NIST Cybersecurity Framework Series Part 2: Protect

In the second part of our series, we take a look at the Protect function of the NIST CSF.

A key goal of many chief information security officers is to bolster the protections the company uses to safeguard its most critical assets. This type of priority isn’t difficult to understand in the current cybersecurity landscape – 360,000 new malicious files were discovered every day in 2017, and many of these threats have continued into 2018.

However, creating a cohesive security posture is easier said than done for today’s enterprises. As TechRepublic contributor Brandon Vigliarolo pointed out, challenges like a lack of information sharing can create gaps in overall data protection.

In order to establish more standardized information security standards, the National Institute of Standards and Technology created its Cybersecurity Framework to provide a guide for CISOs and internal security stakeholders.

In the previous part of this series, we provided a primer on the NIST CSF, and examined the first function. To recap, the Identify function requires that organizations develop a better understanding of the systems that make up their critical infrastructure, as well as the risks associated with each of these platforms. Click here to revisit Part 1 of our Cybersecurity Framework Series.

The Identify function provides the foundation, enabling deeper knowledge and understanding. The Protect function of the NIST Framework builds upon this, and offers actionable steps for enterprises to take to ensure the security of their critical informational assets.


Protect: A definition

The second function within NIST’s Framework calls for CISOs and their teams to “develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services,” according to the Framework document. During this function, security stakeholders should look to reduce the impact of a possible cybersecurity event by leveraging best practices for data protection and overall security. 

The functions of the framework take place in a logical order. In this way, CISOs can view the Identify function as the foundation for their company’s security posture, and can treat the Protect function as the framing. From here, the other three functions – Detect, Respond and Recover – fill out the rest of the Framework.

The Protect function revolves around limiting and controlling secure access to essential systems and assets, both physical and digital, and putting protections in place to prevent any unauthorized access.

Categories and tasks under Protect 

As explained in the primer section of Part 1 of this series, the NIST Framework is made up of five functions, each of which has its own categories, subcategories and tasks. Let’s examine the categories and tasks that CISOs and their teams should take on under the Protect function:

  • Access control: As noted, much of this function revolves around creating secure access protections for authorized users while ensuring that unauthorized users aren’t able to view, access or change the company’s systems, data and assets. First, CISOs and their teams must ensure that the identities and credentials related to their pool of authorized users are appropriately managed. From here, security stakeholders should look to manage and protect physical as well as remote access to their IT assets.
  • Awareness and Training: A critical part of the Protect function also involves supporting efforts with security education. Under this category, security decision-makers must train personnel so that they can efficiently and effectively carry out the protection tasks outlined in the company’s policies and vendor agreements. 
  • Data Security: Once CISOs and their counterparts have appropriately managed access credentials and have provided security education for their workforce, they can move on to data security efforts. Within this category, security stakeholders work to consistently manage data in a way that aligns with the business’s risk strategy, and support the confidentiality and integrity of information while also ensuring its availability.
  • Information Protection Processes and Procedures: This category involves maintaining and leveraging security policies, processes and procedures to adequately protect critical data and the systems that support it. These policies were initially created under the Governance category of the Identify function.
    Building upon the efforts taken during that function, this category also calls for the creation and management of plans for incident response, business continuity, incident recovery and disaster recovery, as well as testing for the response and recovery plans in particular. 
  • Maintenance: Here, CISOs and their stakeholders should ensure that maintenance takes place in a scheduled manner, and that any remote maintenance is done carefully so as to avoid unauthorized access.
  • Protective Technology: This category focuses on the technical security solutions, and calls for the documentation, implementation and review of audit and log records, and the protection of removable media and communications and control networks.

Protect in the real world: Ransomware 

One of the most pressing threats currently is ransomware, and this attack model clearly underlines the importance of deploying safeguards that specifically ensure users can keep accessing and using the technology that supports crucial business activity.

As Trend Micro research shows, ransomware has been a pervasive threat for some time, with the earliest cases being reported in 2005 and 2006. Ransomware samples have come a long way since then, allowing hackers to expand their reach as well as the ransom amounts demanded. 

The common thread running through every ransomware sample and attack is the compromise of critical business functions. Ransomware leverages strong encryption to prevent users from accessing the essential data and applications required for important, daily enterprise activity, thereby pressuring victims to pay the ransom. The approach of hackers here is, “I’ve locked you out of your critical business functions, so your company is losing money. Pay the ransom, or continue on without access to your most essential infrastructure platforms.”

Whereas early ransomware focused simply on collecting a payment, today’s attacks take more of an extortion style. Going back to the definition of Protect under the NIST Framework, this function revolves around putting safeguards in place to ensure access to, and delivery of, critical infrastructure systems. In this way, ransomware demonstrates the essential importance of protections for critical business functions.

“Ransomware attacks are all about speed and impact,” said Ed Cabrera, Chief Cybersecurity Officer at Trend Micro. “Cybercriminals know that the faster they can attack and disrupt critical data and systems the higher the likelihood they will be paid and paid well. CISOs have to respond in kind to this evolving risk to operations and develop dynamic protection strategies that focus on prevention.” 

Protection efforts will touch every corner of the enterprise, and will involve every employee from the CISO and his or her team to each individual worker. In addition, leveraging a layered approach to data security can help ensure that protection extends across the entire company.

Check in later to read the next part of our series, where we’ll discuss the facets of the Detect function.