NIST Cybersecurity Framework 2.0: Protect

Cybersecurity Frameworks Series, part 6

Today, we dive into the third sub-function of the NIST CSF 2.0. Now that we, as an organization, know what assets we have (per the IDENTIFY function), we must apply data protections appropriate to the value and risk of those assets.

Sub-functions of PROTECT include:

Identity Management, Authentication, and Access Control (PR.AA):
Physical and logical access is limited to approved and authorized users, services, and hardware and managed with processes and technology based on assessed risk of unauthorized access.

This sub-function does not change much overall, so there is not much to discuss beyond the expected: control identities throughout their lifecycle, including user accounts, privileged accounts, service accounts, token accounts, certificate accounts, and other machine accounts. Continue to be mindful in protecting the credentials for identities, rotating them at an acceptable rate or upon exposure. Additionally, have authorization match the privilege the role requires, with separation of duties for sensitive access or key business decisions.

The intent is to manage and maintain the identity lifecycle and supporting architectures through all operational phases. It also focuses on limiting, and recovering from, unknown events that could impact operations. To comply with the domain, an organization needs to have a sound understanding of the identity lifecycle, the tools supporting that lifecycle, and the monitoring of account use, in alignment with its cybersecurity risk and resiliency strategy.

Our experience is that most organizations are very focused on this now, given zero trust and migration to the cloud. Where organizations commonly fall short is in having a complete identity strategy in conjunction with identity services and supporting technology.

Awareness and Training (PR.AT):
The organization's personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks.

This sub-function does not change much overall, so there is not much to discuss.

Our experience is that most organizations are continuing to work hard at education and awareness and some form of phishing testing, but may fall short on non-email-based training.

Data Security (PR.DS):
Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.

This sub-function goes deep into data protection to manage data in alignment with the organization’s risk strategy and defined protection techniques for confidentiality, integrity, and availability of information (CIA). The main intentions include protecting data:

  • At rest (with proper usage justification and access controls; encrypted, hashed, truncated, redacted, masked, or not used at all; etc.)

  • In flight (protected against interception, tampering, forwarding, and decapsulation)

  • Lifecycle management (asset removal, transfer, disposal)

  • Lifecycle availability (capacity, redundancy, high availability, etc.)

  • Leakage controls to prevent, detect, respond to, and recover from (or destroy data after) a data breach, whether it stems from error, theft, or extortion

  • In all use cases, with proper role separation and access (production, development, testing, data exchanges/transfers, etc.)

  • Hardware/software integrity monitoring and reporting for changes (authorized or unauthorized)

  • Preserving C, I, and A while data is in active use (proper access [role-based, restricted], system-level protection [memory, disk, etc.], and secure eradication when done so that no trace is left on disk or in logs, reports, memory, etc.)

  • With highly effective backups, covering creation, maintenance, and recovery, with the testing necessary to confirm recovery and continuity.

The intent is to define the protection mechanisms in place and what it means to properly manage and secure them. An organization can align its data management practices with its risk strategy and enhance its overall data security posture. It is important to note that compliance is an ongoing process and requires continuous evaluation and adaptation to emerging threats and changes in the organization’s risk landscape. Compliance is not just about technology solutions; it also involves people, processes, and policies working together to protect data assets.

Our experience is that most organizations are not as mature in their data security and defensive programs as necessary, especially where there are high volumes of sensitive data and a large portion of the business teams require access. Where organizations commonly fall short is in having an incomplete understanding of data flows and system-to-system data exchanges (internal and external), and in not having a clear definition of what needs data protection. Most organizations do not have a data inventory or data flow diagrams (organizations under PCI may be exceptions but, even then, those organizations tend to only have data flow diagrams for apps in the scope of PCI).

Platform Security (PR.PS):
The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability.

This sub-function goes deep into managing hardware, software, and services security (design, build, deploy, maintain, patch) on all technologies and service stacks in a highly secure way where necessary. All technologies includes the entire stack: physical, network, operating systems, virtualization, containers, software, cloud, mobile, SaaS, etc.

This requires an absolute mastery of applying security-centric system hardening to technology, hardening system-to-system interactions (e.g., services, IAM, secure communications), hardening service-to-service communication, and everything else. In all scenarios, an attack leverages an accessible service and an identity. So, if an organization is running a service with high privileges and no password, it is only a matter of time…

A deep understanding of the operating environment, business requirements, and resilient and isolating technology strategies will help reduce the impacts of cyberattacks. If you treat your environment as untrusted and always exploited, your ability to absorb threats against your technology stack and defenses will be drastically enhanced.

Recent cybersecurity breaches have indeed underscored the importance of managing hardware and software to protect against threats. Here are some notable incidents:

  • Microsoft Security Failures: Microsoft has had a series of security breaches, including one where a China-based hacking group named Storm-0558 breached Microsoft’s Azure service and collected data for over a month before being discovered.

  • Cisco Vulnerabilities: As the front door for gaining access to companies, Cisco is under constant analysis and attack; recently Duo and VPN were big targets.

Our experience is that organizations with aging physical, on-premises networks are highly focused on migrating to the cloud. The primary reason is that they can simply turn off legacy technologies that are becoming hard to adequately secure and monitor. Where most organizations commonly fall short is in having a process and cross-organizational engagement to patch and harden systems. This process is matrixed between business teams, development teams, network teams, platform teams, virtualization teams, security teams, and more.

Technology Infrastructure Resilience (PR.IR):
Security architectures are managed with the organization's risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience.

This sub-function goes well beyond the basics of protection. Technology Infrastructure Resilience emphasizes a robust architecture and resilient technology solution that can adapt and succeed through time and threats against data, systems, and networks. It requires a deep understanding of the operating environment, business requirements, and resilient technology strategies.

This is one of the bright spots as it dives into understanding and managing your environment. Though we may think of PROTECT as being focused on stopping attacks, you really must consider PROTECT as being focused on resiliency to unknown active threats. Treat your environment as untrusted and always exploited and your ability to absorb threats against your technology stack and defenses will be drastically enhanced.

Focus on creating a security control environment with security patterns and threat controls, using resiliency as a factor, for a robust and adaptive environment that can course-correct as threats and business requirements change. These tactics support maintaining security in a shifting environment, even in the face of disruptions or cyberattacks.

The intent is to manage, plan, and maintain organizational security control architectures through the design, implementation, and maintenance phases, aligned to the overall risk strategy. It also focuses on enhancing organizational resiliency through anticipating, withstanding, and recovering from unknown events that could impact operations. To comply with the domain, an organization needs to manage its security architectures in alignment with its cybersecurity risk and resiliency strategy.

Our experience is that most organizations do some, but not all, of the above well, as the volume of cybersecurity breaches has been steadily increasing and the impacts are more compelling. Where organizations commonly fall short is in having a complete defense-in-depth technology control environment and strategy that includes overlapping or connected controls to break or kill cyberattack chains before the foothold or exfiltration has occurred. Key drivers for this domain are its dependencies on the precursor domains: you cannot protect the unknown, or plan for contingencies, without a strong risk-posture approach that creates the thought and testing processes.

Recent cybersecurity breaches continue to underscore the consequences of failures in managing security architectures aligned with an organization's risk strategy. Here are a few examples where this domain has broken down:

  1. Cloud Misconfiguration

  2. Ransomware Attacks

  3. Exploitation of Vendor Systems/Services/Software

  4. Human Element

  5. MOVEit Cyberattack Campaign

That concludes our deep dive into the PROTECT function. We will take a deep dive into the DETECT function next. In the meantime, if you are not sure or would like to discuss, please feel free to reach out to SEVN-X. Our goal is to help you Achieve Better Cybersecurity and we’re happy to help! 

Previous Blog:
Cybersecurity Frameworks Series part 5, NIST Cybersecurity Framework 2.0: Identify

Next Blog:
Cybersecurity Frameworks Series part 7, NIST Cybersecurity Framework 2.0: Detect
