by adopting organizations to give context regarding how organizations view cybersecurity risk management. The Tiers guide organizations to consider the appropriate level of rigor for their cybersecurity program and are often used as a communication tool to discuss risk appetite, mission priority, and budget.
- Framework Profiles help provide customized alignment with organization requirements and objectives to achieve outcomes and reduce organizational and even industry-wide risk. Profiles are primarily used to identify and prioritize opportunities for improving cybersecurity at an organization.
Within these three components are additional categories and subcategories within functions that link to outcomes for a cybersecurity program. NIST has already produced several example framework profiles for manufacturing, elections, and the smart grid.
Five Functions of the CSF
One of the most recognizable aspects of CSF is the functions it breaks down activities into — Identify, Protect, Detect, Respond and Recover. Below are the five functions and the roles they play in supporting cybersecurity.
Identify
The first function, Identify, focuses on assessing and identifying risk in your business and IT infrastructure, which requires a thorough check of your current security practices. The following actions fall under Identify:
- Asset Management
- Business Environment
- Governance
- Risk Assessment
- Risk Management Strategy
- Supply Chain Risk Management (Critical due to recent incidents such as Kaseya, Log4Shell, and Colonial Pipeline)
Protect
This function focuses on cybersecurity controls that can help you maintain "CIA" — Confidentiality, Integrity, and Availability. The implementation of the security controls we saw every day under this function.
Identity Management and Access ControlAwareness and TrainingData SecurityInformation Protection Processes and ProceduresMaintenanceProtective TechnologyDetect
To minimize the number of security incidents when the previous function (Protect) failed, you need ways to detect events when they occur. The Detect function includes the following steps:
- Anomalies Detection and Events Baselining
- Continuous Security Monitoring
- Detection Processes
Respond
When a security incident occurs, time is critical. Thus, you need to respond swiftly to any sign of an incident by taking the following steps:
- Response Planning (pre-work)
- Communications plan and drill (pre-work)
- Analysis and Investigation
- Impact Mitigation
- Improvements (post-work)
Recover
Finally, the last steps you take in the cybersecurity framework are focused on recovering data and resuming business lost or compromised. Use these steps to ensure a smooth recovery:
- Recovery Planning
- Improvements
- Communications
Why is the CSF So Widely Recognized?
Because it is both practical and logical, the CSF aligns with the activities and lifecycle of cybersecurity and risk management within an organization's security program. These functions are also applicable to organizations across many industries and verticals, making CSF dynamic and adaptable.
Since CSF is built on top of existing standards, guidelines, and practices, it includes activities shared among other industry-leading guidance such as CIS Critical Controls, which is evident through activities such as "identify critical enterprise processes and assets."
The CSF also has "Informative References" that align under each function and point to existing framework security controls and references to better leverage existing standards, guidelines, and practices.
When the CSF Meet MITRE ATT&CK
One great way to align the CSF objectives to real cyber threats is by leveraging MITRE's ATT&CK Evaluations, which emulate adversarial tactics and techniques against leading cybersecurity products.
The information is then made available to industry end-users to see how products are performed and align with organizational security objectives. Another excellent resource from MITRE is the Center for Threat-Informed Defense mapping MITRE ATT&CK and NIST 800–53.
By using these mappings, organizations could cross-reference the mapping from the Center to the Informational References in the CSF, tied to specific functions and categories.
When the CSF Meet Zero Trust
In May 2021, the US government issued another EO on improving the nation's cybersecurity. A significant aspect of the EO was the push for agencies to adopt zero trust (mentioned 11 times here). So again, organizations can see substantial synergies between CSF and the EO objectives.
For example, when it comes to Zero Trust, the NIST National Cybersecurity Center of Excellence (NCCoE) has guided that maps relevant Zero Trust components to CSF functions, categories, and subcategories (i.e., NIST SP800–27). These are core Zero Trust components, such as policy engines, administrators, enforcement points.
Another helpful resource is the whitepaper from NIST — Planning for a Zero Trust Architecture, which describes how to leverage CSF and the NIST Risk Management Framework (RMF) (SP800–37) in the journey of migrating to a Zero Trust Architecture.
Federal agencies and organizations can leverage the CSF to map security program objectives across the five CSF functions, categories, and subcategories. With that in mind, which includes mapping tools and aspects of the technology stack to CSF criteria.
Final Words — CSF is Flexible
We can use self-assessment and measurement through the CSF to improve decision-making about investment priorities regarding actual threats. A limited set of resources and funding is a reality for all security leaders, regardless of industry. Identifying gaps in the security program and driving investments to the areas that present the most significant risk can provide massive benefits.
This is why CSF is essential for security leaders to ensure that security controls and activities are tied to organizational outcomes and business objectives. Doing so ensures alignment with business leadership supports buy-in for security initiatives.
NIST's CSF is a flexible framework for managing organizational risk and security program maturity. Its use cases include managing cyber requirements, reporting cybersecurity risks, and integrating and aligning cyber and acquisition processes. All these use cases apply to meeting the slew of tasks and objectives that came out in the 2021 cybersecurity EO.
Although the Cybersecurity Framework is not a "one-size-fits-all" approach to managing cybersecurity risk for organizations, it is ultimately aimed at reducing and better managing these risks. Therefore, this guide is intended for any organization regardless of sector or size.
Organizations will vary in how they customize security practices described in the CSF. However, organizations can determine important activities to critical service delivery and prioritize investments to maximize impact. This Quick Start Guide intends to provide direction and guidance to those organizations — in any sector or community — seeking to improve cybersecurity risk management via the utilization of the NIST Cybersecurity Framework.
----
Thank you for reading. May InfoSec be with you🖖.