NIST CSF 2.0 Identify Function: The organization's current cybersecurity risks are understood.
Source: NIST CSF 2.0
The NIST CSF 2.0 Identify Function helps you better understand and manage cybersecurity risks through identifying and prioritizing threats, vulnerabilities, and assets. Your organization can build a thorough awareness of your cybersecurity posture, including your present condition, risk tolerance, and business objectives, with the help of this systematic method.
The Identify Function helps you identify and prioritize your most important systems, data, and assets. Examples of these tasks include asset management and risk assessment. You can also gain a thorough grasp of your organization's cybersecurity threats and lay the groundwork for efficient cybersecurity controls and risk management techniques. In all, the Identify Function gives you the ability to recognize and handle cybersecurity issues in a proactive manner, strengthen your defenses against online attacks, and safeguard your vital resources and operations.
The goals of the Identify Function are:
- Organizational environmental analysis
- Cybersecurity posture measurement
- Strategies of continuous improvement
The Identify Function has three categories:
- Asset Management (ID.AM)
- Risk Assessment (ID.RA)
- Improvement (ID.IM)
Each category has multiple subcategories.
1. Asset Management (ID.AM)
This category concentrates on the fundamental duty of thoroughly identifying and overseeing all organizational assets that facilitate business operations. This covers both intangible assets, like data, intellectual property, and reputational assets, as well as physical assets, like hardware, software, and facilities. Organizations may efficiently manage resources and prioritize tasks to safeguard and secure their most important assets from cybersecurity threats by keeping a precise inventory of assets and comprehending their worth, criticality, and interdependencies.
The subcategories of ID.AM are:
- ID.AM-01: Inventories of hardware managed by the organization are maintained.
- ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained.
- ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained.
- ID.AM-04: Inventories of services provided by suppliers are maintained.
- ID.AM-05: Assets are prioritized based on classification, criticality, resources, and impact on the mission.
- ID.AM-07: Inventories of data and corresponding metadata for designated data types are maintained.
- ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles.
2. Risk Assessment (ID.RA)
The main objective of this category is understanding and controlling cybersecurity risks. It entails the methodical process of locating, evaluating, and ranking any threats to the information assets, operations, and systems of an organization. Organizations may make well-informed choices, efficiently allocate resources, and apply suitable measures to manage identified risks by carrying out risk assessments.
The subcategories of ID.RA are:
- ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded.
- ID.RA-02: Cyber threat intelligence is received from information-sharing forums and sources.
This subcategory highlights the significance of utilizing cyber threat intelligence (CTI) from many information-sharing platforms and sources to improve corporate risk assessment capabilities. Organizations may obtain significant insights on new risks, attack patterns, and adversary tactics, techniques, and procedures (TTPs) by actively engaging in information-sharing forums and working with trustworthy partners. With access to timely and relevant CTI, organizations may proactively detect potential threats and vulnerabilities that pose risks to their assets, systems, and operations.
By improving the precision and efficacy of risk identification, prioritization, and mitigation activities, CTI integration into risk assessments enables organizations to allocate resources effectively and make well-informed choices. Additionally, by using CTI to keep up to date with the constantly shifting threat landscape, organizations may modify their security policies and procedures to counter new threats and stay one step ahead of cybercriminals.
Using CTI from information-sharing platforms and sources is crucial to bolstering an organization's defenses against cyberattacks, improving its capacity to safeguard vital resources, and accomplishing its cybersecurity goals.
ManageEngine Log360's integrated threat detection module and sophisticated threat analytics add-on will assist you with blocking perilous sources, data breaches, and malicious site visits. This integrated platform helps prioritize essential security threats, decrease false positives, and expedite threat detection by combining both commercial and open-source threat feeds. By tracking malicious IP addresses attempting to access your company's vital resources and analyzing users accessing unsafe and banned websites, Log360 will aid in both detection and mitigation. The solution will also help you gain more insights about the attack techniques, IP reputation scores, and geolocations of hostile actors trying to infiltrate your network.
With Log360, your organization can not only stop communication from a malicious source, but also initiate an automated process to add blacklisted IPs to the firewall and block them permanently with predefined Threat Alerts capabilities. Log360's Threat Intelligence Solution verifies every outgoing communication, instantly cuts off contact with harmful IPs, domains, or URLs, and alerts the relevant analyst—all in real time.
Log360's Advanced Threat Analytics module identifies threats and attack types, including malware, phishing, and other known attacks. The incident investigation team can use these contextual details to conduct threat triage and confirm suspected incidents.
- ID.RA-03: Internal and external threats to the organization are identified and recorded.
This subcategory's main emphasis is the critical duty of recognizing and documenting internal and external risks to the organization's cybersecurity posture.
Insider fraud, accidental data breaches, and hostile personnel modifying systems without authorization are examples of internal dangers. Cyberattacks like malware infections, phishing campaigns, and distributed denial-of-service (DDoS) attacks are all considered forms of external threats. Through the methodical identification and documentation of various risks, organizations acquire a significant understanding of the complexity of the risks they experience. Comprehensive threat intelligence collection, vulnerability assessments, and security audits are all part of this procedure.
Organizations can keep an up-to-date inventory of possible hazards by documenting these threats in a unified repository. Additionally, it makes continuous risk management tasks, like resource allocation, planning for mitigation, and risk prioritization, easier. And by offering actionable knowledge for prompt identification and response, the documentation of internal and external risks enhances incident response readiness. By carefully recognizing and documenting both internal and external risks, organizations may proactively improve their cybersecurity resilience and better safeguard their assets, reputation, and stakeholders' confidence.
Log360 is a unified SIEM solution with effective attack detection capabilities. Log360 provides an advanced TDIR engine, Vigil IQ, which helps organizations identify, navigate, and investigate threats. Vigil IQ provides vast coverage to both internal and external security threats, intuitive analytics, and automated playbooks to help organizations overcome cybersecurity challenges.
With features such as real-time correlation, MITRE ATT&CK reports, and ML-based UEBA, Log360 Vigil IQ enables granular visibility to spot both internal and external attackers. Examples of insider threat activity that it can detect include the use of PowerShell for domain enumeration, cleared event logs, and repeated failed sudo commands. External threat activity it detects includes illegal cryptomining or cryptojacking, repeated SQL injection attempts, and parent processes spawning suspicious child processes.
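Two of the insider-threat indicators named above (repeated failed sudo commands and a cleared event log) are simple enough to show as detection logic. The following is an added example written for this page, not Log360's own code or rules: it runs two detections over constructed sample log lines. The Linux lines imitate the pam_unix sudo authentication-failure syslog format; the Windows lines are a hypothetical flat rendering of Security-log events (event ID 1102 is the real "audit log was cleared" event, but the line layout here is an assumption made for the example). The thresholds and time window are also chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta


def sudo_fail_line(ts, host, user):
    """Build a constructed syslog-style sudo authentication failure line."""
    return (f"{ts} {host} sudo: pam_unix(sudo:auth): authentication failure; "
            f"logname={user} uid=1001 euid=0 tty=/dev/pts/0 ruser={user} rhost=  user={user}")


# Constructed sample input (not real captures).
SAMPLE_LOGS = [
    sudo_fail_line("2024-03-10T09:12:01", "host1", "alice"),
    sudo_fail_line("2024-03-10T09:12:09", "host1", "alice"),
    sudo_fail_line("2024-03-10T09:12:20", "host1", "alice"),
    sudo_fail_line("2024-03-10T09:12:31", "host1", "alice"),
    sudo_fail_line("2024-03-10T09:30:00", "host1", "bob"),      # single failure: benign
    "2024-03-10T10:05:44 WS42 Security EventID=1102 Message=The audit log was cleared. Subject=CORP\\jdoe",
    "2024-03-10T10:06:00 WS42 Security EventID=4624 Message=An account was successfully logged on. Subject=CORP\\jdoe",
]

# Greedy .* means the last "user=" (not "ruser=") is captured; \b rejects "ruser=".
SUDO_FAIL_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sudo: pam_unix\(sudo:auth\): authentication failure;.*\buser=(?P<user>\S+)"
)
LOG_CLEARED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) Security EventID=1102\b.*Subject=(?P<subject>\S+)"
)


def detect_repeated_sudo_failures(lines, threshold=3, window=timedelta(minutes=5)):
    """Alert once per (host, user) when `threshold` sudo failures fall inside a sliding `window`."""
    failures = defaultdict(list)
    for line in lines:
        m = SUDO_FAIL_RE.match(line)
        if m:
            failures[(m["host"], m["user"])].append(datetime.fromisoformat(m["ts"]))

    alerts = []
    for (host, user), times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Advance the window start until all retained timestamps are within `window` of t.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"host": host, "user": user, "count": end - start + 1,
                               "first": times[start].isoformat(), "last": t.isoformat()})
                break  # one alert per (host, user) is enough for triage
    return alerts


def detect_log_cleared(lines):
    """Flag every Security-log 'audit log cleared' event (EventID 1102) with the clearing subject."""
    return [{"host": m["host"], "subject": m["subject"], "ts": m["ts"]}
            for m in map(LOG_CLEARED_RE.match, lines) if m]


def run_detections(lines=SAMPLE_LOGS):
    """Run both detections and return their findings keyed by detection name."""
    return {
        "repeated_sudo_failures": detect_repeated_sudo_failures(lines),
        "event_log_cleared": detect_log_cleared(lines),
    }


if __name__ == "__main__":
    for name, findings in run_detections().items():
        print(name, findings)
```

The sliding window matters for the sudo rule: four failures spread over a day are ordinary typing mistakes, while three inside five minutes on the same host and account are worth an analyst's attention. The log-cleared rule has no threshold because a single clearing of the Security log is already a high-value signal and the subject field tells the responder who to ask.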
- ID.RA-04: Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded.
- ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization.
- ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated.
- ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked.
- ID.RA-08: Processes for receiving, analyzing, and responding to vulnerability disclosures are established.
- ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition and use.
- ID.RA-10: Critical suppliers are assessed prior to acquisition.
3. Improvement (ID.IM)
This category is dedicated to constantly enhancing the cybersecurity posture of the organization. It highlights the criticality of having procedures in place that help find and rank areas for improvement in accordance with the organization's goals and priorities for risk management. Organizations may boost their entire cybersecurity posture, adapt more effectively to new threats, and increase resilience by cultivating a culture of continuous improvement.
The subcategories of ID.IM are:
- ID.IM-01: Improvements are identified from evaluations.
- ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties.
- ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities.
- ID.IM-04: Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved.
Take the lead in data protection best practices with our unified SIEM solution!