Leverage cyber frameworks
To help guard against malicious threat actors, many companies align to industry best practices or frameworks to identify, monitor, and reduce cybersecurity risk before it is realized. A cybersecurity framework is, essentially, a structured set of standards, guidelines, and best practices for managing that risk. Frameworks typically map to a business's security objectives, such as preventing unauthorized system access, and to the controls that achieve them, such as requiring a username and password or, better, multi-factor authentication.
Business benefits
Cybersecurity frameworks approach securing digital assets much like a frame supports a building or house. The framework is designed to give security managers a reliable, systematic way to mitigate cyber risk, no matter how complex the environment might be. Cybersecurity frameworks are often mandatory in specific industries, or at least strongly encouraged, for companies that want to comply with state, industry, and international cybersecurity regulations. For example, a business that stores, processes, or transmits cardholder data must demonstrate compliance with the Payment Card Industry Data Security Standard (PCI DSS), either through a self-assessment questionnaire or, for larger merchants and service providers, an on-site assessment by a Qualified Security Assessor.
Benefits of implementing a cyber framework include:
- Using a common language and a systematic, vendor-neutral approach to cybersecurity
- Enabling long-term cybersecurity and risk management
- Giving technical and business-side stakeholders a shared approach and vocabulary
- Providing flexibility and adaptability
- Preparing for future risk mitigation, regulation, and compliance requirements
Best practice
There are many cyber frameworks to choose from, and which one you implement depends on your use case and requirements. A few, however, are prominent and can substantially change how you conduct security operations and compliance. Compliance-oriented frameworks such as PCI DSS define the controls you must have in place. Adversary-oriented frameworks such as MITRE ATT&CK and the Cyber Kill Chain describe attacker tactics and techniques, which helps your SOC build defense in depth and identify threats whether they originate inside or outside your environment.
Types of frameworks
Threat and risk frameworks
MITRE ATT&CK
MITRE began ATT&CK in 2013 by documenting the tactics, techniques, and procedures (TTPs) adversaries use against Windows enterprise networks; it has since grown to cover macOS, Linux, cloud, mobile, and ICS environments. The MITRE ATT&CK framework became the baseline acting as a common language for offensive and defensive researchers. Every technique has a stable identifier (for example T1059, Command and Scripting Interpreter) and sub-techniques extend it (T1059.001, PowerShell), which is what lets detections, threat intelligence, and red-team findings be cross-referenced. MITRE ATT&CK has become one of the most popular approaches to detecting threat actors and advanced persistent threats (APTs) within a corporate ecosystem. Using several hundred techniques and sub-techniques, security teams gain a deep understanding of the methods of attack, and ATT&CK has quickly become the go-to framework for detection and response.
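Because ATT&CK gives every technique a stable ID, a SOC can measure detection coverage mechanically: tag each detection rule with the technique IDs it fires on, then compare the tags against the matrix. The following Python is an added example written for this article, not code from Splunk or MITRE. Its matrix is a hand-built subset of the real Enterprise matrix (the full set of several hundred techniques is distributed by MITRE as STIX 2.1 JSON), and the detection inventory, rule names included, is constructed for illustration.

```python
"""Added example: ATT&CK detection-coverage gap analysis.

Not from Splunk or MITRE. The matrix below is a hand-built subset of the
ATT&CK Enterprise matrix (the real one has several hundred techniques and
is distributed by MITRE as STIX 2.1 JSON); the detection inventory is
constructed for illustration.
"""
from collections import defaultdict

# Constructed subset of ATT&CK Enterprise: technique ID -> (name, tactics).
# IDs, names and tactic assignments follow the real matrix.
ATTACK_SUBSET = {
    "T1566": ("Phishing", ["initial-access"]),
    "T1078": ("Valid Accounts", ["defense-evasion", "persistence",
                                 "privilege-escalation", "initial-access"]),
    "T1059": ("Command and Scripting Interpreter", ["execution"]),
    "T1053": ("Scheduled Task/Job", ["execution", "persistence",
                                     "privilege-escalation"]),
    "T1547": ("Boot or Logon Autostart Execution", ["persistence",
                                                   "privilege-escalation"]),
    "T1003": ("OS Credential Dumping", ["credential-access"]),
    "T1021": ("Remote Services", ["lateral-movement"]),
    "T1486": ("Data Encrypted for Impact", ["impact"]),
}

# Constructed detection inventory: rule name -> ATT&CK tags on the rule.
# Rules may be tagged at the sub-technique level (e.g. T1059.001 = PowerShell).
DETECTIONS = {
    "Suspicious PowerShell EncodedCommand": ["T1059.001"],
    "New Scheduled Task Created": ["T1053.005"],
    "LSASS Memory Access": ["T1003.001"],
    "Registry Run Key Modified": ["T1547.001"],
    "Impossible Travel Login": ["T1078"],
    "Malicious Email Attachment Opened": ["T1566.001"],
    "Password Spray Against SSO": ["T1110.003"],  # parent not in our subset: reported as unknown
}


def parent_technique(tech_id):
    """Roll a sub-technique ID up to its parent: 'T1059.001' -> 'T1059'."""
    return tech_id.split(".", 1)[0]


def coverage(matrix, detections):
    """Return (counts, by_tactic, unknown).

    counts:    technique ID -> number of rules tagged with it or a sub-technique
    by_tactic: tactic -> (covered techniques, total techniques in that tactic)
    unknown:   tags whose parent technique is not in the matrix (typos,
               revoked IDs, or a matrix subset that is too small)
    """
    counts = {tid: 0 for tid in matrix}
    unknown = set()
    for tags in detections.values():
        for tag in tags:
            parent = parent_technique(tag)
            if parent in counts:
                counts[parent] += 1
            else:
                unknown.add(tag)
    by_tactic = defaultdict(lambda: [0, 0])
    for tid, (_, tactics) in matrix.items():
        for tactic in tactics:
            by_tactic[tactic][1] += 1
            if counts[tid]:
                by_tactic[tactic][0] += 1
    return counts, {t: tuple(v) for t, v in by_tactic.items()}, unknown


def uncovered(matrix, counts):
    """Techniques with no detection at all: the first gaps to close."""
    return sorted(tid for tid in matrix if counts[tid] == 0)


def tactic_ratio(by_tactic, tactic):
    """Fraction of a tactic's techniques that have at least one detection."""
    covered, total = by_tactic.get(tactic, (0, 0))
    return covered / total if total else 0.0


def report(matrix=ATTACK_SUBSET, detections=DETECTIONS):
    counts, by_tactic, unknown = coverage(matrix, detections)
    for tactic in sorted(by_tactic):
        covered, total = by_tactic[tactic]
        print(f"{tactic:22s} {covered}/{total} techniques covered")
    for tid in uncovered(matrix, counts):
        print(f"GAP  {tid} {matrix[tid][0]}")
    for tag in sorted(unknown):
        print(f"WARN tag {tag} has no parent technique in the matrix")
    return counts, by_tactic, unknown


if __name__ == "__main__":
    report()
```

Two caveats the output does not show. Coverage here is binary presence: one PowerShell rule makes T1059 count as covered even though cmd, bash and Python execution (other sub-techniques of T1059) remain undetected, so a real assessment should also score depth per sub-technique. And the `unknown` set is worth acting on, since a tag that matches nothing is either a typo in a rule or a technique MITRE has revoked or merged since the rule was written.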
Cyber Kill Chain
The Cyber Kill Chain was developed by Lockheed Martin in 2011, adapting the US military's kill chain targeting model to network intrusions. It outlines the stages common to many cyberattacks and, by extension, the points at which the information security team can prevent, detect, or disrupt the attacker. The Cyber Kill Chain was intended to defend against sophisticated, multi-stage intrusions, also known as advanced persistent threats (APTs), in which adversaries spend significant time on reconnaissance and planning. These attacks commonly combine malware (including ransomware and Trojans), spoofing, and social engineering to carry out their plan. A practical caveat: the chain is linear and perimeter-centric, so it models an external intrusion well but says little about insiders or attackers who arrive with valid credentials and never need a weaponized payload.
There are 7 phases to the Cyber Kill Chain:
- Phase 1: Reconnaissance
- Phase 2: Weaponization
- Phase 3: Delivery
- Phase 4: Exploitation
- Phase 5: Installation
- Phase 6: Command and Control
- Phase 7: Actions on Objectives
NIST
The NIST Cybersecurity Framework (CSF), originally published in 2014 as the "Framework for Improving Critical Infrastructure Cybersecurity," was, as that name suggests, written to protect critical infrastructure such as power plants and dams from cyber attacks. Its core functions (Identify, Protect, Detect, Respond, and Recover, joined by Govern in CSF 2.0, released in 2024) apply to any organization that seeks better security, and CSF 2.0 dropped the critical-infrastructure qualifier from its title to make that explicit. It is one of several NIST publications that address cybersecurity; NIST SP 800-53 supplies the detailed control catalog that CSF outcomes are commonly mapped to.
Controls frameworks
ISO 27001 and 27002
Published jointly by the International Organization for Standardization (ISO) and the IEC, ISO/IEC 27001 specifies the requirements for an information security management system (ISMS) and is the standard an organization is certified against; ISO/IEC 27002 is companion guidance on implementing the controls listed in Annex A of 27001 and is not itself certifiable. Together they are widely treated as the international benchmark for validating a cybersecurity program, internally and across third parties. With an ISO 27001 certificate, companies can demonstrate to the board, customers, partners, and shareholders that they are managing cyber risk systematically. Note that the certificate attests to the ISMS within a defined scope, so when evaluating a supplier, read its scope statement rather than assuming the certificate covers the service you consume.
SOC 2
SOC 2 (System and Organization Controls 2, formerly Service Organization Control) is an attestation framework developed by the American Institute of Certified Public Accountants (AICPA) to help verify that vendors and partners are securely managing client data. Controls are evaluated against the Trust Services Criteria: security, which is always in scope, plus availability, processing integrity, confidentiality, and privacy as selected. A Type I report assesses whether controls are suitably designed at a point in time; a Type II report also tests whether they operated effectively over a review period, typically six to twelve months, which is why customers usually ask for Type II. Because the scope is broad and the evidence requirements extensive, SOC 2 is one of the harder frameworks to implement, particularly for organizations in the finance or banking sector that face higher compliance expectations than other sectors.
CIS20
Formerly the SANS Critical Security Controls (the SANS Top 20), these are now officially the CIS Critical Security Controls (CIS Controls), maintained by the Center for Internet Security. Version 8 consolidates the original 20 into 18 controls, each broken into safeguards and grouped into three implementation groups (IG1 to IG3) so that organizations can prioritize by size and risk profile. The controls are designed so that primarily automated means can be used to implement, enforce, and monitor them, and they give no-nonsense, actionable recommendations written in language that IT personnel can act on directly.
What cyber frameworks can I put in place?
- Assessing and expanding MITRE ATT&CK coverage in Splunk Enterprise Security
- The MITRE ATT&CK framework and its application to existing SIEM deployments, particularly Splunk Enterprise Security, helps security teams understand where they have threats covered and where they do not.
- Getting started with MITRE ATT&CK in Enterprise Security and Security Essentials
- An introductory guide to mapping detections to MITRE ATT&CK in Splunk Enterprise Security and Splunk Security Essentials, and to reading the resulting coverage view.
- Prescriptive Adoption Motion - Cyber frameworks
- A cybersecurity framework provides a common language and set of standards for security leaders across countries and industries to better understand their security postures and those of their vendors.