The third function that will be discussed is Detect. After we have identified the assets within our organization and have implemented ways to protect those assets, we need to implement measures to detect cybersecurity incidents that may occur. This can be achieved by using multiple monitoring systems such as Intrusion Detection & Prevention Systems (IDS/IPS), File Integrity Monitoring (FIM) or even good old log reviews.
The NIST Cybersecurity Framework defines the Detect function as: "Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event." The Detect function is further broken down into three categories (outlined below) which identify specific areas that organizations should consider in their risk management analysis. Of the 98 subcategories within the NIST Cybersecurity Framework, 18 are addressed within the Detect function.
Establishing a baseline for the environment, determining alerting thresholds, and performing vulnerability scans are just a few of the requirements that the 18 subcategories within this function address. Along with setting up and implementing these monitoring mechanisms, it is important to remember that testing should occur on a regular basis to verify that the controls that have been implemented are working as desired and are enhanced as needed. Organizations can spend thousands of dollars on detection mechanisms, but if thresholds are set too low or too high, what good is the mechanism really doing?
If this blog piqued your interest and you can’t wait until the next installment, feel free to download a copy of the framework at the official website https://www.nist.gov/framework. Also, in April NIST made some updates to the Cybersecurity Framework based on feedback they received and the changes in the threat landscape. Feel free to contact us with any questions you might have!