NIST Cybersecurity Framework: Second, Build a Moat - Part 2

By: Josh Mayfield | 7/11/2018

The NIST Cybersecurity Framework is a repeatable framework organizations may follow to bolster their security posture. Within it, there are 5 foundational actions that may be flexibly deployed, regardless of industry or setting. In this, the second of a two-part post, we focus on the second action, Protect, whereby NIST outlines 4 practical steps to protect data. My previous post explained access control and user awareness. This post takes a closer look at data security and protective technologies.

Data Security

NIST CSF states: “Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.”

This goes back to the first pillar we explored, how to align resources with our risk strategy. Here, we see the principle extend to data and once again, we have the NIST CSF supplying measures you can enact. Just as the section has two words in its title - data and security - the methods focus on each. Let’s begin by examining what kinds of data need our protection.

  • Data at-rest. Whatever place data calls home, we must fortify it with protections in three specific considerations: physical protection, policy enforcement, and technical safeguards. Let’s take a laptop as an example. Physical protection puts a geofence around the device, prevents users from removing hardware, and pinpoints its location anywhere. These physical considerations help protect data at-rest on any device. Policy is the bedrock of all security programs, because at its core it says, “This is allowed. That is not allowed”. Policy enforcement is strong passwords and 2FA, encryption keys, and device security configurations to maintain confidentiality, integrity, and availability of those data at-rest. Finally, there are the technical safeguards, which include VPN access controls, blocking cloud storage apps, endpoint hygiene persistence, and regenerating security apps like BitLocker or antimalware. Without these technical safeguards, a laptop could be physically compliant and conforming to policies, while still exposing data at-rest.
  • Data in-transit. Like data at-rest, when securing data in-transit, organizations have to consider physical protection, policy enforcement, and technical safeguards. Physical protections consist of tangible implements like secure buildings, server racks and cages, and preventing unauthorized people from entering those spaces. Policy enforces which data can make a trip, how they make a trip, who can send them, and who can receive them. These policies can lower the probability that data in motion suffers a compromise. Lastly, technical safeguards are deployed with infrastructure and network packet switching so that information can go from one system to another without violating the principles of confidentiality, integrity, or availability.

What are the practices we can undertake to secure data at-rest and data in-transit? First, assets need to be managed throughout the lifecycle. Back to my laptop example. To adopt NIST CSF means to have eyes on my device throughout its lifecycle. It begins by activating tracking technology before the machine is boxed and placed into trucks or ships. Once I receive the device, activate its security, and test it before putting it into production, I must establish its base-level hygiene.

Cyber hygiene is the most important control function we can pursue, because hygiene itself is a manifestation of our security intent: all the defining attributes of the machine are put into the recipe and tracked for conformity throughout the lifecycle. This requires continuous vigilance over the device to ensure its cyber hygiene is always maintained.

Each organization will have its own definition of endpoint hygiene, but these attributes can be measured and woven into a unique score across the population: The Endpoint Hygiene Coefficient. At a single point-in-time, you can look at your device population and see how it conforms to your hygiene benchmark on a scale from 0 to 1. When the endpoint population is reckoned at “0”, this indicates that no single device has any control or configuration aligning with my policy or security intent. This is very rare. So rare, that we can rule it out. A hygiene coefficient of “1” signals that every device has every control, configuration, and policy-conforming behavior in place. Don’t think that an endpoint hygiene coefficient of 1 is any less of a unicorn. In all my years, I’ve never seen any organization with an endpoint hygiene coefficient of 1.

When scanning devices, you might notice an endpoint hygiene coefficient of 0.81. This means that some devices are pulling the population away from a perfect correlation with your security intent. Each may be doing this for different reasons, but each is contributing to the hygiene drift. By expanding the view, you can see that 23% of the devices are unencrypted, 12% are encrypted but have sensitive data in cloud storage apps, 8% have outdated antivirus apps, and a whopping 78% have unauthorized software. The possibilities are virtually limitless and need constant monitoring.

Monitoring is another important component of the data security section. But simply keeping eyes-on-glass is not enough to satisfy the demand for strong data security. We must go deeper, by looking at failures and verifying software, firmware, and information integrity. This is where we use the methods of falsification, never settling for absence of evidence in place of evidence of absence. Let’s assume the absence we’re looking for is that of endpoint hygiene violations. Because we took a risk-based approach to policies, we can have confidence that our endpoint hygiene standard is solid.

Now, is there evidence that no device is violating its hygiene standard? To answer such a question, you’d need to probe every device, eliminate the possibility of unauthorized sensitive data, validate there is no unauthorized software, attest to every patch being completed, and verify security apps, agents, configurations, and updates are deployed within software, firmware, and the information packets themselves. To demonstrate we have evidence of absence—evidence that no machine is violating hygiene standards—we would have to do much more than keep an eye on SCCM or the SIEM to know if anything is amiss. The falsification principle demands we go into our devices and inspect every aspect of hygiene to verify that all is well. If not, we cannot say truthfully we’ve adopted the NIST CSF demands for data security.
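The Endpoint Hygiene Coefficient and the evidence-of-absence argument above can be shown together in code. The following is an added example, not Absolute’s code or the post’s own scoring method; it assumes a definition the post does not spell out (the coefficient is the mean, across every device, of the fraction of required controls each device positively attests to), uses assumed control names drawn from the four drift categories mentioned earlier, and runs over a small constructed inventory. A device that never reported back scores zero rather than being skipped, and a second “naive” function shows how much the score is flattered when silent devices are quietly dropped:

```python
"""Endpoint Hygiene Coefficient with evidence-of-absence semantics.

Added example, not Absolute's code. ASSUMED definition: the coefficient is the
mean, over every device in the population, of the fraction of required hygiene
controls that device positively attests to. A device that never reported back
is scored 0.0, because absence of evidence is not evidence of absence.
"""

# The four hygiene attributes named in the post (control names are assumptions).
REQUIRED_CONTROLS = (
    "disk_encrypted",
    "no_sensitive_data_in_cloud_apps",
    "antivirus_current",
    "no_unauthorized_software",
)

# Constructed inventory: what an endpoint agent reported for each device.
# "attested": False means the agent returned nothing for this device.
INVENTORY = [
    {"host": "lt-001", "attested": True, "disk_encrypted": True,
     "no_sensitive_data_in_cloud_apps": True, "antivirus_current": True,
     "no_unauthorized_software": True},
    {"host": "lt-002", "attested": True, "disk_encrypted": False,
     "no_sensitive_data_in_cloud_apps": True, "antivirus_current": True,
     "no_unauthorized_software": True},
    {"host": "lt-003", "attested": True, "disk_encrypted": True,
     "no_sensitive_data_in_cloud_apps": False, "antivirus_current": True,
     "no_unauthorized_software": False},
    {"host": "lt-004", "attested": False},   # silent device: no evidence at all
    {"host": "lt-005", "attested": True, "disk_encrypted": True,
     "no_sensitive_data_in_cloud_apps": True, "antivirus_current": True,
     "no_unauthorized_software": False},
]


def control_satisfied(record, control):
    """A control counts only when the device positively attests to it."""
    return bool(record.get("attested")) and record.get(control) is True


def device_score(record):
    """Fraction of required controls this device is proven to satisfy (0..1)."""
    met = sum(1 for c in REQUIRED_CONTROLS if control_satisfied(record, c))
    return met / len(REQUIRED_CONTROLS)


def hygiene_coefficient(inventory):
    """Population-wide coefficient: silent devices drag the score down."""
    if not inventory:
        return 0.0
    return sum(device_score(r) for r in inventory) / len(inventory)


def naive_coefficient(inventory):
    """The trap the post warns against: averaging only devices that reported,
    so a silent device is treated as if nothing were wrong with it."""
    reported = [r for r in inventory if r.get("attested")]
    if not reported:
        return 0.0
    return sum(device_score(r) for r in reported) / len(reported)


def drift_breakdown(inventory):
    """Per-control share of the population failing (or unproven for) it:
    the 'expanded view' that explains why the coefficient is below 1."""
    return {
        c: sum(1 for r in inventory if not control_satisfied(r, c)) / len(inventory)
        for c in REQUIRED_CONTROLS
    }


def silent_devices(inventory):
    """Devices we have no evidence about; these need probing, not assuming."""
    return [r["host"] for r in inventory if not r.get("attested")]


if __name__ == "__main__":
    print(f"hygiene coefficient: {hygiene_coefficient(INVENTORY):.2f}")
    print(f"naive (reporting-only) coefficient: {naive_coefficient(INVENTORY):.2f}")
    for control, share in drift_breakdown(INVENTORY).items():
        print(f"  {control}: {share:.0%} of devices not proven compliant")
    print("devices with no attestation:", silent_devices(INVENTORY))
```

On this constructed inventory the honest coefficient is 0.60 while the reporting-only version reads 0.75: the silent laptop is exactly the machine a SIEM dashboard would never complain about, which is why the check treats “no report” as a failed control and lists the device for inspection.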

The point of the data security portion of the NIST CSF Protect pillar is to challenge our assumptions; specifically, the assumption that information is a substance that needs a little encryption sprinkled on it.


If information does not remain confidential, consumer privacy, trade and state secrets, intellectual property, and even our business relationships with suppliers and partners can be reduced to dust. If information does not persist in its integrity, medical diagnoses and treatments fail, lives are lost, and financial assets can be brought to nil.

Imagine what would happen if a chemical formula was slightly altered or if someone tampered with a bank account balance. When information is misaligned with the real world, disastrous consequences follow. The examples of chemistry and finance are historical realities. Healthcare providers have killed patients because dosages and drug allergies came from information with corrupted integrity. Banks have issued interest payments, transactions, and sell orders based on false information when its integrity was compromised. Finally, if information is not available, productivity grinds to a halt, shipping lanes stop, factories quit producing, and commerce ceases to function. We’ve all been there.

So, what is technology’s role in adopting the Protect pillar? After all, if it’s technology we’re trying to guard, shouldn’t technology give us a helping hand?

Protective Technology

NIST CSF states: “Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.”

Finally, we come to technical armaments to help us protect devices, data, apps, and users. When implementing the NIST CSF, you’ll find that people and processes are insufficient to fill your capability gap. This leads you to pursue technology that supplies the capabilities the ultimate goal requires. Those capabilities must be propped up by features that make the capabilities possible. If you follow this cascade when assessing technologies, you’ll find that your budget has new elasticity you never noticed before. You’ll collect less dust on ‘must-have’ tools, and you’ll more effectively secure the environment without all the unnecessary paraphernalia.


NIST CSF suggests four critical areas where technology can help keep data protected.

  1. Audit and Logging. If we don’t gather the necessary information about what’s happening with our IT resources, we will be paralyzed about what to do next. Audits serve as a forcing mechanism to push us toward greater compliance with security intent and policy. Logs serve up the required threads in the tapestry to get a clear picture of the current security posture and its alignment with the NIST CSF, our own security standards, and the risk strategies I’ve mentioned.
  2. Removable Media Security. Recall that information wants to be shared. Information is the most portable element in the cosmos and will naturally become profligate if we do not take deliberate steps to protect it. By ensuring that removable data vehicles are protected and that their use complies with security policy, you can check the box for this mandate from the NIST CSF. Unfortunately, this is easier said than done. Earlier we saw how endpoint hygiene can drift when controls, configurations, and security apps or agents are disabled. Well, there is another aspect of hygiene: user and machine behavior. When deploying monitoring techniques, usage must play a significant role. Is a removable drive connected? Asset intelligence will show you. Is that removable media protected? Hygiene monitoring will confirm or disconfirm. How is it used once removed? Good luck. We cannot be certain what happens with our information once it is cloned to removable media. What we can do is protect against its removal in unsecured circumstances or by unauthorized identities. These kinds of technical controls are possible with visibility and control, but we must maintain constant vigilance and automate our actions to ensure confidentiality, integrity, and availability.
  3. Least Privilege. We mentioned earlier the need for access to be limited to the least privilege possible. This policy can be brought into effect with access controls such as role provisions, permissions, exfil restrictions, two-factor authentication, geofencing, and sensitive data discovery to ensure no one is accessing information that exceeds the least privilege required. In the context of the business and this risk strategy, these controls will vary from user-to-user and context-to-context. But by deploying technology to be your gatekeeper and policy enforcement, you can have greater confidence that the principle of least privilege presides in your domain.
  4. Gestalt Security. Finally, the technical implements to secure data arrive at the forest, instead of individual trees. By fortifying the network and communications channels, you can enable data security within the NIST CSF. Using resources like Wireshark, DPI, UCC, NGFW, and the backbone of zero trust gives you the communication and network security required to expand the rigor of individual controls on distinct machines to the computing environment at-large. I call this “Gestalt Security”, to finish up where we started with easy-to-remember phrases for some of the abstract ideas in the NIST CSF.
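The audit-and-logging and removable-media items above come together in a log check: the connection event tells you a drive is attached, and policy decides whether that attachment was acceptable. The following is an added example, not Absolute’s code or any product’s API; the log format (a timestamp followed by key=value pairs), the event names, the device serials, user names and the policy itself are all constructed assumptions for this illustration. It parses a handful of constructed endpoint events and returns one finding per connection that is unapproved, unauthorized, or unencrypted:

```python
"""Removable-media policy check over endpoint connection events.

Added example, not Absolute's code. The log format (timestamp followed by
key=value pairs), the event names and the policy below are all assumptions
constructed for this example.
"""
from dataclasses import dataclass

# Constructed sample events: two connections that violate policy, one that
# does not, and one removal (which the check does not evaluate).
LOG_LINES = [
    "2018-07-11T09:14:02Z host=lt-001 user=jdoe event=usb_mass_storage_connected serial=ABC123 encrypted=yes",
    "2018-07-11T09:20:45Z host=lt-002 user=msmith event=usb_mass_storage_connected serial=ZZZ999 encrypted=no",
    "2018-07-11T10:02:11Z host=lt-003 user=contractor7 event=usb_mass_storage_connected serial=ABC123 encrypted=yes",
    "2018-07-11T10:30:00Z host=lt-001 user=jdoe event=usb_mass_storage_removed serial=ABC123",
]


@dataclass(frozen=True)
class Policy:
    approved_serials: frozenset   # devices issued and inventoried by the org
    authorized_users: frozenset   # identities permitted to use removable media
    require_encryption: bool = True


# Assumed policy for the constructed environment.
POLICY = Policy(
    approved_serials=frozenset({"ABC123", "DEF456"}),
    authorized_users=frozenset({"jdoe"}),
)


def parse_event(line):
    """Turn 'ts k=v k=v ...' into a dict; tokens without '=' are skipped."""
    timestamp, *pairs = line.split()
    fields = {"timestamp": timestamp}
    for pair in pairs:
        key, sep, value = pair.partition("=")
        if sep:
            fields[key] = value
    return fields


def violations(event, policy):
    """Reasons this connection event breaks policy (empty list if it is clean)."""
    reasons = []
    if event.get("serial") not in policy.approved_serials:
        reasons.append("unapproved device serial")
    if event.get("user") not in policy.authorized_users:
        reasons.append("user not authorized for removable media")
    if policy.require_encryption and event.get("encrypted") != "yes":
        reasons.append("unencrypted media")
    return reasons


def evaluate(lines, policy):
    """Walk the log and return one finding per non-compliant connection."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event.get("event") != "usb_mass_storage_connected":
            continue
        reasons = violations(event, policy)
        if reasons:
            findings.append({
                "timestamp": event["timestamp"],
                "host": event.get("host"),
                "user": event.get("user"),
                "serial": event.get("serial"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in evaluate(LOG_LINES, POLICY):
        print(f"{f['timestamp']} {f['host']} user={f['user']} serial={f['serial']}: "
              + "; ".join(f["reasons"]))
```

The check deliberately reports every reason rather than stopping at the first, so a single finding tells the responder whether the problem is the drive, the identity, or the missing encryption; an approved, encrypted drive in the hands of an unauthorized user is still flagged, which is the “unauthorized identities” case the post calls out.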


The Protect pillar of the NIST CSF is where too many organizations turn tail and run. It may seem daunting to figure out the best mechanisms for implementing stronger data protection and to have the standards in place that adapt to changing norms and shifting risk strategies. But the NIST CSF is effective because it draws from the best-of-breed security pros and places their wisdom into a thematic framework for anyone to use. Control access, fortify data, prevent data misuse, and ensure data persists in its confidentiality, integrity, and availability.

This is nothing new for you. You’ve done this for decades. Now you can turn your entire organization into a juggernaut for cyber resilience with you leading the way.

Identify and eliminate endpoint vulnerabilities, increase visibility & control and minimize your risk: get started with the Absolute Dark Endpoint Assessment today.
