NIST Overview: Detect
This blog post is about Detect, one of the five "pillars" (NIST calls them Functions) of the NIST CSF. It is one of a series of posts, one per pillar.
Here are links to the other posts in this series: Identify Protect (Detect) Respond Recover.
What is the NIST CSF and why does Pythia Cyber use it? The NIST CSF is the Cybersecurity Framework (CSF) published by the National Institute of Standards & Technology (NIST); it is a structure for designing and implementing a custom Cybersecurity Program (CSP). Pythia Cyber is guided by the NIST CSF for programs that are the modest first steps of new or small organizations, for programs that are formal, rigorous programs for mature, mid-sized organizations, and for programs anywhere in between.
The NIST CSF mantra is simple: Identify, Protect, Detect, Respond, Recover. But this overview is also very abstract. So this blog post is one of a series to make these concepts a bit more concrete.
As we covered in the first post in this series (follow the "Identify" link above), the Identify pillar gives us a list of assets (what we are protecting) and for each asset, a risk (what we are trying to avoid). In the second post in this series we saw that the Protect pillar assigns a control to each risk and defines evidence that validates each control.
The Detect pillar is where day-to-day cybersecurity operations come into play. Someone has to do the monitoring, and not simply watch the events go by: the monitor must confirm that each activity observed is either expected or, if unexpected, still explainable and appropriate. Most importantly, the Detect step is about separating the worrisome from the normal, and then taking appropriate action to either confirm that there is an issue or to discover that there is a good explanation. That separation is only as good as the baseline the earlier pillars supplied: you can only call a login, a process or a network flow "unexpected" if you have already written down what expected looks like (which assets exist, who may use them, from where, and when). If there is a problem, then we have "an incident" and we go to the Respond pillar (and the Incident Response Plan (IRP)).
As part of Detect, you gather evidence. Sometimes the evidence shows you that all is well. Sometimes the evidence shows you that something odd is happening. Sometimes the evidence shows you that something bad is happening. But it is all evidence and it is all worth gathering and reporting. You may choose to archive only the evidence of incidents for the long term, but keep the routine evidence for at least a while: when an incident is found, the routine records from the days before it are what establish the baseline, show how the intruder got in, and answer "what else did they touch". And you always gather the evidence and report it up the chain. The evidence assures the people with front-line cybersecurity responsibility that they know what is going on. Reporting the evidence up the chain assures the supervisors that the monitoring is happening, and that the monitoring is working.
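As an added example that is not part of the original post and is not Pythia Cyber's own tooling, here is a small Python script showing what "separating the worrisome from the normal" and "gathering and reporting the evidence" look like at the keyboard. The log lines are constructed for the example (sshd-style authentication records on a host called bastion); the expectations it checks against (known users alice and bob, an internal range of 10.0.0.0/16, business hours of 07:00 to 18:59, and a brute-force threshold of five failures) are assumptions standing in for what the Identify and Protect pillars would have documented; and the function names are the example's own.

```python
"""Triage monitored events into EXPECTED / ODD / BAD and roll them up into an evidence report."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log (not from any real system). The last line is deliberately one
# the parser does not understand, to show that unparsed lines are kept as evidence too.
SAMPLE_LOG = """\
Mar 04 08:12:03 bastion sshd[2101]: Accepted publickey for alice from 10.0.5.21 port 50122 ssh2
Mar 04 08:15:44 bastion sshd[2140]: Failed password for bob from 10.0.5.30 port 50210 ssh2
Mar 04 02:31:10 bastion sshd[2455]: Accepted publickey for alice from 203.0.113.7 port 41002 ssh2
Mar 04 09:01:01 bastion sshd[2600]: Failed password for invalid user admin from 198.51.100.9 port 39011 ssh2
Mar 04 09:01:02 bastion sshd[2601]: Failed password for invalid user admin from 198.51.100.9 port 39012 ssh2
Mar 04 09:01:03 bastion sshd[2602]: Failed password for invalid user admin from 198.51.100.9 port 39013 ssh2
Mar 04 09:01:04 bastion sshd[2603]: Failed password for invalid user admin from 198.51.100.9 port 39014 ssh2
Mar 04 09:01:05 bastion sshd[2604]: Failed password for invalid user admin from 198.51.100.9 port 39015 ssh2
Mar 04 09:01:06 bastion sshd[2605]: Accepted password for admin from 198.51.100.9 port 39016 ssh2
Mar 04 09:05:00 bastion sshd[2700]: Received disconnect from 198.51.100.9 port 39016:11: Bye Bye
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d{2}) (?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}) "
    r"(?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Assumed baseline, standing in for what Identify and Protect would have recorded.
KNOWN_USERS = {"alice", "bob"}
INTERNAL_PREFIX = "10.0."          # 10.0.0.0/16 is the corporate network in this example
BUSINESS_HOURS = range(7, 19)      # interactive logins expected 07:00-18:59
BRUTE_FORCE_THRESHOLD = 5          # this many failures from one source is worrisome


@dataclass
class Event:
    hour: int
    host: str
    result: str
    method: str
    user: str
    ip: str


def parse(log_text):
    """Parse the lines we understand; keep the rest, because an unparsed line is still evidence."""
    events, unparsed = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(int(m["hh"]), m["host"], m["result"], m["method"], m["user"], m["ip"]))
        elif line.strip():
            unparsed.append(line)
    return events, unparsed


def classify(events):
    """Label each event EXPECTED, ODD (needs a human explanation) or BAD (incident candidate)."""
    failures_by_ip = Counter(e.ip for e in events if e.result == "Failed")
    labelled = []
    for e in events:
        internal = e.ip.startswith(INTERNAL_PREFIX)
        known = e.user in KNOWN_USERS
        if e.result == "Accepted":
            if not known:
                label, why = "BAD", "successful login by an account we do not know"
            elif failures_by_ip[e.ip] >= BRUTE_FORCE_THRESHOLD:
                label, why = "BAD", "success after repeated failures from the same source"
            elif not internal or e.hour not in BUSINESS_HOURS:
                label, why = "ODD", "known user, but unusual source or hour"
            else:
                label, why = "EXPECTED", "known user, internal source, business hours"
        else:
            if failures_by_ip[e.ip] >= BRUTE_FORCE_THRESHOLD:
                label, why = "BAD", f"{failures_by_ip[e.ip]} failures from {e.ip}"
            elif known and internal:
                label, why = "EXPECTED", "single failure by a known user (probably a typo)"
            else:
                label, why = "ODD", "failure from an unknown user or external source"
        labelled.append((label, why, e))
    return labelled


def evidence_report(labelled, unparsed):
    """Roll-up for the chain of command: counts per label plus the items that need a decision."""
    counts = Counter(label for label, _, _ in labelled)
    return {
        "total": len(labelled),
        "expected": counts["EXPECTED"],
        "odd": counts["ODD"],
        "bad": counts["BAD"],
        "unparsed": len(unparsed),
        "escalate": [(label, why, f"{e.user}@{e.ip}") for label, why, e in labelled if label != "EXPECTED"],
    }


if __name__ == "__main__":
    events, unparsed = parse(SAMPLE_LOG)
    for label, why, e in classify(events):
        print(f"{label:8} {e.user}@{e.ip:<14} {why}")
    print(evidence_report(classify(events), unparsed))
```

Two points the script makes that the prose only implies: the "expected" counts go into the report alongside the "bad" ones, which is the evidence that monitoring is happening and working, and the ODD bucket (alice's 02:31 login from an external address) is exactly the case that needs a human to find the good explanation or fail to.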
Gathering useful evidence, building a culture of commitment rather than mere compliance, and helping leaders provide useful oversight are all tasks you can do yourself, but Pythia Cyber can help you do them effectively and cost-effectively. Specifically, we can mediate between hard-core technical evidence and comprehensible executive decision support.