Geoffrey is a cybersecurity business executive and leader with over 25 years of experience and a proven track record in sales and solutions across a wide variety of information security technologies, risk management, and regulatory compliance solutions. Geoffrey currently runs Strategic Alliances at MixMode and before coming to MixMode he ran large solutions teams at Splunk, Palo Alto Networks, and SAP.
The evolving cybersecurity landscape and the increasing complexity of threats have made it crucial for organizations to adopt effective cybersecurity frameworks. Two prominent governing bodies that define such frameworks are the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA). These frameworks provide guidelines and best practices for organizations to secure their information systems and mitigate cyber risks.
Experienced CISOs are already aware that it is critical to implement and align with the NIST Risk Management Framework, the Zero Trust adoption guidelines, and the CISA Zero Trust Maturity Model. Traditionally, they have deployed these standards across their on-premises data, largely for compliance reasons.
But what about their cloud data?
Are CISOs continuously monitoring, in real time, the trillions of cloud records flowing through their environment, and adapting NIST / CISA standards to monitoring cloud data for zero-day threats?
According to our recent eBook on the Inefficiencies of Legacy Tools, 80% of CISOs are not able to identify excessive access to sensitive data in cloud production environments. The size and complexity of big data has made most legacy platforms (e.g., SIEMs) incapable of effectively collecting, analyzing, and correlating data from multiple cloud sources.
Before diving into this challenge, and into solutions for real-time threat detection on large volumes of cloud data, let's have a quick refresher on what the NIST and CISA frameworks are.
The NIST Risk Management Framework
The NIST Risk Management Framework is a comprehensive approach to risk management in federal government agencies as well as enterprise organizations. It provides a systematic process for identifying, assessing, and mitigating risks to information systems through continuous monitoring.
Continuous monitoring is the foundation of the NIST Risk Management Framework. It involves continuously observing and evaluating the effectiveness of security controls to ensure the ongoing protection of information systems. The goal is to identify and address vulnerabilities, detect anomalies, and improve security practices over time.
However, the volume and complexity of data – specifically cloud data – in modern information systems make it challenging to effectively monitor and detect threats using traditional techniques and rules-based legacy platforms.
SOCs have been forced to extract, transform, normalize, and manually enrich data from multiple data sources in order to identify relevant information about anomalous and suspicious behavior. This ineffective, legacy rules-based approach is a common and significant industry-wide problem.
Security leaders want to identify and understand anomalies in account access behavior by correlating the anomalous behavior of specific accounts with other parameters, such as geography or ingress and egress points. Few rules-based cybersecurity tools can do that without a great deal of manual data massaging and manipulation.
This is where AI becomes critical.
AI can augment human capabilities by automating the detection and monitoring process, analyzing vast amounts of data in real time, and identifying patterns and anomalies that indicate potential security risks.
Implementing AI-informed detection and monitoring of the entirety of relevant data, including cloud, on-premises, and network data, at every level of the risk management framework can significantly enhance an organization's cybersecurity posture. AI-driven continuous monitoring can help identify and respond to threats efficiently, detect anomalies typically missed by traditional methods, and continuously improve best practices and controls.
The CISA Framework Builds on NIST
NIST’s Zero Trust approach is a cybersecurity paradigm that focuses on resource protection and the premise that trust is never granted implicitly but must be continuously evaluated. Both NIST and CISA’s guidelines for Zero Trust adoption, unsurprisingly, emphasize the importance of continuous evaluation and monitoring.
CISA’s Zero Trust Maturity Model builds upon the NIST frameworks and provides further guidance for organizations to implement Zero Trust principles effectively. It advocates for continuous monitoring and assessment of security capabilities to detect unauthorized access and changes as organizations mature from their initial state to a desirable end state.
Applying CISA and NIST to Cloud Data Monitoring
Now CISOs can take a step back and truly ask themselves, “Am I applying CISA / NIST standards to ALL data in my environment, including the exponentially growing volumes of relevant cloud data?”
This is one more critical question CISOs should be asking as they face the many security challenges driven by cloud adoption and hybrid environments.
When polled, most CISOs admit to attempting to address foundational NIST continuous monitoring of cloud data sources by normalizing and filtering cloud "flow" and "API" data into various data lakes. These lakes then become latent (after-the-fact) sources for SQL query access and rules-based detections.
While somewhat appropriate for compliance requirements, the inability to monitor, triage, and detect correlative anomalies across other relevant data sources remains a critical issue. It becomes even more critical when considering the "Identity" details present in cloud API data specifically, which must be taken into account for Zero Trust adoption across cloud data monitoring, network detection and response (NDR), and SIEM use cases.
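The correlation gap described above, shown as an added example that is not the page's or MixMode's code: constructed cloud API audit records and constructed flow records are joined per identity (API events to flows on source IP, an assumption), and an identity is escalated only when several independent signals coincide, rather than on a single rule. Field names, the sensitive-bucket prefix and the thresholds are all assumptions.

```python
from collections import Counter, defaultdict

SENSITIVE_PREFIX = "s3://prod-pii/"  # assumption: prefix marking sensitive production data

# Constructed sample records (not from the page). Baseline window = earlier, known-good activity.
BASELINE_API = [
    {"identity": "alice", "action": "GetObject", "resource": "s3://prod-pii/a.csv", "src_ip": "198.51.100.5", "geo": "US"},
    {"identity": "alice", "action": "GetObject", "resource": "s3://prod-pii/b.csv", "src_ip": "198.51.100.5", "geo": "US"},
    {"identity": "bob", "action": "GetObject", "resource": "s3://prod-logs/x.log", "src_ip": "198.51.100.9", "geo": "US"},
]
# Current window: alice behaves as before; bob reads six sensitive objects from a new country.
CURRENT_API = [BASELINE_API[0]] + [
    {"identity": "bob", "action": "GetObject", "resource": f"s3://prod-pii/{i}.csv",
     "src_ip": "203.0.113.7", "geo": "RO"} for i in range(6)]
# Constructed flow records for the same window, joined to API events on source IP (assumption).
CURRENT_FLOWS = [
    {"src_ip": "203.0.113.7", "dst_ip": "192.0.2.40", "bytes": 850_000_000, "egress": "igw-prod"},
    {"src_ip": "198.51.100.5", "dst_ip": "192.0.2.41", "bytes": 2_000, "egress": "igw-prod"},
]

def profile(events):
    """Per identity: count of sensitive reads and the set of source geographies seen."""
    reads, geos = Counter(), defaultdict(set)
    for e in events:
        geos[e["identity"]].add(e["geo"])
        if e["action"] == "GetObject" and e["resource"].startswith(SENSITIVE_PREFIX):
            reads[e["identity"]] += 1
    return reads, geos

def correlate(baseline, current, flows, read_factor=3, egress_bytes=100_000_000):
    """Flag an identity only when at least two independent signals coincide:
    sensitive reads far above its baseline, access from a geography never seen
    for it, and heavy egress from the IPs it used. Returns {identity: [reasons]}."""
    base_reads, base_geos = profile(baseline)
    cur_reads, cur_geos = profile(current)
    egress = Counter()
    for f in flows:
        egress[f["src_ip"]] += f["bytes"]
    ips_of = defaultdict(set)
    for e in current:
        ips_of[e["identity"]].add(e["src_ip"])
    findings = {}
    for ident in cur_geos:
        reasons = []
        if cur_reads[ident] > read_factor * max(base_reads[ident], 1):
            reasons.append("sensitive_reads_above_baseline")
        new_geos = cur_geos[ident] - base_geos[ident]
        if new_geos:
            reasons.append("new_geography:" + ",".join(sorted(new_geos)))
        if sum(egress[ip] for ip in ips_of[ident]) >= egress_bytes:
            reasons.append("large_egress")
        if len(reasons) >= 2:  # single signals are noise; correlated signals escalate
            findings[ident] = reasons
    return findings
```

Run `correlate(BASELINE_API, CURRENT_API, CURRENT_FLOWS)`: alice trips no signal, while bob is escalated on all three, which is the kind of cross-source, identity-centred correlation a per-source SQL rule cannot express.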
AI-Based Solutions: Overcoming Inherent Cloud Monitoring Challenges
When it comes to cloud data monitoring, modern SOCs and forward-thinking CISOs are looking at AI-based cybersecurity solutions to tackle the mounting challenges of real-time data monitoring on trillions of cloud records.
While AI-based solutions offer significant benefits in terms of enhanced cybersecurity, there are challenges that organizations and CISOs must address when implementing AI in the NIST/CISA frameworks.
A persistent challenge is vendor fatigue driven by the growing number of cybersecurity vendors making false claims. Vendors often present product-specific solutions, leading to confusion and overlapping functionalities. Teams can become inundated with multiple, incongruent tools requiring so much effort to coordinate that they quickly lose their effectiveness.
To simplify defense in depth and avoid configuration mistakes, organizations should focus on best-in-suite solutions that cover multiple security aspects. This approach reduces complexity and streamlines the integration of AI-based tools into existing security infrastructures.
Adhering to the principles outlined in the NIST and CISA frameworks is crucial. Both frameworks emphasize simplicity and the avoidance of complexity in security practices. Applying those best practices to cloud data monitoring is also critical.
With the increasing complexities and volumes of data that today’s hybrid environments present, organizations must choose data-agnostic solutions that can handle various data types, including traditional log files, network traffic data, and cloud data. This approach ensures a comprehensive and holistic continuous monitoring process.
Operational Feasibility and Affordability Are Also Important Considerations
Organizations need to evaluate the scalability and cost-effectiveness of AI-based solutions, especially when dealing with large volumes of data. AI can help drive down operational costs by automating threat identification, triage, context identification, and root cause analysis, leading to improved efficiency and resource optimization.
Implementing AI-based solutions can provide immediate outcomes in terms of enhanced security. These solutions can address various security requirements, such as anomaly detection, identity management, threat detection, and behavioral analytics. Platforms like MixMode offer AI-driven capabilities that enable continuous monitoring, efficient detection, and response across multiple data sources.
It may not be immediately obvious where to start on a journey to complying with the Zero Trust framework for cloud data. Questions around where to even look for identity information among vast cloud data resources can be challenging to answer. MixMode's patented Generative AI technology can analyze behaviors that traverse cloud environments by reviewing flow information, allowing teams to gain insight into entities and identities from cloud environments and to triage those behaviors, entities and identities as they move laterally across network sources.
Generative AI for Cloud Security
AI-based solutions offer significant benefits in terms of continuous monitoring, efficient anomaly detection, and enhanced threat response. By adhering to the principles outlined in the NIST and CISA frameworks and leveraging AI solutions effectively, CISOs can navigate the complexities of modern cybersecurity and contribute to the protection of organizational assets.
While challenges exist, including vendor fatigue, complexity, and operational feasibility, organizations can overcome these hurdles by choosing best-in-suite solutions, adopting data-agnostic approaches, and evaluating the scalability and affordability of AI-based solutions. With the integration of AI into the risk management framework and the implementation of Zero Trust principles, organizations can achieve improved cybersecurity outcomes and establish a robust defense against evolving cyber threats.
Reach out to learn more about how MixMode can help CISOs apply NIST / CISA standards to all data within their hybrid environments.