
NIST Cybersecurity Framework (CSF) and CTEM – Better Together

05 September 2024 | The Hacker News | Threat Detection / Vulnerability Management

It's been a decade since the National Institute of Standards and Technology (NIST) introduced its Cybersecurity Framework (CSF) 1.0. Established following a 2013 Executive Order, NIST was tasked with developing a voluntary cybersecurity framework to help organizations manage cyber risk and provide guidance based on established standards and best practices. While that version was originally tailored for critical infrastructure, 2018's version 1.1 was designed for any organization looking to address cybersecurity risk management.

CSF is a valuable tool for organizations seeking to assess and improve their security posture. The framework helps security stakeholders understand and evaluate their current security measures, organize and prioritize risk management efforts, and improve communication inside and outside the organization through a common language. It is a comprehensive collection of guidelines, best practices, and recommendations organized into five core Functions: Identify, Protect, Detect, Respond, and Recover. Each Function is broken down into categories and subcategories:

  1. Identify – Understand which assets need to be secured.
  2. Protect – Take steps to ensure that those assets are adequately protected.
  3. Detect – Establish mechanisms to detect attacks or vulnerabilities.
  4. Respond – Develop detailed plans for notifying individuals affected by data breaches and for handling events that could compromise data, and test those response plans regularly to minimize the impact of attacks.
  5. Recover – Establish processes to resume operations after an attack.

(Want to learn more about the five Functions of CSF 1.1? Download our NIST CSF checklist here!)

Changes in CSF 2.0, with a focus on continuous improvement

In February 2024, NIST released CSF 2.0. The goal of the new version is to make CSF more adaptable so that it can be used by a wider range of organizations. Any organization adopting CSF for the first time should use this newer version; organizations that already use 1.1 can continue to do so, but with the goal of moving to 2.0 in the future.

2.0 brings several changes. The most visible is the addition of a sixth Function, "Govern". According to ISC2, "The Governance component of the CSF emphasizes that cybersecurity is a major source of enterprise risk that leaders must consider alongside others such as finance and reputation. The goals are to integrate cybersecurity into broader risk management, roles and responsibilities, policies and oversight in organizations, as well as to better support the communication of cybersecurity risks to leaders."

It also has an expanded scope and is clearer and easier to use. Most importantly for the purposes of this article, it addresses emerging threats with a continuous and proactive approach to cybersecurity, via the newly added Improvement category in the Identify Function. A continuous approach means that organizations are encouraged to regularly assess, reassess, and then update their cybersecurity practices, so that they can respond to events more quickly and accurately and reduce their impact.

CSF and CTEM – Better together

Today, there are several actionable frameworks and tools that work within the parameters of the high-level CSF guidelines. For example, Continuous Threat Exposure Management (CTEM) is highly complementary to CSF. The CTEM framework, published by Gartner in 2022, represents a major shift in the way organizations approach threat risk management. While CSF is a high-level framework for identifying, assessing and managing cyber risks, CTEM focuses on continuously monitoring and evaluating the threats to the organization's security posture, specifically those exposures that represent actual, exploitable risk.

The core Functions of CSF align well with the CTEM approach, which includes identifying and prioritizing threats, assessing the organization's exposure to those threats, and continuously monitoring for signs of compromise. By adopting CTEM, cybersecurity leaders can significantly improve their organization's NIST CSF compliance.

Before CTEM, periodic vulnerability assessments and penetration tests to find and fix vulnerabilities were considered the gold standard for threat management. The problem, of course, was that these methods only provided a snapshot of the security posture, one that was often out of date before it was even analyzed.

CTEM changed this. The program describes how to gain continuous insight into the organization's attack surface and proactively identify and mitigate vulnerabilities and exposures before attackers exploit them. To make this possible, CTEM programs integrate technologies such as threat assessment, automated security validation, attack surface management, and risk prioritization. This aligns well with NIST CSF 1.1 and provides tangible benefits for all five core CSF Functions:

  1. Identify – CTEM requires organizations to rigorously identify and inventory assets, systems, and data. This often uncovers unknown or forgotten assets that pose security risks. This improved visibility is essential to establishing a solid foundation for cybersecurity management, as described in the NIST CSF Identify Function.
  2. Protect – CTEM programs proactively identify vulnerabilities and misconfigurations before they can be exploited. CTEM prioritizes risks based on their true potential impact and the likelihood of exploitation, which helps organizations address the most critical exposures first. In addition, the attack path modeling provided by CTEM helps organizations reduce the risk of compromise. All of this directly strengthens the Protect Function of the CSF program.
  3. Detect – CTEM requires continuous monitoring of the external attack surface, which supports the CSF Detect Function by providing early warning of potential threats. By identifying changes to the attack surface, such as new vulnerabilities or newly exposed services, CTEM helps organizations detect and respond to potential attacks before they cause damage.
  4. Respond – When a security incident occurs, CTEM's risk prioritization helps organizations order their response so that the most critical incidents are addressed first. In addition, the attack path modeling required by CTEM helps organizations understand how attackers may have gained access to their systems. This supports the CSF Respond Function by enabling targeted actions to contain and eradicate the threat.
  5. Recover – CTEM's continuous monitoring and risk prioritization play a critical role in the CSF Recover Function. CTEM enables organizations to quickly identify and remediate vulnerabilities, which minimizes the impact of security incidents and speeds up recovery. In addition, attack path modeling helps organizations identify and remediate weaknesses in their recovery processes.
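The list above describes CTEM's prioritization and attack path modeling only in the abstract. The following script is an added example (not code from the article, Gartner or NIST) that makes the difference between raw CVSS ordering and exposure-based ordering concrete. All data is constructed: the asset names, the `reaches` lateral-movement edges, the 1-to-5 criticality scale, the `F-n` finding identifiers, and the likelihood weights are illustrative assumptions, not a published scoring model. It ranks each finding by how reachable its host is from the internet-facing perimeter, whether an exploit is available, and the most critical asset an attacker could pivot to from it, then diffs two external scans and re-ranks when a host becomes newly exposed.

```python
"""Toy CTEM-style exposure prioritization over a constructed asset graph.

Added example; not from the article. Scoring weights and sample data are
illustrative assumptions, not a published model.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field, replace


@dataclass
class Asset:
    name: str
    internet_facing: bool
    criticality: int                      # assumed scale: 1 (low) .. 5 (crown jewel)
    reaches: list[str] = field(default_factory=list)   # assumed lateral-movement edges


@dataclass
class Finding:
    asset: str
    fid: str                              # placeholder finding id, not a real CVE
    cvss: float
    exploit_available: bool


# Constructed inventory: a web -> app -> db chain plus an isolated lab host.
ASSETS: dict[str, Asset] = {
    "web-01": Asset("web-01", True, 2, ["app-01"]),
    "app-01": Asset("app-01", False, 3, ["db-01"]),
    "db-01": Asset("db-01", False, 5),
    "lab-01": Asset("lab-01", False, 2),
}

# Constructed findings: the highest CVSS score sits on the isolated lab host.
FINDINGS: list[Finding] = [
    Finding("lab-01", "F-1", 9.8, True),
    Finding("web-01", "F-2", 7.5, True),
    Finding("app-01", "F-3", 8.0, False),
    Finding("db-01", "F-4", 6.5, False),
]


def hops_from_perimeter(assets: dict[str, Asset]) -> dict[str, int | None]:
    """BFS over lateral-movement edges from every internet-facing asset.
    Returns the hop count to each asset, or None if it is unreachable."""
    hops: dict[str, int | None] = {name: None for name in assets}
    queue: deque[str] = deque()
    for name, asset in assets.items():
        if asset.internet_facing:
            hops[name] = 0
            queue.append(name)
    while queue:
        cur = queue.popleft()
        for nxt in assets[cur].reaches:
            if hops[nxt] is None:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops


def max_reachable_criticality(assets: dict[str, Asset], start: str) -> int:
    """Highest criticality of any asset reachable from `start` (itself included):
    the blast radius a foothold on `start` would give an attacker."""
    seen: set[str] = set()
    stack, best = [start], 0
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        best = max(best, assets[cur].criticality)
        stack.extend(assets[cur].reaches)
    return best


def exposure_score(f: Finding, assets: dict[str, Asset], hops: dict[str, int | None]) -> float:
    """likelihood x impact x severity; weights are illustrative assumptions."""
    d = hops[f.asset]
    reach = 0.1 if d is None else 0.5 ** d            # 1.0 at the perimeter, halves per hop
    likelihood = reach * (1.0 if f.exploit_available else 0.5)
    impact = max_reachable_criticality(assets, f.asset) / 5
    return likelihood * impact * f.cvss


def prioritize(findings: list[Finding], assets: dict[str, Asset]) -> list[tuple[str, str, float]]:
    """(finding id, asset, score), highest exposure first."""
    hops = hops_from_perimeter(assets)
    scored = [(f.fid, f.asset, exposure_score(f, assets, hops)) for f in findings]
    return sorted(scored, key=lambda t: t[2], reverse=True)


def by_cvss(findings: list[Finding]) -> list[str]:
    """The ordering a plain vulnerability scanner report would give."""
    return [f.fid for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def newly_exposed(previous: dict[str, set[int]], current: dict[str, set[int]]) -> dict[str, set[int]]:
    """Attack-surface diff between two external scans: ports open now that were not before."""
    diff = {}
    for asset, ports in current.items():
        added = ports - previous.get(asset, set())
        if added:
            diff[asset] = added
    return diff


def apply_exposure(assets: dict[str, Asset], diff: dict[str, set[int]]) -> dict[str, Asset]:
    """Re-scope: any asset with a newly exposed service is now internet-facing."""
    return {n: replace(a, internet_facing=a.internet_facing or n in diff) for n, a in assets.items()}


if __name__ == "__main__":
    print("by CVSS:      ", by_cvss(FINDINGS))
    print("by exposure:  ", [(i, a, round(s, 2)) for i, a, s in prioritize(FINDINGS, ASSETS)])
    # Next external scan (constructed): lab-01 now exposes SSH to the internet.
    diff = newly_exposed({"web-01": {443}}, {"web-01": {443}, "lab-01": {22}})
    print("new exposures:", diff)
    print("re-ranked:    ", [(i, a, round(s, 2)) for i, a, s in prioritize(FINDINGS, apply_exposure(ASSETS, diff))])
```

On the constructed data the scanner ordering puts the 9.8 on the isolated lab host first, while the exposure ordering puts the 7.5 on the internet-facing web server first because it sits on a path to the crown-jewel database; after the second scan shows a new SSH exposure on the lab host, that finding jumps from last to second without any change to its CVSS score. That re-ranking on an attack-surface change is the "continuous" part of CTEM that a periodic assessment cannot provide.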

Conclusion

The NIST Cybersecurity Framework (CSF) and Continuous Threat Exposure Management (CTEM) are true brothers in arms: they work together to protect organizations from cyber threats. CSF provides a comprehensive plan for managing cybersecurity risk, while CTEM offers a dynamic, data-driven approach to finding and mitigating the exposures that matter.

The CSF-CTEM alignment is particularly evident in how CTEM's focus on continuous monitoring and threat assessment integrates with the core Functions of CSF. By adopting CTEM, organizations significantly improve their CSF compliance while gaining valuable insight into their attack surface and the ability to proactively remediate exposures.

Did you find this article interesting? This article is a guest post from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we publish.