
Secure your company with frameworks, functions, and tiers
The United States (U.S.) and other governments offer cybersecurity guidance that can be adapted for use by any type and size of organization. One of the best resources you could employ in your own security strategy is the cybersecurity framework developed by the National Institute of Standards and Technology (NIST). NIST is an agency within the U.S. Department of Commerce, and its mission is to "promote U.S. innovation and industrial competitiveness." You can get more details on the purpose and operations of NIST here.
Some of the most important work NIST has produced is its set of frameworks, which guide organizations in various aspects of cybersecurity and risk management. Risk management, privacy, artificial intelligence (AI), and secure software are each addressed by their own framework. In this post we'll be looking at the NIST Cybersecurity Framework and how it can help you defend your company.
NIST Cybersecurity Framework (CSF) and functions
The NIST CSF 1.0 was released in 2014 and updated to CSF 1.1 in 2018. Four years later, NIST began the journey to CSF 2.0.
There are several steps to framework development, including the request for public comments. These updates to the CSF recognize that cybersecurity and the threat landscape are always evolving, and the standards must keep up.
The NIST CSF outlines best practices to help companies decide where to focus their time and money on cybersecurity. According to NIST, the framework helps companies "better understand, manage, and reduce their cybersecurity risk and protect their networks and data." NIST frameworks are intended to provide a comprehensive approach to managing and reducing the risk associated with the subject area. The CSF does this by defining six functions, or pillars, within the framework. The terms 'pillar' and 'function' are used interchangeably, so don't be surprised if you find them used inconsistently across various sources. NIST uses the term 'function,' which is what we are using here.
- Govern: This function was added in CSF 2.0 and focuses on cybersecurity governance and aligning with business objectives. This includes things like organizational context, cybersecurity supply chain risk management, oversight, and more. CSF 2.0 keeps the previous five pillars and cybersecurity objectives but broadens the scope of the framework. It also adds guidance on integration with other frameworks, like privacy and risk management.
- Identify: This function lays the groundwork for a comprehensive security strategy because it recognizes that you cannot protect what you don't know about. The cybersecurity landscape and risks must be understood before they can be managed. This piece of the framework is associated with asset management, business environment analysis, governance, risk assessment, and risk management strategy.
- Protect: This piece of the framework helps companies understand how to deploy the defenses to prevent incidents and ensure the delivery of critical services. This function involves access control, awareness and training, data security, information protection processes and procedures, maintenance, and protective technology. Risk mitigation is based on the baselines established in the previous function.
- Detect: This function ensures that cybersecurity events are discovered and identified in a timely manner. These events may be data breaches, malicious attacks, system failures, and employee mistakes that become insider threats. The work here involves continuous security monitoring, event detection processes, and the rapid identification of anomalies and cybersecurity events.
- Respond: This function helps companies build action plans for response, mitigation, and business continuity. Rapid containment and resolution are the focus here. This function involves response planning, communications, analysis, and mitigation. These action plans are evaluated regularly and should improve over time as experience and new information are brought into the plan.
- Recover: This is both a reactive and proactive function. The spotlight here is usually on restoring normal operations, ensuring business continuity, and patching, updating, or otherwise 'fixing things.' The proactive piece involves reviewing the incident and incorporating the lessons learned into the overall security strategy where appropriate. This after-action piece is not as urgent as the recovery, but it is just as important. This information will help the company close security gaps and strengthen its resilience against future attacks.
CSF function tiers
Each of these functions has four implementation tiers that define the levels an organization can achieve across the six functions of the CSF. These tiers help companies assess their cybersecurity practices and set goals for improvement. The tiers also serve one of NIST's primary goals, which is to give different industries and organizations a common language for standards and measurements. In this case, the tiers within each function of the CSF can be used to communicate a company's security posture more accurately to stakeholders and other parties as needed.
Here's a brief look at the four tiers within each of the six functions:
- Tier 1: Partial, ad-hoc approaches that provide basic understanding and management of cybersecurity risk. There are limited controls and governance practices in place, but there is initial awareness of the company's security risk.
- Tier 2: Risk-informed, but inconsistent practices and controls. The company has greater risk awareness and prioritization at this level. Internal collaboration is inconsistent, but risk management practices are approved by management.
- Tier 3: Repeatable and defined processes are in place, and standardized controls are deployed and managed. The company has formal policies around cybersecurity that are regularly evaluated and updated based on changes in the threat landscape. There is consistent communication around cybersecurity and risk management.
- Tier 4: Adaptive and highly integrated security practices are deployed throughout the company and are continuously improved through feedback loops. This level describes a company with a culture of security awareness that supports a proactive and collaborative approach to risk management.
Let's illustrate the differences in these tiers by looking at the email security technologies you might find at each level:
- Tier 1: Basic spam filtering that protects users from messages that are obvious spam.
- Tier 2: Anti-phishing solutions that detect more sophisticated email threats.
- Tier 3: A secure email gateway (SEG) that provides comprehensive email protection.
- Tier 4: Advanced solutions with artificial intelligence (AI) that defend against advanced and emerging threats.
That's a basic example that shows how the security solutions and services progress through the tiers. The Tier 4 organization is the most proactive, adaptive, and leadership-oriented in its approach to cybersecurity.
CSF Tier 4 and Barracuda Managed XDR
Barracuda Managed XDR is a scalable, cost-effective solution that can help you progress to Tier 4 across all six CSF 2.0 functions. This is an extended detection and response solution that offers multiple coverage and visibility options, combined with a 24/7 security operations center (SOC) staffed by security experts. The following table shows how Barracuda Managed XDR aligns with the Tier 4 (Adaptive) level of the NIST CSF 2.0:
| NIST CSF 2.0 Function | Barracuda Managed XDR Tier 4 (Adaptive) Capabilities |
| --- | --- |
| Govern | Provides centralized visibility across multiple attack surfaces via XDR Dashboard; offers customizable reports to demonstrate service value and compliance; integrates with 40+ data sources for comprehensive threat detection and governance |
| Identify | Centralized and correlated attack telemetry across endpoints, servers, networks, cloud services, and email; asset data collection for complete perspective and context; continuous monitoring and regular scans to keep networks clean and compliant |
| Protect | Implements a layered defense-in-depth strategy with multiple security layers; integrates with various security solutions for centralized protection of major attack surfaces; offers advanced protection features like access controls and endpoint protection |
| Detect | 24/7/365 real-time threat monitoring by dedicated SOC teams; AI-powered analytics engine for sophisticated threat detection; proprietary detections mapped to the MITRE ATT&CK framework; monitors for advanced threats like account takeover and ransomware |
| Respond | Automated threat containment and prescriptive remediation instructions; direct access to the SOC team for immediate response; Security Orchestration, Automation, and Response (SOAR) capabilities; rapid incident response, reducing resolution time from weeks to hours |
| Recover | Supports robust backup and recovery plans; facilitates continuous improvement based on lessons learned; provides guidance on meeting compliance and cyber insurance requirements; enables quick restoration of services after incidents |
Sources: NIST CSF 2.0 and Barracuda Managed XDR
If you'd like to know more about Barracuda Managed XDR, you can visit the Barracuda website to download our new e-book or schedule a demonstration. You can also view these free, on-demand webinars: