NIST CSF Overview: Protect
In order to foster trust in our work, Pythia Cyber uses the Cyber Security Framework (CSF) put out by the National Institute of Standards & Technology (NIST) when designing and implementing Cyber Security Programs. We are guided by the NIST CSF whether those programs are the modest first steps of new or small organizations, formal, rigorous programs for mature, mid-sized organizations, or anywhere in between.
The NIST CSF mantra is simple: Identify, Protect, Detect, Respond, Recover. But this overview is also very abstract. So this blog post is one of a series to make these concepts a bit more concrete. There will be one blog post for each "pillar" as NIST calls them. This blog post is about Protect.
Protect is the step everyone seems to have at least a vague idea about, which means that lots of people nod when we mention it but have never really thought about it. The rest of our audience lives and breathes Protect, and they are your Cyber Defenders. This blog post is not for the Cyber Defenders; it is for the vaguely aware who work with the Cyber Defenders, or who manage them, or who manage their managers.
As mentioned in the Identify blog post, your organization has a Must Protect Now list of cyber assets, whether or not this list is explicit. These are the cyber assets your organization has which are going to be protected, as best you can, as soon as possible (or are being protected already).
A note on the difference between an explicit list and an implicit list. The big advantage to an explicit Must Protect Now list is widespread agreement that the organization has committed the time and money and personnel to this goal, which means that there should be no administrative hurdles to providing this protection. All that remains is execution (the Protect step) and monitoring of that protection (the Detect step) and, should any issue be detected, the Respond step (the short-term response to the issue) and Recover step (the long-term response to the issue). However, if your list is implicit, you may have to keep running back to your managers or the executives to get those resources, which wastes time and energy and focus.
There are two aspects of the Protect step that many Cyber Defenders wish you knew: the nature of the beast and your part in the fight.
The nature of providing protection to cyber assets is an arms race: adversaries keep changing their attacks, so we have to keep changing our defenses. This looks tranquil and static from the outside: cows evolve to eat grass, grass evolves a strong root system, cows evolve stronger tongues to pull up that stronger root system, grass evolves a fibrous protective coating, cows evolve extra stomachs to digest that coating, and so on. From the outside, this looks like a rather constant, placid process: cows eating grass, grass being eaten by cows. But this is not the true nature of this dynamic, high-stakes and never-ending conflict.
Your part in the fight is bigger than you think. Human behavior is often more vulnerable than the technology, in part because human behavior does not change nearly as quickly. As long as we do everything we can to protect our systems from other systems, our adversaries will be forced to try going through users instead. You are a big part of the systems we try to protect, so please be receptive when we ask for your help.
This post describes pillar 2 of 5. Here are links to the other posts: [1 2 3 4 5]