As business continuity and information security move closer together, how can the NIST framework help?

Published: Friday, 23 April 2021 09:10

Steve Burden and David Davies look at the NIST framework and its role in cyber threat protection and incident response. They explain why it’s important that cyber response plans link to business continuity and ICT continuity plans.

The US National Institute of Standards & Technology’s (NIST) cybersecurity framework is seen by many as a global gold standard when it comes to keeping businesses safe from cyber threats. In many ways it’s the cyber security ‘bible’, so while it contains a huge amount of useful information, it’s all too easy to get lost in the detail.

To help you use the NIST framework more effectively, we are going to specifically look at the discovery of threats, how to prevent a breach, and how to respond to a cyber security incident.

No one wants to be breached, but speed is of the essence if you are…

The timely discovery of a cyber breach is critical to any organization. The ‘identify’ and ‘detect’ elements of the NIST framework advise organizations to develop and implement effective ways to detect the occurrence of a successful cyber security breach. This can take many forms, but some of the key tools in an organization’s arsenal include behaviour anomaly detection and the continual monitoring of systems.

However, scanning for breaches and anomalous behaviour, and constantly checking that data hasn’t been infected by a virus, is time-consuming work – especially if conducted manually by internal staff. Automating this process can go a long way towards helping to lighten the load on security teams.

Powered by the latest AI and machine learning capabilities, a Security Information & Event Management (SIEM) platform can help automate many of your cyber security processes. This frees up cyber security teams to investigate potentially more serious breaches that can’t be dealt with automatically. If you do fall victim to a cyber attack, knowing about it quickly is essential and can go a long way towards helping you minimise the damage.

Avoiding an attack in the first place

Not being breached in the first place should always be the aim. This is where the ‘protect’ element of the NIST framework comes in. At its core, protection is about developing and implementing appropriate safeguards to ensure that critical business infrastructure is protected and service delivery is ensured.

When it comes to prevention, three core areas are worth considering: network, cloud, and end point. The network perimeter is changing and becoming ever more virtual, but that doesn’t mean it’s not important to protect it with firewall, SD-WAN, and DDoS protection technologies. Whether you use public, private, or hybrid cloud, the lines of security responsibility can be blurred, making understanding and enforcement of policy critical to good cyber hygiene. And finally, the end point or user is the most common breach vector, so ensuring users are safe whilst browsing the web, opening emails, and downloading files cannot be overlooked as a key step in preventing cyber breaches.

Whilst prevention primarily covers having the right technologies on your side to limit or contain a successful attack, processes and people are important too; according to a report created by the UK government, 48 percent of businesses have a basic cyber security skills gap. Consider outside help in the form of co-managed or fully managed services, or even a virtual security manager/CISO service to act as an extension to your IT team.

Great technical defences can also be strengthened with user education. The NIST framework outlines the need for comprehensive awareness and training of all team members. After all, it’s one thing to have systems in place to prevent a hacker accessing sensitive information but quite another if the hacker can’t get in because staff didn’t fall victim to phishing e-mails in the first place.

Where do we go from here? A robust response

A data breach doesn’t define your cyber security team, but how they respond to it does. The respond and recover elements of the NIST framework include response planning, mitigation, and recovery activities to ensure that the cyber security program is in a state of continuous improvement. Organizations should start with an incident response plan. This means looking at what solutions you have in place and what legal or regulatory requirements need to be taken into account when reacting to a breach (for instance, ensuring you inform regulators in a timely manner). Much like a choreographed fire drill helps to keep everyone calm and move to the nearest exit in an orderly manner, a response plan will ensure you don’t leave systems open to further attack and you can reduce the damage caused by the attack.

Another aspect to keep in mind is whether you have a backup and a way to restore data if it is compromised. Ever-present ransomware attacks pose a huge danger to ‘business as usual’ as they can take systems down for days or even weeks and disrupt global operations. As such, being able to restore systems quickly can minimise the business impact. If the worst does happen, keeping your business running and your customers happy is essential.

Cyber security and organizational resilience

This is where your cyber security planning crosses over into other areas of organizational resilience – namely business continuity and ICT continuity (or IT disaster recovery). If a cyber attack has caused a significant IT outage (for example, by corrupting or encrypting data), it’s important that you have the option to recover effectively to the last ‘clean’ backup (your ICT continuity), and that your IT staff have documented, well-practised procedures to recover the ICT services. It’s equally important that business continuity scenario exercises have been run so that the senior management team has practised how it would manage a cyber breach.

It’s important that your cyber response plan links to the business continuity plan and ICT continuity plan to ensure that they will be triggered at the optimal time, and to ensure that the different owners of these plans understand how they fit together.

As part of your response plan, you should also think about what the organization needs to do after you’ve ensured business as usual operations can continue. The NIST framework outlines that organizations should ensure the swift communication of breaches to all relevant parties, and this is reinforced by GDPR legislation, which carries significant fines. This doesn’t just mean regulators, but also potentially your suppliers and customers. Once this has been done, it’s also important to take time to look back at what the breach can teach you about your response planning. By conducting a full investigation, you can learn how cybercriminals breached systems and what can be improved to mitigate future attacks (including updated response plans).

A framework to frame your priorities

The NIST framework can be intimidating to put into practice, but addressing all of the elements within the framework will significantly strengthen your security posture and help protect you against cyber crime – a threat that continues to grow and is leading to tighter regulations and best practice recommendations.

The authors

Steve Burden is Head of Security at Daisy Corporate Services. Having worked as a highly accredited security solutions architect for several years, Steve moved into a product management role and now sets the agenda for Daisy’s cyber security portfolio.

David Davies is an award-winning business resilience and IT resilience consultant at Daisy Corporate Services. He has worked in IT resilience and recovery for more than 20 years, starting in a technical role at IBM looking after data backups and testing disaster recovery on very large enterprise systems. David then transitioned through project management of disaster recovery testing, into business continuity consultancy for the last 15 years.