NIST Cybersecurity Framework: Tools and References from Microsoft – Detect Function

Sergey Tsygalnitsky

The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides voluntary guidance – a set of industry standards and best practices – for reducing cybersecurity risks to critical infrastructure. Organizations that want to utilize the framework may find the task daunting at first, but it is helpful to remember that many of the subcategories in the framework can be accomplished with products and technologies they are already using.

Countless organizations around the globe rely on Microsoft technology to achieve their objectives. Understanding how Microsoft products and technologies relate to the NIST Cybersecurity Framework can help customers make significant progress in implementing it. After having several customers and partners ask me about utilizing the NIST Cybersecurity Framework, I’ve begun mapping Microsoft products and architectural references to subcategories of the framework.

This post provides mapping for the Detect function. There’s more to come on this as I work through the Respond and Recover functions.

Identify function mapping
Protect function mapping
Learn more about the NIST Cybersecurity Framework
Download the NIST Cybersecurity Framework PDF

Detect function mapping

About the mapping

In the tables below, I’ve mapped Microsoft products and architectural references to subcategories of the Detect function in the Framework. The resources listed reflect product information and how-to documentation, and do not include Microsoft service offerings (for example, Premier or MCS). Where I’ve left subcategories blank, the activity should be covered by the implementing organization using internal resources or third parties. For Microsoft partners, that white space is the opportunity to step in and provide much-needed services.

If you have a resource to add to the list below, share your feedback with me in the Enterprise Security + Mobility Partners Yammer group.

Anomalies and Events (DE.AE)

Anomalous activity is detected in a timely manner and the potential impact of events is understood.

DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
DE.AE-2: Detected events are analyzed to understand attack targets and methods
DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors
DE.AE-4: Impact of events is determined
DE.AE-5: Incident alert thresholds are established

Security Continuous Monitoring (DE.CM)

The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.

DE.CM-1: The network is monitored to detect potential cybersecurity events
DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
DE.CM-4: Malicious code is detected
DE.CM-5: Unauthorized mobile code is detected
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
DE.CM-8: Vulnerability scans are performed

Detection Processes (DE.DP)

Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
DE.DP-2: Detection activities comply with all applicable requirements
DE.DP-3: Detection processes are tested
DE.DP-4: Event detection information is communicated to appropriate parties
DE.DP-5: Detection processes are continuously improved

Microsoft security resources

Microsoft Trust Center
Microsoft Cybersecurity website
Microsoft Secure website