The NIST Cybersecurity Framework

Announcer:
                        Welcome to Your Cyber Path, the podcast that helps you get your dream cybersecurity job by sharing the secrets of experienced hiring managers and top cybersecurity professionals with you. Now, onto the show.

Kip Boyle:

                        Hey, welcome to Your Cyber Path. This is the podcast where we help you get your cybersecurity job. I’m Kip Boyle and I’m here with Jason Dion. Hi Jason.

Jason Dion:

                        Hey Kip. How are you doing?

Kip Boyle: 

                        Doing great today. Thanks a lot. In fact, gosh, my head is still spinning because I was just visiting with you in Puerto Rico. It was a fantastic time. And today we’re going to be talking about the NIST Cyber Security Framework and you and I just actually made this fantastic course all about the NIST Cyber Security Framework. And boy, I can’t wait to see when it’s ready to go. How was it for you, making the course?

Jason Dion:

                        Oh, it was great. It was awesome being able to have you fly down here and spend some time with us down here in our studios. We were able to go through and record the whole course in the week. We spent a good three or four hours worth of video content exploring the whole NIST Cyber Security Framework, each of the different pieces and parts and how to implement that in your own businesses. And so today we figured it’d be a great time to sit back and kind of reflect on that a little bit and talk about the NIST Cyber Security Framework and provide high level overview for our audience, because a lot of people don’t necessarily know what this NIST Cyber Security Framework is, or they haven’t used it before themselves. So that’s what we decided we would do today.

Kip Boyle:
Yeah, that’s right. And this is again a skimming, right? We only have 20, 30 minutes here for this particular episode. There’s no way we could cram every detail of the course into what we’re going to do right now. But let’s just consider this to be a basic introduction to the NIST Cyber Security Framework. Now I’m going to begin by just telling you, why, answering the question, why are we even talking about this, why does anybody need a multi-hour course on it, let alone a 20 or 30 minute summary in a podcast? Well, if you haven’t encountered it yet, you’re going to. And if you haven’t used it yet, you probably will eventually. So the NIST Cyber Security Framework is one of the most modern frameworks or approaches to organizing a cybersecurity or an information security program that you could take right now.

It provides a ton of benefits and I want to give you four benefits, in fact, for using the NIST Cyber Security Framework. The first benefit is it’s going to help you manage cyber as a business risk. This is super important because gone, I think, are the days when we could just consider cyber as a technology kind of thing where it was annoying if somebody defaced your website or whatever. And these days, it’s so much worse than that, of course, we’re seeing massive headlines on ransomware attacks and colonial pipeline and it’s actually impacting people in their everyday lives when cyber goes wrong. It’s causing real world problems and it can put companies out of business. And so we think it’s a business risk. And if you’re going to tackle a business risk, you’re going to need to bring all of your resources to the table, your people, your processes, your policy, and your technology. We covered this in quite a bit in the course, didn’t we?

Jason Dion:
Yeah, most definitely. One of the things I see when I use the NIST Cyber Security Framework when talking about it as a business risk is the fact that we can put on our MBA hats, right? We start thinking about what does this thing cost us, what are the risks going to be costing us, and what’s the benefit we’re going to get from them. And being explain that to upper management and leadership and executives is really important because most of the time, if you’re the IT director, like I was in my past organization, I don’t get to decide on how much budget I need. I get to request it and the CFO or the CEO gets to tell me how much I’m actually allowed to spend. And so I really focus on the technology side of what are all those controls that I can afford.

But being able to explain to them in terms of business, why these things are important really helps me get the money I need to be able to go and implement these across the business and reduce that expense. Because most organizations, the CEO or the CFO, they’re looking at cyber as a cost of doing business. And they don’t realize the fact that you need this stuff to prevent you from losing more money. And so every million dollars you spend in cyber should save you at least a million dollars in potential losses. And if you can make that business case and using the NIST Cyber Security Framework helps with that, it does allow those pocket books to open up and give you the money you need to run your organization.

Kip Boyle:
Yeah, I think that’s true. I also think it’s true that these days, if you’re just trying to manage one of the biggest risks in cyber, which is phishing, if you’re just trying to manage that with technology, well, that’s what most people are doing and it isn’t working. So if you really want to make progress on a risk like phishing and really tamp it down, then you’ve got to do something more than just technology. You’ve got to get the people in the process and the policy in there because the target for phishing isn’t really technology at all, it’s people, it’s a big people problem. And that could be a whole other episode, but I just wanted to make sure people understand that the nature of cyber is changing. And even though we’re living in our individual silos, it doesn’t mean that one silo alone is going to be able to really get the job done.

So that’s one big benefit, right? Helps you manage cyber as a business risk. Now another big benefit, and for those of us who are deep inside the tech organizations, this isn’t necessarily something that is going to be your responsibility. But again, if you want to talk in business terms, you should also mention the second item, which is this is, that the Federal Trade Commission requires anybody who’s doing business in the United States, whether it’s business to consumer or business to business, it doesn’t matter. If you’re doing business in the United, you have to practice reasonable cybersecurity. And the FTC actually defines reasonable cybersecurity in part by referencing constantly to the cybersecurity framework. So what we’ve been able to figure out is that if you’re following the framework, you’re very likely going to be practicing reasonable cybersecurity as defined by the FTC. But Jason, I don’t think this has really come up for you in your work. Has it?

Jason Dion:
Yeah, I haven’t really had to deal with this much on my side of the organization, dealing with a lot of the military and defense contractors. We have different rules and regulations that we have to follow. And in fact, most of us follow RMF, the risk management framework instead of the NIST Cyber Security Framework, because that one is dictated to us for governmental use.

Kip Boyle:
Right. And that’s a great observation. If you’re working in the private industry, then it’s really FTC, but if you’re working in DOD or the defense industry, then it’s RMF. And that’s one of the reasons why I love doing this podcast with Jason and the courses that we do is because we both bring different perspectives about what it’s like to work in private industry versus DOD.

But anyway, so there’s the second potential benefit for using the framework. Now, the third potential benefit is that if you’ve ever heard this term called assume breach, that term, what it’s saying is that in the past, we could always sort of assume that our network perimeters were intact and that we could assume that the internal network was trustworthy and that the only people on the internal network were people who were supposed to be there. Well these days, of course, that’s really not a safe assumption anymore. And so for the last 10 plus years, we’ve been encouraged by different experts to operate by an assume breach mentality, which is, hey, the internal network isn’t this walled garden of complete safety anymore. And the NIST Cyber Security Framework explicitly recognizes this and it was built with this in mind. But Jason, I would imagine in DOD, in the military, assume breach is a big topic of conversation, right?

Jason Dion:
Oh, yeah, because you always have to worry about that insider threat. What if somebody is working for you, that’s actually a spy for another country, for example, right? They have approved credentials and they can go in the network and start grabbing things from you. And so you always have to assume that somebody is in, either breaking in through the firewall, breaking through the perimeter, or they’re already inside because they’re an insider threat. And so you’re always looking for somebody or something that looks malicious or suspicious, so you can investigate that and try to get it out of your network. And with the NIST Cyber Security Framework, we have all those different controls that we can look through and all those different lenses to look at our networks through, to see if we can identify that assumed breach.

Kip Boyle:
Exactly. And the insider threat, I’m glad you mentioned that as a term of art because insider threat, some people think of it as like you were saying just a moment ago, like, “Oh, well these are spies, saboteurs, people who are just out for themselves trying to figure out how can they sell our sensitive information for their own personal gain.” Clearly, that’s something that’s in play. But there’s a different kind of internal threat too, which we see all the time and it goes back to phishing. So anytime somebody is on the inside and they have valid credentials and they’re allowed to be on your network is always the possibility that they’re going to get emotionally manipulated by somebody on the outside, through a phishing attack or some kind of a business email compromise or something like that.

And so, even though these are people who are otherwise loyal to your organization and would never deliberately harm you, they can be manipulated and it happens all the time. And so assume breach also covers those cases as well. So that’s the third potential benefit for using the framework. And then the fourth one is actually kind of an extension of assume breach, which is zero trust. So zero trust networking. And Jason, I’m pretty sure zero trust networkworking comes up for our friends in DOD, doesn’t it?

Jason Dion:
Oh yeah. We’ve spent the last several, five to 10 years working on a zero trust mentality. And the whole idea of zero trust is that just because somebody is authorized to be on the network, it doesn’t mean you can trust them. The idea is that you’re no longer relying on that perimeter or that walled garden, like you talked about earlier, under assumed breach. And instead, because of the de-perimeterization of our networks, and nowhere is this more true than in your side of the world with the civilian companies, because everyone’s on their smartphone, their tablets, their iPhones, whatever it is, they’re not necessarily on a desktop computer sitting in the office anymore. And so every place you go, you have to have this idea of micro segmentation, where you have every single place you’re checking and rechecking that person as they’re trying to connect to different services or servers inside your network. And that’s really the basis of the zero trust mentality.

Kip Boyle:
Yeah. Yeah. Now just a hint for those of you who are working on a zero trust initiative or that you think you might be soon, because I know a lot of organizations are setting up proof of concepts and that sort of thing. If you pay attention to your vendors, they may be suggesting to you that you can implement zero trust by buying a product and then configuring it in a certain way. But I want you to realize that, yes, we’re going to need products for sure. But zero trust really isn’t a product zero trust is really just a way of thinking about how do you grant trust. And so I just want to share this one thing. It doesn’t really have anything to do with NIST Cyber Security Framework, but I think this is going to be helpful.

But zero trust really takes this phrase, trust but verify, and flips the script, right? So you don’t trust and then verify, you verify and then you trust. So this is really an identity heavy approach to granting access. And it also does dynamic policy. And the way that works is if you detect somebody is logging in over the local LAN, well, you might ask them for their user ID and password and 2FA. But if you see that they’re coming in over a VPN and they’re coming from somewhere in Eastern Europe and you know that’s what we call impossible travel. In other words, hey, this person just logged in on the LAN an hour ago, how can they be in Eastern Europe? Well, then you can provide either extra forms of authentication or you can deny it completely because with a zero trust setup, you’re like, “There’s no way I can validate that. It’s impossible. So I’m not even going to grant the access.”

So just a little primer on zero trust. All right, so this is why we’re talking about the NIST Cyber Security Framework is because it really is going to help us get into the future. Let’s just take a moment and talk about what it is, how it’s organized and then how you’re supposed to use it. And then I think we’ll have done a good job today. So Jason, why don’t you tell us, who published the cybersecurity framework? Where did it come from?

Jason Dion:
Yeah. So as we said, it’s the NIST Cyber Security Framework, which means it was published by NIST. Now, NIST is the National Institute of Standards and Technology. And that is a part of the United States Department of Commerce. Now NIST didn’t write this themselves though. Instead, they brought in a whole bunch of experts from private industry and they held multiple different conferences where they took all these experts from across America and they decided what are the things that should be included in this framework? Now, when they started making the NIST Cyber Security Framework, it was actually made going against a single purpose, and that was the protection of critical infrastructure inside the United States. Now, after that, we’ve now moved on and used it in lots of different industries. Kip uses it all the time with lots of different companies that aren’t considered critical infrastructure.

And that’s totally fine because it worked so well in the critical infrastructure realm that everyone else started adopting it as well. But it was originally developed for critical infrastructure, which is things like oil pipelines, energy resources, logistics, healthcare, things like that. And so they took this thing and they got all the experts together and they created this framework. And the whole framework is only about 50 to 60 pages long, but it is really, really valuable as you start looking at it and how you can look at the organization of it and then use it in your business. So let’s talk a little bit about how it’s organized. Kip, what’s the first? We’ve basically broken them into three main parts, right? What are those parts?

Kip Boyle:
Yeah, so there’s three parts. So there’s the core, called the framework core. And that’s really where all the meat of the framework is, that’s one. Then there’s implementation tiers and there’s four of those and that’s like a maturity model. So it’s kind of a bigger picture perspective on the framework. And then the last major part is what’s called a profile. And that’s where you can actually tailor the framework to your organization. So those are the three major parts. And so Jason, why don’t you start unpacking the core, if you will. What’s in the framework core?

Jason Dion:
Sure. When we look at the framework core, it’s really organized around five key functions that we do concurrently and continuously. These are identify, protect, detect, respond, and recover. And these make a lot of sense to us, right? Because if we’re starting to think about some bad person trying to break into our network, we need to have a way to identify what is our network so we know what we want to protect. Then once we’ve identified everything, we have to figure out what protections we’re going to put in place. What are the controls? What are the firewalls? What are the segmentation? All of those type of things.

Then we need to have censoring so that we can detect when a bad guy tries to break in through that firewall or other systems. Now, once we detect it, we then need to go into response. And this is where most of our instant response is taken care of. This is where we’re going to go and find where the bad guy is, clean them out, make sure the system has restored the ability. And then we fully recover, which is our final one. And so as you look at all of the different pieces of the framework core, you’re going to see, identify, protect, detect, respond and recover. And these are how we break down all of the functions and all the controls we’re going to apply to those particular functions. Now Kip, the second area we talked about was implementation tiers. Now, what are those?

Kip Boyle:
Right. So there’s actually four implementation tiers. And I don’t want to deeply describe each one of them, but let me just generally describe that the first tier is an area that’s considered to be unacceptable. And so it’s tier one. And that’s when organizations have ineffective cyber risk management methods, right? It’s all haphazard or things aren’t even being done at all. Maybe the organization doesn’t even realize that it should be doing any kind of risk management methods. So that’s tier one, nobody should be at tier one. But then there’s a tier two, a three and a four. And the higher you go in these implementation tiers, the more maturity, the more capability that you’re actually demonstrating and practicing all the time.

Now the framework, you might say, well, that sounds like a maturity model, and I could see why you would say that. That’s what I thought when I first read it. But the framework says, do not call this a maturity model. And when you dig in a little bit, because that seems weird. It’s like, why would you build a maturity model and then tell me not to think about it as a maturity model? But what they say in the framework is look, we don’t want anybody to be tier one. But really, if everybody would just get to at least tier two, that’s good enough.

Now, tier two isn’t perfection. It’s not world class security or anything like that. But the people who put together the framework said that you should only go to tier three or tier four if your business can justify it because of the nature of your business. Right? So if you’re a cryptocurrency exchange handling billions of dollars of cryptocurrency through blockchain, then you probably should be a tier three or a tier four. Or if you’re a bank or some other kind of monetary handling institution, then maybe a three or four would make sense for you.

But Jason, like you said, I work with companies that are not part of critical infrastructure all the time. So for example, I’ve got a customer that is in the entertainment industry. They’re actually a professional sports team. They’re not critical infrastructure as much as we might think that professional sports should never miss a game and so forth. And I get that, but they’re not critical infrastructure. But they follow the NIST Cyber Security Framework and they’re trying to essentially be in a tier two place for themselves. So that’s kind of what’s going on with these implementation tiers. The truth of the matter is I don’t really talk about them very much in my work, my customers. It helps get them oriented to what they should be doing. But we really don’t spend a lot of time on them.

Jason Dion:
Yeah. I think the important thing we’re talking about this is it does, when I looked at it originally, I thought, “Hey, this looks like CMMI. It looked like the maturity models that I’m used to.” And even with those maturity models, the goal is never to get to the top tier. It’s to figure out what tier you need to aim for and then get your organization to and meet that tier. So in my company, tier two might be perfectly fine. If I was working for Bank of America, I might need tier three or tier four. But knowing that helps me decide how big of a budget, what type of controls I need, what type of a profile I’m going to build. And all of those things really do link back to this implementation tier to at least have a ground level of where do I want to be on this one to four scale, and being four isn’t the best. If you’re spending all this money to reach four and you have no business need for it, that’s just a waste of money. So you don’t want to do that.

Kip Boyle:
You’re probably going to lose your job because your senior decision makers are going to be like, “Look, we make consumer beverage cups that are sold in Starbucks. We are not a bank, you’re spending us into oblivion by trying to secure us as a bank. So that’s just not going to work.” But speaking of profile, let me tell you a little bit about what that means in terms of the framework. So when you make a profile this is actually part of how you use the framework. So you go through the framework. Now, Jason already told you it’s got five functions. But beneath those five functions are 23 activities or categories, the framework uses both as a synonym. I like activities because as somebody who works in management, I like the idea of getting things done. I have a bias towards action.

So there’s 23 activities and then 108 subcategories or another term that the framework uses is outcomes, and I like that term better. So when you profile the framework, you’re going to look at all the functions, activities, and outcomes, and you’re going to say, “How do I want to measure my organization?” And I recommend doing a gap analysis, by the way, when you first are working with the framework, because there’s so much territory that you need to cover. And let me give you a couple of examples of how you might profile. So if you’re not critical infrastructure, for example, there are some outcomes of some of the 108 that are very, very focused on critical infrastructure. And you can take those out. You might also want to make some adjustments in terms of what the outcomes are actually asking you to do.

So for example, there’s an activity around supply chain. Well, maybe you’re not ready to tackle cyber risk in your supply chain yet. Although I would argue, you really need to get on that if you haven’t already. But you could take entire activities out, you could take outcomes out. You might even say to yourself, “Look, there’s these five main functions, identify, protect, detect, respond, and recover. We’re so awful at detect and I’m going to profile the framework so that all we’re going to do for the next year or two is focus on getting our ability to detect incidents up to an acceptable level, right up to that tier two or tier three,” or whatever implementation tier it is that you need to be at. But Jason, have you ever implemented the cybersecurity framework in your job?

Jason Dion:
Yeah. So when we did it, we basically looked at what it was we wanted to accomplish and we chose the different outcomes, or if you want to think about them as controls that we wanted to use to be able to meet. And I like the way you had mentioned, you did it on a year to year basis. This year, we’re going to focus on these things. It’s almost like your goals for the year. When we did it, we actually looked at a five year plan and then we broke that down into what are we going to do in the next year, and then year two, year three, year four, year five, because in the government side, we look at things very long term because our budgeting cycles are so darn long. And a lot of things we want to do, if it’s going to require a big spend up front, I can’t do that until year three, because it takes me three years to get the money that I request.

So for us, that’s why we did a five year plan. But we went through each of these 108 outcomes underneath the 23 categories and we decided which ones were applicable to us and which ones we wanted to focus on. And we built our profile based on where we wanted to be, where we currently were and how we were going to get there. And that’s really the idea of doing this gap analysis is where am I, where do I want to be, and then what’s the delta or the change in between that’s going to need to happen. And I think you do that a lot with your customers as well.

Kip Boyle:
Yeah, that’s exactly how we do it. Now, we also use some risk assessment and risk management techniques inside of that work. So for example, if I detect a gap, a very, very large gap, then the implication is okay, well there’s a lot of risk there, right? Because I’m not doing really well on this outcome and we need to be at tier two or tier three. So there’s a lot of territory here that we’ve got to cover. But just because you’ve got that giant gap, I don’t think that automatically, in every case, means you have a ton of risk. So you could actually use some risk assessment methodologies in there to actually say, okay, well it’s looking pretty bad, but let’s actually get in there and see what’s going on. Are there really valuable assets at risk in this particular case, or is this really, maybe not as intense of a situation?

So yeah, I would start with a gap analysis, but don’t be hesitant to bring in risk assessment methods and risk management methods in order to really understand that gap and then figure out what it is that you need to do to close it. Now, I also want to talk for a moment about a frustration that I sometimes see people have with the framework. They’re used to things like HIPAA or they’re used to things like PCI DSS, the Payment Card Industry Data Security Standard. And they want a checklist, because they really don’t want to think about this. They just want to be told, “Hey, what do I need to do? Please just tell me what it is you want me to do.”

And so they’re hungering for a checklist, and I understand that. Checklists are great, they help make it clear, what am I supposed to do? But the framework is not a checklist. And so it’s going to take more homework on your part to figure out how to use the framework. Again, the framework calls them outcomes and some people say that the outcomes are controls. And that’s okay at a high level.

But the thing about the framework is it tells you what to do, but it never really tells you how to do these things. Now, I actually think that’s a virtue. I think that’s a wonderful thing because even though it means that I’ve got to do a little bit more work, it gives me the freedom to implement those outcomes in the ways that makes the most sense for my business. So instead of having to be locked into using TLS version 1.3, which that may be on a checklist for PCI DSS, well okay, I don’t take credit cards, so I don’t have to struggle with that so much. Maybe I’m okay with TLS 1.1 or 1.2 or something like that. So just a simple little example there. So if you encounter this, just realize it’s not a checklist and that’s actually a good thing.

Jason Dion:
Yeah. And I think when it comes to implementation, depending on what level you are in your organization, you either need more of this framework or you need more of the checklist of controls. And so, if I’m the IT director or I’m in charge of the cybersecurity program for this organization, I’m probably going to use the framework and then I’m going to link it to different controls, whether they’re from RMF, whether they’re from ISO, whether they’re from ISACA, whatever it is. And now I’m going to take those and say, “Hey team, these are the controls and these are the things I need you to do every single day in your job or every single month. And then we’re going to assess that as we go through.” Now, every year, I’m going to go and look at my framework again and say, “What has changed? What hasn’t? What do I need to add? What do I need to take away based on the outcomes I’m trying to achieve?”

But by doing that translation from these more generic outcomes into controls, that does make it easier for more entry level or junior folks on the team to be able to do their job. Because as Kip said, if I go and say, “You must have a secure credit card processing system,” that is a very generic statement. There’s a million different ways to do that. And that person on the front line, that entry level technician, isn’t going to know how to do that. So if I then say, “That means you must have these five things like TLS 1.3, you must do a quarterly assessment, you must do X, Y, and Z,” and I give them that checklist, it’s easier for them to validate. So there is a place for both and using NIST doesn’t mean you can’t use RMF or ISO 27001 or ISACA. All those things work with it. In fact, as you go through and look at the NIST framework, it actually has in those different outcomes, it has a reference column that actually tells you which controls are associated with those outcomes if you want to use those as a reference.

Kip Boyle:
Yeah. That’s absolutely the case. The only thing, the only issue that I find these days using version 1.1 of the Cyber Security Framework is that some of those informative references that you find and they’re actually outdated. And so just be aware of that if you decide to use those. But it’s very powerful, right? So if you are in the healthcare industry, well, that’s actually part of critical infrastructure.

And you probably have HIPAA that you’ve got to deal with and maybe you take credit cards. Well here’s the thing, instead of wrestling with HIPAA and PCI DSS as two separate things that you’ve got to deal with, by using the framework, you can actually pull all those together and you can actually implement controls that will simultaneously show that you’re practicing reasonable cybersecurity from an FTC perspective, and that you’re compliant with your PCI DSS, and that you’re compliant with your HIPAA all through one single control, or maybe just a small handful of controls. And it can really simplify your environment, save you money, and really decrease the chance that you’re going to have a nasty incident. So there’s NIST Cyber Security Framework at a summary level. I think we did a good job. Jason, did you have any other final thoughts?

Jason Dion:
Yeah. I think we did a good job giving a good overview. Again, as we said at the beginning of the episode, we just finished spending an entire week together, filming everything we know about the NIST Cyber Security Framework and packing it into a course that’s about three to four hours long. If you’re interested in going and joining today, diving a little bit deeper into this stuff, we’ll have a link in the notes here to that course, which is hosted on Udemy. And you’re going to be able to join us for that course. It’s very low cost. If you’re in Udemy for business, it’s already included in that catalog for free. And I think you’ll learn a lot by going through this course and learning how to use this framework, because in that course, Kip actually breaks down how he applies this with his individual process, with his clients that he does his consulting with. And I think that’s truly valuable as you start learning how to do this.

Kip Boyle:
Yeah, that’s right. In fact, it was kind of bizarre for me to do it in a way, because I felt like I was given away too much of my secret sauce, if you will. The things that people actually pay my company to do, like I packed almost all of it into the course. So if you want to implement the NIST Cyber Security Framework for yourself and you watch the course that Jason and I put together, you’ll actually have so much useful information that you may be able to do it all by yourself. So I think the course is going to deliver a ton of value. At least that’s what our goal is, is to give you a ton of value. So you should check it out. And then if you think that we haven’t done a good job or we’ve overlooked something, tell us so we can make the course even better.

Jason Dion:
Yeah. And so with that, I want to thank you for joining us for another episode of Your Cyber Path. Until next time, see you then.

Kip Boyle:
See you later.

Announcer:
Thank you for listening to this week’s episode of Your Cyber Path. Don’t miss an episode, press the subscribe button now. If you would like to learn more about how to get your dream cybersecurity job, then be sure to visit YourCyberPath.com, where you can access the show notes, search the archive of our top tips and tricks, and discover some fantastic bonus content.