CyberWire Daily - NIST Cybersecurity Framework [Special Editions]
Episode Date: August 30, 2017
Having a set of standards by which to measure your security organization, being able to compare your security posture to other organizations, and being able to justify your choices to investors and insurance firms are all worthwhile goals. It's beneficial to have widely agreed upon standards of care and measurement in cyber security, to help know where you stand, where there's room for improvement, and what's important to you. That's where frameworks come in, and the NIST cybersecurity framework is one of the most popular in the cybersecurity industry. In this CyberWire special edition, we'll examine frameworks in general and the NIST cybersecurity framework specifically, to see if adopting them is worth the time, energy and expense it takes. Joining us are Rick Tracy, Chief Security Officer for Telos corporation, Rafal Los, Managing Director of the Solutions and Programs insight group at Optiv Security, and Matt Barrett, Program Manager for the Cyber Security Framework at NIST. Stay with us.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Having a set of standards to measure your security organization by,
being able to compare your security posture to other organizations,
and being able to justify your choices to investors and insurance firms,
well, that all sounds good, right?
It's beneficial to have widely agreed upon standards of care and measurement in cybersecurity
to help know where you stand, where there's room for improvement, and what's important to you.
That's where frameworks come in.
And the NIST Cybersecurity Framework is one of the most popular in the cybersecurity industry.
In this CyberWire Special Edition, we'll examine frameworks in general
and the NIST
cybersecurity framework specifically to see if adopting them is worth the time, energy,
and expense it takes. Joining us are Rick Tracy, Chief Security Officer for Telos Corporation,
Rafal Los, Managing Director of the Solution and Program Insight Group at Optiv Security,
and Matt Barrett, Program Manager for the
Cybersecurity Framework at NIST.
Stay with us.
I come from the world of certification accreditation in the late 1980s.
That's Rick Tracy from Telos.
Where every federal government organization did their, what we call now, cyber risk and compliance management.
Every organization did it their own way.
And that creates problems because for you to tell me that your system is secure,
I really don't know what benchmarks or baselines, what process, what workflow,
I really don't understand how you came about determining that you indeed are secure.
Having a framework in place means that you're not off doing something again for the first time
every time, right? It
takes previous knowledge in due effect. That's Rafal Los from Optiv. Somebody has spent some
time to look at a problem, create its abstract, understand the pieces, and then provide prescriptive
at that right level guidance in a way that is repeatable, measurable, and provides actual problem-solving value.
I look at a framework as a structure in which to make a decision.
That's Matt Barrett. He's from NIST.
NIST is the National Institute of Standards and Technology.
We're a part of the United States Department of Commerce.
The big milestone was Executive Order 13636.
That executive order happened in March 2013 from the Obama administration.
Which was Executive Order for Improving Critical Infrastructure and Cybersecurity. And specifically
in Section 7, the Department of Commerce was tasked with coming up with a framework that
would reduce risk for critical infrastructure, private sector owners and operators. Since then, we've actually progressed to the spirit of
Executive Order 13636 was written into the Cybersecurity Enhancement Act of 2014. And that's
really the charter by which we continue. It was originally intended for critical infrastructure.
And unlike the risk management framework, which is mandatory in
federal agencies, the cybersecurity framework was designed to be a voluntary framework.
They did a really nice job working with industry to develop something that was helpful, yet not
too onerous. It's something that the business community, critical infrastructure sectors,
of which there are 16, could get behind. And so the fact that it was developed in a collaborative way has really made it of interest to industries in
these 16 sectors. The challenges of creating a framework is getting, you know, 10,000 of your
closest friends to agree on a pizza topping. Every company is just a little bit different. Every team
is just a little bit different. Everybody approaches the problem and understands it just a little bit differently. The trick with frameworks and why it's not
something everybody can just sit down and just do in 10 minutes is how do you create a framework
that is applicable to everyone, implementable by everyone, but not so prescriptive that
it excludes any particular use case, right? So it's a very, very delicate balancing act.
And I think that's kind of why it's so hard is, and so many frameworks get this wrong,
you either become under-prescriptive or over-prescriptive.
One of the many things that it does for you is it enables consistent cyber risk communication
across an organization.
And what I mean by that is there are five easy-to-understand functions: identify, protect, detect, respond, recover. Those are the five.
And those functions then relate to categories of cyber risk objectives, which are then fed by a more granular set of roughly 100 subcategories,
which then make reference to detailed controls. NIST has done a good job of pointing to controls
in 800-53 or ISO or various others so that you can, as an organization, understand, oh, this is what
they really mean by this particular subcategory.
This construct of functions, categories, subcategories, and then pointing to references or controls allows an organization to discuss risk at different levels of detail based on who
the audience is, right? So I like to say that you have the ability
to communicate cyber risk objectives and outcomes from the server room to the board room because
there's different levels of detail that are described within the cybersecurity framework core.
Okay, so you got that? Don't worry, there's not going to be a quiz. But basically, the NIST
cybersecurity framework starts with broad high-level categories and drills down from there.
There are multiple layers, so you can choose to dial in how deep you want to dive.
And oftentimes when people think of the framework, they're thinking of the core,
because on high it's just five words, identify, protect, detect, respond, and recover. Now, there's customizing the core for
a given organization or sector or subsector. And when you customize, a big feature of that
is prioritization. Because when we hold all things important, nothing is important,
how do we decide what cybersecurity things are most important to us, that artifact is called a profile.
That's a customization of a core for you.
And thirdly, there's something called implementation tier.
An implementation tier is a high-level measurement of organizational behavior.
It's a one through four scale is the measurement scale there, and it has a bit of a maturity
model feel to it.
But one key feature,
key difference in logic between this and a typical maturity model is the inherent trade-off analysis.
It costs money to be a four on this measurement scale. And so in order to afford to be a four
in one dimension of your business, you might need to be a three or even a two in order to offset
those expenses. I mean, if you look at the NIST CSF, you've got the core, you've got your domains, right?
Identify, that's a big thing, right?
We should be looking at identify, you know, protect, detect, respond, right?
Recover.
I think these are core fundamentals of how we function in security.
And it's just a structured way of thinking about the problem that we're
trying to solve and say, because how many times have I personally gotten, I'm sure those of your
listeners that are listening, not along to this, you ask, you know, how many times have you gotten
asked from an advisory stance, you know, am I doing enough? What is enough? Right. And you could
look at it and say, well, are you checking all these boxes? Right. So that's the one thing that I always get from folks that are detractors that don't like this approach and say, well, all you're doing is giving me a bunch of checkboxes that I can just simply do and get away with.
Yes, that's essentially it's a starting position. Right.
But it gives you all the things that others have thought about, have experienced, have been successful with. It allows you to
have a structured approach, right? So the collective knowledge of thousands, if not
millions of hours of other people's experience delivered to you in a nice document or spreadsheet
or something that you can scroll through and say applies to me, applies to me, applies to me,
doesn't apply to me. And I'm guessing that everything in that, in the CSF, it's going to be hard to find stuff that doesn't apply to you. You don't necessarily default to the
most granular aspect of the framework. Maybe you don't focus right out of the gate on security
controls and understanding at that detail level. Maybe what you do is begin to help people acclimate to these five functions,
identify, protect, detect, respond, recover, and you relate your business security objectives to
those five functions and move as you're comfortable to the right. You would then relate your cybersecurity
business activities to the categories of which there are 22. So it's a little bit more accessible when you think about
it because the categories are a little bit broader and you can begin to become comfortable
understanding the lexicon and how what you do and what your risks are relate to these
fairly high level descriptions of life cycle activities as it relates to cyber risk management.
And then figuratively move to the right.
So from functions to categories to more detailed subcategories.
And then if you desire, really focus on your achievement of detailed security controls
within the organization.
Once you've done that, all of your results then flow through
this construct of subcategories, categories, and functions so that you have the ability to have
this cyber risk conversation throughout an organization. We've had many instances where
somebody will say, well, I'm already an expert at this. I don't really, you know, there's nothing you can possibly teach me.
And so my reply has always been, great.
I'd love to take a look at what I have.
I'd love to learn from you.
And they go, yep, done it, yep, done it, yep, done it, yep.
Oh, I haven't thought of that.
And there's always at least that moment because as smart and intelligent and experienced as any one person is, you're not as smart and experienced and
intelligent as the collective. There's an efficiency and a precision that you gain
in cybersecurity dialogues when you're using the same language. And the framework is the basis
for that language. Framework can be used for a number of important business functions. For
instance, assessing your business objectives, how those business objectives rely on technology and cybersecurity.
In other words, something called a dependency analysis.
That's something that can be performed with the structure of cybersecurity framework.
Also, the structure of cybersecurity framework, because it's really a catalog of cybersecurity outcomes.
That same structure lends itself well to aligning and deconflicting all the cybersecurity
requirements you're beholden to, such that you can develop a cybersecurity program or evaluate your
pre-existing cybersecurity program and make sure that it is truly working to fulfill all of the
cybersecurity requirements that you need to fulfill. Start at the left and move to the right
as it makes sense for you, right? So you don't have to do it all on day one. You can grow into it.
One thing on everybody's wish list is to actually measure the extent to which it reduces risk.
You know, I would love to embark on that sort of effort as well. There's a foundational thing
that's not really available in our cybersecurity ecosystem that kind of prevents us from getting from point A to point B,
and that is there's a lot of work to be done just in the generic cybersecurity measurement space.
Free flow of information for the sake of measuring risk reduction, for instance. So
once we have that space better developed,
I think we'll be better able to answer questions like, is this cybersecurity framework truly
reducing risk in a quantifiable sort of way? In the meantime, what NIST uses is anecdotal
information, which over time becomes more and more empirical, the more parties that we ask,
is it working for you? How is it working for you? What is the feature that's working best for you?
How do you use it? The more parties that we ask that series of questions to can get reasonable
answers back, the more that anecdotal sort of approach becomes empirical. And so we are indeed
trying to approach the risk reduction question from a different angle here.
And try to look at it rather than the way we look at PCI,
where how can I limit my scope
and how can I minimize how much of this I have to do?
Assume that the scope is everything you do, right?
And this is one of those things
where be inclusive of your entire organization,
understand and try to accept this framework
or whatever framework you're using,
whether it's ours or NIST or whatever.
Look at it and go, does this fit my organization?
Can I get value out of it in a timely manner?
Can I measure positive impact, right?
Does this give me goals?
What are they, right?
Where do I have deficiencies?
If the answer is everywhere, pick a couple of the most important and work your way down.
And I'd probably say don't try to go – unless you've done it before, don't try to go it alone.
It's a tremendous project no matter what framework you're picking to try to go at it alone because it's tough without the experience of having done it before.
But again, these things are essential because it's the collective knowledge and experiences of others who, while you may be a
special snowflake, you're still a snowflake, right? And everybody is just a little bit different,
but in that same way. DHS, I know, has been working with the insurance industry to have
them understand the value of this consistent way of looking at cyber
risks.
So our suggestion is that the insurance industry could use the framework as a way to gauge
cyber risk to better underwrite cyber liability policies, right?
And over time, what happens is as there's loss experience, the insurance industry could be used to determine risk for
the purpose of underwriting cyber liability insurance policies, but also develop actuarial
data over time, because you'll see which controls are effective, which ones aren't, where there's
gaps and so forth. In many ways, cyber liability insurance policies, there's not a lot of confidence
in being underwritten in terms of the liability
and the risk. If I'm an insurer and you're trying to get a policy from me, how am I going to know
that you are working at some kind of structured approach to security? Am I going to create my own?
That's unlikely. So what am I going to use? I'm going to use the same yardstick that I can measure a thousand of my applicants for cyber insurance and say, okay, how do I create some way of understanding and comparing
and contrasting these organizations? How do I know what they're all supposed to be doing? What works?
And that's kind of the purpose of these things. I fully expect to see the framework model being approached more often.
And you're not going to be asked, I don't think it's going to be like, go use COBIT or go use ISO or go use NIST or else.
What you're probably going to start seeing is what framework are you using and can you defend your use of it?
And the idea is going to be, does it cover the basics?
Is it justifiable? Does it provide value to you?
It's really important for the purposes of M&A to demonstrate that you're doing the right things
and your company or your business is a sound investment because you've invested in cyber risk management.
But from a governance standpoint,
you can imagine how valuable it would be
if there is ever a breach, right?
You ever encounter a breach
and you have to defend yourself in a court
to be able to point to something
that is as visible and well-respected
as the cybersecurity framework
and say, this is the process that we use to manage our cyber risk
management. It's absent something like that, whether it's a cybersecurity framework or something
like that, that's recognized as a standard, you run the risk of being found negligent. And so I
think a lot of organizations are beginning to understand that they have to have something to
hang their hat on. I think if you're a board member, if somebody comes to you and says, I want to pick a framework
to align to, you should probably do jumping jacks and be excited because to me, that's a clear sign
that they get it, that they're trying to not be, they're getting away from the, we're different
than every single other company ever,
because, you know, we're doing something completely and utterly different. We're going to go at this
alone. If you're sitting on a board somewhere, you should absolutely be asking, are you using
frameworks? What are they? What framework are you using? Why are you using it? Can you defend it?
Does it make sense for this company? And if it does, fantastic. How close are you to your goals? Not to 100%.
What are the goals you've set? How close are you? What are the milestones?
And those are the things that we should be asking.
It's that engaged conversation. What business value does this framework provide?
That's a pretty big question.
Of course, cybersecurity is a rapidly changing field,
and NIST is already working on updates to the framework.
We had always said that the cybersecurity framework would need to evolve,
that should be a living document as an objective,
so that it can evolve with technology, so it can evolve to counter threat,
so it can take best practices for a given industry
and bring those into a knowledge base to make those standard practices.
And so that framework could evolve at a pace that, candidly, legislation and regulation just can't.
So for all of those reasons, evolution of framework has always been a part of the picture,
even since the original incarnation.
And so we are working on a version 1.1 of framework right now, where our stakeholders asked us to help them better understand how to do the cyber dimensions of supply chain
risk management.
And they asked for some clarification on the relationship between some of the components
of framework profiles and implementation tiers being those. We're also hearing more and more chatter about cybersecurity measurement and the importance
of that to the future of cybersecurity. And so we've added a section specifically on
cybersecurity measurement and how one might use that for self-assessment to the cybersecurity framework. And then we've also
beefed up the authentication and other dimensions of identity management within framework just to
make the framework that much stronger of a construct. I'm personally just really happy
to see that some degree of standardization is really beginning to take hold because it's
something that we've advocated for
for the better part of 20 years. Instead of everybody doing things their own way and everyone
having a, every organization have a different lexicon or way of describing why they're secure
or how they're secure, their degree of being secure or their degree of risk or so. Frameworks
like the cybersecurity framework really allow organizations
to be on the same pages as they relate to each other, peer organizations. They can compare
their status in a way that's meaningful. There's a whole bunch of ways to understand whether or not
you'd like to use cybersecurity framework. And I'll highlight some resources at nist.gov/cyberframework.
First of all, there is a page dedicated solely to
resources that have been produced, a great many of which outside of NIST, and that's called the
industry resources page. There's about 60 resources produced by parties outside of the National
Institute of Standards and Technology. So there's an awesome diversity across sectors and various communities
there. And so an organization that's considering using framework might simply go look at those.
There's a number of webinars that are available for playback. And in fact, in most of our
cybersecurity framework workshops, we record a lot of the main stage sort of presentations
and panels.
So those are great videos to go view to learn more about Framework and also to learn more about how others are using Framework.
As the security executive or the security lead for whatever company you're at, ask yourself what makes us better.
Why are you here?
And the answer isn't to check the box and just go through another day. It's to make the organization better. It's to increase safety. It's to do whatever it is that you do, empower and enable.
going to provide that value to your organization, take it seriously. Have that conversation with a board, your executives. You should be held account to that. I mean, if you decide that...
NIST holds these workshops in Gaithersburg in the springtime. And I go there to these workshops,
and what I've seen is somewhere between 600 and 1,000 people registered from all across different industries,
and not just in the U.S., but there are actually, I think, 11 different countries represented
at the most recent workshop at NIST.
I think it was in May of this year.
So you might argue that a mandate would drive greater adoption, but from what I've seen, there is already lots of interest in the framework, despite the fact that it's
voluntary. I think it's just because the way it's constructed, it just makes great sense.
And people recognize that. And for that reason, organizations are very willing
to take a close look at the cybersecurity framework and apply it to their organizations
for the purpose of managing cyber risk, demonstrating a standard of due care.
It's really impressive to see the level of adoption that there is already. Can you describe to us, in 2017, you published the Baldrige Cybersecurity Excellence Builder,
which builds upon the 2014 framework.
What's involved with that?
The Baldrige Cybersecurity Excellence Builder is really a combination of this performance
excellence program that pre-existed, the Baldrige Performance Excellence Program, which existed since the 1980s and really focuses on quality control and quality assurance and how organizations institutionalize those things.
And so what we produced is a 50-question self-assessment criteria in the form of this Baldrige Cybersecurity Excellence Builder.
There's an envisioned phase two where maybe even one day, like the original Baldrige program,
there might even be a recognition that goes along with this where organizations could be praised, if you will, highlighted for doing great cybersecurity things according to these criteria, but whether or not industry
favors that sort of approach, that's a bit of a TBD. So for now, we have this self-assessment
criteria that any organization can pick up off the shelf and figure out the extent to which
they are doing good cybersecurity things within their organization.
That's Matt Barrett from NIST.
Our thanks to him and to Richard Tracy and Rafal Los for sharing their knowledge and
expertise.
Rafal Los is also host of the Down the Security Rabbit Hole podcast.
You want to check that out.
The CyberWire podcast is produced by Pratt Street Media.
Our editor is John Petrick.
Social media editor is Jennifer Ivan.
Technical editor is Chris Russell.
Executive editor is Peter Kilby.
And I'm Dave Bittner.
Thanks for listening.