Mapping Your Requirements to the NIST Cybersecurity Framework

Industry Perspective

 

Introduction

 

Today, agencies face a wildly changing threat landscape. Gone are the days when cybersecurity was just an information technology problem. Today, keeping data secure, preventing insider threats and detecting the potential for massive breaches before they happen is everybody’s responsibility.

But it is a complex issue, especially in federal government, where agencies face a unique set of challenges to maintaining their cybersecurity posture. Today, the threat landscape is vast and ever-moving. New sophisticated threats are creating additional risks. Attacks continue to increase in volume and complexity, meaning that the defenses and solutions agencies use must also evolve. And the sensitive data that agencies manage requires special handling, classification and heightened access monitoring for insider threats.

However, government agencies are up for the challenge. They are developing and adopting new guidelines, like the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), which is helping agencies implement standard cybersecurity best practices. Additionally, the recently released White House National Cyber Strategy also leverages the framework.

In order to truly adopt all the benefits the CSF provides, agencies must be working with a trusted vendor that can best implement and address each of the critical functions within the CSF.

To better understand how agencies can leverage the NIST Cybersecurity Framework to navigate the changing threat landscape, GovLoop partnered with Quest, a leader in helping build and manage modern, secure and more resilient IT architecture, for this report. In the following pages, we will explore current cybersecurity challenges; how agencies can overcome them by maximizing the framework and how Quest helps agencies navigate the five functions. We’ll also gain insights from Quest experts, including Dan Conrad, Federal Chief Technology Officer; Bryan Patton, Principal Strategic Systems Consultant; and Chris Roberts, Enterprise Architect.

 

 

 

Challenge: Addressing a Changing Threat Landscape

 

As government agencies work to keep safe the large volumes of sensitive data they own, they must be continuously improving and adapting their security postures and programs to keep up with the changing threat landscape and regulatory environment. Government IT systems must be secured from outside intruders as well as from insiders, both well-meaning and malicious. At the same time, agencies still have to ensure that the right people have access to the data they need to do their jobs.

Security solutions are also changing. Today’s shifting environment makes it imperative that agencies and the vendors they partner with keep each and every security tool aligned with both agency needs and regulatory requirements.

But achieving all of this is incredibly difficult. In particular, government faces a variety of challenges that, when unaddressed, can seriously complicate their cybersecurity posture.

The unknown: In this changing threat landscape, it’s difficult for agencies to know what they are truly facing. “One common thing agencies are facing is that the threat landscape changes on a daily basis,” said Bryan Patton, Quest Principal Strategic Systems Consultant. “We never know what vulnerabilities an attacker is going to try to take advantage of. So truly, the biggest challenge agencies have is the unknown. You don’t know who’s trying to attack your environment on a daily basis.”

 

Budget issues: Obtaining funding for cybersecurity initiatives is also a significant challenge for government, even today. In particular, it can be difficult to know how much of your agency’s budget should go toward cybersecurity because there is not a one-size-fits-all solution for cybersecurity budgets. “We understand that government has a limited budget,” said Patton, “so they must be strategic with what they spend money on and how they communicate that investment to others.”

Talent in the workforce: The Global Information Security Workforce Study projects a 1.8 million-person shortage in the cybersecurity workforce by 2020. Government has long been trying to address the shortage of personnel and skillsets in the cyber workforce, but it continues to be a challenge. “There is a serious shortage of cybersecurity talent to begin with,” said Patton. “Government needs to figure that out, whether through better hiring or more automation.”

Silos: “Whether it is departmental, political or technical segmentation, silos remain a huge challenge,” said Chris Roberts, Quest Enterprise Architect. “Anything that puts a barrier between the flow of information needed to manage IT assets effectively is a hindrance to any potential long-term success toward improved security.” In short, communication across all levels and functions within both technical and end users is a must before any tool or process will be successful.

 

 

The Solution: Using the NIST Cybersecurity Framework and a Trusted Partner to Secure Your Posture

 

The National Institute of Standards and Technology works to promote U.S. innovation and competitiveness by advancing science, standards and related technology through research and development in ways that enhance economic security and improve quality of life. To help the nation address its greatest information security challenges, NIST’s cybersecurity programs seek to enable greater development and application of innovative security technologies. More specifically, NIST provides guidelines for federal, state and local agencies to help them address the nation’s greatest challenges, like cyberthreats.

That’s why, in 2014, the institute developed the NIST Cybersecurity Framework, which was created through collaboration between industry and government. The CSF consists of standards, guidelines and practices to promote the protection of critical infrastructure and improve government security.

“The NIST Cybersecurity Framework is allowing agencies to prioritize the likelihood of different risks happening in an environment,” said Patton. “You can also see progress by using it over different periods of time. Then your agency can actually see if you’re improving with your security posture, versus some areas maybe where you might need to improve.”

The framework offers five core functions that act as a backbone. According to NIST, “These five Functions were selected because they represent the five primary pillars for a successful and holistic cybersecurity program. They aid organizations in easily expressing their management of cybersecurity risk at a high level and enabling risk management decisions.”

But the CSF, and its five functions, are only as good as the security and technology solutions an agency has in place to address each of them.

That’s where Quest comes in.

“Quest has the solutions and services to help your organization identify, protect, detect, respond and recover, better managing cybersecurity risk,” said Dan Conrad, Quest Federal Chief Technology Officer.

Quest provides leading, tested and proven options for identity management, Microsoft platform management, database and information management, systems management (client, server and cloud), data protection and migration tools for anything, anywhere. Agencies are able to protect critical data and Active Directory configurations with Quest solutions that help assess permissions continuously to identify threats; detect and alert suspicious activity; remediate and mitigate unauthorized actions; and investigate and recover from security breaches.

 

 

Cattura5

 

 

 

To better understand how agencies can use Quest to adhere to and maximize the five functions of the NIST Cybersecurity Framework, let’s take a closer look at each.

 

NIST Cybersecurity Framework

 

 

Identify

The identify function helps agencies develop an understanding of managing cybersecurity risk to systems, people, assets, data and capabilities. Using it, agencies may be able to identify asset vulnerabilities, threats to internal and external organizational resources, and risk response activities as a basis for a risk assessment.

How Quest helps: Quest works to help agencies do security object discovery for base services such as Active Directory. It also helps inventory all soft and hard assets, enabling efficient patching/maintenance and reduction in attack surfaces. Its KACE systems management appliance enables you to take control of your IT environment and manage cybersecurity risk to systems, assets, data and capabilities with an easy-to-deploy appliance.

 

Protect

The protect function outlines appropriate safeguards to ensure delivery of critical infrastructure services and supports the ability to limit or contain the impact of a potential cybersecurity event.

How Quest helps: “We can help secure root or administrator credentials by restricting their use and access by only those authorized,” said Roberts. The right vendor can help an agency truly manage its data access and restrict users to the most critical and important.

 

Detect

The detect function enables timely discovery of cybersecurity events, ensuring anomalies and events are detected, and their potential impact is understood.

How Quest helps: “To really detect threats, you must know who is accessing infrastructure resources at the directory or file system level of systems supporting critical application infrastructure,” said Roberts. By deploying One Identity Active Roles, agencies can better take advantage of identity and access management solutions for privileged account management, access control and identity governance.

 

Respond

The respond function includes appropriate activities to take action regarding a detected cybersecurity incident. Using it, agencies can ensure a response planning process is executed during and after an incident.

How Quest helps: Unauthorized access to privileged accounts is often at the heart of security breaches. “Quest offers the ability to restore services such as Active Directory, which are the root requirement for most critical applications,” Roberts said. “We help push remediation patches, scripts or complete images to local, remote or cloud clients/servers to correct where necessary.”

 

Recover

The recover function identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.

How Quest helps: “Quest offers multiple robust options for system, application and service restoration from direct, near-line or cloud-based images,” Roberts said. Partnered with the right vendor, agencies can reduce the impact from a cybersecurity event with backup, recovery and application-specific data protection solutions.

 

 

 

 

And Quest is making a real-world difference for its government clients. It recently won a large defenserelated project to monitor, manage, migrate and protect identity information across critical networks supporting mission-related application infrastructure.

Additionally, it helped one government client help with the directive to reduce privileged accounts. “Our client had literally over a thousand people in their environment from both an Active Directory perspective and from administrative tasks throughout the entire enterprise,” said Conrad. “We gave them a solution that reduced their number of users from over a thousand to about 50.” That client’s administrators are now accountable for what they do and how they use their own accounts, reducing the threat landscape and any insider threat potential.

“Quest is the single largest complete IT solutions company providing software products touching a majority of deployed vendor solutions within the data center,” said Roberts. “We focus on research and development specific to customer feedback, and since we are software-only, there are no platform, API or hardware proprietary dependencies for customers to be concerned about. We support open standards and are agnostic regarding the industry solutions our government customers have deployed.”

“Quest is the de facto standard for things like Active Directory auditing and management and Active Directory migrations,” Conrad said. “We are building a great data protection industry right now, and changing the landscape around data protection – not just redoing it the same way everyone else does it.”