NIST Framework Standards – the Detect Function: Part 1

In a series of blogs I have written for the Chartered Insurance Institute this year I have explained how cyber-risk management is the ongoing process of identifying, assessing, and responding to risk. As the National Institute of Standards and Technology (NIST) outlines, to manage cyber-risk, organisations should understand the likelihood that an event will occur and the resulting impact. With this information, organisations can determine the acceptable level of risk for delivery of services and express this as their risk tolerance.

The NIST Framework Core describes key cyber-security outcomes identified by industry as helpful in managing cyber-security. The Detect Function of the Framework invites cyber-security professionals to develop and implement the appropriate activities to identify the occurrence of a cyber-security event, and so enables timely discovery of such events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.

Cyber Processes – Detecting Unusual Activity

Detect has a number of angles, including having the processes and procedures in place to adequately recognise when something is going wrong, and then, in the next phase, to respond to the event. Being able to detect that something out of the ordinary has been going on can be as simple as knowing what to look for.

If IT systems start running slow at 3pm, is that normal for your systems in the afternoon, or unusual? Are people receiving a lot of spam, or email that matches a well-known type of phishing scam? Helping people identify and detect goes back to making sure your staff have an adequate awareness of the risk so that they can protect themselves, alongside the other tools, processes and procedures you have in place.

Ensure that your environment is well enough protected to prevent both deliberate and accidental cyber-attacks. An example of an accidental cyber-attack might be plugging in a USB drive that has a virus on it. The intent to disrupt your organisation comes from the cyber-criminal, but the person who kicks off the attack by inserting the USB key into their machine, and so infecting it, can be an unwitting pawn in that event.

Circumventing Firewalls

Insurers need to have the processes and procedures to protect them against those kinds of attacks. Antivirus software offers a measure of protection, which takes us on to the areas of software and hardware protection. Some of the most obvious protections that everyone knows about are firewalls. Many organisations have long thought that their firewalls were going to save them; you only need to watch a few episodes of US TV to see how well entrenched this perception is in the public psyche.

Firewalls are useful tools, but they can also be circumvented. I have often said that the taller you build your firewall, the more likely it is that someone is going to try to find a way around it. Punching through the firewall may be a very tough option compared with breaking a window to get in, so going around it is the option a resourceful hacker is likely to take.

The Detect phase is about tools and monitoring, about being able to protect the business through early detection. Some of the tools you might want an organisation to implement include mechanisms such as full logging. In other words, when a system is accessed, it logs what is going on: what is being undertaken on that machine, what tasks it is being asked to perform, who is logged on, and who is authorising those tasks to take place.

That means you have an evidence trail. It does not mean that a hacker can't undo those tasks or delete those logs, but it does mean there is more work for the hacker to do to cover their tracks, assuming the logs can be accessed. There are tools to help businesses analyse all of those logs, to rule out the 99 per cent of normal activity and bring to the front the 1 per cent of useful information or details about a possible attack. Importantly, they do this in real time so that they are able to alert you and your team to take the appropriate action.
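To make the two ideas above concrete (knowing what is "normal" for your systems, and analysing full logs so that the small fraction of suspicious activity surfaces), here is a small detector written for this post as an added example; it is not code from the original article or from NIST. The log format, host names, user names and timestamps are all constructed for the illustration. It learns each user's normal login hours from a baseline log, then scans a day's activity for logins outside those hours, bursts of failed logins, and privileged actions from hosts that are not on the known list.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline of "normal" activity (hypothetical log format, not a real product's).
BASELINE_LOG = """\
2023-03-06T08:02:11 host=ws-01 user=alice event=login_ok
2023-03-06T08:15:40 host=ws-02 user=bob event=login_ok
2023-03-07T09:01:05 host=ws-01 user=alice event=login_ok
2023-03-07T08:45:30 host=ws-02 user=bob event=login_ok
2023-03-08T17:30:00 host=ws-01 user=alice event=login_ok
"""

# Constructed day of activity to triage against that baseline.
DAY_LOG = """\
2023-03-09T08:05:12 host=ws-01 user=alice event=login_ok
2023-03-09T08:20:03 host=ws-02 user=bob event=login_ok
2023-03-09T10:12:00 host=ws-02 user=bob event=sudo detail=apt-get update
2023-03-09T14:59:50 host=ws-03 user=bob event=login_fail
2023-03-09T15:00:10 host=ws-03 user=bob event=login_fail
2023-03-09T15:00:35 host=ws-03 user=bob event=login_fail
2023-03-09T15:01:02 host=ws-03 user=bob event=login_ok
2023-03-09T15:02:30 host=ws-03 user=bob event=sudo detail=crontab -e
2023-03-09T23:40:00 host=ws-01 user=alice event=login_ok
"""

# Hosts the organisation expects privileged work to come from (constructed).
KNOWN_HOSTS = {"ws-01", "ws-02"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\S+)"
    r"(?: detail=(?P<detail>.*))?$"
)


def parse_log(text):
    """Turn raw lines into dicts with a datetime timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def build_baseline(events):
    """Hours of the day at which each user normally logs in successfully."""
    hours = defaultdict(set)
    for e in events:
        if e["event"] == "login_ok":
            hours[e["user"]].add(e["ts"].hour)
    return dict(hours)


def find_anomalies(events, baseline, known_hosts, fail_threshold=3, window=timedelta(minutes=5)):
    """Return (timestamp, user, reason) for the events worth a human's attention."""
    flagged = []
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "login_ok" and e["ts"].hour not in baseline.get(e["user"], set()):
            flagged.append((e["ts"], e["user"], "login outside this user's normal hours"))
        if e["event"] == "sudo" and e["host"] not in known_hosts:
            flagged.append((e["ts"], e["user"], f"privileged action from unknown host {e['host']}"))
        if e["event"] == "login_fail":
            fails[e["user"]].append(e["ts"])
    # A burst of failed logins for one user inside the window is reported once.
    for user, times in fails.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start <= window]
            if len(in_window) >= fail_threshold:
                flagged.append((start, user, f"{len(in_window)} failed logins within {window}"))
                break
    flagged.sort(key=lambda f: f[0])
    return flagged


def triage(day_log, baseline_log, known_hosts):
    """Rule out the routine activity and return only what needs looking at."""
    events = parse_log(day_log)
    baseline = build_baseline(parse_log(baseline_log))
    anomalies = find_anomalies(events, baseline, known_hosts)
    return {"total": len(events), "flagged": len(anomalies), "anomalies": anomalies}


if __name__ == "__main__":
    result = triage(DAY_LOG, BASELINE_LOG, KNOWN_HOSTS)
    print(f"{result['flagged']} of {result['total']} events need attention:")
    for ts, user, reason in result["anomalies"]:
        print(f"  {ts.isoformat()}  {user:<6} {reason}")
```

Run on the constructed day, it sets aside the routine morning logins and the expected privileged command on a known host, and surfaces the cluster around user bob on the unknown host ws-03 (a burst of failed logins, then a login outside normal hours, then a privileged action) together with alice's late-night login. The same rules stop producing value if the baseline is taken from a period that already contained the problem, so the "normal" window should be chosen with care, and the baseline itself should be stored somewhere an attacker on the monitored host cannot quietly rewrite it.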

Darren Wray