In the aftermath of the Marriott breach, one of the biggest data breaches we’ve seen in 2018, it’s relevant to revisit some core security principles and how they can help you improve the security your data.
One such principle is the National Institute of Standards and Technology Framework (or NIST Framework for short). NIST released the first version of their Framework back in February of 2014, and more recently released the updated version in April of 2018.
The Framework is broken down into three main components; Implementation Tiers, Framework Core and Profiles. In terms of getting your organization better suited to detecting and preventing cyberattacks, it would be useful to get a better understanding of the Framework Core; and so, this is what we are going to focus on in this blog.
An Introduction to the NIST Framework Core
The NIST Framework Core is essentially a list of activities that you should be undertaking to improve your cybersecurity posture, organized into categories. The way the Core is written is using inclusive, non-technical language designed to be communicated easily across departments.
It’s broken down into five main functions, each of which we will go through here in a bit of detail to give you an idea of how you can apply them to your cybersecurity strategy.
Identify Where Sensitive Data is and Who Privileged Users Are
First thing you need to do is to determine where your biggest areas of risk are. These areas of risk generally come down to your most sensitive data and your privileges users. Identify where your data containing personally identifiable information, financial information, corporate secrets and other sensitive content resides. This may require the use of a data discovery and classification tool or, if you are reliant on Windows File Server, you may be able to do this through the native File Classification Infrastructure.
Once you have determined where sensitive data is, you should know which users and groups have access to it. It would also be wise to identify any factors in your environment that could be putting your data at risk, such as large numbers of stale users creating a large potential attack surface.
Protect Your Data by Being Proactive
Take the first steps to improving your data security based on the identification phase. Limit access to your most sensitive data by adopting a policy of least privilege. Review all of the privileged users you identified; do all of them need elevated access rights?
If you have identified open shares take steps to remove them. If you identified a large number of users with passwords set to never expire, then ensure you revise your policy on password rotation. If you identified a large number of inactive users, take steps to reduce them if possible. There are many proactive steps you can take to improve your data security simply based on the identification function of the NIST Framework.
Detect Anomalous User and Entity Behavior
Once you have started being proactive, this function is all about keeping up a continuous effort to detect unusual activity surrounding your data. Many user and entity behavior analytics solutions provide a feature known as anomaly spotting where, using a predefined learning period, they determine what is normal behavior and alert on abnormal activity.
You should also be able to detect when changes to permissions occur that could affect your most sensitive data. Make sure that you maintain that policy of least privilege by identifying and reversing unnecessary or unwanted permission changes.
If you are able to identify and receive real time alerts on whenever a suspicious change occurs to a file containing sensitive data or the surrounding permissions, you are well placed to deal with a potential security threat. To do this, you should define an incident response plan that details the exact steps you should take should you detect something that requires action.
Respond to Suspicious Changes
If you have created a detailed incident response plan, as stated in the previous Function, then you should be well placed to quickly respond to any potentially harmful changes. This response may be to revoke privileges, shut down a computer or server or simply reverse an unwanted change to a file or folder.
Recover and Learn
Have a plan in place to recover should the worst happen. Importantly, this Function focuses mainly on learning how to improve your overall cybersecurity posture and inter-departmental communication by taking lessons from security incidents. Data security is an ongoing, continuous and constantly evolving process that requires constant vigilance from all departments.
When implementing the NIST Framework in your organization, it’s important to make sure that you relate it to a data-centric audit and protection (DCAP) model of data security. That way, you can be sure that you don’t get lost in what can be a convoluted and complex set of functions, categories and informative references.