Cyberattacks evolve daily, and defenders are forced to adapt at the same rate. Cybersecurity best practices, however, are updated and codified much less frequently. There is broad experimentation in the field, and it takes some time for authoritative working groups to sort out which new practices and controls are practical and consistently effective for a large cross-section of users. Some guidelines and standards are updated every year or two and others much less frequently.
When the National Institute of Standards and Technology (NIST) announced in February 2022 that it would update the Cybersecurity Framework (CSF), leading to the publication of a “CSF 2.0,” cybersecurity policy analysts and practitioners took note. Long regarded as a key reference, the CSF is used by organizations globally to assess and enhance their cybersecurity maturity.
CrowdStrike’s Public Policy team submitted input for the first and second public comment opportunities based on our experience defending against and remediating cyberattacks. This blog post provides a quick overview of the evolution of the CSF as well as some of our ideas for this upcoming revision.
Table of Contents
Background of NIST CSF
NIST’s CSF has been applauded for its flexibility, risk-based approach and relevance to all sectors. When building the CSF ahead of its initial release in 2014, NIST engaged with various stakeholder groups, which has led to its success as a widely adopted and usable framework. A key contribution of the framework at launch was to divide a messy and overlapping set of security and risk management imperatives into five easily understandable functions: identify, protect, detect, respond and recover. These functions are further divided into more descriptive categories, and further to subcategories that map to other control sets.1 The CSF also outlines implementation tiers and provides reference profiles.
NIST released an update, CSF 1.1, in 2018, providing additional categories on identity management and supply chain cybersecurity. This reflected the evolving baseline security measures organizations needed to take to protect themselves from adversaries. In 2022, NIST began the update process again, this time pursuing a 2.0 version of the CSF to “help the Framework keep pace with technology and threat trends, integrate lessons learned, and move best practice to common practice.”2 In August 2023, the CSF 2.0 Public Draft was released for comment, and NIST noted the final CSF 2.0 will be published in early 2024.
CrowdStrike’s Recommendations
In our comments, we supported NIST’s intent to add a “Govern” function and expand its coverage of supply chain security. In the CSF 2.0 Public Draft, we were pleased to see the Govern function includes crosscutting cybersecurity governance practices such as determining priorities and risk tolerances of the organization. The NIST Privacy Framework has a Govern function, and similar CSF 2.0 categories about governance policies, processes and procedures are important because data privacy and cybersecurity cannot exist without each other and are more intertwined than ever before.
Cybersecurity supply chain security is more important than ever due to recent, widespread cybersecurity supply chain attacks. NIST updated supply chain practices in the 2018 CSF 1.1 version. Now that new technologies exist, such as cybersecurity systems that leverage artificial intelligence and machine learning to better find threats, it is timely that a supply chain security refresh is included in CSF 2.0.
Zero Trust Architecture
Zero Trust Architecture is no longer a “next step” organizations can take to bolster their security posture — it should be a security baseline. The current CSF’s characterization of best practices for identity management, authentication and access control are modest relative to widely adopted practices in the field. Explicit guidance on Zero Trust Architecture implementation would yield stronger cybersecurity outcomes. The CSF 2.0 should include a subcategory titled “Implement a Zero Trust Architecture” under the “Protect” function and “Identity Management, Authentication and Access Control” category.
A new Zero Trust subcategory can include best practices like the use of cloud-based endpoint detection and response (EDR), comprehensive logging, identity protection and use of multifactor authentication. Due to fundamental problems with today’s widely used authentication architectures, organizations must incorporate new security protections focused on authentication.
As reported in the CrowdStrike 2022 Global Threat Report, 80% of cyberattacks in 2021 leveraged identity-based techniques to compromise legitimate credentials and evade detection, and in 2022, adversaries doubled down on advertising stolen credentials and access-broker services in the criminal underground.3 Identity attacks will only continue to increase. Revising the Protect function to include ZTA will further align CSF 2.0 with existing NIST work and raise organizations’ security against these attacks.
Combine Detect and Respond
Given developments in the practice of cybersecurity in recent years, NIST should consider unifying the high-level “Detect” and “Respond” functions in the final CSF 2.0. Once conceptually separate, cybersecurity tools, practices and controls across these functions have evolved and converged over time. Whereas these functions previously took place in serial, often across separate teams, today security operations concepts employ detection and response in parallel.
The old model failed. Adversaries exploit gaps and delays to achieve their objectives. Breakout time — the time it takes an adversary to move laterally from an initially compromised host — is getting faster each year. Based on CrowdStrike data, breakout time decreased from 98 minutes in 20214 to 79 minutes in 2022.5 For this reason, when responding to a security incident or event, every moment counts.
The more an organization can do to detect and stop adversaries at the outset of an attack, the better chance of preventing them from achieving their objectives. By combining the “Detect” and “Respond” categories, the CSF 2.0 can reflect a settled consensus within the industry that detection and response are two sides of the same coin. This insight has yielded both EDR capabilities and significant ongoing investment across industry in the extended detection and response (XDR) category.
Threat Intelligence
CrowdStrike also recommends that NIST consider creating a new “Intelligence” Category under the Identify function. Given the current threat landscape, it is necessary for organizations to be familiar with the adversaries that could target their systems. Cybersecurity threats are evolving and increasing, and as the adversaries continue to evolve and find new ways to target victims, organizations need to increase their emphasis on cybersecurity practices that leverage the most effective technologies.
Next Steps
Updating the CSF is a positive step to help organizations that use the Framework stay ahead of today’s threats. In the almost 10 years the NIST CSF has existed, it has become a tool numerous organizations use to stay up-to-date with cybersecurity practice accepted by the community as best practices. If the CSF is to maintain currency over the coming years, NIST and stakeholder groups must continue to regularly update it to reflect changes in best practices to keep pace with quickly evolving adversary threats.
In the final version of the CSF 2.0, there are forward-looking changes NIST can make to bring the Framework into 2023 and beyond. We hope our recommendations inform discussion for the CSF 2.0 Public Draft and look forward to continued engagement with NIST and community stakeholders on this subject. In the meantime, organizations can evaluate and adopt these practices now.
Additional Resources
- https://www.nist.gov/cyberframework/online-learning/components-framework
- https://www.nist.gov/cyberframework/updating-nist-cybersecurity-framework-journey-csf-20
- CrowdStrike 2023 Global Threat Report: https://www.crowdstrike.com/global-threat-report/
- CrowdStrike 2022 Global Threat Report
- CrowdStrike 2023 Threat Hunting Report: https://www.crowdstrike.com/threat-hunting-report/
Leave a Reply