As we continue our journey with NIST, here we show you what it means to “protect” while providing our readers with industry best practices for your security program.
A cybersecurity program’s “Protect” function is often the most thought-about area that organizations consider when looking to enhance their security program. It’s also the second of five functions of the NIST security framework issued by the United States government to provide a set of guidelines for businesses to construct and develop their cybersecurity systems.
The whole idea behind the Protect function is to prevent a cyber incident from ever happening and to ensure that critical systems remain up and running. It involves implementing controls and processes that act as safeguards against an attack, and it typically follows the Identify function, in which risks and vulnerabilities are “identified” internally or by a cybersecurity practitioner.
How to “Protect”
Protecting your data, devices, applications, network, and end-users can entail a range of hardware, software, and organizational practices. The NIST framework outlines many activities an organization can carry out to protect itself and to help its supply chain partners defend themselves (which in turn protects the primary organization as well).
The NIST framework has six main areas of focus, or categories, describing how and where to protect your organization:
- Identity and Access Control Management: Access (physical, computer, and remote) to devices, systems, and applications is restricted only to authorized users and devices. Systems are in place to monitor and control access to these systems.
- Awareness and Training: Personnel of the organization receive consistent training and education on cybersecurity awareness and understand their roles in the organization’s cybersecurity procedures and processes. Note that personnel also include third-party suppliers, contractors, and partners.
- Data Security: Information controlled, managed, or stored by the organization is protected from unauthorized access and unauthorized modification, and remains readily accessible to authorized parties. In other words, data security follows the CIA triad of information security.
- Information Protection Processes and Procedures: Organizational policies on cybersecurity for protecting its assets are maintained, documented, and enforced by responsible parties.
- Maintenance: Security safeguards, access control systems, and assets are consistently reviewed for repairs, patching, or updates. This category also includes the logging or documenting of when maintenance is done.
- Protective Technology: Technology (hardware or software) is utilized and managed to secure systems, applications, and other assets.
Within these categories and the subcategories that follow are many different activities, in the form of technology and processes, that can protect an organization. Below are just a few key examples:
- Using encryption software while data is at rest (stored) or in transit (emailed) is part of the data security category.
- Prompting multi-factor authentication (MFA) at logins is an example of identity and access control management.
- Periodically conducting application security testing is part of performing security maintenance.
- Restricting access to certain websites online using web filtering software is part of implementing protective technology.
- Requiring employees to partake in monthly security awareness training is part of the awareness and training category.
- Implementing requirements for how employees must manage their passwords is part of both identity and access control management as well as information protection processes and procedures.
- Purchasing more cloud data storage capacity to ensure that data remains available is part of data security.
- Using public key infrastructure (PKI) to manage the digital certificates that confirm email messages are unaltered and come from their stated sender is part of data security.
- Installing an endpoint protection platform (EPP) solution on all devices to prevent file-based malware attacks is part of protective technology.
- Configuring network firewall rules for various types of Internet of Things (IoT) devices to ensure network integrity is kept is included in identity and access control management.
Importance of Layered Protection
It’s important to note that protecting your assets shouldn’t be a one-solution-per-system tactic but a layered approach. What that means is simply using several different controls within your security system so that in the event one of those fails, another can step in and protect your assets.
A great example of this is an organization that needs to protect itself against an email phishing attack. The first “layer” of protection would be blocking specific sender email addresses so their messages never reach a recipient at your organization. If an email still gets through, the next layer would be security awareness training that equips your employees to evaluate whether an email could have malicious intent. If that fails and the employee still clicks the link, two main scenarios could occur, both of which should be covered by further security layers:
- The link is a downloadable file containing malware in which the endpoint protection software (anti-malware) would detect it as a threat.
- The link takes the user to a spoofed website that captures the credentials they enter so the scammer can steal them. If the user does enter their credentials and the scammer then tries to log in to that account, the access control management system could detect the attempt, or multi-factor authentication could be required, blocking a login made with the stolen password alone.
Given the volume of attack attempts, especially against enterprise-level businesses, a multi-layered approach is essential so that each safeguard is backed by another control and systems remain intact.
The “Protect” Function and Zero Trust Architecture
Zero Trust Architecture is a set of principles businesses can use when constructing a cybersecurity program and is now one of the leading frameworks organizations are working to adopt. This framework includes concepts such as “never trust, always verify,” micro-segmentation of the network, following a least-privilege model of data access, and continuously monitoring your systems for threats.
Following the NIST protection guidelines offers a comprehensive approach to preventive security. Not only that, many of the NIST-recommended activities to “protect” an organization’s assets can serve as a segue into Zero Trust Architecture.
Here are some examples of protection activities that can move an organization into Zero Trust security:
- Regularly requiring employees to re-authenticate to their accounts for system or application access, while also prompting for MFA using another password, a hardware token, or a biometric scan (fingerprint), is part of the “never trust, always verify” concept of Zero Trust.
- Dividing the network into different systems that require separate access points and reauthentication at those points protects each network segment and is considered a form of micro-segmentation.
- Separating databases so that only sales employees can access sales data, human resources (HR) employees can access HR data, and accounting employees can access financial information follows the principle of least privilege of Zero Trust.
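As an added illustration of the least-privilege item above (this is example configuration written for this article, not something from NIST or from AGT), the following PostgreSQL script separates sales, HR, and finance data into their own schemas and grants each department role access only to its own schema. The schema names, role names, and the user `alice` are assumptions chosen for the example; the `'PLACEHOLDER'` password is a stand-in, not a value to deploy.

```sql
-- Least-privilege data separation in PostgreSQL (added example; names are assumed).
-- One schema per department, so access boundaries follow the data.
CREATE SCHEMA sales;
CREATE SCHEMA hr;
CREATE SCHEMA finance;

-- Group roles that cannot log in themselves; people are added as members.
CREATE ROLE sales_staff NOLOGIN;
CREATE ROLE hr_staff NOLOGIN;
CREATE ROLE accounting_staff NOLOGIN;

-- Make sure nothing is granted implicitly to every user of the database.
REVOKE ALL ON SCHEMA sales, hr, finance FROM PUBLIC;

-- Sales staff: only the sales schema, and only the operations they need.
GRANT USAGE ON SCHEMA sales TO sales_staff;
GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA sales TO sales_staff;
-- Tables created later by the schema owner inherit the same grant.
ALTER DEFAULT PRIVILEGES IN SCHEMA sales
  GRANT SELECT, INSERT, UPDATE ON TABLES TO sales_staff;

-- HR staff: only the hr schema.
GRANT USAGE ON SCHEMA hr TO hr_staff;
GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA hr TO hr_staff;
ALTER DEFAULT PRIVILEGES IN SCHEMA hr
  GRANT SELECT, INSERT, UPDATE ON TABLES TO hr_staff;

-- Accounting staff: only the finance schema.
GRANT USAGE ON SCHEMA finance TO accounting_staff;
GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA finance TO accounting_staff;
ALTER DEFAULT PRIVILEGES IN SCHEMA finance
  GRANT SELECT, INSERT, UPDATE ON TABLES TO accounting_staff;

-- An individual login gets its rights only through membership in one group role.
CREATE ROLE alice LOGIN PASSWORD 'PLACEHOLDER';  -- placeholder, set via a secrets process
GRANT sales_staff TO alice;

-- Quick check: alice can read sales data but has no path into hr or finance.
-- Expected: the first query succeeds, the second returns false.
SELECT has_schema_privilege('alice', 'sales', 'USAGE');    -- true
SELECT has_schema_privilege('alice', 'hr', 'USAGE');       -- false
```

Two details matter for the "least privilege" claim to hold: `GRANT ... ON ALL TABLES IN SCHEMA` covers only tables that already exist, so the `ALTER DEFAULT PRIVILEGES` lines are what keep future tables inside the boundary, and no `DELETE` or `DROP` rights are handed out at all, since the article's scenario only calls for departments to read and maintain their own records.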
Time to Protect Your Business
The “Protect” function of the NIST Cybersecurity Framework is necessary to provide proactive security solutions that can prevent an attack from ever happening and keep critical systems online. Ascension Global Technology can help you with a layered approach to protecting your assets and develop your comprehensive cybersecurity program into a Zero Trust model. Schedule a consultation with one of AGT’s security experts today to get started.
Written by contributing writer, Jack Pittas