The National Institute of Standards and Technology (NIST) has a number of guidelines and best practices for cybersecurity concerns across industries; one of their most well-known guides is their Cybersecurity Framework, originally created in February 2014, with a major revision underway as of January 2017. This Framework was penned specifically for critical infrastructure organizations “to better manage and reduce cybersecurity risk,” and it outlines key cybersecurity concepts and processes needed to:
Though NIST created its Cybersecurity Framework primarily for critical infrastructure organizations, its guidance is designed to be universal and applicable to almost any industry. Indeed, NIST advises against viewing its Framework as a one-size-fits all approach and emphasizes that organizations should implement and adapt measures to fit any organization’s unique configurations and challenges.
Organizations are encouraged to use the NIST Cybersecurity Framework as a practical exercise to determine what processes and controls are most relevant to their enterprise’s unique challenges, and how best to implement and test the efficacy of the security measures put in place at every stage of the security lifecycle. It is not a small task by any means, so to help make this process more manageable, NIST classifies its guidance into five Functions—categories that contain key concepts and activities at all stages of the security lifecycle: Identify, Protect, Detect, Respond, and Recover.
To use the Framework, an organization should go through each of the five Functions systematically, identify where their business needs and current infrastructure align with the Functions’ categories, and create their “Current Profile.” From there, the organization should then identify their aspirational state, or “Target Profile.” For example, an organization’s Current Profile might identify that they currently do not have a complete inventory of all physical devices and systems within all of their office locations. In this case, the Target Profile would ideally include a complete physical asset and systems inventory.
NIST Cybersecurity Framework also helps organizations characterize their overall risk management state in a variety of situations, which they call their Framework Implementation Tiers. These Tiers are not meant to be punitive or suggest security maturity, but to help understand if they are managing an acceptable amount of risk in any number of scenarios given their unique characteristics.
With knowledge of an organization’s Current Profile, Target Profile, and Implementation Tier levels, organizations can begin to understand the gap between their current and improved states, identify opportunities to improve their security programs, and quantifiably measure their progress as they work to bridge the gap between their current and improved states in an actionable and prioritized manner.
What does the NIST Cybersecurity Framework recommend for critical infrastructure organizations?
We can best understand NIST’s recommendations for critical infrastructure by taking a closer look at each of the five Cybersecurity Functions and the categories within them. As you can see below, the key concepts are presented at a high level in relatively non-technical language so they may be more easily communicated to multifunctional stakeholder teams.
Identify: Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy
The Identify function gives you the lay of the land from both a technical and organizational point of view, so you can gain visibility into all the infrastructural data, assets, systems, and people that need to be protected from risk and prioritized accordingly. It also takes into account the kind of business your organization is running, which will determine a number of different prioritizations unique to you, as well as the industry-specific regulations that your organization may need to comply with.
Protect: Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, Protective Technology
Once you’ve determined who and what needs protecting in the Identify function, the Protect function is where you define the proactive concrete actions, tools, and processes in place to secure that protection. This includes security functions put in place that dedicated security and IT personnel are responsible for, as well as larger training and governance procedures that may apply more broadly and cross-functionally across all personnel in your organization.
Detect: Anomalies and Events, Security Continuous Monitoring, Detection Processes
The Detect function ensures that organizations following the Framework have systems in place to actively and continuously monitor for potential security events and intrusions, and that they have processes to allow these events to be quickly flagged and investigated.
Respond: Response Planning, Communications, Analysis, Mitigation, Improvements
Should a security event occur, the Respond function defines the processes to mitigate the threat and its impact, execute a comprehensive internal and external communications plan to all stakeholders, and also to learn from the breach and improve systems accordingly so that similar attacks might be prevented in the future.
Recover: Recovery Planning, Improvements, Communications
The Recover Function is a continuation of a number of steps already begun in the Respond function, though Recover takes place once the imminent threat has been dealt with so normal business can be restored. Communications and improvements continue in earnest, including postmortem reviews of all processes, so the organization can gather key learnings and communicate them to stakeholders.
How Bradford Networks helps you achieve NIST best practices for your organization & secure your network
Network Sentry delivers enterprise network security by enabling better visibility, control, and response to critical infrastructure organizations looking to model all Functions of the NIST Cybersecurity Framework.
Identify: Network Sentry is truly foundational for the NIST Cybersecurity Identify function, giving visibility into all devices on the network, allowing organizations to inventory endpoints, control user and device access, and mitigate overall risk. Network Sentry also aids in NIST compliance with visibility controls by seamlessly populating any Configuration Management Database (CMDB) with up-to-date information on all endpoints and devices on your network.
Protect and Detect: Once you understand what you have, you can better control what happens to it—Network Sentry allows enterprises to control network access for every asset connected to their networks, regardless of the device, user, or location. It provides both pre-connect security to ensure the device is authorized and meets minimum network security standards, as well as continuous post-connect monitoring to ensure a device does not fall out of compliance. Should a device connect to the network that isn’t compliant—or should a device fall out of compliance, or become compromised—Network Sentry quickly and automatically works to isolate that device or endpoint.
Organizations working to model NIST’s Protect and Detect Framework Functions can keep business functions running smoothly while protecting key assets and flagging any potential events before they become full-fledged security issues. Network segmentation via Network Sentry also helps protect PII and intellectual property should an attacker infiltrate the network, minimizing their chances of pivoting and raiding key data stores. It also can also stop an employee trying to access unauthorized data purposely or inadvertently, stopping the attack in its tracks if they’re acting maliciously, or if their endpoint has been infected with malware.
Respond and Recover: Should an alert sound, fast action is key—Network Sentry has automated threat response capabilities for comprehensive security automation and orchestration. Cutting through the noise and effectively triaging the alerts that matter enables quick, effective responses to potential threats—mitigating or containing them if needed—in real time.
To learn more about how Bradford Networks solutions work within the NIST Cybersecurity Framework to enable faster, more effective responses to threats, read our whitepaper on Reducing the Critical Time from Incident Detection to Containment.
For more information on NIST, download our Network Sentry and NIST use case.
*We value your privacy and use a variety of security measures to protect your personal information.
Our email is permission-based and we will only send you relevant information.