NIST Cybersecurity Framework: A CyberWire Special Edition
Dave Bittner: [00:00:03:16] Having a set of standards to measure your security organization by, being able to compare your security posture to other organizations, and being able to justify your choices to investors and insurance firms, well that all sounds good, right? It's beneficial to have widely agreed upon standards of care and measurement in cybersecurity, to help know where you stand, where there's room for improvement and what's important to you. That's where frameworks come in, and the NIST Cybersecurity Framework is one of the most popular in the cybersecurity industry. In this CyberWire special edition we'll examine frameworks in general, and the NIST Cybersecurity Framework specifically, to see if adopting them is worth the time, energy and expense it takes.
Dave Bittner: [00:00:46:03] Joining us are Rick Tracy, Chief Security Officer for Telos Corporation, Rafal Los, Managing Director of the Solution and Program Insight Group at Optiv Security, and Matt Barrett, program manager for the Cybersecurity Framework at NIST. Stay with us.
Dave Bittner: [00:01:09:19] Time to take a moment to thank our sponsor, Cylance. Are you looking for something beyond legacy security approaches? Of course you are. So you're probably interested in something that protects you at machine speed and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily and it protects your network with minimal updates, less burden on your system resources, and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence, but it's real protection. Visit Cylance.com to learn more about the next generation of anti-malware. Cylance, artificial intelligence, real threat prevention. And we thank Cylance for sponsoring our show.
Rick Tracy: [00:02:06:15] I come from the world of certification accreditation in the late 1980s.
Dave Bittner: [00:02:11:15] That's Rick Tracy from Telos.
Rick Tracy: [00:02:13:17] Where every federal government organization did dares with what we call now cyber risk and compliance management. Every organization did it their own way. And that creates problems, because for you to tell me that your system is secure, I mean I really don't know what benchmarks or baselines, what process, what workflow, I really don't understand how you came about determining that you indeed are secure.
Rafal Los: [00:02:40:22] Having a framework in place means that you're not off doing something again for the first time, every time. It takes previous knowledge and due effect.
Dave Bittner: [00:02:50:13] That's Rafal Los from Optiv.
Rafal Los: [00:02:52:19] Somebody has spent some time to look at a problem, create its abstract, understand the pieces and then provide prescriptive at that right level, guidance in a way that is repeatable, measurable and provides actual problem solving value.
Matt Barrett: [00:03:10:16] I look at a framework as a structure in which to make a decision.
Dave Bittner: [00:03:15:13] That's Matt Barrett, he's from NIST.
Matt Barrett: [00:03:17:19] NIST is the National Institute of Standards and Technology. We're a part of the United States Department of Commerce. The big milestone was executive order 13636.
Dave Bittner: [00:03:28:08] That executive order happened in March 2013, from the Obama administration.
Matt Barrett: [00:03:33:00] Which was executive order for improving critical infrastructure and cybersecurity, and specifically in section seven, the Department of Commerce was tasked with coming up with a framework that would reduce risk for critical infrastructure, private sector owners and operators. Since then we've actually progressed to the spirit of executive order 13636 as written into the Cybersecurity Enhancement Act of 2014 and that's really the charter by which we continue.
Rick Tracy: [00:04:01:00] It was originally intended for critical infrastructure and unlike the risk management framework, which is mandatory in federal agencies, the Cybersecurity Framework was designed to be a voluntary framework. They did a really nice job working with industry to develop something that was helpful, yet not too onerous. It's something that the business community, critical infrastructure sectors, of which there are 16, could get behind and so the fact that it was developed in a collaborative way has really made it of interest to industries in these 16 sectors.
Rafal Los: [00:04:34:16] The challenges of creating a framework is getting 10,000 of your closest friends to agree on a pizza topping. Every company is just a little bit different, every team is just a little bit different, everybody approaches the problem and understands it just a little bit differently. The trick with frameworks and why it's not something everybody can just sit down and do in ten minutes, is how do you create a framework that is applicable to everyone, implementable by everyone, but not so prescriptive that it excludes any particular use case. So it's a very delicate balancing act, and I think that's kind of why it's so hard. So many framers get this wrong, you either become under prescriptive or over prescriptive.
Rick Tracy: [00:05:17:03] One of the many things that it does for you is it enables consistent cyber risk communication across an organization and what I mean by that is there are five easy to understand functions. Identify, protect, detect, respond, recover. Those are the five and those functions relate to categories of cyber risk objectives, which are then fed by a more granular set of roughly 100 sub categories which then make reference to detailed controls. NIST has done a good job of pointing to controls 853 or ISO or various others so that you can as an organization understand that "This is what they really mean by this particular sub-category." This construct of function, categories, sub-categories and then pointing to references or controls, allows an organization to discuss risks at different levels of detail based on who the audience is. So I like to say that you have the ability to communicate cyber risk objectives and outcomes from the server room to the board room, because there's different levels of detail that are described within the cyber security framework core.
Dave Bittner: [00:06:41:22] OK, so you got that? Don't worry, there's not going to be a quiz, but basically the NIST Cybersecurity Framework starts with broad high level categories and drills down from there. There are multiple layers, so you can choose to dial in how deep you want to dive.
Matt Barrett: [00:06:56:12] And oftentimes when people think of the framework, they're thinking of the core because on high it's just five words, identify, protect, detect, respond and recover. Now there's customizing the core for a given organization or sector or sub-sector. And when you customize a big feature of that is prioritization because when we hold all things important, nothing is important, how do we decide what cybersecurity things are most important to us? That artifact is called a profile, that's a customization of a core for you. And thirdly, there's something called implementation tier. Implementation tier is a high level measurement of organizational behavior. One through four is the measurement scale there and it has a bit of a maturity model feel to it, but one key feature, key difference in logic between this and a typical maturity model is the inherent trade off analysis. Now it costs money to be a four on this measurement scale and so in order to afford to be a four in one dimension of your business you might need to be a three or even a two in order to offset those expenses.
Rafal Los: [00:08:06:19] I mean if you look at the NIST CSF you've got the core, you've got your domains, your identity, that's a big thing. We should be looking at identity, protect, detect, respond, recover. I think these are core fundamentals of how we function in security. It's a structured way of thinking about the problem that we're trying to solve, because how many times have your listeners asked from an advisory stance, "Am I doing enough?" What is enough? You could look at it and say "Well, are you checking all these boxes?" That's the one thing I always get from folks that are detractors that don't like this approach, and say "Well, all you're doing is giving me a bunch of check boxes that I can just simply do and get away with." Yes, that's essentially a starting position. But it gives you all the things that others have thought about, have experienced, have been successful with. And it allows you to have a structured approach, so the collective knowledge of thousands if not millions of hours of other people's experience delivered to you in a nice document or spreadsheet or something you can scroll through and say, applies to me, applies to me, applies to me, doesn't apply to me. I'm guessing that everything in the CSF, it's going to be hard to find stuff that doesn't apply to you.
Rick Tracy: [00:09:28:23] You don't necessarily default to the most granular aspect of the framework. Maybe you don't focus right out of the gate on security controls and understanding at that detail level. Maybe what you do is begin to help people acclimate to these five functions, identify, protect, detect, respond, recover, and you relate your business security objectives to those five functions and move as you're comfortable to the right. You would then relate your cybersecurity business activities to the categories, of which there are 22, so it's a little bit more accessible when you think about it because the categories are a little bit broader. You can begin to become comfortable understanding the lexicon and how what you do and what your risks are relate to these fairly high level descriptions of life cycle activities as it relates to cyber risk management. Then figuratively move to the right, so from functions to categories to more detailed sub-categories, and then, if you desire, really focus on your achievement of detailed security controls within your organization. Once you've done that, all of your results then flow through this construct of sub-categories, categories and functions so that you have the ability to have this cyber risk conversation throughout an organization.
Rafal Los: [00:10:58:11] We've had many instances where somebody will say "I'm already an expert at this, there's nothing you can possibly teach me." So my reply has always been "Great, take a look at what I have. I'd love to learn from you." They go "Yes done it, yes done it, yes done it, yes, oh. Ooh, haven't thought of that." And there's always at least that moment, because as smart and intelligent and experienced as any one person is, you're not as smart and experienced and intelligent as the collective.
Matt Barrett: [00:11:28:04] There's an efficiency and a precision that you gain in cybersecurity dialogs when you're using the same language, and the framework is the basis for that language. Framework can be used for a number of important business functions, for instance assessing your business objectives. How those business objectives rely on technology and cybersecurity, in other words, something called a dependency analysis. That's something that can be performed with the structure of Cybersecurity Framework. Also the structure of Cybersecurity Framework, because it's really a catalog of cybersecurity outcomes, that same structure lends itself well to aligning and deconflicting all the cybersecurity requirements you're beholden to, such that you can develop a cybersecurity program or evaluate your pre-existing cybersecurity program and make sure that it is truly working to fulfill all of the cybersecurity requirements that you need to fulfill.
Rick Tracy: [00:12:24:24] Start at the left and move to the right as it makes sense for you. So you don't have to do it all on day one. You can grow into it.
Matt Barrett: [00:12:33:03] One thing on everybody's wish list is to actually measure the extent to which it reduces risk. You know, I would love to embark on that sort of effort as well. There's a foundational thing that's not really available in our cybersecurity ecosystem that prevents us from getting from point A to point B and that is there's a lot of work to be done just in the generic cybersecurity measurement space. Free flow of information for the sake of measuring risk reduction, for instance. So once we have that space better developed, I think we'll be better able to answer questions like "Is this Cybersecurity Framework truly reducing risk in a quantifiable sort of way?" In the meantime, what NIST uses is anecdotal information, which over time becomes more and more empirical. The more parties that we ask, "Is it working for you? How is it working for you? What is the feature that's working best for you? How do you use it?" The more parties that we ask that series of questions to, and get reasonable answers back, the more that anecdotal sort of approach becomes empirical. And so we are indeed trying to approach the risk reduction question from a different angle.
Rafal Los: [00:13:47:15] Look at it, open up that spreadsheet and look at it by functioning category, and then go down the sub-categories in there and do your best to ask yourself, "How does this apply to me?" Try to look at it rather than the way we look at PCI where, "How can I limit my scope and how can I minimize how much of this I have to do?" assume that the scope is everything you do. This is one of those things where, be inclusive of your entire organization, understand and try to accept this framework or whatever framework you're using, whether it's ours, or NIST's or whatever, look at it and go "Does this fit my organization? Can I get value out of it in a timely manner? Can I measure positive impact? Does this give me goals? What are they? Where do I have deficiencies?" If the answer's "Everywhere," pick a couple of the most important and work your way down. I'd probably say unless you've done it before, don't try and go it alone. It's a tremendous project, no matter what framework you're picking to try to go at it alone, because it's tough without the experience of having done it before. But again, these things are essential, because it's the collective knowledge and experiences of others who, while you may be a special snowflake, you're still a snowflake. And everybody is just a little bit different, but in that same way.
Rick Tracy: [00:15:19:10] DHS, I know has been working with the insurance industry to have them understand the value of this consistent way of looking at cyber risk. So our suggestion is that the insurance industry could use the framework as a way to gauge cyber risks, to better underwrite cyber liability policies. And over time what happens is, as there's loss experience, the insurance industry could then determine which controls or set of controls or sequence of controls were effective, where there are gaps in controls, which controls over time don't really offer much in the way of insight. So basically the suggestion is, perhaps the Cybersecurity Framework could be used to determine risk for the purpose of underwriting cyber liability insurance policies, but also develop actuarial data over time because you'll see which controls are effective, which ones aren't, where there's gaps and so forth. In many ways, cyber liability insurance policies, there's not a lot of confidence in being underwritten in terms of liability and risk.
Rafal Los: [00:16:28:17] If I'm an insurer and you're trying to get a policy from me, how am I going to know that you are working at some kind of structured approach to security? Am I going to create my own? That's unlikely. So what am I going to use? I'm going to use the same yardstick that I can measure 1,000 of my applicants for cyber insurance, and say "OK, how do I create some way of understanding and comparing and contrasting these organizations? How do I know what they're all supposed to be doing? What works?" That's the purpose of these things. I fully expect to see the framework model being approached more often and you're not going to be asked, I don't think it's going to be like "Go use COBIT, or go use ISO or go use NIST or else." What you're probably going to start seeing is "What framework are you using, and can you defend your use of it?" And the idea is going to be "Does it cover the basics? Is it justifiable? Does it provide value to you?"
Rick Tracy: [00:17:33:02] It's really important for the purposes of M&A to demonstrate that you're doing the right things and your company or your business is a sound investment, because you've invested in cyber risk management. But from a governance standpoint, you can imagine how valuable it would be if you ever encounter a breach, and you have to defend yourself in a court, to be able to point to something that is as visible and well respected as the Cybersecurity Framework and say "This is the process that we use to manage our cyber risk management." Absence of something like that, whether it's a Cybersecurity Framework or something like that, that's recognized as a standard, you run the risk of being found negligent, and so I think a lot of organizations are beginning to understand that they have to have something to hang their hat on.
Rafal Los: [00:18:27:02] I think if you're a board member and somebody comes to you and says "I want to pick a framework to align to," you should probably do jumping jacks and be excited, because to me, that's a clear sign that they get it. That they're trying to get away from the "We're different than every single other company ever, because we're doing something completely and utterly different. We're going to go at this alone." If you're sitting on a board somewhere, you should absolutely be asking, "Are you using frameworks? What are they? What framework are you using, why are you using it, can you defend it? Does it make sense for this company? And if it does, fantastic. How close are you to your goals? Not to 100 percent. What are the goals you've set? How close are you? What are the milestones?" And those are the things that we should be asking in engaged conversation, what business value does this framework provide? That's a pretty big question.
Dave Bittner: [00:19:24:15] Of course cybersecurity is a rapidly changing field, and NIST is already working on updates to the framework.
Matt Barrett: [00:19:31:03] We had always said that the Cybersecurity Framework would need to evolve. That it should be a living document as an objective, so that it can evolve with technology, so it can evolve to counter threat, so it can take best practices for a given industry and bring those into a knowledge base to make the standard practices, and so that framework could evolve at a pace, that candidly, legislation and regulation just can't. So for all those reasons, evolution of framework has always been a part of the picture, even since the original incarnation. And so we are working on a version 1.1 of framework right now, where our stakeholders asked us to help them better understand how to do the cyber dimensions of supply chain risk management. And they asked us for some clarification on the relationship between some of the components of framework profiles and implementation tiers. We're also hearing more and more chatter about cybersecurity measurement and the importance of that to the future of cybersecurity and so we've added a section specifically on cybersecurity measurement and how one might use that for self assessment to the Cybersecurity Framework. And then we've also beefed up the authentication and other dimensions of identity management within the framework just to make the framework that much stronger of a construct.
Rick Tracy: [00:20:57:00] I'm personally just really happy to see that some degree of standardization is really beginning to take hold, because it's something that we've advocated for the better part of 20 years. Instead of everybody doing things their own way and every organization having a different lexicon or way of describing why they're secure, or how they're secure, their degree of being secure, or their degree of risk, so frameworks like the Cybersecurity Framework really allow organizations to be on the same page as they relate to each other, peer organizations. They can compare their status in a way that's meaningful.
Matt Barrett: [00:21:35:22] There's a whole bunch of ways to understand whether or not you'd like to use Cybersecurity Framework and I'll highlight some resources at NIST.gov/cyberframework. First of all there is a page dedicated solely to resources that have been produced, a great many of which outside of NIST, and that's called the Industry Resources page, and there's about 60 resources produced by parties outside of the National Institute of Standards and Technology. So there's awesome diversity across sectors and the various communities there, and so an organization that's considering using Framework might simply go look at those. There's a number of webinars that are available for playback and in fact, in most of our Cybersecurity Framework workshops we record a lot of the main stage presentations and panels. So those are great videos to be able to use and learn more about Framework and also to learn more about how others are using Framework.
Rafal Los: [00:22:37:13] As the security executive or the security lead for whatever company you're at, ask yourself what makes you better? Why are you here? The answer isn't to check the box and just go through another day. It's to make the organization better. It's to increase safety. It's to do whatever it is that you do, empower and enable. So what is it that you're doing to help? If that framework is going to provide that value to your organization, take it seriously. Have that conversation with the board, your executives, that you should be held to account to that.
Rick Tracy: [00:23:12:22] NIST holds these workshops in Gaithersburg in the springtime, and I go there to these workshops and what I've seen is somewhere between 600 and 1000 people register from all across different industries, and not just in the US. There are actually I think 11 different countries represented at the most recent workshop at NIST. I think it was in May of this year. So you might argue that a mandate would drive greater adoption, but from what I've seen, there is already lots of interest in the framework, despite the fact that it's voluntary. I think it's just because the way it's constructed, it just makes great sense and people recognize that and for that reason, organizations are very willing to take a close look at the Cybersecurity Framework and apply it to their organizations for the purpose of managing cyber risk, demonstrating a standard of due care. It's really impressive to see the level of adoption that there is already.
Dave Bittner: [00:24:26:12] Can you describe to us, in 2017 you published the Baldrige Cybersecurity Excellence Builder, which builds upon the 2014 framework. What's involved with that?
Matt Barrett: [00:24:39:00] The Baldrige Cybersecurity Excellence Builder is really a combination of this performance excellence program that pre-existed the Baldrige Performance Excellence Program, which existed since the 1980s and really focuses on quality control and quality assurance and how organizations institutionalize those things, with some of the concepts of the Cybersecurity Framework. So what we've produced is a 50 question self assessment criteria in the form of this Baldrige Cybersecurity Excellence Builder. There's an envisioned phase two where maybe even one day, like the original Baldrige Program, there might even be a recognition that goes along with this, where organizations could be praised if you will, highlighted for doing great cybersecurity things, according to these criteria. But whether or not industry favors that sort of approach, that's a bit of a TBD. So for now, we have the self assessment criteria that any organization can pick up off the shelf and figure out the extent to which they are doing good cybersecurity things within the organization.
Dave Bittner: [00:25:49:06] That's Matt Barrett from NIST. Our thanks to him and to Richard Tracy and Rafal Los for sharing their knowledge and expertise. Rafal Los is also host of the Down the Security Rabbit Hole podcast, you want to check that out. Thanks to Cylance for sponsoring this special edition. You can find out more about how Cylance protects what's valuable to you using artificial intelligence at cylance.com. The CyberWire podcast is produced by Pratt Street Media, our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.