The NIST Cyber Security Framework (NIST CSF) is the result of a February 2013 Executive Order titled “Improving Critical Infrastructure Cybersecurity” and 10 months of collaborative discussions with more than 3,000 security professionals. It comprises a risk-based compilation of guidelines that can help organizations identify, implement, and improve cybersecurity practices, and creates a common language for internal and external communication of cybersecurity issues. The Framework is designed to evolve in sync with changes in cybersecurity threats, processes, and technologies.

Despite being developed for ‘Critical Infrastructure’, the Framework provides an assessment mechanism that enables organizations to determine their current cybersecurity capabilities, set individual goals for a target state, and establish a plan for improving and maintaining cybersecurity programs.

The framework establishes the five core functions of effective cybersecurity as Identify, Protect, Detect, Respond, and Recover. This post is Part 3, focusing on “Detect”.  Let’s start with what we need to detect. The first NIST category specifies “anomalies and events”. Before we can detect an anomaly, what must we know? We need to know what normal looks like on our network. So do we have baselines of what normal is for us?

Let’s give an example. On a normal day there are no connections from your network to a certain foreign country, then all of a sudden today there are thousands. Would know this is going on? Is there an alert? Is there anyone watching?  What about inside our network?  Normally Jerry in engineering doesn’t copy data up to his personal Dropbox, but today there are gigabytes of data being uploaded. How about a simpler one, a new domain administrator account was added. Do you have a means to detect these things, and someone to help validate if it is innocent (Jerry was uploading personal photos)  or a potential insider threat (Jerry is getting ready to quit and was uploading drawings and bid specs to bring to his new employer who is one of your top competitors)?

Ideally, you should be able to take log data from numerous sources (software, the physical environment, personnel, service providers) and correlate events across multiple devices and sensors to be able to see into the network activity. All these items should be being monitored to detect anomalies and investigate to see if response is needed.

The subcategories of the category ‘Detection Process’ outlines the questions you need to answer to set up your process:

  • Who is responsible to detect anomalies and events?
  • Do they know who they report detections to and what to do about them?
  • Do you have any laws and regulations that dictate what needs to be monitored for detections?
  • If not, what is the management dictating that should be monitored?
  • Do you test your detection?
  • Are you constantly improving detection?

If you can satisfy all of the NIST CSF subcategories for Detect with a high level of maturity, after we have identified and protected, we are ready to move on to how we respond to the detections. Our next blog in this series will cover that very important function of the NIST CSF.