Learn about NIST 2.0 now to avoid becoming a statistic in the future
Industry analysts forecast that by 2025, 45% of all organizations will have experienced a cyber-attack through a supply chain partner.
That forecast helps explain why we are now seeing more inquiries and discussions about the NIST Cybersecurity Framework (CSF) 2.0 from our customer base. This blog discusses the topic for senior cybersecurity stakeholders. The revised framework is not just a compliance checklist; it is a strategic tool for improving overall security resilience and aligning with industry-leading practices.
If you are a security leader responsible for threat intelligence and hunting, this blog is a primer to help you navigate the new NIST 2.0 framework and align your team and organization to it.
Keep reading and learn about:
The new Govern section and how to align risk management to business functions and company strategies.
How to use DPRM solutions for the cybersecurity risk inputs needed to fortify overall risk planning and incident response.
What provisions you need to make for privacy, supply chain security, and the incorporation of new technologies.
Why automating asset discovery and continual prioritization leads to lower risk from supply chain partners.
How to drive up the cost for a threat actor to attack your organization using collaborative efforts.
Actionable insights for implementing NIST 2.0, tailored to cater to different cybersecurity maturity levels within organizations.
With the significant changes that 2.0 brings, it's clear that NIST wants to make its framework more accessible. It's a smart move when you consider that many newsworthy cyber-attacks happen through supply chain partners, and that the number of such attacks has risen considerably: some sources report more than a 200% year-over-year increase in supply chain cyber-attacks. Against that backdrop, 2.0 represents a significant step forward in guiding organizations to strengthen their cybersecurity measures.
NIST 2.0 Focuses on Reducing Risk For Companies of All Sizes
Regardless of the industry analyst or news source, it would be hard to disagree that supply chain and third-party cyber-attacks are increasing sharply.
The challenge is that large organizations must find ways to protect what isn't theirs, as they are still held liable for cybersecurity oversights at the supply chain and third-party levels. A company cannot afford to skip a deliberate strategy for ensuring that security with risk and threat platforms. NIST's timing in introducing this guidance for all company sizes is good, because supply chain and third-party cybersecurity is a problem everyone owns. It requires an approach that combines real-time threat intelligence, continuous asset discovery, and increased collaboration among parent companies, subsidiaries, and partners.
NIST now provides guidance and implementation examples for its 2.0 framework for companies of any size. If you have enterprise customers, you may feel the effects of the 2.0 Cybersecurity Framework as its recommendations are translated by larger organizations into new security and audit requirements for their suppliers and third-party services. There is no getting away from the fact that NIST 2.0 is a sizable body of work. Instead of rattling off all the changes, let's discuss where security leaders should take note.
DPRM Platforms Play Center Stage in the NIST 2.0 Cyber Security Framework
Are large enterprise organizations among your customers, or does your company play a role in the supply chain delivery of a customer or critical service?
The new "Govern" function and its implementation examples show how DPRM solutions can be the cornerstone for providing the cybersecurity risk inputs needed to fortify overall risk planning and incident response. Govern provides cross-functional recommendations and examples aimed at better executive collaboration, and it lends more clarity to categorizing assets so that security leaders can take a more proactive approach and prioritize response.
You may be one step ahead if you already use the inputs from a DPRM platform. If your team is already engaged in these activities, you may have a short path to showing alignment with the NIST 2.0 recommendations. Ensure the tools you use can keep pace and deliver the benefits of proactive defense. Here are some salient points to think about when considering a threat and risk management platform to realize the advantages contained in the 2.0 cybersecurity framework recommendations.
Do you have a DPRM solution that provides:
A multi-score impact methodology that considers the severity of the vulnerability (via CVSS scoring), the criticality of the affected infrastructure, and other factors, such as manual inputs, to generate a score.
Automated impact scoring for an asset that combines CVSS scoring with human and AI/ML-generated input.
Continual asset discovery – shadow IT requires SecOps to diligently discover and inventory new IT systems as they are added to the external attack surface you monitor.
Integration with GRC systems and other business management systems via API.
Supply Chain Security Measures Go Mainstream with NIST 2.0 Recommendations
Many security leaders likely didn't need reminders about supply chain risk. But you know it's time to get even more serious about supply chain security when Homeland Security builds a new supply chain risk management office, and NIST then releases the first major update to its Cybersecurity Framework.
Regardless of whether you need to act now or at a later point, you need to know about the new NIST 2.0 recommendations and prepare. If you are with a parent company with a long list of supply chain partners, you must bring them into your cybersecurity programs.
Much of the infrastructure you need to secure is your partner's rather than yours. But at the same time, you are still responsible for any breach resulting from their cybersecurity shortcomings.
If you are in an industry where a customer and/or critical system relies on third-party services, you are responsible for a breach regardless of its source.
So, as a security leader, how do you put another company's assets under your purview and collaborate to reduce risk?
Ultimately, you are responsible for your and your supply chain partners' security shortcomings.
The NIST 2.0 recommendations and implementation examples highlight the minimum capabilities needed for increased supply chain security, and the timing could not be better. Due diligence will always depend on human interactions and assessments, as it should. At the same time, a lot of tedious and manual work goes into assessing risk. So the more you can increase the efficacy, automation, and coverage of your cybersecurity programs to include key partner relationships, the better off you will be in the long term.
Supporting supply chain partners by collaborating on cybersecurity is a win-win situation for everyone involved. Here are some key ways that a DPRM solution can augment your supply chain security program:
Multiple risk scores – DPRM platforms enable multiple scores by business unit, subsidiary, supply chain partners, and third-party services.
Create specific groups – Monitor risk by groups you create, such as function, geography, partner, or type of service, to measure individual and overall group risk scores.
Benchmark – Compare business risk scores to highlight weak links. Evaluate similar groups, partners, or applications against each other to benchmark risk reduction across groups and identify security gaps.
Automate scanning and discovery – Supply chain and third-party service partners should have their infrastructure scanned and assessed regularly. Partners should be able to show improvement from past scans, such as reducing the number or severity of vulnerabilities within their infrastructure.
Map vulnerabilities of a group of partners to track the overall and individual risk scores and provide guidance for remediation where possible.
Automate Asset Discovery and Continual Prioritization for In-Depth Situational Awareness
Corporate IT environments are constantly in flux, with new applications being spun up and business units sometimes going rogue and standing up new infrastructure. It's hard to keep up with, even with visibility into your infrastructure. Nowhere is automated asset discovery needed more than for your externally exposed infrastructure. Once you have performed your initial in-depth discovery, it must be followed up with frequent scans as new software, configuration changes, and admin updates will affect the risk score of that asset.
Discovery is just the beginning; it is only one facet of managing vulnerabilities. Initial discovery and continual scanning are vital, but they only answer the question of where. Vulnerability management needs more: it needs business logic that automates the prioritization of assets to help answer what and why. Solutions that automate prioritization by bringing together CVSS severity scores with business impact scoring give vulnerability management teams the automation they need to weed through the noise of low-level alerts and concentrate on what matters most. So what is the best way to prioritize assets? What matters most is not always a straightforward answer.
Consider these attributes when looking to prioritize response.
Severity – The first step is ascertaining the vulnerability severity. If exploited, how much damage would it cause? To a certain extent, business context is needed, but you can make a reasonable estimate based on your knowledge of your software and hardware environment.
Likelihood – This can be defined by the exposure of a system on your external attack surface, the frequency of threats or exploits, and how much publicity the vulnerability has received. But probably the strongest indicator of likelihood is the capabilities and motivations of attackers. This attribute matters even more if you suffer from repeated attacks and relentless threat actors.
Risk – It is always a central theme in prioritizing security response. Its calculation takes into account the loss a company might suffer in the case of a successful attack. Risk helps you examine and rank vulnerabilities by the assets they affect and how those assets may interact with other business systems.
Context – Not all high-value assets are externally facing and well-known, but they carry the same weight when it comes to risk. For such an asset the main risk may be a work stoppage or business downtime, so you may place more value on it even though it is not externally facing or otherwise well-known.
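To make the four attributes above concrete, and to show the per-group scoring described in the supply chain section (risk scores by business unit, subsidiary or partner, with benchmarking to find the weakest link), here is an added example of a risk-based prioritization routine. It is illustrative code written for this blog, not the code of any DPRM product or of NIST. The weights, the exposure and known-exploited adjustments, and the sample findings are all constructed assumptions; the exploit probability field is assumed to come from an EPSS-style feed or analyst input.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    finding_id: str
    asset: str
    owner: str                  # business unit, subsidiary or supply chain partner
    cvss_base: float            # CVSS v3.x base score, 0.0 - 10.0 (Severity)
    externally_exposed: bool    # reachable from the internet (Likelihood: exposure)
    exploit_probability: float  # 0.0 - 1.0, assumed EPSS-style input (Likelihood)
    known_exploited: bool       # seen exploited in the wild (Likelihood: attacker interest)
    business_impact: int        # 1 (negligible) .. 5 (work stoppage / outage) (Risk)
    critical_dependency: bool   # other business systems depend on this asset (Context)


# Illustrative weights; an organisation would tune these, they are not NIST values.
W_SEVERITY, W_LIKELIHOOD, W_IMPACT = 0.35, 0.35, 0.30


def severity(f: Finding) -> float:
    """Normalise the CVSS base score to 0.0 - 1.0."""
    return f.cvss_base / 10.0


def likelihood(f: Finding) -> float:
    """Exploit probability, discounted for internal-only assets and boosted
    when the vulnerability is already being exploited in the wild (assumed factors)."""
    exposure = 1.0 if f.externally_exposed else 0.4
    p = f.exploit_probability * exposure
    if f.known_exploited:
        p += 0.3
    return min(p, 1.0)


def impact(f: Finding) -> float:
    """Business impact on a 0.0 - 1.0 scale, raised for assets others depend on (Context)."""
    base = f.business_impact / 5.0
    if f.critical_dependency:
        base = min(base + 0.2, 1.0)
    return base


def priority_score(f: Finding) -> float:
    """Weighted combination of the three normalised factors, on a 0 - 100 scale."""
    score = W_SEVERITY * severity(f) + W_LIKELIHOOD * likelihood(f) + W_IMPACT * impact(f)
    return round(100 * score, 1)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest priority first: this is the work queue for the remediation team."""
    return sorted(findings, key=priority_score, reverse=True)


def group_scores(findings: List[Finding]) -> Dict[str, float]:
    """Weakest-link score per owner: the maximum finding score in each group,
    so that a single critical exposure at a partner is not averaged away."""
    scores: Dict[str, float] = {}
    for f in findings:
        scores[f.owner] = max(scores.get(f.owner, 0.0), priority_score(f))
    return scores


# Constructed sample inventory; the asset names and values are made up.
SAMPLE_FINDINGS = [
    Finding("F-1", "partner-vpn-gw", "partner-a", 9.8, True, 0.90, True, 3, False),
    Finding("F-2", "erp-db-01", "finance-bu", 7.0, False, 0.20, False, 5, True),
    Finding("F-3", "dev-jenkins-02", "partner-a", 5.0, False, 0.05, False, 1, False),
    Finding("F-4", "marketing-www", "marketing-bu", 9.1, True, 0.05, False, 1, False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.finding_id} {f.asset:16} owner={f.owner:13} score={priority_score(f):5.1f}")
    for owner, score in sorted(group_scores(SAMPLE_FINDINGS).items(), key=lambda kv: -kv[1]):
        print(f"group {owner:13} weakest-link score={score:5.1f}")
```

Note what the ordering shows: the internal ERP database (F-2, CVSS 7.0) outranks the externally exposed marketing site (F-4, CVSS 9.1) because business impact and dependency context outweigh raw severity, which is exactly the "what" and "why" that a CVSS-only queue cannot express. The per-owner table is the benchmark view: partner-a is the weakest link because of one exposed, actively exploited gateway, not because of its average.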
NIST 2.0 Emphasizes Real-Time Intelligence. Why should you also?
We get it. Operationalizing threat intelligence is not easy. Even worse is operationalizing something that doesn't matter anymore. You can use threat reports to block IP addresses, and that can help, but only until attackers change tactics again. Resources like the MITRE ATT&CK framework can tell you about possible TTPs (Tactics, Techniques, and Procedures), but they are not investigative tools that will tell you which adversary is targeting you and how to defend yourself in anticipation of an attack.
The 2.0 recommendations include many examples of the need for real-time threat intelligence to complement the capabilities of a DPRM solution. The new framework recognizes that security analysts need to be able to observe attacker behavior and conduct a more thorough investigation. A deeper dive into an incident requires a view beyond your perimeter that enables analysts to run queries and quickly establish the nature of an incident, including the ability to:
Quickly know whether a suspect IP should be investigated further.
Understand what happened during an event.
Observe attacker behavior to anticipate an attack.
Attribute attackers to an incident.
Determine the root cause of an incident.
Stop exfiltration by blocking C2 communications.
These actions give security analysts the means to create playbooks using real-time intelligence. The data generated can also be used to identify other affected third parties and help compromised victims with remediation advice. The NIST 2.0 framework is a welcome update. Its implementation examples represent a better way for companies of all sizes to consume this information and build better processes while taking advantage of new collaboration opportunities.
The NIST 2.0 Cybersecurity framework recognizes the need for more collaboration in cybersecurity. When we all work together, the collective efforts pay off by driving up the cost for a threat actor to attack while enriching our threat intelligence sources for a proactive cyber defense.
Learn more about the threat vectors you should be concerned about here
Read our customer case study about the discoveries made when external Threat Intelligence is applied over a Threat Model.
Learn more about the value of monitoring external risks and how that empowers organizational success in our customer case study here
Mature threat intelligence teams add tangible financial business value and reduce business risk. Learn more about how our Fortune 10 customer integrated real-time threat intelligence to enact a proactive defense that goes beyond the MITRE ATT&CK framework to offer pre-compromise defense.