
Evolving Against Vulnerabilities, Breaches, and The Next Cyber Attack

Published April 2, 2018

Abstract

No enterprise is totally immune from the escalating cyberattacks, threats and breaches. While there is no magic bullet to fully protect an enterprise, we describe a path to help organizations proactively and systematically address vulnerabilities, breaches and to provide a viable defense against the next cyberattack.

Defending against attacks starts with understanding the anatomy of a breach by considering what is described in military parlance as a “kill chain”. This is a model that describes the stages of an attack, which also helps inform ways to prevent such attacks. These stages are often referred to as: Find, Fix, Track, Target, Engage, and Assess. The idea is that the closer to the beginning of the chain an attack can be stopped, the better the outcome.

We use the NIST Cyber Security Framework (CSF) as a foundation for modeling security controls and to help formulate a well-structured approach to addressing these threats. The Framework Core is a set of cybersecurity activities and applicable references established through five concurrent and continuous functions—Identify, Protect, Detect, Respond and Recover—that provide a strategic view of the lifecycle of an organization’s management of cybersecurity risk.

TechVision adds a pragmatic, actionable perspective to this framework and provides a series of steps to better prepare an organization to prevent breaches and, if a breach does occur, to help limit the damage. We also list key vendors with products supporting each functional area.

Authors

Nick Nikols, Principal Consulting Analyst

Gary Rowe, Principal Consulting Analyst

Executive Summary

Data breaches continue to escalate in volume, severity and breadth. The impact of these breaches can severely damage an organization and all stakeholders. TechVision Research describes a model for understanding, categorizing and systematically addressing major vulnerabilities that can lead to breaches and cybersecurity attacks.

We start by considering the anatomy of a breach through what is described in military parlance as a “kill chain”. This is a model that describes the stages of an attack, which also helps inform ways to prevent such attacks. These stages are often referred to as: Find, Fix, Track, Target, Engage, and Assess. The idea is that the closer to the beginning of the chain an attack can be stopped, the better the outcome. We then dissect two high-profile breaches to further understand the nature of various breaches and how to prevent them. While there is no “magic bullet” for preventing cyberattacks, we frame our advice around a well-known and well-thought-out security model called the NIST Cybersecurity Framework (CSF).

NIST’s CSF is likely to become the basis for what’s considered a commercially reasonable program in regard to securing an organization’s infrastructure. For this reason alone companies should pay close attention to it and, even if they don’t follow it completely, should at least understand where they are deficient and why.

The CSF is a valuable indicator of what a standard of care should be. The framework provides a standard measurement that organizations can agree on in terms of assessing risk. The CSF will give higher levels of management, such as boards of directors, CISOs, audit committees, and senior executives an understanding of what their current security posture is, where it should be and a clear roadmap of how to get there.

The CSF breaks core capabilities into five areas that we examine in detail and break down into specific supporting services. These principles can be thought of as the Framework’s fundamental “cornerstone” for how an organization should be viewing its cybersecurity practices. The five core functions are:

  1. Identifying the most critical intellectual property and assets
  2. Developing and implementing procedures to protect these critical assets
  3. Having resources in place to detect a cybersecurity breach in a timely manner
  4. Having procedures in place to respond to a breach
  5. Being able to recover from a breach

Each area is further broken down in terms of needed capabilities, the value proposition and specific vendors addressing required functions for each subcategory. We conclude with a set of practical steps enterprise security leaders should be addressing proactively to get in front of the escalating threat landscape.

Introduction

The risk of data breach for organizations that have critical information assets such as customer data, intellectual property, trade secrets, and proprietary corporate data is now higher than ever before. This isn’t just optics. In fact, more electronic data records were stolen in the first half of 2017 (1.9 Billion) than in all of 2016 (1.37 Billion).

This growth in data breaches should come as no surprise. In a world where data is everywhere, it has become harder than ever for organizations to protect their confidential information. Complex, heterogeneous IT environments make data protection and threat response very difficult. The adoption of cloud computing and mobility has opened up new opportunities. However, these opportunities have also exposed a much larger threat surface.

Over 50% of business applications are now SaaS based, and 87% of businesses have adopted or are planning to adopt mobility. Yet today’s businesses depend on their security teams to ensure that collaboration and sharing by an increasingly mobile workforce remains safe and secure. Add to this the growth in the Internet of Things (IoT), and we find that security is of paramount concern.

Figure 1-Barriers to IoT Growth – Internet of Things Institute

The result is escalating risk and escalating cost. In 2017, the average amount paid for each lost or stolen record containing sensitive or confidential information was USD $141. The total cost of a data breach increased by 29% from 2013 to 2016.

Short-term costs, related to the activities involved in the discovery and immediate response to the data breach, may include:

  • Conducting investigations and forensics to determine cause
  • Incident response and recovery
  • Making system updates and security fixes
  • Conducting communication and public relations outreach
  • Preparing documents and disclosures to victims and regulators
  • Implementing call center procedures and specialized training
  • Lost revenue for impacted services
  • Lost productivity for using additional resources from other departments
  • Overtime costs for employees
  • Third-party vendor escalation support

Long-term costs, usually incurred in the aftermath of the breach, may include:

  • Lost customer trust
  • Impacted stock price
  • Free or discounted services offered to victims of the breach
  • Identity protection services
  • Lost customer business based on calculating customer churn or turnover
  • Customer acquisition and loyalty program costs

It is also important to understand who is perpetrating these attacks. While, by far, the majority of breaches are perpetrated by people from outside the organization, one quarter of the breaches still involved internal actors. The following figure from the 2017 Verizon Data Breach Investigations Report illustrates this point and also highlights that both organized crime and state-affiliated actors comprise a significant portion of those perpetrating these attacks.

Figure 2: Who Are the Perpetrators of Breaches? –  Verizon 2017 Data Breach Report

The triple threat of hacking, malware and social attacks continues to characterize the majority of confirmed breaches and has been trending upward for the last few years.  This trend does not appear to be going away any time soon.

Also of note is that, within the hacking-related breaches, 81% leveraged stolen or weak passwords. In fact, in 2016, the number of stolen credentials grew significantly to over 1.06 Billion. This means that if your organization provides external authentication for customers, you may need to pay special attention to strengthening the security of this authentication process. Lack of attention to external customer authentication leaves organizations susceptible to external forces aiming to capitalize by stealing that data.

Even if you are not breached, there are armies of botnets with millions (or billions) of credentials attempting to reuse them against other sites. In other words, even though the attackers didn’t actually steal authentication credentials from your organization, it doesn’t necessarily mean the credentials were not compromised. Enterprises need to understand that by relying on simple username/email address and password, you are rolling the dice as far as password re-usage from other breaches or malware on your customers’ devices are concerned.

The following figure illustrates the common tactics used and highlights how prevalent hacking, malware, and social attacks have become.

Figure 3: Most Common Breach Tactics – Verizon 2017 Data Breach  Report

While the continuing onslaught of data breaches is well documented, what is far less understood is why data breaches happen and what can be done to prevent them. This is the area of focus in this report.

The Anatomy of a Breach

In order to prepare for and possibly protect an enterprise from a data breach, it is essential to understand how they occur and learn from a detailed assessment of how other breaches have transpired.

The Cyber Kill Chain

In military parlance, a “kill chain” is a phase-based model that describes the stages of an attack, which also helps inform ways to prevent such attacks. These stages are often referred to as: Find, Fix, Track, Target, Engage, and Assess. The idea is that the closer to the beginning of the chain an attack can be stopped, the better the outcome.

A “Cyber Kill Chain” is a similar concept originated by Lockheed Martin where each phase of a cyberattack is described, with the premise that if these phases are well understood, an organization can be better prepared to protect their environment.  The cyber kill chain is comprised of the following phases:

  • Reconnaissance – where the attacker probes for weaknesses. This might include harvesting login credentials or collecting information that would be useful in a phishing attack.
  • Weaponization – where the attacker builds a deliverable payload using an exploit and a backdoor.
  • Delivery – where the attacker sends the weaponized bundle to the victim. An example would be a malicious link in a legitimate looking email.
  • Exploit – where the attacker executes code in the victim’s environment.
  • Installation – where the attacker installs malware on the target system.
  • Command and Control – where the attacker creates a channel by which the system can be controlled remotely.
  • Actions – where the attacker remotely carries out the intended goal, usually the exfiltration of the information that they were after.

Using the cyber kill chain to keep attackers from stealthily entering your network requires quite a bit of intelligence and visibility into what’s happening in your network. You need to know when something is there that shouldn’t be, so you can set the alarms to thwart the attack.

Also remember that the closer to the beginning of the chain you can stop an attack, the less costly and time-consuming the cleanup will be. If you don’t stop the attack until it’s already in your network, you’ll have to fix those machines and do a whole lot of forensics work to find out what information they’ve made off with.

Examples of Breaches

While, unfortunately, there is an ever-increasing list of breach examples to choose from, each providing its own set of lessons to be learned, we will examine a couple that are well known and representative of how these breaches transpire and what the potential impact can be.

Anthem

At the close of 2016, insurance commissioners from seven states released a report on their combined investigation into the massive cyberattack against health insurer Anthem Inc. in February 2015, offering a detailed account of what happened in the incident.  They concluded that a nation-state was behind the attack, which affected over 78.8 million individuals.  But they stopped short of naming the nation involved.

The commissioners reached a regulatory settlement agreement that did not impose any fines but called on Anthem to spend more than $260 million on security enhancements and other security-related measures.  The settlement document also noted that Anthem had already incurred significant costs related to the data breach – including $2.5 million to engage expert consultants; $115 million for the implementation of security improvements; $31 million to provide initial notification to the public and affected individuals; and $112 million to provide credit protection to breach-impacted consumers.

The insurance commissioners employed both CrowdStrike and Alvarez & Marsal Insurance and Risk Advisory Services to help conduct the investigation. The investigation focused on Anthem’s pre-breach response preparedness, the company’s response adequacy at the time of the breach, and its post-breach response and corrective actions.  Anthem conducted their own separate internal investigation, led by the security firm Mandiant.

Both investigations determined that the data breach began on Feb. 18, 2014, when a user within one of Anthem’s subsidiaries opened a phishing email containing malicious content.

Opening the email launched the download of malicious files to the user’s computer and allowed hackers to gain remote access to that computer and dozens of other systems within the Anthem environment.  From that initial foothold, the attacker was able to move laterally across Anthem systems and escalate privileges, gaining increasingly greater ability to access information and make changes in Anthem’s environment.

The attacker utilized at least 50 accounts and compromised at least 90 systems within the Anthem environment including, eventually, the company’s enterprise data warehouse – a system that stores a large amount of consumer personally identifiable information (PII) – ultimately resulting in the exfiltration of approximately 78.8 million unique user records. The breach wasn’t discovered until January 27, 2015, almost a year after it had started. It was finally detected when a database administrator discovered that his credentials were being used to run a questionable query – a query he didn’t initiate.

The investigation team found that Anthem had taken reasonable measures before the data breach to protect its data, although it is not clear if Anthem had implemented any multi-factor authentication methods or any additional privileged access management controls prior to the breach.

However, the report does note that Anthem has, as part of their corrective measures, implemented two-factor authentication on all remote access tools, deployed a privileged account management solution and added enhanced logging resources to its security event and incident management solutions.  In addition, Anthem conducted a complete reset of passwords for all privileged users, suspended all remote access pending implementation of two-factor authentication and created new Network Admin IDs to replace existing IDs, as well as acquired additional technology to improve its monitoring capabilities in critical databases.

Equifax

There is still a lot of finger pointing going on with regard to the Equifax data breach, which exposed the sensitive personal information of nearly 146 million Americans.  When their former CEO, Richard F. Smith (who resigned as part of the blowback following the breach) testified to Congress, he tried to place blame on a mistake made by a single employee.  However, as more details have come to light, it has become more a lesson on what can happen when security is not taken seriously and best practices are not followed.

Equifax reported that it discovered its now infamous data breach on July 29, 2017. Suspicion was raised when someone observed additional suspicious activity on one of its web applications; Equifax waited until the following day to take the affected application offline.

Once they realized that there was more to the suspicious activity, on August 2 Equifax contacted Mandiant to help the company assess what data had been compromised.

With help from Mandiant, Equifax was able to determine a series of breaches had occurred from May 13 through July 30.

Equifax confirmed that attackers entered its system in mid-May through a web-application vulnerability that had a patch available in March. On March 6, 2017, The Apache Software Foundation published a security advisory about a new vulnerability affecting the Apache Struts 2 framework. By manipulating certain HTTP headers, an attacker could easily execute system commands on affected systems.

As often happens with this kind of vulnerability, it did not take long for attackers to take advantage of the flaw and use bots to crawl the web for vulnerable hosts. Organizations that take security seriously usually remain unaffected, because they immediately follow the recommended steps to fix it. However, many do not.

Penetration testers and other security researchers have pointed out that it would have been simple for an attacker to exploit the flaw and get into the system. After exploiting the vulnerability to gain a foothold, the attackers may have found scores of unprotected data immediately or may have worked over time—between mid-May and the end of July—to gain more and more access to Equifax’s systems.

Generally, following the successful use of an exploit like this, attackers will strive to compromise the system user that owns the web server process. It is a security best practice to ensure that this type of user account has as little privilege as possible on the server itself, since security vulnerabilities in web applications and web servers are so commonly exploited. In practice, though, it is also possible that the hackers found credentials or other information in plaintext right away if Equifax didn’t have proper protections in place.

As the security community processes the news and scrutinizes Equifax’s cybersecurity posture, numerous doubts have surfaced about the organization’s competence as a data steward. The company took six weeks to notify the public after finding out about the breach. Even then, the site that Equifax set up in response to address questions and offer free credit monitoring was itself riddled with vulnerabilities.

It has also been reported that a web portal for handling credit-report disputes from customers in Argentina used embarrassingly inadequate credentials – essentially an administrative account with the username “admin” whose password was also set to “admin.”

Now that we have touched on the anatomy of a security breach and examined a couple of well-known examples, we can see that the patterns that emerge can help guide best practices for preparing for the eventual breach and even potentially preventing it from having too great an impact on your organization. The following section illustrates one of the best frameworks for improving an organization’s cybersecurity posture.

The NIST Cybersecurity Framework

Despite the fact that companies continue to increase spending on cybersecurity initiatives, vulnerabilities, threats against those vulnerabilities, data breaches and destruction persist.

To combat these issues, on February 12, 2013, President Barack Obama issued Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity.” The EO directed NIST, in cooperation with the private sector, to develop and issue a voluntary, risk-based Cybersecurity Framework that would provide U.S. critical infrastructure organizations with a set of industry standards and best practices to help manage cybersecurity risks.

In February 2014, through a series of workshops held throughout the country and with industry input, NIST released the initial version of the “Framework for Improving Critical Infrastructure Cybersecurity” (often referred to as the NIST Cybersecurity Framework or CSF).

For the first time, the CSF provided industries with a risk-based approach for developing and improving cybersecurity programs. It also provides a common language regarding cybersecurity issues to allow for important discussions to take place between an organization’s “IT” people and its “business” people, some of whom may cringe when hearing complicated terms like “APT” (Advanced Persistent Threat). Its common-sense, “English language” approach allows an organization and its directors to both identify and improve upon its current cybersecurity procedures. Though the CSF was developed for the 16 critical infrastructure sectors, it is applicable to all companies, albeit, at least today, on a voluntary basis.

NIST’s Cybersecurity Framework (CSF) is likely to become the basis for what’s considered commercially reasonable in regards to securing an organization’s infrastructure. For this reason alone companies should pay close attention to it and, even if they don’t follow it completely, should at least understand where they are deficient and why.

The CSF is a valuable indicator of what a standard of care should be. The framework provides a standard measurement that organizations can agree on in terms of assessing risk. The CSF will give higher levels of management, such as boards of directors, CISOs, audit committees, and senior executives an understanding of their current security posture, where it should be and a clear roadmap of how to get there. Hopefully this will also free up some much-needed resources inside organizations to address these issues.

Another reason for paying attention is that, while the framework may be voluntary, it will, in TechVision’s opinion, most likely become the de-facto standard that organizations will be judged against if a breach occurs. Finally, the standard isn’t just for government agencies, but will apply to private businesses that are operating in critical infrastructure areas such as transportation, food processing and water treatment. There are actually 16 different infrastructure areas that cover just about every private business.

The CSF is not a checklist like other standards such as the Payment Card Industry Data Security Standard (PCI DSS). There is no list of requirements that you check off one by one until, when all checks are completed, you are done. It is more like a set of industry best practices for applying a risk-based approach to improving your organization’s security. It offers a core set of activities to anticipate and mitigate attacks on systems. It draws heavily on input from over three thousand corporations and individuals and is intended to adapt and change over time along with new technologies.

Five Core Functions

The Framework Core is a set of cybersecurity activities and applicable references established through five concurrent and continuous functions—Identify, Protect, Detect, Respond and Recover—that provide a strategic view of the lifecycle of an organization’s management of cybersecurity risk. These principles can be thought of as the Framework’s fundamental “cornerstone” for how an organization should be viewing its cybersecurity practices. The five core functions are:

  1. Identifying the most critical intellectual property and assets
  2. Developing and implementing procedures to protect these critical assets
  3. Having resources in place to detect a cybersecurity breach in a timely manner
  4. Having procedures in place to respond to a breach
  5. Being able to recover from a breach

The following figure describes aspects of each of these core cybersecurity functions which we will subsequently explain in greater detail.

Figure 4: The Five Core Functions of the NIST Cybersecurity Framework

Identify

The goal of the Identify Function is for organizations to develop an organizational understanding of how to manage cybersecurity risk with regard to systems, assets, data, and capabilities. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome categories within this Function include:

  • Asset Management – where the data, personnel, devices, systems, and facilities that enable the organization to achieve its business objectives are identified and managed consistent with their relative importance to those objectives and the organization’s risk strategy.
  • Business Environment – where the organization’s mission, objectives, stakeholders, and activities are understood and prioritized. This information is then used to inform cybersecurity roles, responsibilities, and risk management decisions.
  • Governance – where the policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and also inform the management of potential cybersecurity risk.
  • Risk Assessment – where the organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
  • Risk Management Strategy – where the organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

By taking the time and gaining an understanding of the organization’s current state and level of risk, it allows for better advanced planning and prioritization.  This can greatly help address many steps in the kill chain – for example, having a better focus on how an attacker’s reconnaissance efforts could be thwarted and identifying and prioritizing where the organization’s security investment will be most effective.

Protect

The goal of the Protect Function is to develop and implement appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome categories within this Function include:

  • Identity Management and Access Control – which consists of the means by which the lifecycle of accounts is managed and the access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
  • Awareness and Training – where the organization’s personnel and partners are provided cybersecurity awareness education, and are adequately trained and incented to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
  • Data Security – where information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
  • Information Protection Processes and Procedures – where security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
  • Maintenance – where the maintenance and repair of industrial control and information system components are performed consistent with policies and procedures.
  • Protective Technology – where technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

This is where an organization can bring the most technology to bear to help the automation and enforcement of access policies, effectively manage the elevation of privilege, harden configurations, and consistently implement the necessary patching of the environment.

Many of the products in the network security, endpoint security, and identity and access management markets focus on facilitating the prevention of security breaches.

Detect

The goal of the Detect Function is to develop and implement appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome categories within this Function include:

  • Anomalies and Events – where anomalous activity is detected in a timely manner and the potential impact of events is understood.
  • Security Continuous Monitoring – where the information systems and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
  • Detection Processes – where detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

This is the other area where technology can make a significant difference. Through effective monitoring, audit, and inspection of the environment, anomalous activities can be quickly detected and analyzed, aiding in quicker response and reducing the potential damage. Remember that most of the breaches involving the compromise of large amounts of data were not “smash and grab” assaults, but long-term data exfiltration efforts that sometimes lasted months to years.
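The kind of monitoring described above, and the Anthem detection earlier in this report (a DBA’s credentials used to run a query he never issued), as an added example that is not from the TechVision report or any vendor product: it learns a per-account baseline (source hosts, working hours, result volume) from a clean window of constructed database audit lines, then flags a privileged account used from an unknown host, outside its hours, to read a sensitive warehouse table. The log format, account names, hosts and table names are assumptions.

```python
"""Flag misuse of database credentials from audit-log lines (added example,
not from the TechVision report; all accounts, hosts and lines are constructed)."""
from collections import defaultdict
from datetime import datetime

# Constructed, SIEM-normalised audit lines from a window believed clean:
#   timestamp|account|source_host|rows_affected|statement
BASELINE_LOG = """\
2014-11-03T09:12:44|dba_jsmith|wks-dba-07|12|SELECT count(*) FROM claims WHERE state='CA'
2014-11-03T14:05:10|dba_jsmith|wks-dba-07|1|ALTER INDEX ix_member_id REBUILD
2014-11-04T10:31:02|dba_jsmith|wks-dba-07|250|SELECT member_id, plan FROM members WHERE plan='gold'
2014-11-04T11:47:19|etl_svc|etl-node-02|48000|INSERT INTO warehouse.claims SELECT * FROM staging.claims
2014-11-05T02:00:03|etl_svc|etl-node-02|52000|INSERT INTO warehouse.members SELECT * FROM staging.members
2014-11-05T16:20:55|dba_jsmith|wks-dba-07|3|SELECT * FROM dba_jobs WHERE status='FAILED'
"""

# Constructed lines from a later window; the first two model a DBA's
# credentials being used from a host he never works from, at 3 a.m., to pull
# the whole member table. The last two are routine and must not alert.
OBSERVED_LOG = """\
2015-01-27T03:14:09|dba_jsmith|10.40.8.113|0|SELECT table_name FROM all_tables
2015-01-27T03:15:41|dba_jsmith|10.40.8.113|1200000|SELECT ssn, dob, name, address FROM warehouse.members
2015-01-27T02:00:02|etl_svc|etl-node-02|51000|INSERT INTO warehouse.members SELECT * FROM staging.members
2015-01-27T09:05:12|dba_jsmith|wks-dba-07|4|SELECT * FROM dba_jobs WHERE status='FAILED'
"""

# Assumed classification inputs; in practice they come from the asset
# inventory (CSF Identify) and the privileged-account management system.
PRIVILEGED_ACCOUNTS = {"dba_jsmith"}
SENSITIVE_TABLES = {"warehouse.members", "warehouse.claims"}
VOLUME_FACTOR = 10  # rows must exceed 10x the account's baseline maximum


def parse_line(line):
    ts, account, host, rows, statement = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "host": host, "rows": int(rows), "statement": statement.strip()}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def build_baseline(events):
    """Per account: hosts seen, hours of day seen, and largest result size."""
    base = defaultdict(lambda: {"hosts": set(), "hours": [], "max_rows": 0})
    for e in events:
        b = base[e["account"]]
        b["hosts"].add(e["host"])
        b["hours"].append(e["ts"].hour)
        b["max_rows"] = max(b["max_rows"], e["rows"])
    return dict(base)


def reasons_for(event, baseline):
    """List the baseline deviations for one event; an empty list means normal."""
    b = baseline.get(event["account"])
    if b is None:
        return ["account has no baseline"]
    reasons = []
    if event["host"] not in b["hosts"]:
        reasons.append("source host %s never seen for this account" % event["host"])
    # Allow one hour of slack on either side of the observed working window.
    lo, hi = max(min(b["hours"]) - 1, 0), min(max(b["hours"]) + 1, 23)
    if not lo <= event["ts"].hour <= hi:
        reasons.append("outside observed hours %02d-%02d" % (lo, hi))
    if event["rows"] > VOLUME_FACTOR * max(b["max_rows"], 1):
        reasons.append("result volume %d far above baseline" % event["rows"])
    stmt = event["statement"].upper()
    if stmt.startswith("SELECT"):
        for table in SENSITIVE_TABLES:
            if table.upper() in stmt:
                reasons.append("read of sensitive table %s" % table)
    return reasons


def detect(observed, baseline):
    """Return (event, severity, reasons) for each anomalous event."""
    alerts = []
    for e in observed:
        reasons = reasons_for(e, baseline)
        if reasons:
            severity = "high" if e["account"] in PRIVILEGED_ACCOUNTS else "medium"
            alerts.append((e, severity, reasons))
    return alerts


def run():
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect(parse_log(OBSERVED_LOG), baseline)


if __name__ == "__main__":
    for event, severity, reasons in run():
        print(event["ts"], event["account"], severity)
        for r in reasons:
            print("   -", r)
```

The baseline window has to be one you trust; if an attacker was already active when it was captured (as at Anthem for almost a year), their hosts and hours become “normal” and this check goes quiet.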

Respond

The goal of the Respond Function is to develop and implement appropriate activities to take action regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity incident. Examples of outcome categories within this Function include:

  • Response Planning – where response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.
  • Communications – where response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
  • Analysis – where analysis is conducted to ensure adequate response and support recovery activities.
  • Mitigation – where activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
  • Improvements – where organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

How well an organization responds to a breach is just as important as how well it prepares for one. Being able to quickly assess the situation, leverage forensics, and effectively react to the circumstances is critical to minimizing the impact of the breach.

Recover

The goal of the Recover Function is to develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident. Examples of outcome categories within this Function include:

  • Recovery Planning – where recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.
  • Improvements – where recovery planning and processes are improved by incorporating lessons learned into future activities.
  • Communications – where restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.

Lastly, it is also important to learn from the experience and apply that knowledge and understanding to resolve what went wrong and improve the preparations for the next time the organization is attacked.

The following figure provides an overall perspective on the NIST Cybersecurity Framework and its approach of leveraging best-of-breed existing standards.

Figure 5: NIST Cybersecurity Framework Draws from Other Notable Frameworks and Standards

The NIST Cybersecurity Framework does not create anything new; it draws from existing standards that can be applied to drive behavioral change within an organization. The objective of the framework is to give cyber risk greater visibility at the corporate level, similar to that of financial or liability risk. To do this, the CSF draws on other works such as the Control Objectives for Information and Related Technology (COBIT), the Council on Cybersecurity (CCS) Top 20 Critical Security Controls (now maintained as the CIS Controls), ANSI/ISA and ISO/IEC standards, and the NIST SP 800-53 security controls.

Where to Start

A major challenge in adopting the NIST Cybersecurity Framework is simply getting started. Organizations typically have limited resources and familiarity with the Framework to help them leverage their existing cybersecurity, compliance and audit programs, policies and processes.

At a minimum, CxOs and their management should become familiar with the Framework and its benefits at a high level. Additionally, the executive leadership team (or other decision making bodies) should have a deep discussion with the rest of management about the organization’s implementation plan, with particular focus on considerations of current risk management practices, the threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.

Educating managers and staff on the Framework ensures everyone in the organization is on the same page and is an important step toward the successful implementation of a robust cybersecurity program. Many resources available online describe existing Framework implementations, which may help organizations flesh out their own approaches. Additionally, organizations can seek out cybersecurity service providers skilled in the education, awareness and planning required to implement the Framework across an entire enterprise. TechVision Research provides a variety of independent workshops, tutorials and education programs in these areas.

Though established as a set of guidelines and not a regulatory requirement in and of itself, the NIST Cybersecurity Framework was developed with input from industry experts, collaborators and businesses with years of cyber experience. As stated back in 2011 by Congressman Mike Rogers, then Chairman of the House Intelligence Committee, “There are two kinds of companies. Those that have been hacked and those that have been hacked but don’t know it yet.” Given that it is almost inevitable that an organization will be hacked, there will be a time and place where it may need to demonstrate to customers, investors, regulators and plaintiffs’ attorneys that it gave thought to, and implemented, cybersecurity measures to defend its most critical intellectual property, business and customer information. Implementing the Framework allows organizations not only to improve their cybersecurity measures but also to demonstrate that they took reasonable steps to protect their environments.

How Vendor Offerings Align with The NIST Cybersecurity Framework

In this section, we examine how different vendor offerings align with the core functions of the NIST Cybersecurity Framework, paying particular attention to the most prominent vendors. We characterize those vendors by CSF function (Identify, Protect, Detect, Respond and Recover), break each function down into key capability areas, and call out the vendors that support each area.

The offerings listed represent a starting point based on our hands-on consulting with large organizations, our research and analysis, and our industry knowledge and experience with a broad base of vendors. We believe every enterprise should go through a rigorous review and assessment process, but we provide a starting point similar to what we would give a consulting client who is determining which vendors to consider in an RFP.

Identify

Identify is all about establishing and evaluating your security posture.  While there aren’t as many technologies that help with this phase of the Framework as compared with the Protect and Detect phases, preparation and planning can benefit from scanning one’s environment, performing discovery, and establishing a prioritized inventory of key hardware and software assets.

Asset Management and Discovery

Provides a global view of all IT assets and discovers the inputs and outputs to be factored into this global view. The goal is to facilitate informed decisions based on up-to-date and accurate information. Vendors to consider that provide Asset Management and Discovery solutions are:

  • BMC Remedy
  • IBM Asset Management
  • Micro Focus Asset Manager
  • ServiceNow
  • SolarWinds

Vulnerability Scanning

Provides solutions that are able to scan for vulnerabilities across all sorts of application and infrastructure environments such as clients, servers, routers and switches.

Vendors to consider that provide Vulnerability Scanning solutions are:

  • Alert Logic
  • Fortinet
  • Micro Focus Fortify
  • Rapid7

Protect

As noted earlier, there are a lot of products to choose from in the network security, endpoint security and identity and access management markets that can help provide effective controls to protect one’s environment.  Some are offered as point solutions, but many are offered as part of a more comprehensive suite of solutions. The following highlights some of the product categories to consider:

Authentication

This sub-category provides greater identity assurance and proofing through strong authentication.

Vendors to consider that provide Authentication solutions are:

  • CA Technologies
  • Centrify
  • ForgeRock
  • IBM
  • Microsoft
  • Micro Focus
  • Okta
  • OneIdentity
  • OneLogin
  • Oracle
  • Ping Identity
  • RSA (Dell/EMC)

Authorization

This area focuses on the enforcement of authorization policies ensuring appropriate access to critical resources.

Vendors to consider that provide Authorization solutions are:

  • CA Technologies
  • Centrify
  • ForgeRock
  • IBM
  • Microsoft
  • Micro Focus
  • Okta
  • OneIdentity
  • OneLogin
  • Oracle
  • Ping Identity
  • RSA (Dell/EMC)

Privileged Access Management (PAM)

PAM controls access by administrators and by system and service accounts (vaulting and rotating their credentials and brokering their sessions) and provides detailed session recording for forensic review.

Vendors to consider that provide Privileged Access Management solutions are:

  • BeyondTrust
  • CA Technologies
  • Centrify
  • CyberArk
  • OneIdentity

Access Governance

Enables the lines of business to make decisions about appropriate access.

Vendors to consider that provide Access Governance solutions are:

  • CA Technologies
  • IBM
  • Micro Focus
  • OneIdentity
  • Oracle
  • RSA (Dell/EMC)
  • SailPoint
  • Saviynt

Identity Lifecycle Management

Facilitates the onboarding of accounts, granting and revoking of entitlements, and enforcing the decisions made about what constitutes appropriate access.

Vendors to consider that provide Identity Lifecycle Management solutions are:

  • CA Technologies
  • IBM
  • Micro Focus
  • OneIdentity
  • Oracle
  • RSA (Dell/EMC)
  • SailPoint

Secure Web Gateways

Provides solutions to protect web-surfing PCs from infection and enforce company and regulatory policy compliance. These gateways must, at a minimum, include URL filtering, malicious-code detection and filtering, and application controls for popular web-based applications, such as instant messaging (IM) and Skype.

Vendors to consider that provide Secure Web Gateways solutions would be:

  • Cisco
  • Forcepoint
  • Intel Security (McAfee)
  • Symantec (Blue Coat)

Configuration Management

Solutions that track changes to applications and their infrastructure to ensure that configurations are in a known and trusted state, and configuration details don’t rely on tribal knowledge of the development team.

Vendors to consider that provide Configuration Management solutions are:

  • Ansible
  • Apache Maven
  • Puppet
  • Chef

Detect

This is also an area where there are a lot of different categories to choose from.  The following highlights some of the product categories to consider:

Network Firewall

Build application awareness by drilling into network traffic to help identify the applications traversing the network.

Vendors to consider that provide Network Firewall solutions are:

  • Check Point Software
  • Cisco Systems
  • Juniper Networks
  • Palo Alto Networks

Intrusion Detection / Anti-Malware

This sub-category generally involves a multi-layered approach that incorporates signature detection, whitelisting, heuristics and behavior-based detection.

Vendors to consider that provide these solutions are:

  • Cisco
  • Intel Security
  • Avast
  • Carbon Black
  • Cylance
  • Malwarebytes
  • Sophos

User Behavioral Analytics

User behavioral analytics uses recognition of behavioral patterns to establish what normal operations look like and to bring attention to anomalous activity. This area is being advanced by artificial intelligence (AI) and machine learning (ML) techniques.

Vendors to consider that provide User Behavioral Analytics solutions are:

  • Exabeam
  • Fortscale
  • Haystax Technology
  • IBM QRadar
  • Micro Focus Niara
  • Microsoft Advanced Threat Analytics
  • Splunk

Log Management

Log management involves collecting and aggregating log information from multiple sources to facilitate better inspection and forensics.

Vendors to consider that provide Log Management solutions are:

  • Alert Logic
  • IBM QRadar
  • LogRhythm
  • Micro Focus ArcSight
  • Splunk

Security Information and Event Management (SIEM)

SIEM provides real time event collection and correlation as well as automated triggering of remediation to inform and react to advanced persistent threats.

Vendors to consider that provide SIEM solutions are:

  • AlienVault
  • IBM QRadar
  • LogRhythm
  • Micro Focus ArcSight
  • Splunk

Respond and Recover

Both the Respond and Recover functions are less about the technology you can employ and more about how you use it. The tools and products described above under the prior three functions will certainly help with response and recovery, but these stages are primarily a time for the organization to analyze and understand what transpired, perform a post mortem that clearly documents what went wrong, formulate a plan to mitigate the damage and reinforce the defenses, and prepare for the next attack.

As an additional aside, Amazon Web Services (AWS) is an example of a vendor with a significant number of features and capabilities across its cloud offerings that span all five NIST CSF core functions. Rather than enumerate them here, we note that AWS has published a report mapping its offerings and features to the framework.

Next Steps

To protect information and defend against both internal and external threats across every tier of the IT infrastructure, organizations should select solutions based on an operational security model that is risk-based, content-aware, responsive to threats in real time, and workflow-driven to facilitate the automation of data security processes. Here are six steps that any organization can take to significantly reduce the risk of a data breach using proven solutions:

Step 1 – Stop incursion by targeted attacks

To prevent incursions, it is necessary to shut down potential avenues that facilitate the misuse of the organization’s information assets. Controls assessment automation, effective access controls, network and endpoint controls, as well as application and messaging security solutions should be combined to stop targeted attacks. In addition, to the extent possible, endpoints should be managed centrally to ensure consistent deployment of security policies, patches, encryption capabilities, and information access. Specific recommended actions include:

  • Implement web, messaging and endpoint security to monitor and block the inbound flow of targeted malware.
  • Apply host-based intrusion detection and intrusion prevention systems on servers to safeguard host integrity in the event of an SQL injection attack.
  • Leverage privileged access management solutions to ensure that accounts with elevated privileges are closely monitored and their credentials are not static.
  • Automatically scan technical controls (including password settings and firewall and server configurations) across networked servers and report on all policy violations.
  • Centrally deploy policy and manage endpoints to automate patch management and ensure the latest encryption, network access control and security settings are applied.

Step 2 – Identify threats by correlating real-time alerts with global security intelligence

To help identify and respond to the threat of a targeted attack, security information and event management systems can flag suspicious network activity for investigation. The value of such real-time alerts is much greater when the information they provide can be correlated with knowledge of actual known threats. Being able to tap into current research and analysis of the worldwide threat environment in real time gives security teams a tremendous advantage in combating external threats. Specific recommended actions include:

  • Leverage security intelligence services that daily monitor millions of email messages and systems worldwide to analyze internal event data and stay current on the evolving threat landscape.
  • Combine security information and event management systems to track network activity, collect incident data from all security systems, and match incident logs against a data feed from security intelligence services to identify known trouble sites and other external threats in real-time.

Step 3 – Proactively protect information

In today’s connected world, it is no longer enough to defend the perimeter. You must accurately identify and proactively protect your most sensitive information wherever it is stored, sent or used. Only by enforcing unified data protection policies across servers, networks and endpoints throughout the enterprise can you progressively reduce the risk of a data breach. Data loss prevention solutions can make this unified approach a reality.

Implement content-aware, “define once, enforce everywhere” policy management with incident remediation workflow, reporting, system management and security. Specific recommended actions include:

  • Find sensitive information located on file servers, databases, email repositories, websites, laptops, and desktops, and protect it with automatic quarantine capabilities as well as support for policy-based encryption.
  • Inspect all outbound network communications, such as email, IM, Web, FTP, P2P, and generic TCP, and enforce policies to prevent confidential information from leaving.
  • Proactively block confidential data from leaving the organization from endpoints via print, fax or removable media.
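The outbound inspection described in Step 3 hinges on validating what looks like sensitive content before acting on it, otherwise order numbers and phone numbers flood the incident queue. The following is an added example (not code from the original report or from any DLP vendor) of a content-aware check over constructed outbound messages: it Luhn-validates candidate card numbers, rejects structurally impossible SSNs, and maps the validated findings to a block/quarantine/allow decision. The policy mapping and the `acme_live_` key format are assumptions made for the example.

```python
"""Content-aware inspection of outbound messages (a small DLP check).

Added example: the policy (cards and SSNs block, the secret pattern quarantines)
and the 'acme_live_' key format are assumptions, not any vendor's rules.
"""
import re
from dataclasses import dataclass

# Candidate payment-card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in the conventional AAA-GG-SSSS layout.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# Hypothetical internal API-key format (assumption for the example only).
API_KEY_RE = re.compile(r"\bacme_live_[A-Za-z0-9]{24}\b")

# Which finding kinds trigger which action; assumed policy.
BLOCK_KINDS = {"credit_card", "ssn"}
QUARANTINE_KINDS = {"api_key"}


@dataclass(frozen=True)
class Finding:
    kind: str      # credit_card | ssn | api_key
    redacted: str  # masked value that is safe to write to an incident log


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: cuts false positives from order numbers and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000, 666 or 9xx, group 00, serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_sensitive(text: str) -> list[Finding]:
    """Return validated findings; raw values are never stored, only masked forms."""
    findings: list[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append(Finding("credit_card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", "***-**-" + m.group(3)))
    for m in API_KEY_RE.finditer(text):
        findings.append(Finding("api_key", m.group(0)[:10] + "..."))
    return findings


def policy_decision(findings: list[Finding]) -> str:
    """Map findings to the enforcement action: block, quarantine, or allow."""
    kinds = {f.kind for f in findings}
    if kinds & BLOCK_KINDS:
        return "block"
    if kinds & QUARANTINE_KINDS:
        return "quarantine"
    return "allow"


# Constructed outbound messages (not real data).
SAMPLE_MESSAGES = [
    "Please charge 4111 1111 1111 1111 for the order",   # Luhn-valid test card
    "Order ref 1234-5678-9012-3456, ships Monday",       # looks like a card, fails Luhn
    "Employee SSN 123-45-6789 attached for payroll",
    "SSN 000-12-3456 is a placeholder in the template",  # structurally invalid SSN
    "deploy token: acme_live_" + "A" * 24,
]


def inspect_all(messages: list[str]) -> list[str]:
    """Decision per message, in order."""
    return [policy_decision(find_sensitive(m)) for m in messages]


if __name__ == "__main__":
    for msg, decision in zip(SAMPLE_MESSAGES, inspect_all(SAMPLE_MESSAGES)):
        print(f"{decision:10s} {msg[:50]}")
```

The point of the two validation functions is precision: a DLP rule that fires on any 16-digit string is switched off within a week. Note also that the finding carries only a masked value, so the inspection log itself does not become a second copy of the confidential data.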

Step 4 – Automate security through IT compliance controls

To prevent a breach, organizations must start by developing and enforcing IT policies across their network and data protection systems. By assessing the effectiveness of the procedural and technical controls in place and automating regular checks on technical controls such as password settings, server and firewall configurations, and patch management, organizations can reduce the risk of a data breach. To sustain and improve their compliance posture, organizations need to continuously assess how their infrastructure is set up to support IT compliance policies. Leveraging IT policy creation, policy deployment, IT compliance controls assessment, incident management and correlation tools will enable organizations to proactively identify and remediate deficiencies before breaches happen, and in the event of an attack to identify and prioritize risks across the enterprise. Consider the following actions to better automate security through IT compliance controls:

  • Leverage the NIST Cybersecurity Framework in getting organized and prepared for each phase
  • Define IT policies based on data security best practices and industry standards such as ISO 17799 (now ISO/IEC 27002), COBIT, NIST SP 800-53, Sarbanes-Oxley, PCI DSS, HIPAA, GLBA, GDPR and others.
  • Align IT policies to key security and operations controls, both procedural and technical.
  • Automate the assessment of infrastructure and systems against existing IT compliance controls.
  • Measure and report on how well the organization is meeting IT compliance controls.
  • Prioritize remediation efforts based on measurement and reporting results, identify deficiencies, and proactively update the infrastructure and security systems to demonstrate compliance and ensure maximum security.
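Step 1 and Step 4 both call for automatically scanning technical controls (password settings, server and firewall configurations) and reporting every policy violation. The following is an added example, not code from the original report or from any compliance product, of what such an assessment looks like in practice: it parses constructed sshd_config and login.defs snippets, checks them against an assumed policy, flags allow rules that expose management ports to any source, and returns the violations per host so they can be measured and prioritized. The control thresholds, the key=value parsing and the fleet data are all assumptions for the example.

```python
"""Automated assessment of technical controls against IT policy.

Added example: the control thresholds, the key=value config parsing and the
constructed host data are assumptions, not a vendor's scanner or a specific
benchmark's exact values.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Callable

Check = tuple[str, str, Callable[[str], bool]]  # (keyword, expectation, predicate)

# Assumed policy; substitute your own standard's numbers (e.g. a CIS benchmark).
SSHD_CONTROLS: list[Check] = [
    ("PermitRootLogin", "no", lambda v: v.lower() == "no"),
    ("PasswordAuthentication", "no", lambda v: v.lower() == "no"),
    ("MaxAuthTries", "<= 4", lambda v: v.isdigit() and int(v) <= 4),
]
LOGIN_DEFS_CONTROLS: list[Check] = [
    ("PASS_MAX_DAYS", "<= 90", lambda v: v.isdigit() and int(v) <= 90),
    ("PASS_MIN_LEN", ">= 12", lambda v: v.isdigit() and int(v) >= 12),
]
# Management and database ports that must never be allowed from any source.
RESTRICTED_PORTS = {22, 3389, 3306, 5432}


@dataclass(frozen=True)
class Violation:
    host: str
    control: str
    expected: str
    actual: str


def parse_kv(text: str) -> dict[str, str]:
    """Parse 'Keyword value' lines, skipping blanks and comments.

    The first occurrence of a keyword wins, as it does in sshd_config; the same
    rule is applied to login.defs here as a simplification.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0], parts[1].strip())
    return settings


def check_settings(host: str, settings: dict[str, str], controls: list[Check]) -> list[Violation]:
    """An absent keyword is reported too: the daemon default then applies, and
    the policy does not trust defaults to match."""
    out = []
    for keyword, expected, ok in controls:
        actual = settings.get(keyword)
        if actual is None:
            out.append(Violation(host, keyword, expected, "(not set)"))
        elif not ok(actual):
            out.append(Violation(host, keyword, expected, actual))
    return out


def check_firewall(host: str, rules: list[dict]) -> list[Violation]:
    """Flag allow rules that expose a restricted port to any source (/0)."""
    out = []
    for r in rules:
        if r["action"] != "allow" or r["port"] not in RESTRICTED_PORTS:
            continue
        if ip_network(r["src"], strict=False).prefixlen == 0:
            out.append(Violation(host, f"firewall:tcp/{r['port']}", "restricted source", r["src"]))
    return out


def assess_host(host: str, sshd_config: str, login_defs: str, rules: list[dict]) -> list[Violation]:
    return (check_settings(host, parse_kv(sshd_config), SSHD_CONTROLS)
            + check_settings(host, parse_kv(login_defs), LOGIN_DEFS_CONTROLS)
            + check_firewall(host, rules))


# Constructed fleet data, as a collector would return it (not real hosts).
FLEET = {
    "web01": {
        "sshd_config": "# managed by config management\nPermitRootLogin no\nPasswordAuthentication no\nMaxAuthTries 3\n",
        "login_defs": "PASS_MAX_DAYS 90\nPASS_MIN_LEN 14\n",
        "rules": [{"action": "allow", "port": 443, "src": "0.0.0.0/0"},
                  {"action": "allow", "port": 22, "src": "10.0.0.0/8"}],
    },
    "db01": {
        "sshd_config": "PermitRootLogin yes\n# a later duplicate does not override the first\nPermitRootLogin no\nMaxAuthTries 10\n",
        "login_defs": "PASS_MAX_DAYS 99999\nPASS_MIN_LEN 8\n",
        "rules": [{"action": "allow", "port": 5432, "src": "0.0.0.0/0"}],
    },
}


def assess_fleet(fleet: dict) -> dict[str, list[Violation]]:
    return {h: assess_host(h, d["sshd_config"], d["login_defs"], d["rules"]) for h, d in fleet.items()}


if __name__ == "__main__":
    for host, violations in assess_fleet(FLEET).items():
        print(f"{host}: {len(violations)} violation(s)")
        for v in violations:
            print(f"  {v.control:28s} expected {v.expected:18s} actual {v.actual}")
```

Two details matter more than the thresholds themselves: a setting that is simply absent is reported rather than silently accepted, and the parser honours first-occurrence-wins so that a compliant-looking line appended below a bad one does not hide it. The structured `Violation` records are what feed the measurement and prioritization bullets above.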

Step 5 – Prevent data exfiltration

In the event that a hacker incursion is successful, it is still possible to prevent a data breach by using network software to detect and block the exfiltration of confidential data. Insider breaches can likewise be identified and stopped. Data loss prevention and security event management solutions can combine to prevent data breaches during the outbound transmission phase.

  • Monitor and prevent data breaches via network transmission, whether by malware, well-meaning or malicious insiders.
  • Identify transmissions to known hacker sites and alert security teams to prevent the exfiltration of confidential data.
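Step 2 recommends matching incident logs against a security intelligence feed, and Step 5 relies on the same correlation to spot transmissions to known hacker sites before data leaves. The following is an added example serving both steps, not code from the original report or from any SIEM vendor: it parses constructed proxy/firewall log lines, matches destination hosts and IPs against a constructed indicator feed (parent-domain matching on label boundaries, CIDR matching for addresses), and aggregates transferred bytes per source/destination pair so that repeated transfers to one bad destination surface as a likely exfiltration. The log format, the feed contents and the 4 MiB threshold are assumptions for the example; the addresses are from the RFC 5737 documentation ranges.

```python
"""Correlate proxy/firewall log lines with a threat-intelligence feed and
aggregate transfer volume to flag likely exfiltration.

Added example: the key=value log format, the IOC feed and the 4 MiB threshold
are constructed assumptions, not a real feed or SIEM format.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed indicator feed (not real intelligence).
IOC_FEED = {
    "domains": {"evil-cdn.example", "paste-drop.example"},
    "ips": {"203.0.113.7"},
    "cidrs": {"198.51.100.0/24"},
}
EXFIL_BYTES_THRESHOLD = 4 * 1024 * 1024  # assumed: 4 MiB to one destination per source

# Constructed log lines; 'host=-' means no hostname was observed (bare TCP).
SAMPLE_LOG = """\
2018-04-02T10:15:01Z src=10.1.2.3 dst=192.0.2.10 host=www.example.com bytes=2048 action=allow
2018-04-02T10:15:07Z src=10.1.2.3 dst=203.0.113.7 host=update.evil-cdn.example bytes=1048576 action=allow
2018-04-02T10:16:12Z src=10.1.2.9 dst=198.51.100.23 host=- bytes=524288 action=allow
2018-04-02T10:16:40Z src=10.1.2.3 dst=203.0.113.7 host=update.evil-cdn.example bytes=4194304 action=allow
2018-04-02T10:17:02Z src=10.1.2.5 dst=192.0.2.10 host=notevil-cdn.example bytes=512 action=allow
"""


@dataclass(frozen=True)
class Alert:
    time: str
    src: str
    dst: str
    host: str
    indicators: tuple  # every feed entry the line matched
    nbytes: int


def parse_line(line: str) -> dict:
    """First token is the timestamp, the rest are key=value pairs."""
    time, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["time"] = time
    return fields


def match_domain(host: str) -> Optional[str]:
    """Match the host or any parent domain on label boundaries only:
    'update.evil-cdn.example' hits 'evil-cdn.example'; 'notevil-cdn.example' does not."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_FEED["domains"]:
            return candidate
    return None


def match_ip(dst: str) -> Optional[str]:
    """Exact IP indicators first, then CIDR ranges."""
    if dst in IOC_FEED["ips"]:
        return dst
    try:
        addr = ip_address(dst)
    except ValueError:
        return None
    for cidr in IOC_FEED["cidrs"]:
        if addr in ip_network(cidr):
            return cidr
    return None


def correlate(log_text: str):
    """Return (per-line alerts, {(src, dst): bytes} pairs over the exfil threshold)."""
    alerts = []
    volume = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        hits = [m for m in (match_domain(f["host"]), match_ip(f["dst"])) if m]
        if not hits:
            continue
        nbytes = int(f["bytes"])
        alerts.append(Alert(f["time"], f["src"], f["dst"], f["host"], tuple(hits), nbytes))
        volume[(f["src"], f["dst"])] += nbytes
    exfil = {k: v for k, v in volume.items() if v >= EXFIL_BYTES_THRESHOLD}
    return alerts, exfil


if __name__ == "__main__":
    alerts, exfil = correlate(SAMPLE_LOG)
    for a in alerts:
        print(f"{a.time} {a.src} -> {a.dst} ({a.host}) matched {a.indicators} {a.nbytes} bytes")
    for (src, dst), total in exfil.items():
        print(f"EXFIL? {src} sent {total} bytes to {dst}")
```

A single matched connection is an alert to investigate; the aggregated volume to the same indicator is what turns it into an exfiltration case worth blocking at the egress point. The label-boundary match is deliberate: a naive substring test on `evil-cdn.example` would also fire on `notevil-cdn.example`, and a feed of a few hundred thousand domains makes such false positives very common.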

Step 6 – Integrate prevention and response strategies into security operations

In order to prevent data breaches, it is essential to integrate a breach prevention and response plan into the day-to-day operations of the security team. Using technology to monitor and protect information, the security team should be able to continuously improve the plan and progressively reduce risk based on a constantly expanding knowledge of threats and vulnerabilities. Specific recommended actions include:

  • Integrate solutions for data loss prevention, system protection, compliance, and security management to create an operational model for security that is risk-based, content-aware, responsive to threats in real time, and workflow-driven to automate day-to-day processes and close gaps between people, policies, and technologies.
  • Leverage security services—including consulting, education, critical support, and global intelligence services—that provide organizations with deep security knowledge and broad security product expertise.

Summary and Recommendations

First, as any security professional knows, there are no easy answers to building policies and controls to thwart potential breaches and cyberattacks. That said, starting with the steps outlined in the previous section provides a solid foundation. The NIST framework provides a nice structure for categorizing key capabilities and approaches to mitigating risk.

But the framework is only the first step. A fundamental limitation of any security model is that its proof of security rests on assumptions: specifically, that the implementation of a secure network, system or application is consistent with the model, and that the system is installed, operated, maintained and decommissioned consistently with that model. If it is not, the underlying assumptions are wrong; the proof may be correct, but it is irrelevant. For efforts to become NIST framework “compliant” to succeed, the organization needs to regularly challenge and verify that those assumptions still hold.

While best practices and technology can certainly help, ultimately IT security specialists and engineers with sophisticated skills are needed to prove those assumptions and to prevent and defend against sophisticated cyberattacks. But tech talent with these skills is hard to find. Ultimately, to be prepared for the inevitable breach, in addition to the guidance already provided in this report, organizations can take steps to better hire for and invest in their IT departments.

Invest in education and communication

Part of the problem stems from a disconnect in how IT firms hire talent and how scarce top security experts are.  Many employers value experience over education, and young, promising professionals are ignored for positions that require advanced skills.

Building stronger partnerships between employers and colleges and universities can help to better train the next generation of security experts. These relationships can foster expanded internship programs and training opportunities to groom young professionals and connect them with the employers who need them.

Investing in additional training, professional development, and workshops for existing staff can also help to boost security. To stay ahead of hackers, specialists need to be up-to-date on the latest technology and software.

There is also significant value in developing and executing on a consistent, broad-based communication and training program. It isn’t just the security/risk organization that needs to be educated; it is the entire organization. Establishing security policies is, of course critical, but effectively and regularly communicating these programs throughout the organization is critical in maintaining a security-aware organization.

Think globally

Hiring tech talent outside of the U.S. can also help to solve the security talent crisis, as it can be very challenging to find and retain top-level security personnel. Thinking globally widens the talent pool and could lower the price of top talent. The recruiting process will take more time and effort, and securing a visa might be difficult, but the end result could be worth it. TechVision is developing a report that dives deeper into addressing the challenges in staffing a security organization.

Keep your friends close, your enemies closer

Hackers will always be out there, adapting to the newest, most complex technology and software. To prevent data breaches, we need to start at the root of the problem. Invest in security and your IT team and emphasize the importance of education and consistent communication. We’re going to need as many talented professionals as we can get.

Unfortunately, you only know what you know regardless of how much talent you have. Another avenue to explore is ethical hacking, hiring outside firms such as “whitehat” hackers to see what you don’t. Or you can open it up even more by participating in “Bug Bounty” programs that reward people who discover security issues as an independent resource.

In conclusion, leveraging the NIST CSF or your favorite framework, implementing the concepts described in this report and simply being proactive in getting ahead of the threats will serve your enterprise well.

About TechVision

World-class research requires world-class consulting analysts and our team is just that. Gaining value from research also means having access to research. All TechVision Research licenses are enterprise licenses; this means everyone that needs access to content can have it. We know major technology initiatives involve many different skill sets across an organization and limiting content to a few can compromise the effectiveness of the team and the success of the initiative. Our research leverages our team’s in-depth knowledge as well as their real-world consulting experience. We combine great analyst skills with real world client experiences to provide a deep and balanced perspective.

TechVision Consulting builds off our research with specific projects to help organizations better understand, architect, select, build, and deploy infrastructure technologies. Our well-rounded experience and strong analytical skills help us separate the hype from the reality. This provides organizations with a deeper understanding of the full scope of vendor capabilities, product life cycles, and a basis for making more informed decisions. We also support vendors when they carry out a product and strategy review and assessment, a requirement analysis, a target market assessment, a technology trend analysis, a go-to-market plan assessment, or a gap analysis.

TechVision Updates will provide regular updates on the latest developments with respect to the issues addressed in this report.

About the Authors

Nick Nikols has more than 25 years of experience in the software industry, architecting solutions and developing innovative products for identity, security and compliance management, as well as directory services and directory/application integration.

Before working with TechVision Research, Nick was Senior Vice President of Product Management and CTO of Cybersecurity at CA Technologies, where he was responsible for CA’s Cybersecurity Product Strategy and Roadmap.  At CA, he was particularly focused on modernizing CA’s Identity-centric Security portfolio and successfully promoted CA’s Identity Manager and Access Governance solution into a leadership position within Gartner’s Magic Quadrant for Identity Governance and Administration.

Gary Rowe is a seasoned technology analyst, consultant, advisor, executive and entrepreneur. Mr. Rowe helped architect, build and sell two companies and has been on the forefront the standardization and business application of core infrastructure technologies over the past 35 years. He was President of Burton Group from 1999 to 2010, the leading technology infrastructure research and consulting firm through the sale of Burton to Gartner.

Mr. Rowe has personally led over 100 consulting engagements, 50+ educational seminars, published over 50 research reports/articles and led three significant technology industry initiatives. His combination of business skills and his deep understanding of technology provide a balanced perspective for clients. Core areas of focus include identity and access management, directory integration, cloud computing, security/risk management, digital transformation, IT business model changes, privacy and blockchain/distributed ledger.
