 |
VOOZH | about |
|
VOOZH | about |
We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.
Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.
Follow TNS on your favorite social media networks.
Become a TNS follower on LinkedIn.
Check out the latest featured and trending stories while you wait for your first TNS newsletter.
It is estimated that the cost of cybercrime could exceed $20 trillion by 2026, increasing the pressure on organizations to ensure that they have effective safety net mechanisms in place.
Thankfully, several security frameworks have been established to tackle these ever-rising cybersecurity threats. This article will explore two popular cybersecurity frameworks: NIST CSF and MITRE ATT&CK. It will provide a high-level overview of their features, investigate their differences and explain how to use the cloud with these frameworks.
The National Institute of Standards and Technology (NIST) is a U.S. government agency whose sole purpose is to promote American innovation and industrial competitiveness. A big portion of its budget is dedicated to improving the cybersecurity posture of the United States.
The NIST Cybersecurity Framework (CSF) is a publicly-available security framework designed to help organizations minimize the risk of cyberthreats. Although the framework guidelines are tailored to government organizations, NIST CSF can be adapted to any kind of enterprise because of its tried-and-true security practices.
NIST CSF consists of three components: the core, implementation tiers and profiles.
The core component is responsible for establishing a common language and providing the basic set of desired cybersecurity activities and outcomes. This includes the main body of functions, which contain individual categories and sub-categories. Each row contains informative references such as existing standards, guidelines and best practices.
The tiers component provides organizations with a mechanism for assessing their cybersecurity risk management. In addition, it enables organizations to evaluate and adjust their level of rigor based on their organizational goals. In other words, it gives you a tiered outline of cybersecurity risk management options and allows organizations to adapt based on their needs and level of maturity.
Finally, the profiles component shows organizations how to find, identify and prioritize opportunities for improving their security posture. These profiles allow organizations to assess various factors, like the costs and risks involved, when optimizing the cybersecurity framework to best serve their needs.
NIST CSF’s core is divided into five main functions that are used for the development of security controls. These are basic cybersecurity activities that serve a particular security domain. The five functions are:
The bulk of the core material consists of tables with unique identifiers that point to specific publications:
Realistically, using a NIST CSF framework consists of comparing checklists of your organization’s activities with those outlined in the framework’s core.
The framework itself guides the implementer through a series of published material that adheres to the specific security profiles. There is no one standard case, however, since implementers must conduct their own reviews and assess the applicability of those guidelines.
For example, in the core function reference for identity, you’ll see:
Identity-> Risk Assessment -> ID.RA-4: Potential business impacts and likelihoods are identified.
This row mentions the use of CIS Critical Security Control 12, which is a set of security mechanisms that prevent attackers from exploiting vulnerable network services and access points. This ensures that network communications are safe since a compromise will affect people’s lives.
Your organization’s end goals will help you determine which areas to improve based on your budget and risk mitigation goals.
Another popular cybersecurity tool is the MITRE ATT&CK framework. It is a public catalog of adversary tactics and techniques based on real-world observations, and is used as both a reference for past incidents and as a way to understand how the attack vectors work.
The ATT&CK Matrix consists of a reference table of tactics. Each column represents individual steps in a linear fashion, starting with reconnaissance tactics and ending with impact. Each column also contains entries with different kinds of scenarios and information about how they are used by adversaries to perform malicious attacks.
The framework offers three main ATT&CK Matrix variations:
It’s important to note that the Enterprise Matrix consists of several sub-matrices and also contains the Cloud Matrix, which is specific to cloud environments.
The overall aim of MITRE ATT&CK is to provide a foundational knowledge base of real-world attack scenarios and a way for the organization to understand the current cloud threat landscape.
To use either of these frameworks, it is important to first understand their key strengths and weaknesses. One way to grasp the differences is to focus on a particular piece of a security framework that you care about and try to look for attack patterns or mitigations that apply to your organization.
Let’s look at the main differences between these two security frameworks next.
MITRE ATT&CK is more focused on specific tactics and techniques. It sources its data from real-world tactics and techniques from past incidents or mock events. For example, it lists malware, several backdoors and tools that attackers use to achieve broader goals and satisfy current objectives.
If you want to learn more about actual attack scenarios, like a certain tool that an adversary used to penetrate the network or a technique leveraged to establish persistence using a particular methodology, then MITRE ATT&CK is the more suitable application for your organization.
One of the particular characteristics of this approach is that it gives insightful pointers on how attackers can circumvent security mechanisms. Effective use of the MITRE ATT&CK framework requires improving existing systems to detect and thwart similar attack patterns.
NIST CSF is more focused on general best practices and guidelines. It is more like a body of knowledge pertaining to specific organizational needs. As an alternative to MITRE, it’s more foundational and considers how security best practices can be effectively integrated into a complex organizational system over time.
Therefore, NIST CSF could be as effective in practice as MITRE ATT&CK, as long as the people responsible for implementing it can directly map the practices into security controls and policies.
Both the MITRE and NIST CSF frameworks can be integrated into automated security services and mapped to direct audit trails. This alone is a compelling reason to evaluate their use in cloud technologies as part of a cybersecurity strategy.
Orca Security offers an extensive guide on using MITRE with the Orca Cloud Security Platform, which takes care of the legwork of mapping the attack patterns that affect real infrastructure misconfigurations.
The platform can report the percentage of alignment with NIST CSF, thus providing a clear metric that enables organizations to see the current level versus the ideal. With this knowledge, organizations can respond accordingly to correct the course of their day-to-day processes.
