How to Align with the NIST Cybersecurity Framework

Transcription

1 How to Align with the NIST Cybersecurity Framework 1

2 Title Table of Contents Identify (ID) 4 Protect (PR) 5 Detect (DE) 6 Respond (RS) 7 Recover (RC) 8 visibility detection control 2

3 SilentDefense Facilitates Adoption of the NIST Cybersecurity Framework Many organizations are embracing the NIST Cybersecurity Framework to manage their cybersecurity risks. According to an adoption survey from Dimensional Research, 84% of respondents used some type of security framework in 2016, with the NIST framework a leader among them. NIST focuses on using business drivers to advance cybersecurity activities and to consider cybersecurity risks as part of an organization s risk management processes. Adopting the NIST framework provides organizations with a structure to outline their current state of cybersecurity and strengthen their security posture. The NIST Cybersecurity Framework is composed of three parts- The Core, Implementation Tiers and a Framework Profile. Here we will explore how SecurityMatters SilentDefense can facilitate adoption of the NIST Cybersecurity Framework. IDENTIFY PROTECT RECOVER DETECT RESPOND visibility detection control 3

4 Identify (ID) Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities Asset Management (ID.AM) SilentDefense automatically generates an accurate map of network assets and communications, enabling an instant inventory of network devices and determination of data flows. This inventory is generated passively, without impacting the industrial network or process. Risk Assessment (ID.RA) SilentDefense is used by service providers to speed-up the risk assessment process. It features dedicated libraries to identify system vulnerabilities and detect ICS-specific threats and flaws, and enables accurate analysis and reporting of all the active devices and services in a network. visibility detection control 4

5 Protect (PR) Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services Access control (PR.AC) SilentDefense provides visibility and situational awareness over network devices and communications. It tracks and logs all successful and failed authentication attempts to network resources. Access to the information gathered by SilentDefense can be restricted to authorized users. The built-in RBAC mechanism allows fine-grained authorization and access to sensitive information about the network, its devices and current security status. Information protection processes and procedures (PR.IP) SilentDefense automatically generates the network behavioral blueprint, an accurate and detailed view into ICS network communications, which can be used to maintain a baseline of running network design and configuration. It also reports any change in the network configuration resulting in new communications and/or network operations, keeping the baseline configuration up to date. Maintenance (PR.MA) & Protective Technology (PR.PT) SilentDefense enables fine-grained access monitoring and validation, reporting any unauthorized access and operation performed to/from network assets. Data security (PR.DS) SilentDefense reports any undesired network communication and activity, ensuring that network integrity and segregation is preserved. It also employs state-of-the-art encryption mechanisms to ensure that information about the network, its devices and current security status is protected both when at-rest and in-transit. visibility detection control 5

6 Detect (DE) Security Continuous Monitoring (DE.CM) Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. SilentDefense performs in-depth monitoring and analysis of network communications, down to the values exchanged by network devices. This enables detection of a wide range of cybersecurity events, including: Anomalies and Events (DE.AE) SilentDefense s unique Industrial Threat Library features more than 250 out-of-the-box controls for threats specific to ICS networks. SilentDefense also automatically generates the network behavioral blueprint, which can be used to whitelist legitimate network operations and alert for undesired ones. If a threat is detected, SilentDefense provides all intelligence required to analyze and understand the causes and extent of a cybersecurity event, including assets involved and copies of the suspicious network packets. unauthorized connections unauthorized commands/operations unauthorized values sent/received malware spread All suspicious or unauthorized events are logged along with detailed intelligence. In addition to cybersecurity threats, SilentDefense detects a wide range of networking and operational problems that affect industrial networks. As a result, SilentDefense represents a comprehensive security and operational support platform. Detection processes (DE.DP) SilentDefense integrates with most security information and event management systems, ensuring that the right information is forwarded to the appropriate recipient (e.g. user activity logs, cybersecurity events, etc.). visibility detection control 6

7 Respond (RS) Analysis (RS.AN) Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. Communications (RS.CO) SilentDefense alerts the operator in real-time in the event of an imminent problem or threat to the network, or because of activity that was not approved by network/security operators. The operator can choose to automatically forward alerts to different recipients based on the alert category and the area of expertise best suited to analyze it. This capability favors a prompt and accurate incident response as well as effective communication among teams. SilentDefense alerts provide rich contextual information about the source, nature and target of the threat, along with key input for its analysis (including packet capture related to the threat). Together with the ability to visually locate the threat and its spread on the interactive network map, the information contained in alerts is fundamental to initiate an effective incident response process. Dedicated visual network analytics allow incident responders to perform forensic analysis on real-time and historical network activity. Furthermore, responders can benefit from dedicated tools and API to perform threat hunting and quickly search the network for advanced threat indicators. visibility detection control 7

8 Recover (RC) Recovery Planning (RC.RP) Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. In order to effectively recover from an incident or cybersecurity event, responders need to have the right information at hand. The results of the analysis activity performed using the various SilentDefense engines can provide the user with a prioritized list of action points, which can be used to undertake recovery activity. Communications (RC.CO) SilentDefense can provide evidence of a cybersecurity event or produce evidence of its successful resolution and recovery, to be used for internal and external communications. View the latest version of the NIST Cybersecurity Framework here. Copyright 2017 SecurityMatters and respective copyright owners. All rights reserved. visibility detection control 8