How to Use NIST CSF 2.0 to Identify Security Gaps: Part 4

Kevin Gee

May 08, 2025


Welcome back to this five-part series on using a cybersecurity framework (NIST CSF 2.0) to build a proper cybersecurity program. If you missed the previous parts, you can find them here: 

In this blog, Part 4, we move forward along the attack chain to the Incident (Active Threat) phase.

Incident (Active Threat) 

As outlined in part one, the incident phase, comprising the Detect and Respond functions of NIST CSF 2.0, is all about real-time threat detection and response. This phase focuses on how an organization handles constant 24/7 monitoring to detect incidents as they happen, and on its ability to respond to them in a timely manner to remediate the threat before it becomes a full-blown breach that damages or disrupts the organization.

As with all functions in NIST CSF 2.0, the Detect and Respond functions comprise a number of categories and subcategories that help guide how an organization should develop a cybersecurity program, and team, to focus on these responsibilities. You can read the full detail in the NIST CSF 2.0 documentation.

Detect and Respond 

It’s important to link the Detect and Respond functions and address them together, as one cannot realistically exist without the other. An organization focusing on detection without response will be able to identify threats but not respond to them, which leaves the organization vulnerable to the threat. Similarly, focusing on response without a trusted way to properly detect threats will cause organizations to miss threats and incidents.

Instead, organizations should assess their internal needs, requirements, capabilities and budget to determine how they will address these functions. While most will focus on the detection and response portion, there are other areas of focus that are imperative to building out a successful cybersecurity program that is capable of properly identifying and responding to threats. Companies can choose to build this capability out internally with a full SOC team or outsource all or most of these responsibilities to a partner like Bitdefender through Managed Detection and Response (MDR). 

While the exact titles and roles might change, here are the four areas that make up a proper team dedicated to handling detection and response: 

  1. Threat Intelligence and Research
  2. Detection Engineering
  3. SOC Analyst
  4. Threat Responder 

Many organizations might overlap these roles, but for the purposes of this blog, it’s important to lay them out as distinct areas with unique responsibilities. 

Threat Intel and Research 

The Threat Intel and Research role, as its name would suggest, is all about performing the necessary research and intelligence gathering to make sure the team can detect threats. They study the cybersecurity landscape, investigating and researching new threats, tactics and procedures that adversaries use, and parse that information so that it can be leveraged by the rest of the team members in detecting and responding to threats. Organizations should look for individuals with diverse backgrounds in investigation and intelligence gathering to build a successful team. 

Detection Engineering 

Detection Engineers tend to go unnoticed or are often an afterthought when building a successful cybersecurity team. Their responsibilities tend to get absorbed into other roles, but what they do is distinct and important. They often sit between Threat Intel and the SOC Analysts/Threat Responders, taking the parsed and consolidated data from the threat intel team and turning it into useful tools and detections that the analysts and responders can use in their jobs. They help build detectors and analytics to identify suspicious activity and behavior.

SOC Analyst 

SOC analysts make up the majority of the team. This is the role that is focused on monitoring your tools and events 24x7, looking for malicious and suspicious activity, and identifying threats. They oversee the security tools implemented, review the alerts and events, perform investigations, and make determinations. They can spend considerable time eliminating false positives to uncover real threats.
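To make the Detection Engineering and SOC Analyst hand-offs above concrete, here is an added example (written for this post's topic; it is not code from the original post or from Bitdefender). It shows a detection engineer turning a consolidated threat-intel hand-off (a malicious domain, a file hash, and a behavioral pattern for encoded PowerShell) into detection rules, running them over a handful of log events, and then applying an analyst-maintained allowlist so that vetted-benign activity is suppressed before it reaches the alert queue. Every indicator, hostname, hash and log line is constructed for illustration, and the JSON-lines event format and rule names are assumptions of the example.

```python
"""Added example (not from the original post or Bitdefender): threat-intel
output -> detection rules -> analyst triage.  All indicators, hosts, hashes
and log lines are constructed; the event format is an assumption."""
import json
import re
from dataclasses import dataclass

# Constructed threat-intel hand-off: IOCs plus one behavioural TTP.
THREAT_INTEL = {
    "domains": {"update-check.example-bad.test"},
    "sha256": {"a" * 64},  # placeholder hash, not a real sample
    "ttps": [
        {
            "id": "encoded-powershell",
            "description": "PowerShell launched with an encoded command",
            "process": "powershell.exe",
            # -e / -enc / -EncodedCommand followed by a base64-looking run
            "pattern": re.compile(r"(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"),
        }
    ],
}

# Constructed SOC allowlist: context an analyst has already vetted as benign.
# Here, encoded PowerShell spawned by the (hypothetical) software-deployment
# agent is expected and should not reach the queue again.
ALLOWLIST = {"encoded-powershell": {"parent": {"sccm-agent.exe"}}}


@dataclass
class Alert:
    rule: str
    severity: str
    host: str
    evidence: str
    suppressed: bool = False


def parse_event(line: str) -> dict:
    """Events arrive as JSON lines (constructed format for this example)."""
    return json.loads(line)


def detect(event: dict) -> list:
    """Detection-engineering output: match one event against every rule."""
    alerts = []
    host = event.get("host", "?")
    if event.get("dns_query") in THREAT_INTEL["domains"]:
        alerts.append(Alert("ioc-domain", "high", host, event["dns_query"]))
    if event.get("sha256") in THREAT_INTEL["sha256"]:
        alerts.append(Alert("ioc-hash", "high", host, event["sha256"]))
    for ttp in THREAT_INTEL["ttps"]:
        if (event.get("process", "").lower() == ttp["process"]
                and ttp["pattern"].search(event.get("cmdline", ""))):
            alerts.append(Alert(ttp["id"], "medium", host, event["cmdline"]))
    return alerts


def triage(alert: Alert, event: dict) -> Alert:
    """Analyst-side suppression: flag alerts whose context is vetted benign."""
    rule_allow = ALLOWLIST.get(alert.rule, {})
    if event.get("parent", "").lower() in rule_allow.get("parent", set()):
        alert.suppressed = True
    return alert


def run_pipeline(lines: list) -> list:
    """Detect, then triage, every event; returns all alerts in event order."""
    results = []
    for line in lines:
        event = parse_event(line)
        for alert in detect(event):
            results.append(triage(alert, event))
    return results


def queue_summary(alerts: list) -> dict:
    """What the analyst queue actually sees versus what was suppressed."""
    open_alerts = [a for a in alerts if not a.suppressed]
    return {"total": len(alerts), "open": len(open_alerts),
            "suppressed": len(alerts) - len(open_alerts)}


# Constructed sample log lines (five events, one is benign notepad activity).
SAMPLE_LOGS = [json.dumps(e) for e in [
    {"host": "ws-01", "dns_query": "update-check.example-bad.test"},
    {"host": "ws-02", "process": "powershell.exe", "parent": "outlook.exe",
     "cmdline": "powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"host": "ws-03", "process": "PowerShell.exe", "parent": "sccm-agent.exe",
     "cmdline": "PowerShell.exe -EncodedCommand dwBoAG8AYQBtAGkAdwBoAG8A"},
    {"host": "ws-04", "process": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"host": "srv-01", "sha256": "a" * 64},
]]

if __name__ == "__main__":
    alerts = run_pipeline(SAMPLE_LOGS)
    for a in alerts:
        print(f"[{a.severity}] {a.rule} on {a.host}: {a.evidence!r}"
              + (" (suppressed)" if a.suppressed else ""))
    print(queue_summary(alerts))
```

The split between `detect` and `triage` mirrors the division of labor in the text: the rules encode what threat intel learned, while the allowlist captures what analysts learned from working false positives, and keeping the two separate means a tuned suppression never silently weakens the underlying detection.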

Threat Responder 

The Threat Responder role is the final piece of the puzzle. These are the people who are trained to remediate threats. They resolve the incident, responding with experience, knowledge and expertise to minimize the impact of the threat before it causes a full-blown breach. 

How to Prepare and Properly Address Active Threats 

Once you understand how the team or program is composed and the four general roles, your organization can formulate next steps, including the following.

  1. Analyze and understand the security needs of the organization and overall goals.
  2. Assess what is currently available or being done by the organization. This includes:
    • What infrastructure is in place?
    • Which team members are in place and what are their existing roles and responsibilities?
    • What security expertise does the team have? 
  3. Determine the timeline for this project.
  4. Assess the likelihood of threats to the organization.
  5. Determine the overall budget that will be allocated.
  6. Determine the available approaches and weigh the pros and cons of each (build internally or outsource).

Build In-House or Outsource? 

After answering the questions and requirements laid out above, organizations should have a clearer idea for how to implement a proper Detection and Response team or program. However, for those who are still unsure, here are some quick pros and cons for why organizations would choose to build in house or why they would outsource or partner with an outside security vendor for that capability: 

Building In-House

Pros
  • Improved Control and Customization
  • Agility and Faster Response
  • Enhanced Visibility Over Org. Infrastructure
  • Easier to Manage Confidentiality, Compliance, and Data Security

Cons
  • High Initial Cost
  • Talent Retention and Scalability
  • Lack of Specialized Knowledge and Limited Threat Experience
  • Lost Opportunities for Other Strategic Initiatives


Outsourcing / Hybrid Approach

Pros
  • Cost-Effective Solution
  • Rapid Deployment, 24/7 Coverage, and Scalability
  • Access to Advanced Security Expertise and Technology
  • Lower Risk of Burnout and Turnover
  • Broader Threat Intelligence and Ongoing Threat Research, Innovation, Improvement

Cons
  • Less Direct Control
  • Dependence on Third-Party SLA Performance
  • Sharing Sensitive Data and Security Concerns with Third-Party
  • Lack of Unique Organizational Knowledge
  • Service Limitations or Gaps Based on Unique Organizational Needs


In addition to the pros and cons lists, we’ve also built out some handy tools and resources to help you compare the options and cost. Check out our ROI calculator or download and read our recent MDR ROI eBook to help with the decision-making process. 

Moving Forward With a Plan 

While each of the six functions of NIST CSF 2.0 is important, the Detect and Respond functions are where the largest portion of threat protection occurs.

Think about protecting a house. Locking doors and windows and putting up gates around the property will deter most criminals from attempting to break in, but there are no guarantees. If the homeowners are away and lack a way to detect an intruder and respond in real time, criminals can take their time bypassing the protections in place and break in. Conversely, having security cameras and someone monitoring activity around the house with the ability to react in real time can stop the criminals in their tracks. The same is true in cybersecurity.

The preparation phase helps reduce risk and prevent many threats and adversaries, but those tools and security measures can be bypassed. Preparation reduces the chances of being attacked but doesn’t fully eliminate them. Detect and Respond is focused on active, real-time threats and on identifying the incident as it happens so your organization can respond immediately to stop the adversary in their tracks.

Your organization should prioritize these functions and determine the approach that is right for your business. This includes understanding the requirements for building a successful team and providing them with the necessary budget, resources, and tools.

Research consistently shows that organizations with a proper detection and response team or program in place are less susceptible to breaches. And if there is a breach, the impact is significantly lessened due to the ability to respond and remediate quickly and effectively. 

We'll conclude this blog series next time in Part 5, where I’ll explore the final NIST CSF 2.0 function, Recover.

Author


Kevin Gee

Kevin is the Principal Product Marketing Manager at Bitdefender. With a technical background, he excels at storytelling and messaging across a variety of cybersecurity fields.
