With the easy availability of tools and knowledge, cyberattacks have run rampant, putting pressure on organizations to better defend themselves. Security is a continuous process that grows over time — exactly why organizations need to create a strong foundation. Two important questions every organization asks itself: Where do we start, and have we done enough?
Cybersecurity frameworks can help you find answers to these questions. They act as a reference to compare with your organization's security state. In this post, you'll learn about different security frameworks. We'll start by covering what a security framework is, why organizations need them, and how organizations can benefit from them. Then we'll go through some top cybersecurity frameworks, including:
- ISO 27001
- CIS Controls
- PCI DSS
- MITRE ATT&CK
(For the latest in all things security, check out these security & InfoSec events.)
What is a security framework?
When you think of implementing security for your infrastructure, network, applications or any other assets, it might be difficult to know where to start. There are so many aspects of cybersecurity and cyber hygiene that it can be overwhelming. In addition, how do you know if what you've done is enough? How do you know what the baseline is? Security frameworks can help you understand what this baseline is.
A cybersecurity framework includes guidelines, standards and best practices to manage security risks. Security frameworks act as a blueprint for security teams to implement security and incorporate certain practices. Aligning your security with these frameworks reduces the chances of being breached. That's because frameworks are designed to consider:
- What risks organizations face
- How attackers can exploit security weaknesses
(Understand the differences between vulnerabilities, threats and risk.)
Benefits of using security frameworks
Think of a security framework like a seatbelt. It's not that you can't drive a car without wearing a seatbelt. It doesn't mean that you wear a seatbelt because you expect to have an accident. It's a precaution — but a crucial one. Similarly, security frameworks are precautionary steps to improve security.
One of the challenges organizations face when implementing security is where to start. You don't need to reinvent the wheel. Think of the time and resources it would take if you had to explore every security aspect of your organization. How soon you implement it is crucial, and security frameworks kickstart your security journey. They provide you with knowledge of the steps you should take to set up the first lines of defense.
Who should use security frameworks
Most security frameworks generally apply to almost all kinds of organizations. You can tweak them to make them more suitable for your organization. As most security frameworks are designed with flexibility and scalability in mind, they can help you create a strong security foundation over the long run. Security frameworks can also help you fill gaps in your existing security model.
Leading Cybersecurity Frameworks
Now let’s turn to the most common and most well-known frameworks in the industry.
NIST Cybersecurity Framework
The NIST cybersecurity framework is among the most popular. It's a result of a U.S. presidential order aimed at enhancing security against internal and external threats. The NIST framework was initially created to secure critical infrastructure. However, this framework has multiple guidelines that apply to organizations generally. The framework focuses on five core functions.
- Identify: Identify all the assets that you need to secure and define the scope.
- Protect: Implement security and best practices to ensure the security of the assets.
- Detect: Create systems to monitor what's happening and detect any suspicious or malicious activity.
- Respond: Be prepared for when things go wrong. Inform the stakeholders and contain attacks.
- Recover: Create processes and mechanisms to repair the damage and restore the state post-incident.
Businesses of all sizes and domains can follow the NIST framework. You can also get your service or product NIST certified if it meets the requirements.
ISO 27001
ISO 27001 is widely considered the baseline for information security management systems (ISMS). It focuses on the three pillars of cybersecurity: confidentiality, integrity, and availability (the CIA Triad). ISO 27001 provides guidelines to keep an organization's data safe. As most organizations deal with sensitive data, ISO 27001 is applicable to almost every organization.
This framework provides guidelines for 114 security objectives and controls covering the following aspects:
- Information security policies
- Organization of information security
- Human resources security
- Asset management
- Access control
- Physical and environmental security
- Operational security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
Along with security benefits, ISO 27001 provides reputational benefits. If you meet all the requirements, you can certify in ISO 27001, which increases the trust and confidence of your customers and other stakeholders.
CIS Controls
The Center for Internet Security (CIS) has published eighteen security practices called CIS Critical Security Controls, aka CIS controls, to enhance security. CIS controls don't just increase security but also help you plan security strategies for your organization. They cover implementation, monitoring, training and incident handling. This framework aims to improve the overall security of an organization — which means that all organizations can benefit from it.
CIS controls are categorized into different sections: basic, foundational and organizational. This categorization will help you prioritize your tasks. And here are the CIS controls:
- Inventory and control of enterprise assets
- Inventory and control of software assets
- Data protection
- Secure configuration of enterprise assets
- Account management
- Access control management
- Continuous vulnerability management
- Audit log management
- Email and web browser protections
- Malware defenses
- Data recovery
- Network infrastructure management
- Network monitoring and defense
- Security awareness and skills training
- Service provider management
- Application software security
- Incident response management
- Penetration testing
CIS provides certification for software security vendors if they meet the requirements of the CIS Benchmark profile.
SOC2
- Processing integrity
SOC2, along with being a security framework, is also an auditing standard. It provides rigorous procedures to audit systems and controls to ensure data security and privacy. It applies to most organizations. Post-audit, auditors generate a SOC2 report that's specific to an organization, proving the organization's compliance with the standards. The SOC2 framework and audit are mostly applicable to organizations providing services and systems to other organizations, as it focuses on improving the trust between providers and clients.
PCI DSS
The practice of online payment is more common than ever. And card payments are among the most common modes of payment. The Payment Card Industry Data Security Standard (PCI DSS) framework, as the name suggests, specifically focuses on keeping users' card data secure. There are twelve requirements for an organization to be PCI DSS compliant:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Protect all systems against malware and regularly update antivirus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by a business's need to know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
This framework applies to any organization providing, storing, or using payment card data. Organizations can get PCI DSS certified by meeting the requirements.
(Explore the zero trust concept.)
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is the guideline for the healthcare industry, as it focuses on the privacy of medical records and health data. HIPAA provides best practices to secure healthcare information along with guidelines to train individuals.
One major challenge organizations face is keeping up with the changing guidelines as technology changes. Because HIPAA is not specific to any technology, any organization can implement HIPAA practices. Of course, for any healthcare or related industry, HIPAA is likely mandatory.
Organizations can get HIPAA certification by meeting the standards set for these major rules:
- Breach notification
MITRE ATT&CK Framework
The MITRE ATT&CK Framework is one of the most detailed cybersecurity frameworks, covering a variety of tactics, techniques, and procedures. In addition, it provides mitigation instructions you can use to defend yourself from attacks. This framework is beneficial for Security Operations Centers (SOCs) especially when it comes to detecting malicious and suspicious activity and evaluating the current state of an organization's security.
The framework is categorized into three matrices: Enterprise, Mobile and Industrial Control Systems (ICS). The Framework covers these tactics:
- Resource development
- Initial access
- Privilege escalation
- Defense evasion
- Credential access
- Lateral movement
- Command and control
MITRE doesn't provide certification for organizations, but all organizations can benefit from this framework.
(Compare the MITRE ATT&CK framework with common cyber kill chain models.)
Open Cybersecurity Schema Framework
This framework, announced at Black Hat 2022, is a new player in town. The Open Cybersecurity Schema Framework (OCSF) is an open-source project that covers various domains and events. This framework is a result of several major players in the security industry — Splunk, AWS, Rapid7, Cloudflare and many others — coming together to create a common ground for logs and alerts: a shared format and data model.
OCSF aims to make the detection, investigation and handling of attacks more efficient. Data and intelligence play a major role in security. Various tools and systems generate enormous amounts of data, and dealing with that volume, extracting value from it and acting on it can slow an organization down. OCSF focuses on this aspect of security, reducing the time the process takes so that organizations can act faster. This framework benefits almost all organizations.
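To make the "common format" point concrete, here is an added example (not from the original post or the OCSF project) that normalizes two constructed log sources, an sshd line and a Windows Security event, into one minimal OCSF-style Authentication event and then runs a single detection over both. The class, category, activity and status codes are taken from the public OCSF schema as I understand it and should be treated as assumptions; the sample log lines are constructed.

```python
import json
from datetime import datetime

# OCSF identifiers (assumed from the public schema): category 3 = Identity & Access
# Management, class 3002 = Authentication, activity 1 = Logon, status 1/2 = success/failure.
OCSF_CATEGORY_IAM = 3
OCSF_CLASS_AUTHENTICATION = 3002
ACTIVITY_LOGON = 1
STATUS_SUCCESS, STATUS_FAILURE = 1, 2

def ocsf_type_uid(class_uid: int, activity_id: int) -> int:
    """OCSF derives type_uid as class_uid * 100 + activity_id (assumed convention)."""
    return class_uid * 100 + activity_id

def to_ocsf_logon(user: str, src_ip: str, success: bool, ts: datetime, product: str) -> dict:
    """Build a minimal OCSF Authentication/Logon event from already-normalized fields."""
    return {
        "category_uid": OCSF_CATEGORY_IAM,
        "class_uid": OCSF_CLASS_AUTHENTICATION,
        "activity_id": ACTIVITY_LOGON,
        "type_uid": ocsf_type_uid(OCSF_CLASS_AUTHENTICATION, ACTIVITY_LOGON),
        "status_id": STATUS_SUCCESS if success else STATUS_FAILURE,
        "severity_id": 1 if success else 3,   # 1 = Informational, 3 = Medium (assumed codes)
        "time": int(ts.timestamp() * 1000),   # OCSF timestamps are epoch milliseconds
        "user": {"name": user},
        "src_endpoint": {"ip": src_ip},
        "metadata": {"version": "1.0.0", "product": {"name": product}},
    }

def parse_sshd_line(line: str) -> dict:
    # Constructed format: "<ISO time> sshd: Failed password for alice from 203.0.113.5 port 22 ssh2"
    ts_s, _, rest = line.partition(" sshd: ")
    user = rest.split(" for ", 1)[1].split(" from ", 1)[0]
    ip = rest.rsplit(" from ", 1)[1].split()[0]
    ts = datetime.fromisoformat(ts_s.replace("Z", "+00:00"))
    return to_ocsf_logon(user, ip, rest.startswith("Accepted"), ts, "sshd")

def parse_windows_json(line: str) -> dict:
    # Constructed JSON export of a Security log event; 4624 = logon success, 4625 = logon failure.
    ev = json.loads(line)
    ts = datetime.fromisoformat(ev["TimeCreated"].replace("Z", "+00:00"))
    return to_ocsf_logon(ev["TargetUserName"], ev["IpAddress"], ev["EventID"] == 4624, ts, "Windows Security")

def failed_logons(events: list) -> list:
    """One detection works across both sources once they share the schema."""
    logon = ocsf_type_uid(OCSF_CLASS_AUTHENTICATION, ACTIVITY_LOGON)
    return [e["user"]["name"] for e in events
            if e["type_uid"] == logon and e["status_id"] == STATUS_FAILURE]
```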
We've covered some of the most popular cybersecurity frameworks that organizations can benefit from. Some of these frameworks are applicable to specific industries or use cases, while others are applicable to organizations generally. You'll also find some best practices overlapping. For example, encryption is a practice that every framework recommends.
Cybersecurity frameworks have become a security baseline for most organizations. They help organizations understand risks and threats and implement security accordingly. An organization can comply with multiple frameworks and also slightly tweak the guidelines to better fit its use cases. Although different frameworks follow different approaches, the core idea remains the same: improving security.
This posting does not necessarily represent Splunk's position, strategies or opinion.