I have recently developed a newfound appreciation for reading cybersecurity standards and guidelines. Their lack of practical examples and real-world scenarios, however, is a bit of a disappointment. There is very little out there on how to map controls and requirements from standards into the set of technologies that would implement them, or support/facilitate their implementation. I understand standards and regulations should not be prescriptive in what technology needs to be used. However, I believe implementation examples would go a long way in clearly illustrating what needs to be met and making it easier to understand. That’s why I like the NIST 1800 series!
In general, the starting point would be a control baseline that helps establish a relevant set of controls (a minimal set) based on the requirements and risk profiles of an organization. In fact, there are two fundamental aspects to consider here, which will likely affect the technology choice:
- A baseline would probably not address all of your security and privacy concerns. It is not a one-size-fits-all solution for every environment. Certain controls within a baseline might also be unnecessary. It is, therefore, essential to understand the requirements and characteristics of your organization’s systems to select the appropriate controls, i.e., scoping.
- These controls need further tailoring to produce a customized solution for your environment. NIST lists some of the factors that can be taken into account in tailoring: “Control baselines are tailored based on a variety of factors, including threat information, mission or business requirements, types of systems, sector-specific requirements, specific technologies, operating environments, organizational assumptions and constraints, individuals’ privacy interests, laws, executive orders, regulations, policies, directives, standards, or industry best practices.”
In essence, scoping focuses on selecting relevant controls, while tailoring adjusts these controls to suit the organization’s specific objectives, context, and operational needs. These steps are prerequisites for technology selection.
What technology for which control?
The main challenge in implementing controls is identifying the technologies, components, or equipment that will best serve your requirements and integrate well with existing tooling and IT environments. This is usually done through a suite of products, whether commercial off-the-shelf (COTS) or open source, that helps security teams and organizations address the challenge. While vendor and tool consolidation is on the rise, fragmentation may still be a big headache when trying to meet the intent of several controls or requirements. I touched upon that subject in my very first blog post.
One of the rare publications that addresses this issue is the NIST 1800 series, which presents practical security solutions intended to serve as a “how-to” guide on implementing cybersecurity capabilities and technologies in real-world scenarios. Part of what it does is map security requirements into example solutions and implementations, featuring a variety of vendors and technology partners that offer capabilities and security products to meet or support the needs of the system in question.
It is important to remember that these are example solutions! NIST doesn’t endorse or recommend the products or vendors used, and they may not always be the best fit for every purpose. Nevertheless, the series provides a valuable indication of the types of technology that can be used to implement or enhance controls. There are currently 28 documents in this series. I have selected three of them, all addressing data integrity use cases:
- NIST 1800-11 on data integrity, covering recovery from ransomware and other destructive events;
- NIST 1800-25 on data integrity, covering the identification and protection of assets against ransomware and other destructive events;
- NIST 1800-26 on data integrity, covering the detection of and response to ransomware and other destructive events.
The tables below summarize the technologies used to achieve the control objectives in those scenarios. They list the security technologies, their categories and functions, and the NIST 800-53 controls they cover. Such a mapping can then be compared against a control baseline, for instance those outlined in NIST 800-53B (Low, Moderate, or High), or against the controls or requirements of other standards by using published mappings between standards and guidelines, e.g., NIST 800-53 to ISO 27001.
One key takeaway for me was that building security platforms is largely about leveraging the flexibility of technologies to achieve different objectives. For example, the NIST 1800-26 practice guide mainly addresses Detect/Respond capabilities, while NIST 1800-25 focuses on Identify/Protect capabilities. This difference can be seen through their use of the Tripwire Enterprise/Semperis DSP pairing. In one case, these technologies are used to establish integrity baselines; in the other, they are used for integrity checks and monitoring. The main task of implementing security requirements is therefore not only the selection of technologies, but also how they are tailored, configured, or integrated (in various ways) to support the target cybersecurity functions and goals.
NIST 1800-11 (recovery from ransomware and other destructive events)

| Security product | Category | Function | NIST 800-53 controls |
|---|---|---|---|
| ArcSight Enterprise Security Manager; Tripwire Enterprise; Tripwire Log Center Manager | Security Information and Event Management (SIEM); Security Configuration Management (SCM); Log Management/SIEM | Logging and preserving the integrity of the data, e.g., monitoring for changes to data, audit capabilities, and change notification. | AU-1, AU-2, AU-3, AU-6, AU-7, AU-12, AU-13, AU-14, AU-16, SI-4, SI-7, SI-10, CP-2, IR-4, RA-3 |
| Spectrum Protect; WORMdisk | Enterprise Backup and Recovery; Zero Trust storage | Secure storage, e.g., encrypted backups and immutable storage. | MP-2, MP-3, MP-4, MP-5, MP-6, MP-7, MP-8, SC-28, CP-4, CP-6, CP-9, CM-3, CM-4, SA-10, CP-1, CP-2, CP-7, CP-10, IR-1, IR-7, IR-8, IR-9 |
| Veeam Availability | Enterprise Backup and Recovery | Logging and preserving the integrity, e.g., backup and restoration capabilities and encrypted backups. | MP-2, MP-3, MP-4, MP-5, MP-6, MP-7, MP-8, SC-28, CP-4, CP-6, CP-9, AU-1, AU-2, AU-3, AU-6, AU-7, AU-12, AU-13, AU-14, AU-16 |
NIST 1800-25 (identification and protection of assets against ransomware and other destructive events)

| Security product | Category | Function | NIST 800-53 controls |
|---|---|---|---|
| Cisco ISE; Symantec Data Loss Prevention | Network Access Control (NAC); Data Loss Prevention (DLP) | Inventory, including the identification and status information for all types of assets, as well as policy enforcement. | CM-8, PM-5, IA-1, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, IA-10, IA-11, IA-12, MP-1, MP-2, MP-3, MP-4, MP-5, MP-7, MP-8, CA-2, CA-5, CA-7, CA-8, PM-4, PM-15, RA-3, RA-5, RA-7, SA-5, SA-11, SI-2, SI-4, SI-5, AC-1, AC-17, AC-19, AC-20, SC-15, MA-1, MA-2, MA-3, MA-4, MA-5, MA-6 |
| Tripwire IP360 | Vulnerability Management (VM) | Identification and prioritization of vulnerabilities. | CA-2, CA-5, CA-7, CA-8, PM-4, PM-15, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5, PM-16, PM-28, RA-2 |
| Tripwire Enterprise; Semperis DSP (for AD) | Security Configuration Management (SCM) | Integrity activity and monitoring for data (e.g., files and software) and AD. | SI-7, SI-10, CM-3, CM-4, SA-10, AU-1, AU-2, AU-3, AU-6, AU-7, AU-12, AU-13, AU-14, AU-16 |
| Micro Focus ArcSight Enterprise Security Manager; Tripwire Log Center Manager | SIEM | Auditing and logging capabilities and automation, in addition to reporting, e.g., alerts based on organizational policy. | CM-1, CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10, CP-4, IR-3, PM-14, PS-1, PS-2, PS-3, PS-4, PS-5, PS-6, PS-7, PS-8, PS-9, SA-21, RA-1, RA-3, RA-5, SI-2, AU-1, AU-2, AU-3, AU-6, AU-7, AU-12, AU-13, AU-14, AU-16 |
| Semperis Active Directory Forest Recovery; FileZilla & Duplicati | IT Resilience Orchestration; Backup (to remote FTP server) | Backups of organizational data, and of AD information, systems, and configurations. | MP-2, MP-3, MP-4, MP-5, MP-6, MP-7, MP-8, SC-28, CM-3, CM-4, SA-10, CP-4, CP-6, CP-9, CP-1, CP-2, CP-7, CP-10, IR-1, IR-7, IR-8, IR-9 |
| WORMdisk | Zero Trust storage | Secure storage. | MP-2, MP-3, MP-4, MP-5, MP-6, MP-7, MP-8, SC-28, CP-4, CP-6, CP-9 |
| CryptoniteNXT; Cisco Web Security Appliance | Zero-trust and moving-target defense; Secure Web Gateway | Network protection and allow-listing/deny-listing. | AC-1, AC-4, AC-10, AC-12, AC-17, AC-18, AC-19, AC-20, CP-8, SC-5, SC-7, SC-8, SC-10, SC-11, SC-15, SC-20, SC-21, SC-22, SC-23, SC-31, SC-37, SC-38, SC-47, IA-1, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, IA-10, IA-11, IA-12, CM-8, PM-5 |
NIST 1800-26 (detection of and response to ransomware and other destructive events)

| Security product | Category | Function | NIST 800-53 controls |
|---|---|---|---|
| Tripwire Enterprise; Semperis DSP (for AD) | Security Configuration Management (SCM) | Integrity activity and monitoring for data (e.g., files and software) and AD. | SI-7, SI-10, AC-4, CA-3, CM-2, SC-16, SI-4, AC-2, AU-12, AU-13, CA-7, CM-10, CM-11, CM-3, CM-8, PE-6, PE-20 |
| Cisco Advanced Malware Protection; Glasswall FileTrust ATP for Email; Cisco Stealthwatch; Semperis DSP (for AD) | EDR (Endpoint Detection and Response); Email Security; NDR (Network Detection and Response); ITDR (Identity Threat Detection and Response) for AD | Detect malicious events, software, emails, and anomalies in network and user behavior. They also provide containment (e.g., sandboxing), forensics, and analysis capabilities. | AU-6, CA-7, CP-2, CP-10, IR-4, IR-5, IR-8, AU-12, CM-3, SC-5, SC-7, SC-44, SI-3, SI-4, SI-8, SC-18, CM-8, PE-6, PE-20, RA-5, RA-3, AU-7 |
| Symantec Security Analytics; Symantec Information Centric Analytics | Network Analytics and Forensics | Network traffic analysis and forensics capabilities. | AU-6, CA-7, RA-5, IR-4, SI-4, AU-12, CM-3, SC-5, SC-7 |
| Micro Focus ArcSight Enterprise Security Manager; Tripwire Log Center Manager | SIEM | Auditing and logging capabilities and automation, in addition to reporting, e.g., alerts based on organizational policy. | AC-4, CA-3, CM-2, SC-16, SI-4, AU-6, CA-7, IR-4, IR-5, IR-6, IR-8, CP-2, CP-10, RA-3, AU-12, CM-3, SC-5, SC-7, AC-2, AU-13, CM-10, CM-11, CM-8, PE-6, PE-20 |
| Cisco Identity Services Engine | NAC | Network access control and policy enforcement across the enterprise. | SC-18, SC-44, SI-4, CP-2, CP-10, IR-4, IR-8 |
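The baseline comparison described above, as an added example that is neither from the NIST guides nor this post's original content: a few control cells from the 1800-25 and 1800-26 tables are embedded as data, a small tailored baseline is assumed (constructed, not the real 800-53B selection), and the script reports which baseline controls no listed product claims and how the Tripwire Enterprise/Semperis DSP coverage differs between the two guides.

```python
from typing import Dict, List, Set, Tuple

# Control cells transcribed from the 1800-25 and 1800-26 tables above (a few
# rows are enough to show the method). Product names are shortened labels;
# the baseline below is a constructed subset, not NIST 800-53B itself.
GUIDE_1800_25: Dict[str, str] = {
    "Tripwire IP360": "CA-2, CA-5, CA-7, CA-8, PM-4, PM-15, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5, PM-16, PM-28, RA-2, RA-3",
    "Tripwire Enterprise / Semperis DSP": "SI-7, SI-10, CM-3, CM-4, SA-10, AU-1, AU-2, AU-3, AU-6, AU-7, AU-12, AU-13, AU-14, AU-16",
    "WORMdisk": "MP-2, MP-3, MP-4, MP-5, MP-6, MP-7, MP-8, SC-28, CP-4, CP-6, CP-9",
}
GUIDE_1800_26: Dict[str, str] = {
    "Tripwire Enterprise / Semperis DSP": "SI-7, SI-10, AC-4, CA-3, CM-2, SC-16, SI-4, AC-2, AU-12, AU-13, CA-7, CM-10, CM-11, CA-7, CM-3, CM-8, PE-6, PE-20",
    "Cisco Identity Services Engine": "SC-18, SC-44, SI-4, CP-2, CP-10, IR-4, IR-8",
}
# Constructed stand-in for a scoped and tailored baseline.
TAILORED_BASELINE: List[str] = ["AC-2", "CP-9", "IR-4", "SI-4", "SI-7"]


def control_key(control: str) -> Tuple[str, int]:
    """Sort key so CM-3 precedes CM-10 (family name, then numeric id)."""
    family, number = control.split("-", 1)
    return family, int(number)


def parse_controls(cell: str) -> Set[str]:
    """Split a table cell into a set of control IDs; repeats like CA-7 collapse."""
    return {c.strip() for c in cell.split(",") if c.strip()}


def coverage_index(guide: Dict[str, str]) -> Dict[str, List[str]]:
    """Invert product -> controls into control -> products for gap analysis."""
    index: Dict[str, List[str]] = {}
    for product, cell in guide.items():
        for control in parse_controls(cell):
            index.setdefault(control, []).append(product)
    return index


def baseline_gaps(guide: Dict[str, str], baseline: List[str]) -> List[str]:
    """Baseline controls that no product in the guide claims to cover."""
    return sorted(set(baseline) - set(coverage_index(guide)), key=control_key)


def control_diff(cell_a: str, cell_b: str) -> Tuple[List[str], List[str], List[str]]:
    """(shared, only in A, only in B) for one product used in two guides."""
    a, b = parse_controls(cell_a), parse_controls(cell_b)
    return (sorted(a & b, key=control_key), sorted(a - b, key=control_key), sorted(b - a, key=control_key))


if __name__ == "__main__":
    pairing = "Tripwire Enterprise / Semperis DSP"
    print("1800-25 uncovered baseline controls:", baseline_gaps(GUIDE_1800_25, TAILORED_BASELINE))
    print("Tripwire/Semperis shared, 25-only, 26-only:", control_diff(GUIDE_1800_25[pairing], GUIDE_1800_26[pairing]))
```

The gap list is where scoping and tailoring decisions get recorded: an uncovered control either needs another product, a configuration of an existing one, or a documented justification for leaving it out.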