How to Use NIST CSF 2.0 to Identify Security Gaps: Part 3

Kevin Gee

January 21, 2025

For those just tuning in, this five-part series is all about how to use a cybersecurity framework - utilizing the updated NIST CSF 2.0 as our foundation - to help organizations identify their strengths, weaknesses and security gaps, and to provide guidance on how to address those needs. Be sure to read the previous two articles in this series, where we introduced NIST Cybersecurity Framework 2.0 and showed how security teams can use a cyber defense matrix to conduct a security assessment.

Now that we have the foundation in place and have an understanding of what NIST CSF 2.0 is and how it works, we can start to dive into the three parts of the attack chain highlighted in the first blog. Here, we’ll cover the preparation phase. 

Preparation (Pre-Threat) 

As outlined in part one, the preparation phase includes all activities, planning, and tool implementations conducted before an incident or event to reduce risks, address vulnerabilities, and mitigate attacks. It encompasses a wide range of responsibilities, including hiring, team structure, training for the security team and the broader organization, the tools implemented, and the plans and processes established to maintain a high security posture. The preparation phase is composed of the first three functions of NIST CSF 2.0 - Govern, Identify, and Protect. Each of these functions is composed of multiple categories and subcategories, as outlined in part one. They can be viewed in the NIST CSF 2.0 documentation.

Govern 

The Govern function establishes how an organization views and prioritizes the other areas of cybersecurity. It is focused on discussing, communicating and planning the security outcomes across each of the other five functions. New to CSF 2.0, defining Govern as a distinct, central function highlights the critical role it plays in a comprehensive cybersecurity strategy. Beyond oversight, the Govern function establishes the structure and policies that guide all other aspects of cybersecurity.

Establish a Governance Framework 

Before delving into specific cybersecurity measures, organizations must first establish a solid governance framework. This ensures that roles, responsibilities, and priorities are clearly defined and aligned across the organization. Start by taking these key steps: 

1. Gather leadership and form a team who will oversee the development and rollout of the cybersecurity program. 

2. This team will then assign roles from leadership on down and communicate that across the org. 

3. The team will assess risks internal to the org as well as third-party and supply chain risks, and incorporate the learnings into the plan.

4. Based on team assignments and roles, team members will formulate a cybersecurity plan. 

5. The plan is implemented and pushed out to the organization. 

6. Team members must ensure that organization employees receive proper communication, information, and training to ensure they adhere to the policies and new processes put in place by the cybersecurity plan. 

7. An oversight committee must be established to constantly review the plan and its success with the goal of constant improvement. 

Knowing that this function is primarily concerned with establishing the team and its role responsibilities, many of the questions organizations must ask themselves revolve around their internal expertise:

1. Does the organization have people with the right security expertise to form and lead a team to develop and implement a proper cybersecurity program? 

2. Does the organization have enough team members to form a cybersecurity team to implement and enforce the new program? 

3. If they do not have expertise or enough people, what is the plan to fill in those gaps? 

a. If there is not enough security expertise, is the intention to train existing employees, hire for new roles, or partner with a trusted security vendor?

b. If there are not enough employees, is the plan to hire for those roles or partner with a service provider?

With these questions in hand, organizations can better determine their plan of attack to address the requirements under the Govern function. 

Identify and Protect 

The Identify and Protect functions can be connected, since it is difficult to implement one without the other. While Identify is primarily focused on the discovery, management, and prioritization of an organization’s assets, Protect involves the tools, plans and processes put in place to help secure those assets. Organizations should not implement tools without performing the discovery steps first; otherwise they might purchase and deploy the wrong tools or miss assets that need to be protected, leaving them vulnerable. As a refresher, assets can include hardware such as endpoints, data like documents and emails, software used across the organization, and even people, such as identities and login credentials—essentially anything critical to the organization that could be targeted in a cyberattack.

Identify and Protect Your Assets 

To secure your organization effectively, it's critical to first identify and catalog your assets, followed by implementing the necessary measures to protect them. This process ensures that all critical assets are accounted for and adequately safeguarded. Follow these steps: 

1. Discover and collect an accurate count and assessment of all assets in the organization. 

2. Develop a plan to organize, maintain, and manage those assets. 

3. Procure, deploy, and maintain the necessary tools used to identify and manage the assets. 

a. Assets should be classified and prioritized accordingly based on criticality to the organization. 

4. Assess the risks posed to each asset and identify vulnerabilities.

5. Risk responses and policies are prioritized and implemented while being recorded and tracked for accountability. 

6. The process, including assets, policies, and procedures, is continuously reviewed with the aim of improving security and efficiency.

7. Security tools for protecting the various assets are researched and acquired. 

8. A security team member or group is assigned to deploy and manage those tools.

9. Security awareness training is developed and effectively communicated and pushed out to the rest of the organization. 
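The steps above come down to keeping an asset register in which every asset has an owner, a criticality class, tracked vulnerabilities and at least one protective control, and flagging whatever is missing as a gap under the CSF function it belongs to. The following is an added example, not code from the article or from Bitdefender; the asset fields, the gap rules, and the ordering of criticality classes are assumptions made for the illustration, and the inventory is constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

# Asset kinds as the article lists them: hardware, data, software, identities.
ASSET_TYPES = {"hardware", "data", "software", "identity"}
# Assumed ordering of criticality classes; unclassified assets rank 0 but are flagged.
CRITICALITY = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Asset:
    name: str
    asset_type: str
    owner: Optional[str] = None          # accountable owner (Govern)
    criticality: Optional[str] = None    # classification (Identify)
    known_vulns: int = 0                 # findings from the risk assessment (Identify)
    remediation_tracked: bool = False    # responses recorded and tracked (Identify)
    controls: list = field(default_factory=list)  # protective tools assigned (Protect)


def find_gaps(assets):
    """Return {asset name: [gap descriptions]} for every asset with at least one gap."""
    gaps = {}
    for a in assets:
        found = []
        if a.asset_type not in ASSET_TYPES:
            found.append("Identify: unknown asset type")
        if a.owner is None:
            found.append("Govern: no accountable owner")
        if a.criticality not in CRITICALITY:
            found.append("Identify: not classified by criticality")
        if a.known_vulns and not a.remediation_tracked:
            found.append(f"Identify: {a.known_vulns} known vulnerabilities not tracked for remediation")
        if not a.controls:
            found.append("Protect: no protective control assigned")
        if found:
            gaps[a.name] = found
    return gaps


def prioritize(assets):
    """Rank gapped assets: highest criticality first, then most known vulnerabilities."""
    by_name = {a.name: a for a in assets}
    return sorted(find_gaps(assets),
                  key=lambda n: (-CRITICALITY.get(by_name[n].criticality, 0),
                                 -by_name[n].known_vulns, n))


# Constructed sample inventory, not real assets.
SAMPLE_ASSETS = [
    Asset("finance-laptop-07", "hardware", "IT", "high", 2, True, ["edr", "disk_encryption"]),
    Asset("customer-db", "data", None, "high", 0, False, ["backup"]),
    Asset("legacy-crm", "software", "Sales", None, 3, False, []),
    Asset("svc-backup-account", "identity", "IT", "medium", 0, False, ["mfa"]),
]
```

Running `prioritize(SAMPLE_ASSETS)` ranks the unowned customer database ahead of the unclassified, uncontrolled CRM, while the laptop and the service account produce no gaps.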

The activities under the Identify and Protect functions depend on the people in place having the knowledge needed to identify the assets and knowing how to categorize and prioritize them for protection. In addition, organizations must consider the security tools available to them and what approach makes the most sense for their organization. Does investing in a variety of different security vendors offer better protection, or will security vendors that offer a comprehensive platform be more efficient and offer broader protection coverage?

Some questions to consider: 

1. How large is the organization and how are departments and employee groups currently managed? 

2. How are assets procured, distributed, and managed currently within the organization?  

a. Are there particular departments or employee groups that can purchase and manage assets on their own? 

3. How will the discovery process be performed? 

a. Who is in charge? 

b. How much time will this take? 

c. Do they have other responsibilities that will be impacted by this project? 

4. How is the management plan being developed? 

a. Who is responsible? 

b. How will it be implemented? 

c. Will employee or department workflows be impacted by this? 

5. How are risks and vulnerabilities being assessed and who is responsible for addressing anything discovered? 

6. Finally, who oversees the re-evaluation of the above to identify areas for improvements? 

How Organizations Should Best Prepare 

With the information and questions above, organizations should have a foundation for asking themselves the right questions to determine their path forward and ensure their organization is well prepared for cyber threats. These questions will help identify the resources available to them and whether they have the necessary security expertise in house to move forward with a proper cybersecurity program. 

While factoring in business needs and budgets, organizations can determine their best approach from the options available to them. Organizations can choose to take a vendor-agnostic approach, acquiring and implementing different tools and services to meet each of the needs outlined above. While each tool they choose might be cheaper or more cost effective than the alternatives, this approach can create challenges in managing the resulting tool sprawl. Organizations must weigh the overall cost savings against a potential loss in efficiency and protection from deploying multiple different security tools.

Instead, organizations should look for vendors that provide a comprehensive security platform alongside services that support the organization’s business initiatives. Vendors who provide a suite of security tools alongside a set of services such as advisory, offensive, support, detection and response, etc. can assist with the hiring process, help develop and implement a discovery plan, and provide the necessary tools to identify and manage the organization’s assets. These comprehensive platforms can help provide cost savings and efficiency through bundling capabilities and services without sacrificing protection.

For those looking to learn more about how Bitdefender can help supplement their organization and help build a better cybersecurity program, reach out to us today to learn more. And don’t forget to come back for Part 4 of this series where I’ll go into one of the most difficult aspects of building a cybersecurity program, Detection and Response during the Active Threat phase.


Author


Kevin Gee

Kevin is the Principal Product Marketing Manager at Bitdefender. With a technical background, he excels at storytelling and messaging across a variety of cybersecurity fields.
