Improving incident response with the NIST Cybersecurity Framework and security automation and orchestration (SAO)


The National Institute of Standards and Technology’s (NIST) Cybersecurity Framework was developed in response to a 2013 presidential executive order to help government and private organizations better protect critical infrastructure from cyberattacks. Now nearing its second version (1.1), the Framework offers organizations a flexible way to design and implement a cost-effective but holistic cybersecurity strategy. It covers the full gamut of security, from identifying assets and risks and detecting threats through response and recovery.

Security Automation and Orchestration (SAO) helps organizations implement controls that align with the Framework. SAO is a collection of tools and practices that automate detection and incident-response steps and orchestrate the security systems involved in them. With SAO, security teams become more productive and more effective at responding to incidents in accordance with the Framework.

What’s in the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework offers extensive guidance on developing, implementing and continuously improving a cybersecurity program. Its core contains five functions: identify, protect, detect, respond and recover. Each function is further broken down into categories, each of which offers subcategories for dealing with specific aspects of securing critical infrastructure against cyberattacks.

It also provides a set of implementation tiers that organizations can use to assess how well they manage cybersecurity risk. A tier 1 “partial” organization has informal, reactive responses to cyber threats. Tier 2 is “risk informed,” while tier 3 is “repeatable.” Tier 4 represents an “adaptive” organization, which adjusts its repeatable processes as risks shift, based on lessons learned from previous incidents.

How security automation and orchestration improves incident response

Security incident response is about more than just responding to a problem. In the Cybersecurity Framework, incident response spans the core functions of detect, respond and recover. All three are needed to respond properly to a security incident.

Table 1 shows the 11 categories included in these three functions; each has a unique category identifier. For example, in the detect function DE.AE is the category for “Anomalies and Events.” To align with the Framework, an organization must devise a way to detect anomalies or suspicious events that might signal the start of a security incident. This typically involves DE.CM (“Security Continuous Monitoring”) operating in concert with DE.DP (“Detection Processes”).

Function identifier   Function   Category identifier   Category
DE                    Detect     DE.AE                 Anomalies and Events
                                 DE.CM                 Security Continuous Monitoring
                                 DE.DP                 Detection Processes
RS                    Respond    RS.RP                 Response Planning
                                 RS.CO                 Communications
                                 RS.AN                 Analysis
                                 RS.MI                 Mitigation
                                 RS.IM                 Improvements
RC                    Recover    RC.RP                 Recovery Planning
                                 RC.IM                 Improvements
                                 RC.CO                 Communications

Table 1 – The detect, respond and recover functions from the NIST Cybersecurity Framework

Integrating security and communication technologies with SAO

Many organizations use technologies like intrusion detection systems (IDS) and security information and event management (SIEM) solutions to perform the Framework’s detect function. To get the best outcomes from the detect function, SAO should integrate the SIEM, IDS and any other tools that generate security alerts. Integration enables productivity-enhancing orchestration and the automation of detection workflow steps.

The Framework then calls for a pre-planned response process. According to the respond categories, there should be a rigorous communications process in place to track the progress of threat analysis and mitigation workflows. A rigorous communications process also requires integration. Integrating the relevant communication systems, like email and ticketing, with SAO makes it possible to automate status communications and relieves team members of the repetitive work of reporting alert statuses by hand. The response outlined in the Framework then continues through recovery.

Solving the cybersecurity staffing shortage with SAO

The challenge with using the NIST Cybersecurity Framework for incident response is the inevitable limit of available resources since there are only so many skilled staffers on a cybersecurity team, and the cybersecurity staffing shortage continues to grow. With threats increasing, teams can become overwhelmed by false positives and rendered unproductive by the need to keep up with routine notification and ticketing tasks. If the team does not have the right tools, it won’t be effective in meeting the criteria for the Cybersecurity Framework.

Security automation and orchestration offers a solution to the limited resource problem by speeding up each part of the detect-respond-recover cycle. For example, imagine that a security operations team receives an alert from a SIEM solution about an anomalous event on the network. If the team responds to the alert manually, it will have to do the tedious, time-consuming work of opening a ticket, conducting threat analysis and communicating with stakeholders.

With SAO, these steps are automated. Interactions between the relevant systems are orchestrated according to defined process steps. The SAO solution can automatically submit the alert’s indicators to a threat intelligence system, open a case in a ticketing system like JIRA, and email the relevant stakeholders.
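The alert-to-ticket workflow described above, written out as a small playbook. This is an added example, not Swimlane’s product code: the connector classes are in-memory stand-ins for a threat intelligence service, a ticketing system and an email notifier, and the indicator verdicts, severity routing and recipient addresses are constructed for illustration. Two details a practitioner would want are included: a failed enrichment lookup does not stall the response, and a rule that re-fires on the same host and indicator updates the existing case rather than opening a duplicate.

```python
"""SAO-style playbook for a SIEM alert: enrich, open a case, notify.

Added example; connectors are constructed fakes, not a real product API.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Alert:
    alert_id: str
    source: str      # tool that raised the alert, e.g. "siem"
    rule: str        # rule or signature name
    indicator: str   # IP address or hash the alert is about
    host: str


@dataclass
class PlaybookResult:
    ticket_id: str
    severity: str
    enriched: bool
    notified: List[str]
    deduplicated: bool


class FakeThreatIntel:
    """Stand-in for a threat-intelligence lookup (constructed verdicts)."""
    KNOWN_BAD = {"198.51.100.23": "c2-server"}   # assumption for the demo

    def __init__(self, fail: bool = False):
        self.fail = fail   # simulate an unreachable service

    def lookup(self, indicator: str) -> Optional[str]:
        if self.fail:
            raise ConnectionError("threat intel service unreachable")
        return self.KNOWN_BAD.get(indicator)


class FakeTicketing:
    """Stand-in for a case-management system such as JIRA."""
    def __init__(self):
        self.tickets: Dict[str, dict] = {}   # dedup_key -> ticket
        self._next = 1

    def find_open(self, dedup_key: str) -> Optional[str]:
        ticket = self.tickets.get(dedup_key)
        return ticket["id"] if ticket else None

    def create(self, dedup_key: str, title: str, severity: str) -> str:
        ticket_id = f"SEC-{self._next}"
        self._next += 1
        self.tickets[dedup_key] = {"id": ticket_id, "title": title, "severity": severity}
        return ticket_id


class FakeNotifier:
    """Stand-in for email or chat notification; records what was sent."""
    def __init__(self):
        self.sent: List[Tuple[Tuple[str, ...], str]] = []

    def send(self, recipients: List[str], subject: str) -> None:
        self.sent.append((tuple(recipients), subject))


# Assumption: who is paged at each severity (hypothetical addresses).
ROUTING = {
    "high": ["soc-oncall@example.com", "ir-lead@example.com"],
    "medium": ["soc-oncall@example.com"],
}


def run_playbook(alert: Alert, intel: FakeThreatIntel,
                 tickets: FakeTicketing, notifier: FakeNotifier) -> PlaybookResult:
    # 1. Enrich. An enrichment outage must not block response: fall back to
    #    un-enriched handling and record that the lookup did not happen.
    try:
        verdict = intel.lookup(alert.indicator)
        enriched = True
    except ConnectionError:
        verdict, enriched = None, False
    severity = "high" if verdict else "medium"

    # 2. Open a case only once per (rule, indicator, host). A rule that keeps
    #    firing on the same host should attach to the existing case.
    dedup_key = f"{alert.rule}|{alert.indicator}|{alert.host}"
    existing = tickets.find_open(dedup_key)
    if existing:
        return PlaybookResult(existing, severity, enriched, [], deduplicated=True)
    title = f"[{severity.upper()}] {alert.rule} on {alert.host} ({alert.indicator})"
    if verdict:
        title += f" - TI verdict: {verdict}"
    ticket_id = tickets.create(dedup_key, title, severity)

    # 3. Notify the stakeholders routed for this severity.
    recipients = ROUTING[severity]
    notifier.send(recipients, title)
    return PlaybookResult(ticket_id, severity, enriched, recipients, deduplicated=False)
```

In a real deployment the three fakes would be replaced by the SAO platform’s connectors, but the control flow stays the same: enrichment failure degrades gracefully, and the deduplication key is what keeps a noisy rule from generating a ticket per firing.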

Function: Detect (DE)
Category: Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood.

Subcategory, followed by how SAO improves the process:

DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed.
  SAO: Using logs from multiple security tools, the team can continually recalibrate the baseline and so improve its detection and response capabilities.

DE.AE-2: Detected events are analyzed to understand attack targets and methods.
  SAO: Routine analysis steps (enrichment, lookups, pivoting on indicators) are automated, saving analyst time.

DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors.
  SAO: The steps required to aggregate and correlate events from multiple sources are automated, and the systems involved in analysis and correlation are orchestrated by the SAO solution.

DE.AE-4: Impact of events is determined.
  SAO: Determining an event’s impact and notifying key stakeholders is faster.

DE.AE-5: Incident alert thresholds are established.
  SAO: Alert outcomes (true positive, false positive, duplicate) are fed back into threshold tuning, and incident reports that explain why an attack succeeded are generated automatically.

Table 2 – The subcategories of the Anomalies and Events (DE.AE) category in the Detect function of the NIST Framework Core.

Table 2 describes how a SAO solution helps with the specific details of incident response. Using the anomalies and events category (DE.AE) of the detect function, it breaks down SAO’s role in each subcategory. For instance, subcategory DE.AE-3 calls for “Event data are aggregated and correlated from multiple sources and sensors,” and SAO can automate the steps required for aggregation and correlation from multiple sources. Security orchestration can also integrate the systems involved in the analysis and correlation processes.
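What DE.AE-3 and DE.AE-5 look like in code: events from two sensors in different formats are normalized into one schema, grouped by source address within a time window, scored, and raised as an incident only when the score crosses a threshold and more than one sensor contributed. This is an added example, not part of the original article or any vendor’s product; the log lines, signature weights, window and threshold are all constructed for illustration.

```python
"""Aggregate and correlate events from two sensors (DE.AE-3), then apply
an alert threshold (DE.AE-5). Added example with constructed log data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    ts: datetime
    sensor: str
    src_ip: str
    kind: str
    weight: int


# Constructed sample logs: an IDS alert log and an SSH auth log.
IDS_LOG = """\
2024-03-01T10:00:05Z ids sig="ET SCAN Nmap" src=203.0.113.9 dst=10.0.0.5
2024-03-01T10:00:40Z ids sig="ET SCAN Nmap" src=203.0.113.9 dst=10.0.0.6
2024-03-01T10:01:10Z ids sig="ET POLICY RDP" src=203.0.113.9 dst=10.0.0.7
2024-03-01T10:05:00Z ids sig="ET INFO DNS" src=198.51.100.4 dst=10.0.0.53
"""
AUTH_LOG = """\
2024-03-01T10:01:30Z auth sshd: Failed password for admin from 203.0.113.9 port 51022
2024-03-01T10:01:33Z auth sshd: Failed password for admin from 203.0.113.9 port 51023
2024-03-01T10:01:36Z auth sshd: Accepted password for admin from 203.0.113.9 port 51024
2024-03-01T10:09:00Z auth sshd: Failed password for root from 198.51.100.4 port 40001
"""

IDS_RE = re.compile(r'^(\S+) ids sig="([^"]+)" src=(\S+) dst=\S+$')
AUTH_RE = re.compile(r'^(\S+) auth sshd: (Failed|Accepted) password for \S+ from (\S+) port \d+$')


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_ids(text: str) -> List[Event]:
    """Normalize IDS lines; weights per signature family are an assumption."""
    events = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if m:
            sig = m.group(2)
            weight = 3 if sig.startswith("ET SCAN") else 2 if sig.startswith("ET POLICY") else 1
            events.append(Event(_ts(m.group(1)), "ids", m.group(3), sig, weight))
    return events


def parse_auth(text: str) -> List[Event]:
    """Normalize sshd lines; a successful login after failures weighs most."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            outcome = m.group(2)
            weight = 5 if outcome == "Accepted" else 1
            events.append(Event(_ts(m.group(1)), "auth", m.group(3), f"ssh-{outcome.lower()}", weight))
    return events


def correlate(events: List[Event], window: timedelta = timedelta(minutes=5),
              threshold: int = 8, min_sensors: int = 2) -> List[Dict]:
    """Group events by source IP, score the highest-scoring sliding window per
    IP, and raise an incident when the score meets the threshold AND at least
    min_sensors distinct sensors saw the source (one sensor alone is a weaker
    signal and a common false-positive source)."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.src_ip].append(e)
    incidents = []
    for ip, evs in by_ip.items():
        best_score, best_bucket, start = -1, [], 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            bucket = evs[start:end + 1]
            score = sum(e.weight for e in bucket)
            if score > best_score:
                best_score, best_bucket = score, bucket
        sensors = {e.sensor for e in best_bucket}
        if best_score >= threshold and len(sensors) >= min_sensors:
            incidents.append({"src_ip": ip, "score": best_score, "sensors": sorted(sensors),
                              "first": best_bucket[0].ts, "last": best_bucket[-1].ts,
                              "kinds": sorted({e.kind for e in best_bucket})})
    return incidents


def detect(ids_text: str = IDS_LOG, auth_text: str = AUTH_LOG, **kw) -> List[Dict]:
    """Aggregate both sources and correlate; kw overrides window/threshold/min_sensors."""
    return correlate(parse_ids(ids_text) + parse_auth(auth_text), **kw)
```

On the constructed data, 203.0.113.9 scans, probes RDP, fails SSH twice and then logs in successfully within 91 seconds, which crosses the threshold with both sensors contributing; 198.51.100.4 generates one low-weight event per sensor and stays below it. The `min_sensors` parameter is the DE.AE-5 lever: dropping it to 1 lets the IDS alone raise an incident, which is where most threshold tuning happens in practice.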

SAO has the potential to transform incident response workflows. The right SAO solution enables a cybersecurity team to work smarter and stay on top of alerts and incidents as they arrive. The team can also use the records SAO keeps of each response to improve incident response over time. In this way, SAO helps organizations move up the Framework’s tiers, developing repeatable and then adaptive incident response processes.

Swimlane and the NIST Cybersecurity Framework to improve incident response

Swimlane delivers security automation and orchestration that can help your organization comply with the Cybersecurity Framework and improve incident response. Easy to implement, use, manage and scale, Swimlane uses object-oriented methods that enable a security operations team to leverage the capabilities of their existing security tools.

Are you interested in learning more about how security automation can help your organization? Download our e-book – 8 Real-World Use Cases for Security Orchestration, Automation and Response.
