The NIST Cybersecurity Framework - The Detect Function

We are in our third part in a six-part series talking about the NIST Cybersecurity Framework and the core, or functions, of the framework. In the last 2 posts, we talked about the Identify and Protect functions of the framework and used the analogy of building a house. When you build a house, you must start with a foundation for your house to be built on (Identify). Next, you need to frame out your house, give it some walls and a roof to keep you safe from the weather and other elements (Protect). Once you have your house built, you need to put some items in your house to alert you to any pending danger or threats. These could be things like smoke detectors, carbon monoxide detectors and home alarm systems. Using that same analogy of building a house, this would be the Detect function of the core.

Think about your house and if you didn’t have smoke detectors? How would you know if there was a fire that could possibly threaten the safety of you and your family? The Detect function works in a similar way, and as the name implies, it is helping you “detect” cybersecurity events and problems that might be occurring on your network that you should investigate further.

According to NIST, the true definition of the Detect function is to “develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.” Seems straightforward to me and in all honesty, it is straightforward. The main goal of this function, as you probably already guessed based on the name and the definition provided by NIST is to discover cybersecurity events timely. Why is there such a focus on the timeliness of discovering cybersecurity events? According to Microsoft, the average hacker remains in a network for 146 days before being detected. More time equals more problems and could me more data that is lost.

In the Detect function, there are only three categories that are focused on but they are incredibly important categories:

• Anomalies and Events (DE.AE) – “Anomalous activity is detected in a timely manner and the potential impact of events is understood.” There are two really, important points in this brief definition of the category: Detect and Understand. Obviously the first key is to detect the event in a timely manner. What is a timely manner? That is up to you and your business to decide but I am guessing that 146 days is not timely. Is it a day? Is it instantaneous? Maybe. The second part of that definition is just as important. Understand the potential impact of the events. What does this mean for your business? What does this mean for your customers? With a Ransomware attack, the impact is immediate in that you most likely cannot conduct your business. But what about the theft of credit card data? What impact does that have on your business and customers? What do you as an organization need to do to comply with Federal, State and Industry Regulations? Detect and understand!
  
  
• Security Continuous Monitoring (DE.CM) – “The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.” Notice that this says, “Continuous Monitoring” and not “one-time monitoring?” Threats change every single day and the methods that hackers use to get into your systems change every single day. When you combine that with the fact that hackers aren’t going away anytime soon, monitoring your systems and assets is critical for you to be successful and not a victim of an attack. When you think about this category, think about both physical and logical information and what you need to do to continuously monitor those activities.
  
  
• Detection Processes (DE.DP) – “Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.” There are those words again: processes and procedures. Having a process or processes and procedures is great. But, how do you know it will work? For all you football fans out there, think about it this way. Does your favorite NFL team just show up on Sunday, play the game, and win? Nope. They practice and practice and practice and then when the real test comes, they show up and compete. If you have processes and procedures in place but don’t test and practice them, you aren’t competing, you are giving the other team (HACKERS) an easy win.

I know that I keep saying in each of these posts that this specific Function of the NIST Cybersecurity Framework is important and that is true, they are all very important. But to me, this one is critical. If we go back to our house analogy, why build a house if you aren’t going to use items to detect any threats to your house? You wouldn’t build or buy a house and not put smoke detectors in to alert you to a possible fire so why not invest in detecting these cybersecurity events as quickly as possible, because guess what? The threats continue to come. The only question that remains is will you be prepared?

To help you prepare for the game, take a moment and download our Critical Security Controls eBook. If you are struggling with trying to figure out where to start, this is a great place. If you want to strengthen your Information Security Program, these are a great baseline to evaluate your program against. Click here to download your copy today! Till next week when we cover the Respond Function, stay safe and don’t let hackers win!