NIST Cybersecurity Framework Series Part 1: Identify

    The National Institute of Standards and Technology created the Cybersecurity Framework (NIST CSF) four years ago under the Obama administration. Recently, the framework received added attention when President Donald Trump signed a cybersecurity executive order in May 2017, mandating that government agencies leverage the framework to support data protection and manage risks.

    As TechRepublic pointed out, however, the NIST CSF isn’t just applicable for government agencies – chief information security officers in organizations across every industry sector can put this framework and its categories to good use within their own organizations.

    NIST CSF: A primer

    NIST authored the framework in 2014 after President Obama’s Improving Critical Infrastructure Cybersecurity Executive Order. The framework includes its core, encompassing five basic functions that help create a more robust approach to cybersecurity and protecting essential infrastructure systems.

    Each function includes categories and subcategories, which lay out the individual tasks and processes that should fall under each specific function. In this way, the framework offers a comprehensive roadmap for pinpointing risks, guarding against threats, responding to security incidents and recovering from any potential incidents.

    In addition, the framework also includes implementation tiers tailored to outline different levels of NIST CSF deployment maturity. Overall, the CSF will only become a more important and prevalent resource in the cybersecurity industry, and it provides best practices for closing gaps in organizational security.

    Within this series, we’ll take a closer look at each of the functions of the NIST framework and provide tips and optimal processes for CISOs to follow as they implement and improve their cybersecurity using this roadmap.

    nist framework

    Identify: A definition

    According to the NIST Framework document, the Identify function is the first of five functions, and it calls for organizations to develop a better understanding of how to manage risks associated with the systems, data and capabilities that are included in their critical infrastructure. The Identify function represents the foundation for the NIST CSF.

    “Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs,” NIST stated.

    In this way, the Identify function revolves around pinpointing all of the systems and platforms included in the company’s infrastructure. This helps combat shadow IT and ensures that no important IT assets fall under the radar of protective efforts.

    Identify also encompasses recognizing the potential risks that could impact the systems the business uses to support its daily operations and critical corporate activities. As NIST noted, this allows the CISO to better prioritize the enterprise’s cybersecurity efforts according to the IT systems they use and the specific threats that could potentially impact these assets.

    Categories and tasks under Identify

    As noted, the NIST CSF also includes categories under each function that describe the types of processes and tasks companies should take part in during each level of the framework. The Identify function includes five key categories:

    • Asset management: First, the CISO and security stakeholders must pinpoint the systems, devices, users, data and facilities that support key, daily business processes, and these items are then managed according to their critical importance.
    • Business environment: This category covers the prioritization of the company’s mission, goals, stakeholders and processes, which is then leveraged to inform the creation of roles, responsibilities and key security decision-makers.
    • Governance: Here, the CISO and security stakeholders seek to glean a full understanding of the enterprise’s policies and procedures for managing and monitoring regulatory, legal, risk, environmental and operational requirements, according to the NIST framework.
    • Risk assessment: This category calls for CISOs and their security stakeholders to ensure a full understanding of the cybersecurity risks that could impact the business, its users and the critical IT systems and platforms they use to complete daily operations.
    • Risk management strategy: The final category within the Identify function relates to establishing the company’s priorities, challenges, risk tolerances and assumptions, and then using these to enable the best operational risk decisions on the part of CISOs and their security stakeholders.

    Identify in the real world: Eternal Blue

    A recent real-world example that demonstrates the importance of the Identify function comes in the form of the EternalBlue exploit. EternalBlue hit center stage last May as it became the common denominator in the global ransoware attacks in 2017 from WannaCry, Petya and NotPetya to cryptocurrency mining campaigns. In WannaCry alone, over 300,000 computers in over 200 countries were effected.

    EternalBlue is a vulnerability in Windows SMB 1.0 (SMBv1) servers that, if successfully exploited, can allow attackers to execute arbitrary code in the targeted systems creating a wormlike capability. This and other exploits were released by the hacking group Shadow Brokers.

    As WIRED noted, users were first widely made aware of the EternalBlue flaw in March of 2017. Despite a patch being issued by Microsoft ahead of these more large-scale attacks, many organizations did not carry out their due diligence when it came to EternalBlue, and therefore fell victim to the attack. In fact, Microsoft identified this as such a severe threat, that the tech giant even released a critical update for its Windows XP systems, despite ending support for the platform in 2014.

    “Risk based vulnerability management is critical to organizations today.  The speed at which disclosed vulnerabilities are weaponized requires CISOs to deploy timely and targeted patches.” Ed Cabrera, Chief Cybersecurity Officer at Trend Micro.

    Through the lense of the NIST Framework Identify function, the EternalBlue exploit underscores the criticality of asset management, risk assessments and risk management. CISOs and their teams must identify the critical data and systems that are essential to business operations, as well as the threats against them. Then they must continuously monitor their corresponding critical applications and operating systems for known vulnerabilities but more so prioritize their patch cycle on vulnerabilities being exploited in the wild.  Microsoft platforms like those impacted by EternalBlue should have been identified as critical, and patched immediately upon identification of the EternalBlue threat.

    What CISOs should know about the Identify function

    It’s also imperative to understand the NIST CSF is an ongoing process. The framework itself is continually growing and evolving based on emerging technologies and threats. In this way, CISOs and security stakeholders should know that the tasks and procedures outlined in each function should and will take place on a regular basis within the organization to ensure full protection. As the threat environment develops, so too  must enterprise security practices.It’s important that company security stakeholders understand that the Identify function helps provide the foundation for the other four functions within the framework. Taking the time to identify critical systems within the infrastructure, the risks that could impact these and the roles and responsibilities of internal staff and external partners will help streamline efforts that come as part of the Protect, Detect, Respond and Recover functions.

    Overall, elements including visibility, division of roles and responsibilities and knowledge of potential threats are crucial for the Identify function.

    Identify is just the first piece in the puzzle when it comes to the NIST Cybersecurity Framework. Tune in for the next part of our series, where we’ll cover the Protect function and the categories and tasks related to this key process. And to learn more about the type of Connected Threat Defense that can help keep your organization on the cutting edge of security, reach out to our Trend Micro protection experts today.

    Post a comment

    Your email address won't be shown publicly.