NIST CSF 2.0 Protect Function: Safeguards to manage the organization's cybersecurity risks are used.
Source: NIST CSF 2.0
The NIST CSF 2.0 Protect Function covers the safeguards that keep your data and systems from being compromised in the first place. Think of it as the barrier around the data that belongs to your organization: controls that stop unauthorized access and preserve the confidentiality, integrity, and availability of data and services. Protect is about prevention; noticing and handling the incidents that get past these safeguards belongs to the Detect and Respond Functions. Together with those Functions, Protect gives your organization a robust defense against cyberattacks and keeps its assets secure.
The goals of the Protect Function are:
- Implementing proactive security measures
- Enhancing employee awareness and training
- Securing data integrity
The Protect Function has five categories:
- Identity Management, Authentication, and Access Control (PR.AA)
- Awareness and Training (PR.AT)
- Data Security (PR.DS)
- Platform Security (PR.PS)
- Technology Infrastructure Resilience (PR.IR)
Each category has multiple subcategories.
1. Identity Management, Authentication, and Access Control (PR.AA)
This category focuses on securing sensitive data and important assets by managing user identities, implementing access controls, and enforcing authentication. It covers confirming the identity of the people, services, and devices that use the organization's systems and resources, and ensuring that only authorized entities receive the access privileges they need, and no more. Granular access controls, strong authentication, and efficient identity management lower the risk of insider threats, unauthorized access, and data breaches, and improve the organization's overall cybersecurity posture.
The subcategories of PR.AA are:
- PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization.
- PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions.
- PR.AA-03: Users, services, and hardware are authenticated.
- PR.AA-04: Identity assertions are protected, conveyed, and verified.
- PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties.
- PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk.
2. Awareness and Training (PR.AT)
This category highlights the significance of staff education and empowerment in order to successfully reduce cybersecurity threats. It includes initiatives to educate staff members on cybersecurity rules, procedures, and best practices.
Organizations may improve their workforce's capacity to identify and address cyber risks by offering extensive training and instructional materials. This will strengthen the organization's overall security posture.
The subcategories of PR.AT are:
- PR.AT-01: Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind.
- PR.AT-02: Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind.
3. Data Security (PR.DS)
This category is devoted to protecting information from unauthorized access, disclosure, or modification. It includes safeguards intended to guarantee the confidentiality, integrity, and availability of data assets. PR.DS aims to secure sensitive data by identifying it, classifying it according to its sensitivity, and putting in place controls proportionate to that classification. Encryption, access restrictions, data loss prevention (DLP) techniques, and secure data disposal are examples of these measures. Keeping the controls effective also depends on logging and reviewing how data is accessed, so that control failures are noticed; the detection and response work itself falls under the Detect and Respond Functions. PR.DS gives organizations a framework for implementing and maintaining data security practices that are consistent with their risk management goals.
The subcategories of PR.DS are:
- PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected.
This subcategory addresses confidentiality, integrity, and availability for data while it is at rest. Confidentiality means limiting access to sensitive data to the people and systems that are permitted to see it, so that it is not disclosed or exposed. Integrity means the data is accurate, complete, and unmodified throughout its lifecycle, and that unauthorized alteration is detected.
Availability means the data is accessible and usable when it is needed, which limits downtime and interruptions to business operations. To meet PR.DS-01, organizations must put in place a set of security controls and procedures designed for data at rest specifically.
For confidentiality, this typically means encrypting stored data, with the keys held separately from the data (for example, in a key management system) so that a copy of the storage alone is useless to whoever obtains it. For integrity, the check must be something an attacker with write access to the storage cannot simply recompute: a plain checksum such as SHA-256 detects accidental corruption but not deliberate tampering, because whoever can change the data can update the checksum alongside it, whereas a keyed message authentication code (MAC) or a digital signature, with the key kept away from the storage, detects both. Organizations should also set up strong authentication and access controls that decide who may access data at rest based on roles, permissions, and business need.
Continuous monitoring and auditing of data-at-rest environments lets organizations detect and respond to security issues promptly, mitigate risk, and demonstrate regulatory compliance.
PR.DS-01 calls for a comprehensive strategy for stored data that addresses confidentiality, integrity, and availability together, reducing the likelihood of loss, alteration, or unauthorized access. Organizations that implement strong policies and procedures in line with this subcategory strengthen their resistance to attacks on their most valuable asset, their data.
ManageEngine Log360 is a unified SIEM solution with DLP capabilities that secures data at rest. Log360 helps avoid data exposure by blocking high-risk file copy activities to USB devices and across local and network shares. Log360 also monitors file servers by tracking and recording a complete audit trail of all files copied, auditing your clipboard for Ctrl+C and right-click copy actions. By leveraging Log360, you can secure your data at rest by monitoring file servers, failed and successful data exfiltration attempts, and possible ransomware attempts.
- PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected.
The goal of this subcategory is to protect the confidentiality, integrity, and availability of data while it is being transferred across networks or between systems. Strong controls are needed to guard data on the wire against interception, unauthorized access, and alteration. Data in transit should be encrypted with Transport Layer Security (TLS) version 1.2 or later; the older Secure Sockets Layer (SSL) protocols and TLS 1.0 and 1.1 are deprecated and should be disabled. Organizations should also authenticate both ends of a connection, for example with certificate-based or mutual (mTLS) authentication, so that each party knows who it is talking to and unauthorized systems cannot join the exchange. A modern TLS connection already authenticates and integrity-protects every record it carries; where data leaves the TLS channel, for instance messages that are queued, relayed, or stored along the way, integrity should be protected at the message level with digital signatures or message authentication codes (MACs).
To minimize the risk of interception or eavesdropping, organizations should also use network segmentation and access controls to limit which users and systems can reach data in transit. Network traffic should be routinely monitored and logged so that irregularities pointing to unauthorized access or tampering are identified. Finally, incident response policies and procedures limit the effect of security events affecting data in transit and restore the confidentiality, integrity, and availability of the affected data.
Complying with PR.DS-02 not only helps prevent unwanted access to or exposure of sensitive data, it also builds confidence in the organization's data handling and contributes to a resilient cybersecurity posture.
Log360 is a unified SIEM solution with DLP capabilities that secures data in transit. Log360 helps prevent files containing highly sensitive data from being shared via email as attachments. Log360 also allows the tracking of data sharing patterns via web apps like SharePoint, Exchange, OneDrive, Dropbox, and more with details on who made the request, when, and from where. Leverage Log360 to secure your data in transit by monitoring workstations, file servers, cloud applications, and more.
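The integrity point made for PR.DS-01 (a checksum that anyone with write access can recompute is not tamper protection) and for PR.DS-02 (message-level MACs for data that leaves the TLS channel) is the same mechanism, so a single added example covers both. This is illustrative code written for this page, not Log360 code or NIST material; the key, the record and the attacker's edit are constructed, and the key is hard-coded only so the example is deterministic.

```python
import hashlib
import hmac
import json

# Hypothetical integrity key (assumption for the example). In practice it comes from a key
# management system and is never stored beside the data it protects.
INTEGRITY_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so the same content always yields the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def protect(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Wrap a record with an HMAC-SHA256 tag. The envelope can be written to disk or sent to a peer."""
    payload = canonical(record)
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


def verify(envelope: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare in constant time.

    False means the payload or the tag was altered, or the tag was made under a different key.
    """
    expected = hmac.new(key, envelope["payload"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def plain_checksum(payload: str) -> str:
    """The weak alternative: an unkeyed digest that anyone who can write the data can also recompute."""
    return hashlib.sha256(payload.encode()).hexdigest()


def demo() -> dict:
    """Compare both schemes against an attacker who can write to the stored (or relayed) data."""
    record = {"account": "A-1042", "balance": 250}  # constructed sample record
    envelope = protect(record)

    # The attacker rewrites the balance and, because the checksum is unkeyed, recomputes it too.
    forged_payload = envelope["payload"].replace(":250}", ":999250}")
    forged_checksum = plain_checksum(forged_payload)

    return {
        "original_verifies": verify(envelope),
        # A reader that only recomputes SHA-256 sees a consistent checksum and accepts the forgery.
        "checksum_accepts_forgery": plain_checksum(forged_payload) == forged_checksum,
        # Without the key the attacker cannot produce a matching tag, so the HMAC check rejects it.
        "hmac_accepts_forgery": verify({"payload": forged_payload, "tag": envelope["tag"]}),
        # A tag produced under some other key (an impersonating sender) is rejected as well.
        "wrong_key_accepted": verify(protect(record, key=b"not-the-real-key")),
    }


if __name__ == "__main__":
    print(demo())
```

The same envelope works for a file written to storage and for a message handed to a queue; in both cases the verifier needs the key and the attacker does not. A digital signature gives the same guarantee when the verifier must not hold a secret that could also forge tags.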
- PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected.
This subcategory focuses on protecting the confidentiality, integrity, and availability of data while it is being processed or accessed. Organizations need controls that safeguard data that is actively being read, modified, or processed by users or applications, since that is when it is typically in cleartext. Protecting the confidentiality of data in use prevents unauthorized access to or exposure of sensitive data while it is being processed; the integrity controls under PR.DS-10 guard against unauthorized changes or tampering during processing, preserving the data's reliability and validity.
Maintaining the availability of data in use means putting safeguards in place against interruptions or denial of access to vital data during processing. To reduce the risks to data in use, such as insider threats, unauthorized access, and data breaches, PR.DS-10 promotes encryption, access restrictions, and monitoring. Organizations must evaluate their data processing workflows, identify weaknesses, and apply the necessary security measures to manage risk and safeguard sensitive data throughout its lifecycle.
Organizations may improve their overall data security posture and lessen the possible impact of security events on stakeholder trust and business operations by adhering to PR.DS-10 criteria.
Log360 is a unified SIEM solution with DLP capabilities that secures data in use. Leverage Log360 to monitor and report on a wide range of file activities, including create, delete, modify, overwrite, rename, move, read, etc., in real time. Also gather details on all file activities via browsers, such as potential upload and download actions by employees. It also allows you to classify files based on their sensitivity into categories, like Public, Private, Confidential, or Restricted, to help secure at-risk confidential files. Secure your organization's data in use by adopting Log360 now.
- PR.DS-11: Backups of data are created, protected, maintained, and tested.
4. Platform Security (PR.PS)
This category is responsible for protecting the organization's hardware, software, and firmware from cybersecurity threats. PR.PS highlights how crucial it is to have strong security measures in place to safeguard the platforms that underpin vital business processes. The category covers a range of components, such as cloud infrastructure, mobile devices, servers, and endpoints, all of which need to be actively protected against vulnerabilities and attacks. To reduce platform-related risk, PR.PS places a strong emphasis on encryption, patch management, access restrictions, and secure configurations. Organizations that properly safeguard their platforms reduce the likelihood and impact of cyberattacks, data breaches, and system intrusions.
The PR.PS category is essential to maintaining the integrity, availability, and confidentiality of the company's platforms and related data as well as strengthening its overall cybersecurity posture.
The subcategories of PR.PS are:
- PR.PS-01: Configuration management practices are established and applied.
- PR.PS-02: Software is maintained, replaced, and removed commensurate with risk.
- PR.PS-03: Hardware is maintained, replaced, and removed commensurate with risk.
- PR.PS-04: Log records are generated and made available for continuous monitoring.
This subcategory emphasizes the need to keep thorough records of security-related events and activities across an organization's IT infrastructure. Log entries give organizations data on user behavior, system events, network traffic, and other security-related activity. These records are an essential source of information for identifying malicious activity, responding to and investigating security issues, and demonstrating that regulatory requirements are met. Organizations that continuously monitor their logs can quickly detect and address unusual or suspicious activity that may point to a security breach or unauthorized access.
To monitor log data efficiently, organizations should use automated tooling, such as a SIEM solution, that can aggregate and analyze logs and raise real-time alerts on security incidents. Centralizing log management and giving security staff easy access to log information improves an organization's ability to identify and mitigate cybersecurity risks and speeds up incident response. Logs are only useful as forensic evidence and as an audit trail if their integrity and confidentiality are preserved: forward them promptly to a central store that the originating host cannot alter, and keep clocks synchronized so that events from different systems can be correlated. Regularly reviewing and analyzing log data also helps organizations understand their cybersecurity posture, observe trends and patterns, and pinpoint where security controls and policies need to be improved.
PR.PS-04 assists organizations in improving their data security abilities, fortifying their defense against cyberattacks, and preserving stakeholders' faith and confidence in their detection and response capacity.
Log360 is a unified SIEM solution with significant log management capabilities. Log360 automatically discovers the Windows and syslog devices on your network and ingests their log data. It also automatically imports log data at regular intervals from applications such as vulnerability scanners and databases. With features such as custom log parsing, real-time analytics, secure log archival, and automated workflows, Log360 bolsters your organization's cybersecurity.
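To make the "continuous monitoring" half of PR.PS-04 concrete, here is an added example of the kind of detection logic a SIEM runs over collected log records: a brute-force rule that fires when one source IP accumulates a threshold of failed logins inside a time window and then logs in successfully. This is illustrative code written for this page, not Log360's rule engine; the key=value log format and the log lines are constructed, and the threshold and window are assumptions you would tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a simple key=value format (not real Log360 or syslog output).
# 203.0.113.7 fails six times and then succeeds as alice; 198.51.100.9 is a user mistyping twice.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=web01 user=admin src=203.0.113.7 action=login result=failure
2024-05-01T10:00:05Z host=web01 user=root src=203.0.113.7 action=login result=failure
2024-05-01T10:00:12Z host=web01 user=alice src=203.0.113.7 action=login result=failure
2024-05-01T10:00:20Z host=web01 user=alice src=203.0.113.7 action=login result=failure
2024-05-01T10:00:33Z host=web01 user=alice src=203.0.113.7 action=login result=failure
2024-05-01T10:00:47Z host=web01 user=alice src=203.0.113.7 action=login result=failure
this line is malformed and must not crash the detector
2024-05-01T10:01:30Z host=web01 user=alice src=203.0.113.7 action=login result=success
2024-05-01T10:02:00Z host=web01 user=bob src=198.51.100.9 action=login result=failure
2024-05-01T10:02:10Z host=web01 user=bob src=198.51.100.9 action=login result=failure
2024-05-01T10:02:30Z host=web01 user=bob src=198.51.100.9 action=login result=success
2024-05-01T10:30:00Z host=web01 user=alice src=203.0.113.7 action=login result=failure
2024-05-01T10:30:05Z host=web01 user=alice src=203.0.113.7 action=login result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) action=login result=(?P<result>success|failure)$"
)


def parse_line(line: str):
    """Parse one login record; return None for lines that do not match the expected format."""
    match = LINE_RE.match(line)
    if match is None:
        return None
    event = match.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_brute_force(lines, threshold: int = 5, window: timedelta = timedelta(minutes=2)) -> list:
    """Alert when a source has at least `threshold` failures inside `window` and then a success."""
    recent_failures = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # unparseable input is skipped, not fatal; a real pipeline would count these
        failures = recent_failures[event["src"]]
        while failures and event["ts"] - failures[0] > window:
            failures.popleft()  # expire failures that fell out of the window
        if event["result"] == "failure":
            failures.append(event["ts"])
        elif len(failures) >= threshold:
            alerts.append({
                "rule": "brute-force-then-success",
                "src": event["src"],
                "user": event["user"],
                "host": event["host"],
                "failures": len(failures),
                "ts": event["ts"].isoformat(),
            })
            failures.clear()  # one alert per burst
    return alerts


def run_demo() -> list:
    return detect_brute_force(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The rule deliberately keys on the source address rather than the user name, so that a spray across several accounts (admin, root, alice above) still counts as one burst; the two failures from 198.51.100.9 stay below the threshold and produce no alert, and the stray failure at 10:30 falls outside the window of the earlier burst.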
- PR.PS-05: Installation and execution of unauthorized software are prevented.
One of the most important subcategories under Platform Security, PR.PS-05 highlights how crucial it is to reduce the risks that come with installing and running unauthorized software on the organization's platforms. By prohibiting the installation and execution of unauthorized software, organizations reduce the chance of introducing malicious or vulnerable programs that could jeopardize the security and integrity of their systems. Under this subcategory, installation and execution are limited to authorized people and approved programs through strong access controls such as user permissions and application allowlisting. An allowlist is only as strong as the attribute it keys on: rules based on file name or path are defeated by renaming or dropping a file into an approved directory, so rules should identify software by cryptographic hash or by publisher signature.
Organizations should also use endpoint security solutions, including privilege management and application control, to enforce these policies and to watch software installations in real time. Clear rules and procedures that specify acceptable software sources, installation methods, and approval steps are essential for controlling what gets installed and run.
Routine audits and monitoring of software installations and executions let organizations spot unauthorized activity or policy violations and act quickly. Patch management and ongoing vulnerability assessment are essential for fixing the software flaws that unauthorized programs might exploit. Employees should learn about the dangers of unapproved software and the importance of following corporate rules and procedures through training and awareness initiatives. Establishing effective controls and preserving a safe platform environment requires cooperation between IT teams, system administrators, and software developers.
PR.PS-05 is essential for maintaining platform security, boosting defenses against attacks involving unapproved software, and protecting company information and assets.
Log360 is a unified SIEM solution with significant log management and UEBA capabilities. Log360 uses both agent-based and agentless log collection so that no entity or abnormal behavior goes unnoticed. Log360 UEBA also provides insights into unauthorized or abnormal software installations and executions within your network.
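The difference between a name-based and a hash-based allowlist, mentioned above under PR.PS-05, is easiest to see on the failure cases. The following is an added example written for this page, not code from Log360 or NIST: the "binaries" are constructed byte strings standing in for files on disk, and the four test cases are assumptions chosen to show where each scheme breaks.

```python
import hashlib

# Constructed stand-ins for approved binaries (file name -> file content). A real allowlist would be
# built from the bytes of the vetted builds on disk, or from their publisher signatures.
APPROVED_BUILDS = {
    "backup.exe": b"MZ\x90\x00 approved backup tool v1.2",
    "updater.exe": b"MZ\x90\x00 approved updater v3.0",
}

# Two ways to express the same allowlist: by file name (weak) and by SHA-256 of content (sound).
ALLOWED_NAMES = set(APPROVED_BUILDS)
ALLOWED_HASHES = {hashlib.sha256(content).hexdigest() for content in APPROVED_BUILDS.values()}


def allowed_by_name(name: str) -> bool:
    """Name-based rule: anything that calls itself backup.exe is trusted."""
    return name in ALLOWED_NAMES


def allowed_by_hash(content: bytes) -> bool:
    """Content-based rule: only the exact vetted bytes are trusted, whatever the file is called."""
    return hashlib.sha256(content).hexdigest() in ALLOWED_HASHES


def decide(name: str, content: bytes) -> dict:
    """Evaluate one execution request under both rule types."""
    return {"name_based": allowed_by_name(name), "hash_based": allowed_by_hash(content)}


def demo() -> dict:
    cases = {
        # the genuine approved build
        "legitimate": ("backup.exe", APPROVED_BUILDS["backup.exe"]),
        # unapproved program renamed to an approved file name
        "renamed_malware": ("backup.exe", b"MZ\x90\x00 unapproved payload"),
        # approved build with one byte appended (a patched or trojaned copy)
        "tampered_copy": ("updater.exe", APPROVED_BUILDS["updater.exe"] + b"\x00"),
        # approved build copied under an unexpected name
        "renamed_legitimate": ("tool.exe", APPROVED_BUILDS["backup.exe"]),
    }
    return {label: decide(name, content) for label, (name, content) in cases.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:20s} name_based={verdict['name_based']!s:5s} hash_based={verdict['hash_based']}")
```

The name-based rule lets the renamed malware and the tampered copy run and blocks the legitimate build only because it was renamed; the hash-based rule gets all four right. The cost of hash rules is maintenance (every new build needs a new entry), which is why application control products also offer publisher-signature rules as a middle ground.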
- PR.PS-06: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle.
5. Technology Infrastructure Resilience (PR.IR)
Assuring the resilience of an organization's technological assets against interruptions is the main goal of this category. PR.IR includes plans and actions for preserving the functioning, availability, and integrity of vital parts of the technological infrastructure, such as data, systems, networks, and apps.
Organizations may lessen the effects of interruptions like cyberattacks, natural catastrophes, or system failures by putting strong resilience measures in place. This will help them maintain operations and meet business continuity goals.
The subcategories of PR.IR are:
- PR.IR-01: Networks and environments are protected from unauthorized logical access and usage.
This subcategory emphasizes protecting networks and environments against unauthorized logical access and usage. Organizations must have strong security controls and procedures in place to stop unauthorized people or systems from reaching vital systems and data. Access restrictions, authentication, and encryption limit access to authorized users only, and user activity and network traffic should be monitored closely so that unauthorized attempts or anomalies are identified and addressed quickly.
Organizations can minimize the risk of malicious access to sensitive information by applying least privilege, using strong authentication such as multi-factor authentication (MFA), and regularly updating and patching software and systems. They should also define and enforce rules covering user accounts, password policy, and access revocation, among other things that govern access to networks and environments. Employee education and awareness campaigns reinforce the value of these measures and keep staff alert to attempts at unauthorized access.
Complying with PR.IR-01 helps organizations safeguard against unauthorized logical access and usage and improves the resilience of their technology infrastructure.
Log360 is a unified SIEM solution with threat intelligence and advanced threat analytics capabilities that help secure networks from malicious access. By tracking malicious IP addresses attempting to access your company's vital resources and helping analyze users who access unsafe or banned websites, the solution aids both threat detection and mitigation. It also gives you insight into attack techniques, IP reputation scores, and the geolocations of hostile actors trying to infiltrate your network. ManageEngine Log360's Advanced Threat Analytics module identifies threats and attack types including malware, phishing, and other known attacks. The incident investigation team can use these contextual details to triage threats and confirm suspected incidents.
- PR.IR-02: The organization's technology assets are protected from environmental threats.
- PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations.
This subcategory highlights the need for safeguards that keep an organization's IT infrastructure resilient in both normal and adverse circumstances. To sustain continuous operations and reduce downtime, these mechanisms are designed to withstand and recover from interruptions such as natural disasters, cyberattacks, and system failures. Disaster recovery plans, business continuity strategies, redundant systems, and failover capabilities are examples of such mechanisms. By putting them in place, organizations lessen the effect of interruptions on crucial parts of their IT infrastructure, such as servers, networks, and data centers.
Organizations should also evaluate and test these resilience mechanisms regularly to make sure they work as intended and to spot areas for improvement. Cooperation between IT, security, and business continuity teams, among other stakeholders within the company, is crucial to a thorough and well-coordinated approach to technology infrastructure resilience. PR.IR-03's ultimate objective is to increase the overall resilience of an organization's technology infrastructure, protecting it from unforeseen obstacles while still enabling it to carry out its purpose and provide critical services.
Log360 is a unified SIEM solution with real-time correlation and UEBA capabilities. With Log360's intuitive correlation dashboard, you can view a summary of all detected security threats, including ransomware attacks, file integrity threats, and database and web server threats, malicious use of command line tools, suspicious process spawning, and exploitation of built-in binary tools and utilities. With Log360's UEBA console, you can analyze all anomaly trends and get insights on the number of detected anomalies, anomaly report statistics, and risk levels for users and entities in your network. You can also gain information on the top 10 anomalous activities and anomalies by category.
- PR.IR-04: Adequate resource capacity to ensure availability is maintained.