Implementing the NIST Framework for Improving Cybersecurity

Michael Patterson : Advanced NetFlow Traffic Analysis
Michael Patterson
Founder and Product manager for Plixer's Scrutinizer NetFlow and sFlow Analyzer as well as Flow Analytics.


When reviewing or even building out an organization's cybersecurity infrastructure, the National Institute of Standards and Technology (NIST) offers a document that can be a great place to start. The document is called the Cybersecurity Framework and provides a high-level, strategic view of the lifecycle of an organization's management of risk. It does not make security appliance or specific solution recommendations for detecting, defending against or investigating cyber events. Instead, it is intended to guide the teams responsible for cybersecurity through the process of making sure systems are in place. Its goal is to help companies and agencies ensure that for any given threat, the team responsible has a risk-based approach to managing the process that will guide them through to resolution.


NIST Framework Components

  1. Core: a set of cybersecurity activities, desired outcomes, and applicable references that consists of five concurrent and continuous functions: Identify, Protect, Detect, Respond, Recover. Each has underlying key Categories and Subcategories.
  2. Tiers: provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. The Tiers characterize an organization's practices over a range, from Partial (Tier 1) to Adaptive (Tier 4).
  3. Profile: represents the outcomes, based on business needs, that an organization has selected from the Core Categories and Subcategories. It can be characterized as the alignment of standards, guidelines, and practices to the Core in a particular implementation scenario.

If an organization wants to use the Framework to help with identifying, assessing, and managing cybersecurity risk, it does not have to replace existing processes. Current solutions can be overlaid onto the Framework to determine gaps in the current cybersecurity program. This helps assess the current risk and guides the reviewer in developing a roadmap toward improvement.


Many large organizations want to make sure that the vendors in their supply chain have taken a NIST or similar approach to their cybersecurity strategies. They want to make sure that their suppliers have identified their most important internal systems. For example, investments in firewalls, NetFlow collectors and SIEMs should be put in place to detect villains trying to exploit sensitive assets. The people who maintain the systems put in place to protect the assets need training on how to use and maintain them. When attacks are identified, trained professionals can use the systems put in place to respond to malicious activities appropriately. Finally, once the contagion is removed, teams can start the recovery process, return systems to normal operations and make process improvements against future attacks.


Tiers provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor and sophistication in cybersecurity risk management practices. While organizations identified as Tier 1 (Partial) should try to move toward Tier 2 or greater, Tiers do not represent maturity levels. Progression to higher Tiers is encouraged when a change would reduce cybersecurity risk and be cost effective. At the highest level, a Tier 4 organization will adapt its cybersecurity practices based on lessons learned and current cybersecurity best practices. For example, an inexpensive UDP forwarder could be deployed that forwards flows and syslogs to multiple SIEMs and NetFlow collectors. This is done in order to prevent malware from deleting its electronic footprints: a copy of the evidence that has already left the monitored host for a second collector cannot be erased by tampering with the first. Risk management is an important part of the measurement process at each Tier level.
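As an added illustration of the UDP forwarder idea above (example code written for this page; it is not Plixer's product, nor code from the original post), the class below listens on one UDP port and copies every NetFlow or syslog datagram, byte for byte, to each configured collector, so that losing or wiping a single collector does not leave the team without the record. The `UdpFanout` class, the `netflow_version` helper and `loopback_demo` are assumptions of this example; the NetFlow v5 header and syslog line are constructed samples, and all addresses are loopback so the demo runs offline.

```python
import socket
import struct
from typing import Iterable, List, Optional, Tuple

Address = Tuple[str, int]


def netflow_version(datagram: bytes) -> Optional[int]:
    """Read the 16-bit version field that opens every NetFlow v5/v9 and IPFIX (10) packet."""
    if len(datagram) < 2:
        return None
    return struct.unpack("!H", datagram[:2])[0]


class UdpFanout:
    """Listen on one UDP socket and copy every datagram, unchanged, to each collector."""

    def __init__(self, listen: Address, collectors: Iterable[Address]):
        self.collectors: List[Address] = list(collectors)
        self.rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.rx.bind(listen)
        self.tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.forwarded = 0  # copies successfully handed to the kernel
        self.failed = 0     # copies that raised (e.g. an unreachable collector)

    @property
    def listen_address(self) -> Address:
        return self.rx.getsockname()

    def forward(self, datagram: bytes) -> int:
        """Send one datagram to every collector; a failure on one does not block the others."""
        delivered = 0
        for dest in self.collectors:
            try:
                self.tx.sendto(datagram, dest)
                delivered += 1
            except OSError:
                self.failed += 1
        self.forwarded += delivered
        return delivered

    def serve_once(self, timeout: Optional[float] = 1.0) -> int:
        """Receive a single datagram (or time out) and fan it out; returns copies delivered."""
        self.rx.settimeout(timeout)
        try:
            datagram, _src = self.rx.recvfrom(65535)
        except socket.timeout:
            return 0
        return self.forward(datagram)

    def serve_forever(self) -> None:
        while True:
            self.serve_once(timeout=None)

    def close(self) -> None:
        self.rx.close()
        self.tx.close()


# Constructed samples: a NetFlow v5 header carrying zero records, and one syslog line.
SAMPLE_NETFLOW_V5 = struct.pack("!HHIIIIBBH", 5, 0, 0, 0, 0, 0, 0, 0, 0)
SAMPLE_SYSLOG = b"<134>Jan  1 00:00:00 fw01 kernel: constructed sample line"


def loopback_demo() -> dict:
    """Run the forwarder against two collectors on localhost and report what each received."""
    collectors = []
    for _ in range(2):
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        s.settimeout(2.0)
        collectors.append(s)
    fanout = UdpFanout(("127.0.0.1", 0), [s.getsockname() for s in collectors])
    exporter = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # stands in for a router/host
    try:
        delivered = 0
        for sample in (SAMPLE_NETFLOW_V5, SAMPLE_SYSLOG):
            exporter.sendto(sample, fanout.listen_address)
            delivered += fanout.serve_once()
        received = [[s.recv(65535) for _ in range(2)] for s in collectors]
    finally:
        exporter.close()
        fanout.close()
        for s in collectors:
            s.close()
    return {
        "delivered": delivered,
        "all_collectors_identical": all(r == received[0] for r in received),
        "first_is_netflow_v5": netflow_version(received[0][0]) == 5,
        "second_is_syslog": received[0][1] == SAMPLE_SYSLOG,
    }


if __name__ == "__main__":
    print(loopback_demo())
```

The forwarder deliberately does not parse or rewrite the payload, so whatever the exporter sent is what every collector stores; `netflow_version` is only there so an operator can confirm on the wire that the right kind of traffic is arriving. In production the second collector would sit on a separately administered host, since the point of the copy is that one compromised system cannot reach it.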


A Profile helps establish a roadmap for reducing cybersecurity risk that is well aligned with organizational goals. It considers legal and regulatory requirements and industry best practices, and it reflects risk management priorities. For example, if budget constraints are preventing investments in the systems needed to meet regulatory obligations, such as backups and archiving of transactions and records, a well-documented Profile can outline alternative strategies to meet those standards.


The NIST Framework is best implemented when there is frequent communication organization-wide. New risks should be compared against existing cybersecurity measures, and current processes should be routinely realigned with business objectives. Senior executives must constantly weigh financial risks against new cyber threats.

By outlining clear objectives and aligning them with the business needs, the NIST Framework can guide security teams toward a cybersecurity solution that is uniquely tailored to their needs.
