The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a go-to guide for enterprises that want to evaluate their cybersecurity efficacy, define and/or implement a new or enhanced cybersecurity program strategy, and analyze how commercial products and services help the organization meet the guidance laid out in the CSF. Since its introduction in 2014, the NIST CSF has allowed enterprises to address the ever-growing cyber risks that threaten a company’s finances, reputation, and ability to innovate. While there is no single perfect way to structure a security program, the CSF lays out a practical plan for:
- Identifying and prioritizing cybersecurity risk
- Creating an adaptive structure based on the company’s individual goals and needs
- Building repeatable processes
- Measuring the success of the cybersecurity program over time
Because the NIST CSF is a template of sorts against which companies can assess their progress, we at Edgewise are frequently asked how our product aligns with the CSF, or how Edgewise helps companies calibrate closer to the framework’s recommendations. In a series of five short posts, we’ll describe how Edgewise supports each of the Functions in the Framework Core, well known to most security professionals as: Identify, Protect, Detect, Respond, and Recover.
The first Core Function of the CSF, and arguably the most important, is “Identify.” Because you can’t protect what you don’t see, identifying and understanding what’s present and communicating in your network environment is a foundational step that must be completed before security controls can be applied.
Per the published guidance, elements of the core function “Identify” include:
“Asset management: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
Business environment: The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
Governance: The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
Risk assessment: The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
Risk management strategy: The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
Supply chain risk management: The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.”
Within Identify, these categories can be mapped to Edgewise in the following ways:
Asset management: The first step after implementing Edgewise is asset discovery. All assets communicating in an enterprise’s on-premises, cloud, or container environment are automatically discovered as they request or receive communication. This includes applications, hosts, users, and devices. This process allows Edgewise to gather and map system communication instantaneously, and present the user with a real-time visualization of network application topology.
Business environment: This category in the CSF is focused on building and communicating requirements and priorities that support the continuous delivery of critical services. Though Edgewise cannot directly help organizations in this category, our technology provides insights into data center communications and their dependencies, which empowers informed decision making, an important aspect of any security framework.
Governance: Legal, regulatory, and operational requirements are all considerable factors in an enterprise’s cybersecurity plan. The ability to balance these requirements with data protection and usability is a challenge. Though Edgewise cannot dictate what data an organization collects, processes, or stores, or how it must treat that data pursuant to regulatory responsibilities, Edgewise gives companies the ability to quickly identify, segment, monitor, and audit specific categories of data (e.g., “PCI data”).
A subsequent blog post will detail how Edgewise protects organizations’ workloads through zero trust segmentation, but for the purposes of “governance” in the CSF, the visibility Edgewise provides through mapping and fingerprinting allows users to see and manage all assets in their networks—uniformly across networks—during any point in the information lifecycle.
Risk assessment: Based on asset discovery and communication path mapping, Edgewise gives network and security teams the ability to visualize and quantify risk that networked assets pose to the organization. Through our mapping and fingerprinting technology, administrators can always see a point-in-time risk assessment of their cloud, on-premises, and container environments.
First, Edgewise measures the total possible exposure of every communicating application against the actual necessary exposure that allows the application to operate properly. This ratio yields a quantifiable measure of overexposure: how much more accessible is an application than is necessary?
Second, Edgewise conducts ongoing attack path analyses that quantify (for any point in time):
- How many applications in a network are accessible via the internet
- If an application isn’t externally accessible, how many “hops” it would take an attacker to reach it
- Which applications and services are business-critical (based on dependencies)
This visibility into what’s communicating on the network allows companies to continually assess risk and prioritize protection mechanisms and security strategy.
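The two measurements above can be sketched on a small communication graph. This is an added example, not Edgewise's code or algorithm: it assumes overexposure is counted as allowed inbound peers divided by observed (necessary) inbound peers, that criticality is the number of transitive dependents, and the application names and edges are constructed sample data.

```python
from collections import deque

# Constructed sample data (not from the original post).
# ALLOWED[src]: destinations the network policy lets src reach (possible exposure).
ALLOWED = {
    "internet": {"web"},
    "web": {"api", "db", "billing"},
    "api": {"db", "billing", "web"},
    "billing": {"db"},
    "db": set(),
    "batch": {"db", "api"},
}
# OBSERVED[src]: destinations src actually needs to reach (necessary exposure).
OBSERVED = {
    "internet": {"web"},
    "web": {"api"},
    "api": {"db", "billing"},
    "billing": {"db"},
    "batch": {"db"},
}

def inbound(graph, app):
    """Sources that can open a connection to app in the given graph."""
    return {src for src, dsts in graph.items() if app in dsts}

def overexposure(app):
    """Assumed metric: allowed inbound peers / necessary inbound peers."""
    possible = len(inbound(ALLOWED, app))
    necessary = len(inbound(OBSERVED, app))
    if necessary == 0:
        return float("inf") if possible else 1.0
    return possible / necessary

def hops(graph, source="internet"):
    """Breadth-first search: fewest hops from source to each reachable app."""
    dist, queue = {source: 0}, deque([source])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist

def dependents(app):
    """Apps that rely on app, directly or transitively, per OBSERVED traffic."""
    rev = {}
    for src, dsts in OBSERVED.items():
        for dst in dsts:
            rev.setdefault(dst, set()).add(src)
    return set(hops(rev, app)) - {app, "internet"}
```

Comparing `hops(ALLOWED)` with `hops(OBSERVED)` shows how far restricting policy to necessary traffic pushes each application away from the internet-facing edge.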
Risk management strategy: Based on the environmental risk information provided (per the points above), Edgewise helps businesses make quicker, more reliable decisions about the management of their networks.
Supply chain risk management: In today’s interconnected world, companies can’t only worry about the security of their own networks. Partner, supplier, contractor, and even customer networks may be connected to an enterprise’s systems, and all it takes is one vulnerability for an attacker to exploit an endpoint then move laterally within a company’s network and place malware on the system or breach a sensitive database.
Through Edgewise, applications and services connected to and/or accessed via the internet or third-party services are identified and mapped. This gives companies insight into the expanse of their digital footprint and provides concrete data on which to make supply chain/third-party risk decisions.
The wrap up
The first step in any cybersecurity strategy is knowing what you have and how those assets impact the organization. But identifying what’s in your network environment and quantifying risk is only “square one” of a holistic cybersecurity program. In our next post we will detail how Edgewise applies protection to companies’ networks and prevents attackers from moving laterally, exploiting applications, and causing company-damaging breaches.