It’s been ten years since the National Institute of Standards and Technology (NIST) unveiled its Cybersecurity Framework (CSF) 1.0. Under a 2013 executive order, NIST was tasked with developing a voluntary cybersecurity framework to help organizations manage cyber risk by providing guidance based on established standards and best practices. While that version was originally tailored for critical infrastructure, the 2018 version 1.1 was designed for any organization committed to managing cybersecurity risk.
CSF is a valuable tool for organizations looking to assess and improve their security. The framework helps security stakeholders understand and assess their current security measures, organize and prioritize risk management actions, and improve communication within and outside the organization using a common language. It’s a comprehensive collection of guidelines, best practices and recommendations, divided into five main functions: Identify, Protect, Detect, Respond and Recover. Each function includes several categories and subcategories; in brief:
- Identify – Understand which assets need to be protected.
- Protect – Take measures to ensure those assets are adequately protected.
- Detect – Put mechanisms in place to detect attacks or vulnerabilities.
- Respond – Develop detailed plans for notifying those affected by a data breach or by other events that may compromise data, and regularly review response plans to minimize the impact of attacks.
- Recover – Set up processes to recover from an attack.
(Want to learn more about the 5 steps of CSF 1.1? Download our NIST CSF Checklist here!)
Changes in CSF 2.0 with a focus on continuous improvement
NIST released CSF 2.0 in February 2024. The goal of this new version is to make the CSF more adaptable and therefore more widely applicable across a broader range of organizations. Any organization adopting the CSF for the first time should use this new version; organizations that already use it can continue to do so, but with an eye toward adopting version 2.0 in the future.
2.0 brings with it some changes; among other things, it adds “Govern” as a first step because, according to ISC2, “the governance component of the CSF emphasizes that cybersecurity is a major source of enterprise risk that senior leadership must consider alongside others such as finance and reputation. The goals are to integrate cybersecurity with broader enterprise risk management, roles and responsibilities, policies and oversight in organizations, and to better support the communication of executives about cybersecurity risks.”
It also has an expanded scope, it’s more intuitive and user-friendly, and most importantly (for the purposes of this article anyway) it places a strong focus on emerging threats and on a continuous, proactive approach to cybersecurity through the newly added Improvement category in the Identify function. Taking a continuous approach means that organizations are encouraged to regularly assess, reassess and then update their cybersecurity practices. This lets organizations respond to events faster and with greater accuracy, reducing their impact.
CSF and CTEM are better together
Today, there are many effective frameworks and tools designed to work within the parameters of the high-level CSF guidance. For example, Continuous Threat Exposure Management (CTEM) is highly complementary to the CSF. Introduced by Gartner in 2022, the CTEM framework represents a major shift in how organizations manage threat exposure. While the CSF provides a high-level framework for identifying, assessing and managing cyber risk, CTEM focuses on continuously monitoring and evaluating the threats to the organization’s security posture – the very threats that constitute the risk itself.
The core functions of CSF align well with the CTEM approach, which involves identifying and prioritizing threats, assessing an organization’s vulnerability to those threats, and continuously monitoring for signs of compromise. Adopting CTEM gives cybersecurity leaders the ability to significantly improve their organization’s compliance with NIST CSF requirements.
Before the advent of CTEM, periodic vulnerability assessments and penetration tests to find and fix vulnerabilities were considered the gold standard of threat management. The problem, of course, was that these methods only offered a snapshot of the security state, one that was often outdated before it had even been analyzed.
CTEM changes all that. The program outlines how to achieve a continuous understanding of the organization’s attack surface by proactively identifying and mitigating vulnerabilities and exposures before attackers exploit them. To make this happen, CTEM programs integrate technologies such as impact assessment, security testing (including automated testing), attack surface management and risk prioritization. It aligns closely with NIST CSF 1.1 and provides tangible benefits across all five core CSF functions:
- Identify – CTEM requires organizations to rigorously identify and inventory assets, systems and data. This often results in the discovery of unknown or forgotten assets that pose a security risk. This enhanced visibility is essential to building a strong foundation for cybersecurity governance, as outlined in the NIST CSF Identify function.
- Protect – CTEM programs proactively detect vulnerabilities and misconfigurations before they can be exploited. CTEM prioritizes risks based on their actual potential impact and likelihood of exploitation, which helps organizations address the most critical vulnerabilities first. Moreover, the attack path modeling that CTEM calls for helps organizations reduce the risk of a breach. All of this directly supports the Protect function of the CSF.
- Detect – CTEM requires continuous monitoring of the external attack surface, which supports the CSF Detect function by providing early warning of potential threats. By detecting changes in the attack surface, such as new vulnerabilities or exposed services, CTEM helps organizations identify and respond to potential attacks before they cause harm.
- Respond – When a security incident occurs, CTEM’s risk prioritization helps organizations prioritize their response, ensuring that the most critical incidents are addressed first. The attack path modeling provided by CTEM also helps organizations understand how attackers could gain access to their systems. This supports the CSF Respond function, allowing organizations to take targeted action to contain and eliminate the threat.
- Recover – CTEM’s continuous monitoring and risk prioritization play a critical role in the CSF Recover function. CTEM enables organizations to rapidly identify and remediate vulnerabilities, which minimizes the impact of security incidents and accelerates recovery. In addition, attack path modeling helps organizations identify and address weaknesses in their recovery processes.
Bottom line
The NIST Cybersecurity Framework (CSF) program and Continuous Threat Exposure Management (CTEM) are true brothers in arms – working together to protect organizations from cyber threats. CSF provides a comprehensive roadmap for cybersecurity risk management, while CTEM offers a dynamic, data-driven approach to threat detection and mitigation.
The CSF-CTEM alignment is particularly evident in how CTEM’s emphasis on continuous threat monitoring and assessment maps onto the core functions of the CSF. By adopting CTEM, organizations significantly improve their CSF compliance while gaining valuable insight into their attack surface and actively mitigating vulnerabilities.