Operationalize the NIST Cybersecurity Framework Without Pulling All Your Hair Out (Part 2 of 3) (2023)

This is Part 2 of a 3-part blog on how to use the NIST Cybersecurity Framework without getting bogged down in the minutiae of the specification documents. Part 1 can be found here, and we recommend you read it first if you have not already done so.

Let’s recall the five core functions of the NIST CSF: Identify, Protect, Detect, Respond and Recover.

In Part 1 of this blog, we discussed the Identify function and how it is foundational to the NIST Cybersecurity Framework. We saw how implementing Identify enables clear communication and decision-making within the cybersecurity team and in the boardroom.

We also discussed what you need to do to gain maturity in your implementation of Identify, and defined some KPIs you can use every day to track progress in the maturity level of your Identify capabilities.

In this second part, we discuss how to implement the Protect and Detect functions of the NIST Cybersecurity Framework.


“The key to protecting the enterprise is to be proactive in managing your vulnerabilities and risk items.”

Your first line of defense against cyberattacks consists of the following elements:

  • Firewalls, IPSes, WAFs
  • VPN and BeyondCorp
  • Endpoint security
  • Continuous vulnerability management

Firewalls let you implement a set of rules that restrict outside access to your internal network resources. In the old days all you needed to worry about was the firewall at the connection point between each of your sites and the Internet. Today you also need to deploy and correctly configure firewalls at your cloud-based data centers (for example, security groups and network ACLs in AWS VPCs) and a host firewall on each mobile endpoint.

Intrusion Prevention Systems (IPSes) inspect network traffic and block traffic that matches known attack signatures or anomalous patterns; they may be deployed alongside firewalls or as part of a consolidated product. Web Application Firewalls (WAFs) are specialized systems that inspect HTTP traffic to protect your public web applications.

Firewalls, IPSes and WAFs help you “lock down” access to your distributed enterprise. To let authorized users reach internal resources securely, Virtual Private Network (VPN) systems can be implemented. Some organizations, Google among them, have moved away from VPNs to a zero-trust model in which every request is authenticated and authorized based on user identity and device state rather than network location; Google's implementation of this paradigm is called BeyondCorp.
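As an added example (not code from the original post or from Balbix), here is a small Python audit of security-group-style ingress rules that flags the misconfigurations the paragraphs above warn about: management and database ports open to any source, and all-traffic rules. The rule records mirror the IpPermissions shape returned by AWS describe-security-groups, but the rules themselves, the port lists and the severity labels are constructed for this example.

```python
import ipaddress

# Services that should never be reachable from arbitrary Internet sources.
# Constructed list for this example; extend it for your own environment.
SENSITIVE_PORTS = {
    22: "ssh", 23: "telnet", 445: "smb", 1433: "mssql", 3306: "mysql",
    3389: "rdp", 5432: "postgres", 6379: "redis", 27017: "mongodb",
}
# Ports that may legitimately be open to the world on a public web tier,
# provided a WAF and/or IPS sits in front of them.
WEB_PORTS = {80, 443}


def is_wildcard(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a rule that admits any source address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_ingress(rules):
    """Return findings for ingress rules that expose too much to the Internet.

    Each rule is a dict in the shape of an AWS IpPermissions entry
    (IpProtocol, FromPort, ToPort, IpRanges, Ipv6Ranges); an IpProtocol of "-1"
    means all protocols and ports and carries no port fields.
    """
    findings = []
    for rule in rules:
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        open_sources = [s for s in sources if is_wildcard(s)]
        if not open_sources:
            continue  # reachable only from specific ranges: not a world-exposure finding
        proto = rule["IpProtocol"]
        if proto == "-1":
            findings.append({"rule": "all protocols/ports", "sources": open_sources,
                             "severity": "critical", "services": []})
            continue
        lo, hi = rule["FromPort"], rule["ToPort"]
        exposed = sorted(name for port, name in SENSITIVE_PORTS.items() if lo <= port <= hi)
        if exposed:
            severity = "high"
        elif set(range(lo, hi + 1)) <= WEB_PORTS:
            continue  # only 80/443 open to the world: acceptable behind a WAF
        else:
            severity = "medium"  # an unexpected service is exposed; review it
        findings.append({"rule": f"{proto} {lo}-{hi}", "sources": open_sources,
                         "severity": severity, "services": exposed})
    return findings


# Constructed sample: a web tier rule, SSH from the corporate range only,
# RDP open to the world, an IPv6 allow-all, and an exposed application port range.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8100, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    for f in audit_ingress(SAMPLE_RULES):
        print(f"{f['severity']:8} {f['rule']:22} from {', '.join(f['sources'])}")
```

To run this against a real account, feed it the IpPermissions lists from each security group. A "medium" finding is not automatically wrong (a public API on a non-standard port may be intended), but it should be an explicit, documented decision rather than something discovered during an incident.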

Moving from the network to individual endpoints, consider whether you need specialized software to protect your endpoints beyond the basic protections that ship with the operating system. There is a host of modern endpoint detection and response (EDR) offerings on the market for you to consider, e.g., CrowdStrike Falcon, Cylance Protect, SentinelOne.

This brings us to what is probably the most overlooked component of Protect: vulnerability management. As programmers develop and enhance software they inadvertently introduce security bugs, which become vectors by which attackers gain unauthorized access to your systems and data. Similarly, as system administrators configure complex enterprise software they sometimes make configuration mistakes that also serve as attack vectors. Such vulnerabilities are routinely exploited to compromise enterprises that have properly deployed firewalls, VPNs and endpoint security tools. In fact, it is not uncommon for the security tools themselves to carry vulnerabilities; a VPN gateway or firewall management interface is an Internet-facing asset like any other and needs to be patched with the same urgency.

Vulnerabilities are not rare; quite the opposite. Microsoft alone releases patches for on the order of a hundred vulnerabilities across its products on each monthly Patch Tuesday, a portion of them rated critical. Across the industry, more than 17,000 new entries were published in the CVE list maintained by MITRE in 2019.

With so many unpatched vulnerabilities and hundreds of patches released each month, it is hard for IT teams to keep up. For business-critical enterprise applications, any patch has to be tested to make sure it does not break the application. Some security updates are simply not feasible at all, for instance on end-of-life systems the vendor no longer supports or on appliances where the fix would break a certified configuration; those cases need compensating controls (isolation, IPS signatures, reduced exposure) rather than a patch.

Unsurprisingly, poor vulnerability management is the #1 deficiency in the Protect strategy of many cybersecurity programs. The mean-time-to-patch (MTTP) for known vulnerabilities, even on Internet-facing assets, is commonly 30 to 90 days or more. During that window an attacker can use a public, often weaponized, exploit for the known vulnerability to gain access in a straightforward fashion, whether the goal is ransomware, data theft or tampering with the integrity of your systems.

If you do not have good vulnerability management in your organization, you must make immediate efforts to implement a risk-based vulnerability management program. AI-powered approaches such as Balbix’s run discovery, prioritization and mitigation of vulnerabilities as a continuous process. Vulnerabilities are continuously discovered and prioritized based on severity, threat level (is the vulnerability being exploited in the wild?), asset exposure and your existing security controls (some of which may protect you even while the vulnerability is open). Assets are categorized into groups by business criticality. You can define target SLAs and set up mitigation workflows for different classes of vulnerabilities as they emerge, and dashboards and leaderboards let you track and motivate the different risk owners in your enterprise.
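The prioritization and SLA logic described above, as an added example that is not Balbix’s code or scoring model: a small Python model that scores each vulnerability by severity, threat level, asset exposure, business criticality and compensating controls, assigns a target SLA from the score, lists what is overdue as of a given date and computes the MTTP KPI from what has actually been fixed. The weights, SLA tiers and the five vulnerability records are assumptions constructed for the example, and the identifiers are placeholders rather than real CVE numbers.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import List, Optional, Tuple


@dataclass
class Vuln:
    ident: str                # placeholder label, not a real CVE id
    asset: str
    cvss: float               # base severity, 0-10
    exploited_in_wild: bool   # threat level: public exploit / active exploitation
    internet_facing: bool     # asset exposure
    criticality: str          # business criticality of the asset: high / medium / low
    control_mitigates: bool   # an existing control (WAF rule, IPS signature, isolation) blocks the exploit path
    discovered: date
    patched: Optional[date] = None


# Assumed weights for this example; tune them to your own risk model.
CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.6, "low": 0.3}
EXPOSURE_FACTOR = 1.5   # Internet-facing assets are reachable by anyone
THREAT_FACTOR = 2.0     # exploitation in the wild makes the window urgent
CONTROL_FACTOR = 0.5    # a compensating control buys time; it does not close the issue

# (minimum score, days allowed to remediate), evaluated top-down.
SLA_TIERS = [(15.0, 7), (9.0, 30), (4.0, 90), (0.0, 180)]


def risk_score(v: Vuln) -> float:
    score = v.cvss * CRITICALITY_WEIGHT[v.criticality]
    if v.internet_facing:
        score *= EXPOSURE_FACTOR
    if v.exploited_in_wild:
        score *= THREAT_FACTOR
    if v.control_mitigates:
        score *= CONTROL_FACTOR
    return round(score, 2)


def sla_days(score: float) -> int:
    for minimum, days in SLA_TIERS:
        if score >= minimum:
            return days
    return SLA_TIERS[-1][1]


def due_date(v: Vuln) -> date:
    return v.discovered + timedelta(days=sla_days(risk_score(v)))


def prioritize(vulns: List[Vuln]) -> List[Vuln]:
    """Work queue: highest risk first."""
    return sorted(vulns, key=risk_score, reverse=True)


def overdue(vulns: List[Vuln], as_of: date) -> List[Tuple[str, int]]:
    """Open items past their SLA, in priority order, with days overdue."""
    return [(v.ident, (as_of - due_date(v)).days)
            for v in prioritize(vulns)
            if v.patched is None and as_of > due_date(v)]


def mean_time_to_patch(vulns: List[Vuln]) -> float:
    """MTTP KPI in days over everything that has actually been fixed."""
    closed = [(v.patched - v.discovered).days for v in vulns if v.patched is not None]
    return mean(closed) if closed else 0.0


# Constructed sample records.
SAMPLE = [
    Vuln("VULN-1", "vpn-gw-01", 9.8, True, True, "high", False, date(2023, 3, 1)),
    Vuln("VULN-2", "web-01", 9.8, True, True, "high", True, date(2023, 3, 1), date(2023, 3, 15)),
    Vuln("VULN-3", "hr-app-02", 7.5, False, False, "medium", False, date(2023, 1, 10), date(2023, 3, 1)),
    Vuln("VULN-4", "dev-03", 5.3, False, False, "low", False, date(2023, 2, 1)),
    Vuln("VULN-5", "web-02", 8.8, False, True, "high", False, date(2023, 2, 10)),
]

if __name__ == "__main__":
    today = date(2023, 3, 20)
    for v in prioritize(SAMPLE):
        print(f"{v.ident} score={risk_score(v):5.2f} sla={sla_days(risk_score(v)):3d}d due={due_date(v)}")
    print("overdue:", overdue(SAMPLE, today))
    print("MTTP (days):", mean_time_to_patch(SAMPLE))
```

Note how VULN-1 and VULN-2 share the same CVSS score and exposure but land in different SLA tiers only because a compensating control covers VULN-2; that is the difference between CVSS-driven and risk-driven prioritization. The overdue list, not the raw count of open findings, is what belongs on a risk owner's dashboard.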


As you strengthen your Protect capabilities, your users emerge as the weakest link, targeted by phishing and undermined by poor password hygiene. To reach the Repeatable tier for the NIST Protect function you will also need to implement strong identity and access control, including multi-factor authentication through a system such as Okta, make continuous security awareness training a mandatory part of your company’s periodic training, and start segmenting your network.

To reach the Adaptive tier, your vulnerability management program needs a short mean-time-to-resolve (MTTR), and you need to implement the adaptive trust paradigm (least-privilege access that is continuously re-evaluated) for controlling who gets access to what. This last piece ensures that compromises stay localized: the breach of a single enterprise system does not become an enterprise-wide data breach or outage.

[Figure: capabilities to implement at each maturity tier of the NIST Protect function]

The figure above lists the specific capabilities you need to implement to move up the maturity tiers for the NIST Protect function.

Balbix can also generate continuous dashboards and reports that tell each risk owner which open vulnerabilities, risk items and tasks they need to worry about. Risk owners can be compared against each other and incentivized to reach the top of the cybersecurity leaderboard, which goes a long way toward a culture of shared risk ownership and drives down MTTR and risk.


One final point. To do a good job on the Protect function, you must already be fairly mature in Identify: you cannot protect what you do not know about. You also need to know the relative business importance of your assets and who owns them; otherwise you have no way to prioritize Protect improvements or to assign risk mitigation tasks to the right stakeholders.


“The opportunity of defeating the enemy is provided by the enemy himself.”

Despite your best efforts to shore up Protect, some attacks will get through. Hopefully you have segmented your network and the compromise is contained. In any case, you need to detect the intrusion, respond and recover.

The workhorses of your NIST Detect function are your Security Information and Event Management system (SIEM) and your Security Operations Center (SOC). A SIEM aggregates event logs from many sources, including firewalls, endpoint security systems and other security tools as well as servers, databases and applications. These events are normalized, correlated and analyzed for patterns that may indicate a compromised system, and dashboards and alerts tell SOC analysts that something may be amiss.

A key challenge in any SOC is keeping up with the volume of security events. Some false positives have to be tolerated, since it is critical not to miss a true compromise, but every one of them costs analyst time. In advanced SOCs, automated playbooks on Security Orchestration, Automation and Response (SOAR) platforms handle high-volume, high-quality event triage. To reach the Adaptive tier in Detect, you will need to use risk context (asset criticality, exposure and the open vulnerabilities on the affected host) to sort and prioritize security events for analysis.
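An added example of the correlation and risk-context triage this section describes; it is not from the original post and not a Balbix or SIEM vendor feature. It parses a constructed set of key=value authentication log lines, applies one correlation rule (five or more failed logins from the same source to the same host within two minutes, followed by a success), and then ranks the resulting alerts by asset criticality and exposure so the analyst sees the Internet-facing, business-critical host first. The log lines, the asset context table, the thresholds and the weights are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List

# Constructed log lines in a key=value format; a real SIEM would normalize
# sshd, Windows 4625/4624 or IdP events into similar fields.
LOG_LINES = """\
2023-03-20T10:00:01Z host=dev-03 app=sshd event=auth_failure user=root src=10.9.8.7
2023-03-20T10:00:02Z host=dev-03 app=sshd event=auth_failure user=root src=10.9.8.7
2023-03-20T10:00:03Z host=dev-03 app=sshd event=auth_failure user=root src=10.9.8.7
2023-03-20T10:00:04Z host=dev-03 app=sshd event=auth_failure user=root src=10.9.8.7
2023-03-20T10:00:05Z host=dev-03 app=sshd event=auth_failure user=root src=10.9.8.7
2023-03-20T10:00:09Z host=dev-03 app=sshd event=auth_success user=root src=10.9.8.7
2023-03-20T10:05:00Z host=web-01 app=sshd event=auth_failure user=deploy src=192.0.2.44
2023-03-20T10:05:01Z host=web-01 app=sshd event=auth_failure user=deploy src=192.0.2.44
2023-03-20T10:05:02Z host=web-01 app=sshd event=auth_failure user=deploy src=192.0.2.44
2023-03-20T10:05:03Z host=web-01 app=sshd event=auth_failure user=deploy src=192.0.2.44
2023-03-20T10:05:04Z host=web-01 app=sshd event=auth_failure user=deploy src=192.0.2.44
2023-03-20T10:05:07Z host=web-01 app=sshd event=auth_success user=deploy src=192.0.2.44
2023-03-20T10:30:00Z host=db-02 app=sshd event=auth_failure user=dba src=10.1.1.5
2023-03-20T10:30:40Z host=db-02 app=sshd event=auth_success user=dba src=10.1.1.5
"""

# Asset context that the Identify function should supply: criticality and
# exposure per host. A host missing from this table is an inventory gap and
# is scored as "medium" so it is not silently ignored.
ASSET_CONTEXT = {
    "web-01": {"criticality": "high", "internet_facing": True},
    "db-02": {"criticality": "high", "internet_facing": False},
    "dev-03": {"criticality": "low", "internet_facing": False},
}
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


def parse_events(text: str) -> List[Dict]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def correlate(events: List[Dict], threshold: int = 5, window_seconds: int = 120) -> List[Dict]:
    """Alert when a burst of failed logins from one source is followed by a success."""
    recent = defaultdict(deque)  # (host, src) -> timestamps of failures still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["src"])
        q = recent[key]
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # age out failures older than the window
        if ev["event"] == "auth_failure":
            q.append(ev["ts"])
        elif ev["event"] == "auth_success":
            if len(q) >= threshold:
                alerts.append({"rule": "brute_force_success", "host": ev["host"], "src": ev["src"],
                               "user": ev["user"], "failures": len(q), "ts": ev["ts"]})
            q.clear()  # one or two typos before a success are normal; do not carry them forward


    return alerts


def rank_by_risk(alerts: List[Dict], context: Dict[str, Dict]) -> List[Dict]:
    """Order alerts by the risk context of the affected asset, highest first."""
    def priority(alert: Dict) -> int:
        asset = context.get(alert["host"], {"criticality": "medium", "internet_facing": False})
        score = CRITICALITY_WEIGHT[asset["criticality"]]
        if asset["internet_facing"]:
            score *= 2
        return score
    scored = [{**a, "priority": priority(a)} for a in alerts]
    return sorted(scored, key=lambda a: a["priority"], reverse=True)


if __name__ == "__main__":
    for a in rank_by_risk(correlate(parse_events(LOG_LINES)), ASSET_CONTEXT):
        print(f"P{a['priority']} {a['rule']} host={a['host']} user={a['user']} "
              f"src={a['src']} failures={a['failures']}")
```

The db-02 login (one failure, then success) produces no alert at all, which is the false-positive suppression the threshold buys you; the two real alerts are identical in shape, and only the asset context tells the analyst to open the web-01 one first.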

In the final part of this blog, we will discuss the Respond and Recover functions of the NIST Cybersecurity Framework. In the meantime you can get started on aligning your cybersecurity program on Identify, Protect and Detect by leveraging Balbix: request a demo or start your free trial.


Article information

Author: Barbera Armstrong

Last Updated: 12/12/2022
