Showing posts with label NIST Cybersecurity Framework. Show all posts
The State of the Union Address and the Call for Corporate and Armed Forces Evolution
This week’s State of the Union Address was the fourth in a row in which President Obama highlighted the critical nature of cybersecurity. Until the most recent onslaught of headlines painted a painful picture of the consequences of a data breach, all too many of our organizations had been focused on passing compliance audits and dealing with a broad variety of threats to long-term business viability. Times have changed, and the headlines and the tough reality are all crystal clear: the bad guys are strong, dedicated, and working productively together, and they are in our networks today.
As President Obama said, lawmakers must “finally pass the legislation we need to better meet the evolving threat of cyber-attacks,” and, “If we don’t act, we’ll leave our nation and our economy vulnerable.” Recently proposed legislation would relieve some of the risk of participating in the information-sharing for which the federal government is asking. Defending our organizations is becoming increasingly complicated for legal and security teams, so it’s crucial for such legislation to increase the incentives or decrease the exposure that companies would experience in being more transparent and collaborative with government when data breaches occur.
- Posted by: Siemens
- No comments
- Categories: Cyber Legal , Cyberwar , NIST Cybersecurity Framework , State of the Union Address
How Legal Can Leverage the Latest Version of the NIST Cybersecurity Framework
Last week, the National Institute of Standards and Technology (NIST) released an update to its Framework for Improving Critical Infrastructure Cybersecurity, incorporating feedback from its October workshop as well as responses to an August Request for Information. While adoption of the Framework remains voluntary and not a regulatory requirement, many large organizations in a variety of industries consider it to be an effective benchmark for security operations. We at Guidance Software believe it will soon be considered a “commercially reasonable” standard, but we also recommend incorporating additional, proactive security practices for a more complete security posture.
Information-Sharing Holds Real Promise for More Effective Organizational Defense
Among the aspects of the NIST Framework that I believe hold the most promise in defending our organizations is that of information-sharing. Many who have responded to NIST’s calls for feedback have expressed interest in expanding this type of collaboration in order to build more powerful threat intelligence feeds across American industries. While interest in participation is high, so are the levels of concern about the potential impact on corporate reputation if data breaches were made public. Since the original Framework was published, there has been a clear call for a means of reporting a breach and related information anonymously.
Congress has just passed the National Cybersecurity Protection Act in order to better support cyber-threat information exchange between the public and private sector via the National Cybersecurity and Communications Integration Center. However, a bill that incorporates liability protections for those reporting on breaches will have to wait until early next year.
- Posted by: Siemens
- No comments
NIST Senior Policy Advisor Adam Sedgewick to Present in Webinar Series on NIST Cybersecurity Framework
To help organizations better understand the merits of the National Institute of Standards and Technology Cybersecurity Framework, Guidance Software is hosting a two-part webinar, “Implementing the Detect Function in the NIST Cybersecurity Framework.” Senior Information Technology Advisor Adam Sedgewick of NIST will be the featured presenter. The webinar will also feature a presentation by Alfred Chung, EnCase Analytics product manager for Guidance Software.
- Posted by: Siemens
- No comments
- Categories: Cybersecurity , National Critical Infrastructure , NIST Cybersecurity Framework
A Legal Perspective on the NIST Cybersecurity Framework
Yesterday’s release of the final NIST Cybersecurity Framework is an immediate call to action for companies managing critical infrastructure in the United States. With the core of the Framework having changed very little from preliminary versions, it calls for companies in a broad range of industries, from finance and healthcare to energy and information technology, to be prepared to adopt it and prove that their cybersecurity practices are consistent with the outlined practices. The primary difference from the preliminary draft is a revision to the privacy section, because critics felt the preliminary draft of the privacy section would be so costly and prescriptive as to deter widespread adoption of the Framework, which is, at present, still voluntary.
The NIST Cybersecurity Framework: “Commercially Reasonable?”
Over time, as federal incentives are offered and these industries increasingly accept and comply with the Framework, it’s likely that the private sector will move toward the NIST Cybersecurity model through common law liability. Some data-privacy specialists are already speculating that the Framework is likely to become a standard for what’s considered “commercially reasonable” for corporations that come under regulatory scrutiny or are involved in litigation related to a data breach.
NIST Cybersecurity Framework Needs More Focus on Collaboration and Finding Anomalies
A few days ago, I was delighted to see the National Institute of Standards and Technology (NIST) release its Preliminary Cybersecurity Framework for reducing cyber risks to critical infrastructure. My first read-through was pretty positive: they cover a lot of material, and I think it will help organizations understand the full picture of security readiness. Their tiered approach, for instance, is sound, and I’ve seen it work successfully in other industries: e-discovery, for instance, has the EDRM Maturity Model, and software development has the CMMI. And I’m very pleased to see such attention paid to PII and privacy.
That said, however, I saw a few structural problems on my second review. The Framework has a lot of noise about security policies and procedures and not as much of a call-to-action on collaboration and threat intelligence-sharing as I would like. It lacks any mention of proactive forensics or proactive investigation. It contains a wealth of detail on rules and process for ensuring information security, but very little in the way of the means of, or requirements for, organizations to work together to fight the good fight. And it has a major hole in its attempt to categorize threat detection and response.
- Posted by: Siemens
- No comments
- Categories: best practices , Compliance , Cybersecurity , National Critical Infrastructure , NIST Cybersecurity Framework
The Cybersecurity Framework: Identification, Collaboration, and Proactive Defense
Think of it as the new arms race: everyone from corporations to government agencies is engaged in a constant combat cycle with cyber-terrorists and criminals that goes through these phases:
- The bad guys launch a new type or method of attack
- Some (if not all) organizations attacked are breached
- Consequences ranging from real economic loss to destruction of physical—not virtual—resources cause the victimized organizations to begin studying and identifying the new threat
- At least one organization names the new attack method
- The organization or a security vendor finds a defense to the new threat
- The word spreads and, armed with the latest intelligence, organizations begin configuring the appropriate defenses.
- Posted by: Siemens
- No comments
- Categories: Analytics , Big Data Security Analytics , Cybersecurity , Data Breach , DFIR , NIST Cybersecurity Framework