The NIST Cybersecurity Framework is a repeatable framework organizations may follow to bolster their security posture. Within it, there are 5 foundational actions that may be flexibly deployed, regardless of industry or setting. In this, the second of a two-part post, we focus on the second action, Protect, in which NIST outlines 4 practical steps to protect data. My previous post covered access control and user awareness. This post takes a closer look at data security and protective technologies.
NIST CSF states: “Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.”
This goes back to the first pillar we explored: how to align resources with our risk strategy. Here we see the principle extend to data and, once again, the NIST CSF supplies measures you can enact. Just as the section has two words in its title, data and security, the methods focus on each. Let’s begin by examining what kinds of data need our protection.
What are the practices we can undertake to secure data at rest and data in transit? First, assets need to be managed throughout their lifecycle. Back to my laptop example. Adopting the NIST CSF means having eyes on my device throughout its lifecycle. That begins by activating tracking technology before the machine is boxed and loaded onto trucks or ships. Once I receive the device, activate its security, and test it before putting it into production, I must establish its base-level hygiene.
Cyber hygiene is the most important control function we can pursue, because hygiene itself is a manifestation of our security intent: all the defining attributes of the machine are put into the recipe and tracked for conformity throughout the lifecycle. That requires continuous vigilance over the device to ensure its cyber hygiene is always maintained.
Each organization will have its own definition of endpoint hygiene, but these attributes can be measured and woven into a single score across the population: the Endpoint Hygiene Coefficient. At a single point in time, you can look at your device population and see how it conforms to your hygiene benchmark on a scale from 0 to 1. A population reckoned at “0” indicates that not a single device has any control or configuration aligning with my policy or security intent. This is very rare, so rare that we can rule it out. A hygiene coefficient of “1” signals that every device has every control, configuration, and policy-driven behavior in place. Don’t think an endpoint hygiene coefficient of 1 is any less of a unicorn: in all my years, I’ve never seen an organization with an endpoint hygiene coefficient of 1.
When scanning devices, you might see an endpoint hygiene coefficient of 0.81. This means that some devices are pulling the population away from perfect correlation with your security intent. Each may be doing so for different reasons, but each is contributing to the hygiene drift. By expanding the view, you can see that 23% of the devices are unencrypted, 12% are encrypted but have sensitive data in cloud storage apps, 8% have outdated antivirus apps, and a whopping 78% have unauthorized software. The possibilities are virtually limitless and need constant monitoring.
Monitoring is another important component of the data security section, but simply keeping eyes on glass is not enough to satisfy the demand for strong data security. We must go deeper, by looking at failures and verifying software, firmware, and information integrity. This is where we apply the method of falsification, never settling for absence of evidence in place of evidence of absence. Let’s say the absence we’re looking for is endpoint hygiene violations. Since we took a risk-based approach to policies, we can be confident that our endpoint hygiene standard is solid.
Now, is there evidence that no device is violating its hygiene standard? To answer that question, you would need to probe every device, rule out unauthorized sensitive data, validate that there is no unauthorized software, attest that every patch has been applied, and verify that security apps, agents, configurations, and updates are deployed within the software, the firmware, and the information packets themselves. To demonstrate evidence of absence (evidence that no machine is violating hygiene standards), we would have to do much more than keep an eye on SCCM or the SIEM to know if anything is amiss. The falsification principle demands that we go into our devices and inspect every aspect of hygiene to verify that all is well. If we don’t, we cannot truthfully say we’ve adopted the NIST CSF demands for data security.
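As an added illustration of the Endpoint Hygiene Coefficient, the expanded drift view, and the falsification check described above (example code written for this post, not Absolute’s product or the original article), here is one way to score a constructed device inventory. The scoring rule, the control names, and the device records are all assumptions; the post does not define the formula.

```python
# Endpoint Hygiene Coefficient over a constructed device inventory. Assumed
# scoring rule (the post does not define one): mean over all devices of the
# fraction of required controls in place, so 0 = none anywhere, 1 = all everywhere.
from dataclasses import dataclass

# Hygiene benchmark; control names are illustrative, not a NIST list.
REQUIRED_CONTROLS = ("disk_encrypted", "no_sensitive_data_in_cloud",
                     "av_current", "no_unauthorized_software")

@dataclass
class Device:
    name: str
    controls: dict  # control name -> True only when verified in place

    def missing(self):
        """Controls this device fails; an unreported control counts as missing."""
        return [c for c in REQUIRED_CONTROLS if not self.controls.get(c, False)]

    def conformity(self):
        return 1 - len(self.missing()) / len(REQUIRED_CONTROLS)

def hygiene_coefficient(devices):
    """Population score on the 0..1 scale; an empty population scores 0."""
    if not devices:
        return 0.0
    return sum(d.conformity() for d in devices) / len(devices)

def drift_breakdown(devices):
    """The 'expanded view': percent of devices failing each control."""
    n = max(len(devices), 1)
    return {c: round(100 * sum(c in d.missing() for d in devices) / n)
            for c in REQUIRED_CONTROLS}

def violators(devices):
    """Falsification check: every device breaking the standard, and why.
    Empty means evidence of absence; a quiet SIEM is only absence of evidence."""
    return {d.name: d.missing() for d in devices if d.missing()}

def make_device(name, *failing):
    """Constructed record: every control in place except those named."""
    return Device(name, {c: c not in failing for c in REQUIRED_CONTROLS})

# Constructed sample inventory of five laptops (not real data).
SAMPLE = [
    make_device("lt-01"),
    make_device("lt-02", "disk_encrypted"),
    make_device("lt-03", "no_unauthorized_software"),
    make_device("lt-04", "no_sensitive_data_in_cloud", "av_current"),
    make_device("lt-05", "disk_encrypted", "no_unauthorized_software"),
]
```

Running `hygiene_coefficient(SAMPLE)` on this inventory yields 0.70, and `violators(SAMPLE)` names the four laptops pulling the score down, which is the per-device evidence a dashboard view alone does not give you.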
The point of the data security portion of the NIST CSF Protect pillar is to challenge our assumptions; specifically, the assumption that information is a substance that needs a little encryption sprinkled on it.
If information does not remain confidential, consumer privacy, trade and state secrets, intellectual property, and even our business relationships with suppliers and partners can be reduced to dust. If information does not persist in its integrity, medical diagnoses and treatments fail, lives are lost, and financial assets can be brought to nil.
Imagine what would happen if a chemical formula was slightly altered or if someone tampered with a bank account balance. When information is misaligned with the real world, disastrous consequences follow. The examples of chemistry and finance are historical realities. Healthcare providers have killed patients because dosages and drug allergies came from information with corrupted integrity. Banks have issued interest payments, transactions, and sell orders based on false information when its integrity was compromised. Finally, if information is not available, productivity grinds to a halt, shipping lanes stop, factories quit producing, and commerce ceases to function. We’ve all been there.
So, what is technology’s role in adopting the Protect pillar? After all, if it’s technology we’re trying to guard, shouldn’t technology give us a helping hand?
NIST CSF states: “Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.”
Finally, we come to the technical armaments that help us protect devices, data, apps, and users. When implementing the NIST CSF, you’ll find that people and processes alone are insufficient to fill your capability gap. That leads you to pursue technology that supplies the capabilities required for the ultimate goal, and those capabilities must be propped up by features that make them possible. If you follow this cascade when assessing technologies, you’ll find your budget has an elasticity you never noticed before. You’ll collect less dust on ‘must-have’ tools, and you’ll secure the environment more effectively without all the unnecessary paraphernalia.
NIST CSF suggests four critical areas where technology can help keep data protected.
The Protect pillar of the NIST CSF is where too many organizations turn tail and run. It may seem daunting to figure out the best mechanisms for implementing stronger data protection and to have standards in place that adapt to changing norms and shifting risk strategies. But the NIST CSF is effective because it draws from best-of-breed security pros and places their wisdom into a thematic framework for anyone to use. Control access, fortify data, prevent data misuse, and ensure data persists in its confidentiality, integrity, and availability.
This is nothing new for you. You’ve done this for decades. Now you can turn your entire organization into a juggernaut for cyber resilience with you leading the way.
Identify and eliminate endpoint vulnerabilities, increase visibility & control and minimize your risk: get started with the Absolute Dark Endpoint Assessment today.