Building a solid security foundation to support NIST’s framework

Last year, the White House issued an Executive Order designed to strengthen cybersecurity efforts within federal agencies. The EO requires agencies to adhere to the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity, popularly known as “the framework.”

Henceforth, agencies are expected to follow a five-step process:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

This creates near-term challenges with potentially long-term benefits. In the near term, agencies will need to implement the framework right away and modernize their security and IT infrastructures, without the benefit of additional funding or resources. Over the long-term, their actions will likely improve security and result in cost savings. But they must overcome some significant hurdles first.

The framework receives mixed reviews

A recent SolarWinds survey of federal IT professionals found a mixed view of the framework. While 51 percent of respondents claimed that the framework contributed to their agencies’ successes, 38 percent stated that it posed a challenge to managing risk.

In addition, while 55 percent of respondents felt that the framework has succeeded in promoting a dialogue around risk management, 38 percent felt that the framework remains misunderstood.

However, we also found a pearl of wisdom that agency IT professionals, faced with the new EO, can grasp. More than 8 out of 10 respondents indicated that their agencies are at least somewhat mature in each of the framework’s five-step areas, although respond and recover remain relatively weak.

That maturity appears to tie directly into the types of controls these agencies are using. When asked about the speed at which their systems can detect security threats, respondents, who felt their security controls were either excellent or good, indicated they could more quickly respond to network threats than ones rating their controls as fair or poor.

Modern systems provide a solid foundation

The message is clear. Agencies with modern, robust systems and processes have set themselves up for security success. They are well on their way toward building a solid foundation upon which they can implement and follow the framework’s five-step process.

What makes them so different? Let’s take a look at each of the five steps and explore some of the solutions they are using to eliminate any weak links they might have in their networks.

 Identify

In this first step, administrators and security managers must look at the risk landscape and ascertain where threats may materialize. They have to consider all of the various aspects that could pose threats to their networks, including devices, applications and servers.

Organizations with robust network monitoring policies tend to do better in this area because they have more effective risk management planning support. Notably, survey respondents highlighted file integrity monitoring and security information and event monitoring tools as effective security solutions, while 46 percent stated “tools to monitor and report risk” have contributed to successful risk management.

Protect

This is all about implementing appropriate security controls and safeguards. The idea is to contain or completely mitigate the impact of a threat event.

Our survey respondents mentioned a variety of solutions that helped improve their protection efforts. They specifically called out patch management and network configuration management tools as useful threat deterrents. Other approaches, including log and event and network performance monitoring, can be used to help ensure that these controls are working as expected and generate reports to prove their efficacy. This is important, as detailed reporting is another required component of the president’s EO.

Detect

Detection involves identifying the occurrence of a cybersecurity event. Administrators must have the means to discover and track anomalies and suspicious network activity.

The framework itself specifically calls for continuous monitoring as a component of this step. Log and event and security information management fall under this category. Administrators should also consider implementing traffic analysis procedures that can alert teams to irregular traffic patterns and provide deep forensics information on network activity.

Respond and recover

Let’s lump these last two steps together, since 12 percent of respondents indicated that their agencies were “not at all mature” in each of these two areas. They feel their organizations are great at detection, but lack the ability to quickly respond to and recover from attacks.

In terms of response, log and security event management products have proven beneficial. Once a threat is detected, they can immediately block IPs, stop services, disable users, and more. All of these steps can effectively contain and limit potential damage.

Still, not every attack will be denied, and agencies must step up their disaster recovery efforts in the event of a successful threat. Taking days to recover from an attack, similar to the one that took place across the world earlier this year, is simply not an option. In such cases, network configuration management solutions can be used to back up device configurations for easy recovery in the event that the system goes down, greatly reducing recovery times.

Reducing complexity is key

“Easy” is not a word that has been traditionally associated with the framework or other regulations and mandates. Indeed, one survey respondent remarked that the “complexity of regulatory frameworks adds to the challenges.”

Fortunately, the government recently took steps to alleviate some of the complexities associated with the framework by issuing a draft of NIST 1.1, which, according to NIST, is designed to “clarify, refine, and enhance the Cyber-security Framework, amplifying its value and making it easier to use.” The draft clarifies much of the language surrounding security measurement and provides additional security guidance, with the goal of making things simpler and clearer for those using the framework. It is a step in the right direction. Added complexity is the last thing that agencies need as they deal with rising and more sophisticated threat vectors from enterprising hackers and the mistakes made by careless insiders.

While the government works to improve the framework, administrators can continue to do their part to reduce much of the complexity and many of the challenges involved in following its step-by-step process. Implementing modern tools and policies throughout the framework’s five steps creates a solid support structure for threat identification, protection, defense, response,and recovery.

Jamie Hynds is a senior product manager for SolarWinds.

DISCLAIMER: This document is provided for informational purposes only and should not be relied upon as legal advice. SolarWinds makes no warranty, express or implied, or assumes any legal liability or responsibility for the information contained herein, including for the accuracy, completeness, or usefulness of any information.