NIST Cybersecurity Framework: Tools and References from Microsoft – Detect Function
The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides voluntary guidance – a set of industry standards and best practices – for reducing cybersecurity risks to critical infrastructure. Organizations that want to utilize the framework may find the task daunting at first, but it is helpful to remember that many of the subcategories in the framework can be accomplished with products and technologies they are already using.
Countless organizations around the globe rely on Microsoft technology to achieve their objectives. Understanding how Microsoft products and technologies relate to the NIST Cybersecurity Framework can help customers make significant progress in implementing it. After having several customers and partners ask me about utilizing the NIST Cybersecurity Framework, I’ve begun mapping Microsoft products and architectural references to subcategories of the framework.
This post provides mapping for the Detect function. There’s more to come on this as I work through the Respond and Recover functions.
Detect function mapping
About the mapping
In the tables below, I’ve mapped Microsoft products and architectural references to subcategories of the Detect function in the Framework. The resources listed reflect product information and how-to documentation, and do not include Microsoft service offerings (for example, Premier or MCS). Where I’ve left subcategories blank, the activity should be covered by the implementing organization using internal resources or third parties. For Microsoft partners, that white space is the opportunity to step in and provide much-needed services.
If you have a resource to add to the list below, share your feedback with me in the Enterprise Security + Mobility Partners Yammer group.
Anomalies and Events (DE.AE)
Anomalous activity is detected in a timely manner and the potential impact of events is understood.
| Subcategory | Description |
|---|---|
| DE.AE-1 | A baseline of network operations and expected data flows for users and systems is established and managed |
| DE.AE-2 | Detected events are analyzed to understand attack targets and methods |
| DE.AE-3 | Event data are aggregated and correlated from multiple sources and sensors |
| DE.AE-4 | Impact of events is determined |
| DE.AE-5 | Incident alert thresholds are established |
Security Continuous Monitoring (DE.CM)
The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
| Subcategory | Description |
|---|---|
| DE.CM-1 | The network is monitored to detect potential cybersecurity events |
| DE.CM-2 | The physical environment is monitored to detect potential cybersecurity events |
| DE.CM-3 | Personnel activity is monitored to detect potential cybersecurity events |
| DE.CM-4 | Malicious code is detected |
| DE.CM-5 | Unauthorized mobile code is detected |
| DE.CM-6 | External service provider activity is monitored to detect potential cybersecurity events |
| DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed |
| DE.CM-8 | Vulnerability scans are performed |
Detection Processes (DE.DP)
Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
| Subcategory | Description |
|---|---|
| DE.DP-1 | Roles and responsibilities for detection are well defined to ensure accountability |
| DE.DP-2 | Detection activities comply with all applicable requirements |
| DE.DP-3 | Detection processes are tested |
| DE.DP-4 | Event detection information is communicated to appropriate parties |
| DE.DP-5 | Detection processes are continuously improved |