Building a Solid Security Foundation to Support the NIST Framework
By Jamie Hynds, SolarWinds Security Product Manager
Last year, the White House issued an Executive Order designed to strengthen cybersecurity efforts within federal agencies. The EO requires agencies to adhere to the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity, popularly known as “the framework.”
Henceforth, the agencies are expected to follow a five-step process:
This creates near-term challenges with potentially long-term benefits. In the near term, agencies will need to implement the framework right away and modernize their security and IT infrastructures, without the benefit of additional funding or resources. Over the long-term, their actions will likely improve security and result in cost savings. But they must overcome some significant hurdles first.
The frame receives mixed reviews
A recent SolarWinds survey of federal IT professionals found a mixed view of the NIST framework. While 51 percent of respondents claimed that the framework contributed to their agencies’ successes, 38 percent stated that it posted a challenge to managing risk.
In addition, while 55 percent of respondents felt that the framework has succeeded in promoting a dialogue around risk management, 38 percent felt that the framework remains misunderstood.
However, we also found a pearl of wisdom that agency IT professionals, faced with the new EO, can grasp. More than 8 out of 10 respondents indicated that their agencies are at least somewhat mature in each of the framework’s five-step areas, although respond and recover remain relatively weak.
That maturity appears to tie direction into the types of controls these agencies are using. When asked about the speed at which their systems can detect security threats, respondents, who felt their security controls were either excellent or good, indicated that could more quickly respond to network threats than ones rating their controls as fair or poor.
Modern systems provide a solid foundation
The message is clear. Agencies with modern, robust systems and processes have set themselves up for security success. The are well on their way toward building a solid foundation upon which they can implement and follow the framework’s five-step process.
What makes them so different? Let’s take a look at each of the five steps and explore some of the solutions they are using to eliminate any weak links they might have in their networks.
In this first step, administrators and security managers must look at the risk landscape and ascertain where threats may materialize. They have to consider all of the various aspects that could pose threats to their networks, including devices, applications and servers.
Organizations with robust network network monitoring policies tend to do better in this area because they have more effective risk management planning support. Notably, survey respondents highlighted file integrity monitoring and SIEM tools as effective security solutions, while 46 percent states “tools to monitor and report risk” have contributed to successful risk management.
This is all about implementing appropriate security controls and safeguards. The idea is to contain or completely mitigate the impact of a threat event.
Our survey respondents mentioned a variety of solutions that helped improve their protection efforts. They specifically called out patch management and network configuration management tools as useful threat deterrents. Other approaches, including log and network performance monitoring, can be used to help ensure that these controls are working as expected and generate reports to prove their efficacy. This is important, as detailed reporting is another required component of the president’s EO.
Detection involves identifying the occurrence of a cybersecurity event. Administrators must have the means to discover and track anomalies and suspicious network activity.
The framework itself specifically calls for continuous monitoring as a component of this step. Log and event and security information management fall under this category. Administrators should also consider implementing traffic analysis procedures that can alert teams to irregular traffic patterns and provide deep forensics information on network activity.
Respond and recover
Let’s lump these last two steps together, since 12 percent of respondents indicated that their agencies were “not at all mature” in each of these two areas. They feel their organizations are great at detection, but lack the ability to quickly respond to and recover from attacks.
In terms of response, log and security event management products have proven beneficial. Once a threat is detected, they can immediately block IPs, stop services, disable users, and more. All of these steps can effectively contain and limit potential damage.
Still, not every attack will be denied, and agencies must step up their disaster recover efforts in the event of a successful threat. Taking days to recover from an attack, similar to the one that took place across the world earlier this year, is simply not an option. In such cases, network configuration management solutions can be used to backup device configurations for easy recovery in the event that the system goes down, greatly reducing recovery times.
Reducing complexity is key
“Easy” is not a word that has been traditionally associated with the framework or other regulations and mandates. Indeed, one survey respondent remarked that the “complexity of regulatory frameworks adds to the challenges.”
Fortunately, the government recently took steps to alleviate some of the complexities associated with the framework by issuing a draft of NIST 1.1, which, according to NIST, is designed to “clarify, refine, and enhance the Cyber-security Framework, amplifying its value and making it easier to use.” The draft clarifies much of the language surrounding security measurement and provides additional security guidance, with the goal of making thing simpler and clearer for those using the framework. It is a step in the right direction. Added complexity is the last thing that agencies need as they deal with rising and more sophisticated threat vectors from enterprising hackers and the mistakes made by careless insiders.
While the government works to improve the framework, administrators can continue to do their part to reduce much of the complexity and many of the challenges involved in following its step-by-step process. Implementing modern tools and policies throughout the framework’s five steps created a solid support structure for threat identification, protection, defense, response, and recovery.
Find the article on Federal News Radio