This post is from my series of short essays on cybersecurity.

The last post, Cybersecurity framework – start with identify and protect, discussed the first two activities of the NIST Cybersecurity Framework (NIST-CSF). Identifying the assets, assessing the risk and potential loss, and applying the correct protective measures are the foundation of an organization's cybersecurity infrastructure. But cybersecurity is not a product, it is an ongoing process. Resilience to withstand an attack and recover from it on robust infrastructure is key to maintaining a secure system. This post discusses the next three activities described in NIST-CSF – detect, respond, recover.

Once assets are identified and protections are in place, we need safeguards to "Detect" any anomaly and any attempt by an adversary to penetrate our security. A good detection system proactively identifies problems before they cause any damage. Detection can be an internal sanity check, such as a scanner finding a rogue or unpatched application inside the environment, or analysis of network and application logs for unusual traffic or access patterns. In the unfortunate event that an adversary does penetrate successfully, the detection system should help assess the impact of the loss, perform the cleanup, and strengthen the security controls to prevent future attacks.


With good security controls and a smart detection system, we can enable continuous security monitoring, where our automation actively looks for vulnerabilities in the infrastructure and raises alerts on any anomaly or intrusion attempt. The next step in resilience is to make sure that we are prepared to "Respond" on the unfortunate day when an adversary is able to penetrate. A preemptive action plan should be in place so that, when the detection system alerts us to an adversary's attempt to penetrate, we can stop the attacker at the door. A combination of a preemptive response plan and immediate incident response is required to prevent loss from an attack and to minimize the loss in case of a successful attack. Otherwise an unplanned firefight can multiply the losses and, in the worst case, cause the complete collapse of the system.

Response plan activities include a communication strategy (how teams will communicate during the incident), assignment of who will lead the response, and how we will mitigate the risk and do the damage control. Regular tabletop exercises with simulated emergency situations are required for readiness.

After the immediate response, mitigation, and damage control, the final step is to bring back normalcy. NIST-CSF covers this under the "Recover" activity, which means bringing the system back to its normal pre-incident operational level. Of course, as part of recovery we should also perform a root cause analysis, identify improvements that protect against future incidents, and eliminate the vulnerability that caused the incident.

The NIST-CSF is a powerful tool, but it is still only a blueprint. Actual implementation, and keeping pace with the evolving world of cybersecurity, is challenging. As technology evolves, new threats appear and require new safeguards. For example, the increased use of public cloud and interconnected software supply chains has brought improved productivity, reliability, and scale, but it also requires new thinking on security models to handle global resilience and protection against attacks on centralized software supply chains. That is why we should always remember that cybersecurity is not a product, it is a continuous process.