Getting to Grips with NIST, Time to Focus on Discovery, Prevention and Response of Cyber Threats

Cyber Security Framework

The National Institute of Standards & Technology’s (NIST) cybersecurity framework is seen by many as a global gold standard when it comes to keeping businesses safe from cyber threats.

In many ways it’s the cyber security ‘bible’, so while it contains a huge amount of useful information, it’s all too easy to get lost in the detail…

To help you use the NIST framework more effectively, we are going to specifically look at the discovery of threats, how to prevent a breach, and how to respond to a cyber security incident.

No one wants to be breached, but speed is of the essence if you are…

The timely discovery of a cyber breach is critical to any organisation. The ‘identify’ and ‘detect’ elements of the NIST framework advise organisations to develop and implement effective ways to detect the occurrence of a successful cyber security breach. This can take many forms, but some of the key tools in an organisation’s arsenal include behaviour anomaly detection and the continual monitoring of systems.

However, scanning for breaches and anomalous behaviour, and continually checking that data hasn’t been infected by a virus, is time-consuming work – especially if conducted manually by internal staff. Automating this process can go a long way towards lightening the load on security teams.

Powered by the latest AI and machine learning capabilities, a Security Information & Event Management (SIEM) platform can help automate many of your cyber security processes. This frees up cyber security teams to investigate potentially more serious breaches that can’t be dealt with automatically. If you do fall victim to a cyberattack, knowing about it quickly is essential and can go a long way towards helping you minimise the damage.
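To make “behaviour anomaly detection” concrete, here is an added example that is not part of the original article or any Daisy product: a small detector that builds a per-user baseline from a period of authentication logs assumed to be clean, then flags three patterns in a later window, namely a successful login from a source address never seen for that user, a successful login at an hour that user never logs in at, and a burst of failed logins from one address. The log format, the hostnames and addresses, and the thresholds are all constructed for the example; a SIEM would apply the same idea to real data at scale.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): a baseline period of normal
# activity, then a detection window containing suspicious behaviour.
BASELINE_LOGS = [
    "2024-05-01T09:02:11Z host1 sshd: Accepted publickey for alice from 10.0.0.5",
    "2024-05-01T09:15:40Z host1 sshd: Accepted publickey for bob from 10.0.0.9",
    "2024-05-02T08:58:03Z host1 sshd: Accepted publickey for alice from 10.0.0.5",
    "2024-05-02T10:30:22Z host1 sshd: Accepted publickey for bob from 10.0.0.9",
    "2024-05-03T09:10:55Z host1 sshd: Accepted publickey for alice from 10.0.0.6",
]
DETECTION_LOGS = [
    "2024-05-06T09:05:01Z host1 sshd: Accepted publickey for alice from 10.0.0.5",
    "2024-05-06T03:12:44Z host1 sshd: Accepted password for bob from 198.51.100.23",
    "2024-05-06T14:00:01Z host1 sshd: Failed password for alice from 203.0.113.7",
    "2024-05-06T14:00:03Z host1 sshd: Failed password for alice from 203.0.113.7",
    "2024-05-06T14:00:05Z host1 sshd: Failed password for alice from 203.0.113.7",
    "2024-05-06T14:00:08Z host1 sshd: Failed password for alice from 203.0.113.7",
    "2024-05-06T14:00:10Z host1 sshd: Failed password for alice from 203.0.113.7",
    "2024-05-06T14:00:12Z host1 sshd: Failed password for alice from 203.0.113.7",
]

# Assumed (constructed) line layout: "<timestamp> <host> sshd: <Accepted|Failed> <method> for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Accepted|Failed) \S+ "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def build_baseline(lines):
    """Per-user profile from a period assumed to be clean: the source addresses
    and the hours of day at which each user normally logs in successfully."""
    baseline = defaultdict(lambda: {"sources": set(), "hours": set()})
    for line in lines:
        ev = parse_line(line)
        if ev and ev["outcome"] == "Accepted":
            baseline[ev["user"]]["sources"].add(ev["src"])
            baseline[ev["user"]]["hours"].add(ev["ts"].hour)
    return baseline


def detect_anomalies(lines, baseline, fail_threshold=5, window=timedelta(seconds=60)):
    """Return a list of (alert_type, user, detail) tuples for the detection window."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        profile = baseline.get(ev["user"])  # .get() does not create a profile for unknown users
        if ev["outcome"] == "Accepted" and profile:
            if ev["src"] not in profile["sources"]:
                alerts.append(("new_source", ev["user"], ev["src"]))
            if ev["ts"].hour not in profile["hours"]:
                alerts.append(("unusual_hour", ev["user"], ev["ts"].hour))
        elif ev["outcome"] == "Failed":
            key = (ev["user"], ev["src"])
            # Keep only failures inside the sliding window, then add this one.
            recent = [t for t in failures[key] if ev["ts"] - t <= window] + [ev["ts"]]
            failures[key] = recent
            if len(recent) == fail_threshold:  # fire once, when the threshold is crossed
                alerts.append(("failed_burst", ev["user"], ev["src"]))
    return alerts


def run_example():
    """Build the baseline from the clean period and scan the detection window."""
    return detect_anomalies(DETECTION_LOGS, build_baseline(BASELINE_LOGS))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The baseline period matters as much as the rules: if the “clean” window already contains attacker activity, the attacker’s source address becomes part of the profile and the detector stays silent, which is why baselines are usually built from a reviewed window and re-checked rather than learned once and trusted forever.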

Avoiding an attack in the first place

Not being breached in the first place should always be the aim. This is where the ‘protect’ element of the NIST framework comes in. At its core, protection is about developing and implementing appropriate safeguards to ensure that critical business infrastructure is protected and service delivery is maintained.

When it comes to prevention, three core areas are worth considering: network, cloud and endpoint. The network perimeter is changing and becoming ever more virtual, but that doesn’t mean it’s not important to protect it with firewall, SD-WAN and DDoS protection technologies. Whether you use public, private or hybrid cloud, the lines of security responsibility can be blurred, making understanding and enforcement of policy critical to good cyber hygiene. And finally, the endpoint (or user) is the most common breach vector, so ensuring our users are safe whilst browsing the web, opening emails and downloading files cannot be overlooked as a key step in preventing cyber breaches.

Whilst prevention primarily covers having the right technologies on your side to limit or contain a successful attack, processes and people are important too; according to a report created by the UK government, 48% of businesses have a basic cybersecurity skills gap. Consider outside help in the form of co-managed or fully managed services, or even virtual Security Manager/CISO roles to act as an extension to your IT team.

Great technical defences can also be strengthened with user education. The NIST framework outlines the need for comprehensive awareness and training of all team members. After all, it’s one thing to have systems in place to stop a hacker who is already inside from reaching sensitive information, but quite another if the hacker can’t get in at all because staff didn’t fall victim to phishing e-mails in the first place.

Where do we go from here? A robust response

A data breach doesn’t define your cyber security team, but how they respond to it does. The ‘respond’ and ‘recover’ elements of the NIST framework include response planning, mitigation and recovery activities to ensure that the cyber security programme is in a state of continuous improvement. Organisations should start with an incident response plan. This means looking at what solutions you have in place and what legal or regulatory requirements need to be taken into account when reacting to a breach (for instance, ensuring you inform regulators in a timely manner). Much like a choreographed fire drill helps to keep everyone calm and moving to the nearest exit in an orderly manner, a response plan will ensure you don’t leave systems open to further attack and will reduce the damage caused by the attack.

Another aspect to keep in mind is whether you have a backup and a way to restore data if it is compromised. Ever-present ransomware attacks pose a huge danger to ‘business as usual’, as they can take systems down for days or even weeks and disrupt global operations. As such, being able to restore systems quickly can minimise the business impact. If the worst does happen, keeping your business running and your customers happy is essential.

Cyber security and operational resilience

This is where your cyber security planning crosses over into other areas of organisational resilience – namely business continuity and ICT continuity (or IT disaster recovery). If a cyber attack has caused a significant IT outage (for example, by corrupting or encrypting data), it’s important that you have the option to recover effectively to the last “clean” backup (your ICT continuity), and that your IT staff have documented, well-practised procedures to recover the ICT services. It’s equally important that business continuity scenario exercises have been run to give the senior management team practice in how they would manage a cyber breach.
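Recovering to the last “clean” backup has two parts that are easy to get wrong under pressure: a backup taken after the attacker was already inside is not clean however recent it is, and a backup whose contents no longer match what was recorded when it was taken cannot be trusted either. The following is an added example, not code from the article or from Daisy, that picks a restore point from a constructed backup catalogue using both rules. The catalogue, the backup contents, the out-of-band hash manifest and the compromise timestamp are all invented for the example; in practice the timestamp comes from the investigation and the manifest from your backup tooling.

```python
import hashlib
from datetime import datetime, timedelta


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed backup catalogue (not real data). "data" stands in for the
# backup's contents; in reality it would be the archive on the backup share.
BACKUPS = [
    {"name": "full-2024-05-03", "taken_at": datetime(2024, 5, 3, 1, 0), "data": b"crm-db v1"},
    {"name": "full-2024-05-04", "taken_at": datetime(2024, 5, 4, 1, 0), "data": b"crm-db v2"},
    {"name": "full-2024-05-05", "taken_at": datetime(2024, 5, 5, 1, 0), "data": b"crm-db v3"},
    {"name": "full-2024-05-06", "taken_at": datetime(2024, 5, 6, 1, 0), "data": b"crm-db v4 ENCRYPTED"},
]

# Manifest of hashes recorded when each backup was taken, stored separately
# from the backup media so that tampering with the media is detectable.
MANIFEST = {b["name"]: sha256(b["data"]) for b in BACKUPS}

# Simulated failure mode: the 05-05 copy on the backup share was altered after
# the manifest was written (constructed for the example).
BACKUPS[2]["data"] = b"crm-db v3 (modified)"

# Earliest evidence of compromise from the investigation (constructed value).
EARLIEST_COMPROMISE = datetime(2024, 5, 5, 14, 0)


def select_restore_point(backups, manifest, earliest_compromise, dwell_margin=timedelta(0)):
    """Return (chosen_name, rejected) where chosen_name is the most recent backup that
    was taken before the earliest evidence of compromise minus a safety margin AND
    still matches its manifest hash; rejected lists every skipped backup with the reason.
    chosen_name is None if no backup qualifies."""
    cutoff = earliest_compromise - dwell_margin
    rejected = []
    for b in sorted(backups, key=lambda b: b["taken_at"], reverse=True):
        if b["taken_at"] >= cutoff:
            rejected.append((b["name"], "taken after compromise cutoff"))
            continue
        if sha256(b["data"]) != manifest.get(b["name"]):
            rejected.append((b["name"], "integrity check failed"))
            continue
        return b["name"], rejected
    return None, rejected


def run_example():
    """Choose a restore point with no extra margin before the first indicator."""
    return select_restore_point(BACKUPS, MANIFEST, EARLIEST_COMPROMISE)


if __name__ == "__main__":
    chosen, rejected = run_example()
    print("restore from:", chosen)
    for name, reason in rejected:
        print("skipped", name, "-", reason)
```

The `dwell_margin` parameter exists because the first indicator you find is rarely the first moment of compromise; widening the margin trades a little more data loss for more confidence that the restored system does not bring the attacker back with it. Whatever margin you choose, the decision should be part of the rehearsed ICT continuity procedure rather than worked out during the incident.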

It’s important that your cyber response plan links to the business continuity plan and ICT continuity plan to ensure that they will be triggered at the optimal time, and to ensure that the different owners of these plans understand how they fit together.

As part of your response plan, you should also think about what the organisation needs to do after you’ve ensured that business-as-usual operations can continue. The NIST framework outlines that organisations should ensure the swift communication of breaches to all relevant parties, and GDPR legislation backs this up with significant fines for failing to do so. This doesn’t just mean regulators, but also potentially your suppliers and customers. Once this has been done, it’s also important to take time to look back at what your response planning can learn from the breach. By conducting a full investigation, you can learn how cybercriminals breached systems and what can be improved to mitigate future attacks (including updated response plans).

You’re not in this alone

The NIST framework can be intimidating to put into practice, but it can significantly strengthen your security posture and protect you against cybercrime. Whether it’s providing a complete suite of cyber security solutions that deliver end-to-end protection, including backup and recovery, or filling in the gaps of your current systems, Daisy has your back.