The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides voluntary guidance – a set of industry standards and best practices – for reducing cybersecurity risks to critical infrastructure. Organizations that want to utilize the framework may find the task daunting at first, but it is helpful to remember that many of the subcategories in the framework can be accomplished with products and technologies they are already using.
Countless organizations around the globe rely on Microsoft technology to achieve their objectives. Understanding how Microsoft products and technologies relate to the NIST Cybersecurity Framework can help customers make significant progress in implementing it. After having several customers and partners ask me about utilizing the NIST Cybersecurity Framework, I’ve begun mapping Microsoft products and architectural references to subcategories of the framework.
This post provides mapping for the Detect function. There’s more to come on this as I work through the Respond and Recover functions.
Detect function mapping
About the mapping
In the tables below, I’ve mapped Microsoft products and architectural references to subcategories of the Detect function in the Framework. The resources listed reflect product information and how-to documentation and do not include Microsoft service offerings (for example, Premier or MCS). Where I’ve left subcategories blank, the activity should be covered by the implementing organization using internal resources or third parties. For Microsoft partners, that white space is the opportunity to step in and provide much-needed services.
If you have a resource to add to the list below, share your feedback with me in the Enterprise Security + Mobility Partners Yammer group.
Anomalies and Events (DE.AE)
Anomalous activity is detected in a timely manner and the potential impact of events is understood.
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
DE.AE-2: Detected events are analyzed to understand attack targets and methods
DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors
DE.AE-4: Impact of events is determined
DE.AE-5: Incident alert thresholds are established
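As an added illustration (not code from the original post or from any Microsoft product), the following Python example shows what the aggregation-and-correlation and alert-threshold outcomes of this category look like in practice: failed-logon records from two constructed sensors are correlated per account inside a sliding time window, one alert is raised once a configurable threshold is reached, and the alert's severity is escalated when a successful logon from a source address seen in the burst follows (a simple impact judgement). The record layout and sensor names are assumptions for this example; the event IDs are modelled on the Windows Security log convention of 4625 for a failed logon and 4624 for a successful one, and every sample line is constructed, not captured from a real system.

```python
"""Added example: correlate failed logons from several sensors and alert on a
threshold inside a time window. Not code from the original post or from any
Microsoft product; record layout and sensor names are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event IDs follow the Windows Security log convention; the flat record layout
# below is a simplified assumption for this example.
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624

# Constructed sample records from two hypothetical sensors (dc01, dc02).
# Not captured from a real system.
SAMPLE_EVENTS = [
    {"ts": "2017-05-01T10:00:01", "sensor": "dc01", "event_id": 4625, "account": "jdoe",   "src_ip": "203.0.113.7"},
    {"ts": "2017-05-01T10:00:20", "sensor": "dc02", "event_id": 4625, "account": "jdoe",   "src_ip": "203.0.113.7"},
    {"ts": "2017-05-01T10:00:45", "sensor": "dc01", "event_id": 4625, "account": "jdoe",   "src_ip": "203.0.113.7"},
    {"ts": "2017-05-01T10:01:10", "sensor": "dc02", "event_id": 4625, "account": "jdoe",   "src_ip": "203.0.113.7"},
    {"ts": "2017-05-01T10:01:30", "sensor": "dc01", "event_id": 4625, "account": "jdoe",   "src_ip": "203.0.113.7"},
    {"ts": "2017-05-01T10:01:55", "sensor": "dc01", "event_id": 4625, "account": "asmith", "src_ip": "198.51.100.9"},
    {"ts": "2017-05-01T10:02:10", "sensor": "dc01", "event_id": 4624, "account": "jdoe",   "src_ip": "203.0.113.7"},
    {"ts": "2017-05-01T10:03:00", "sensor": "dc02", "event_id": 4625, "account": "asmith", "src_ip": "198.51.100.9"},
    # Slow failures spread over 40 minutes: they never fit inside the window and stay quiet.
    {"ts": "2017-05-01T10:00:00", "sensor": "dc01", "event_id": 4625, "account": "bgreen", "src_ip": "192.0.2.5"},
    {"ts": "2017-05-01T10:10:00", "sensor": "dc01", "event_id": 4625, "account": "bgreen", "src_ip": "192.0.2.5"},
    {"ts": "2017-05-01T10:20:00", "sensor": "dc01", "event_id": 4625, "account": "bgreen", "src_ip": "192.0.2.5"},
    {"ts": "2017-05-01T10:30:00", "sensor": "dc01", "event_id": 4625, "account": "bgreen", "src_ip": "192.0.2.5"},
    {"ts": "2017-05-01T10:40:00", "sensor": "dc01", "event_id": 4625, "account": "bgreen", "src_ip": "192.0.2.5"},
]


def correlate_failed_logons(events, threshold=5, window=timedelta(minutes=5)):
    """Aggregate failed logons per account across all sensors (DE.AE-3) and
    raise one alert per account when `threshold` failures fall inside `window`
    (DE.AE-5). A later successful logon for that account from an IP seen in
    the burst escalates severity to 'high' (a basic impact judgement, DE.AE-4)."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    recent = defaultdict(deque)   # account -> deque of (ts, sensor, src_ip) inside the window
    alerted = {}                  # account -> alert already raised (one per account)
    alerts = []
    for e in ordered:
        ts = datetime.fromisoformat(e["ts"])
        acct = e["account"]
        if e["event_id"] == FAILED_LOGON:
            q = recent[acct]
            q.append((ts, e["sensor"], e["src_ip"]))
            # Drop entries that have fallen out of the sliding window.
            while ts - q[0][0] > window:
                q.popleft()
            if len(q) >= threshold and acct not in alerted:
                alert = {
                    "account": acct,
                    "count": len(q),
                    "sensors": sorted({s for _, s, _ in q}),
                    "src_ips": sorted({ip for _, _, ip in q}),
                    "first": q[0][0],
                    "last": ts,
                    "severity": "medium",
                }
                alerted[acct] = alert
                alerts.append(alert)
        elif e["event_id"] == SUCCESS_LOGON and acct in alerted:
            a = alerted[acct]
            # Success shortly after the burst, from an address in the burst: likely compromise.
            if e["src_ip"] in a["src_ips"] and timedelta(0) <= ts - a["last"] <= window:
                a["severity"] = "high"
                a["success_from"] = e["src_ip"]
    return alerts


if __name__ == "__main__":
    for a in correlate_failed_logons(SAMPLE_EVENTS):
        tail = f"; then success from {a['success_from']}" if "success_from" in a else ""
        print(f"{a['severity'].upper()}: {a['count']} failed logons for {a['account']} "
              f"via {', '.join(a['sensors'])} between {a['first']:%H:%M:%S} "
              f"and {a['last']:%H:%M:%S}{tail}")
```

Run as-is, it raises a single alert for jdoe: five failures seen across both sensors inside two minutes, escalated to high because the success from the same address followed within the window. The asmith account stays below the threshold and bgreen's slow trickle never fits inside the window, which is the point of pairing a count with a time bound when setting DE.AE-5 thresholds: the same five failures spread over 40 minutes should not page anyone.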
Security Continuous Monitoring (DE.CM)
The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
DE.CM-1: The network is monitored to detect potential cybersecurity events
DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
DE.CM-4: Malicious code is detected
DE.CM-5: Unauthorized mobile code is detected
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
DE.CM-8: Vulnerability scans are performed
Detection Processes (DE.DP)
Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
DE.DP-2: Detection activities comply with all applicable requirements
DE.DP-3: Detection processes are tested
DE.DP-4: Event detection information is communicated to appropriate parties
DE.DP-5: Detection processes are continuously improved