Imbalance between proactive and reactive cybersecurity

Imbalance between proactive and reactive cybersecurity

by Paresh Borkar

NIST Cybersecurity Framework (aka Framework for Improving Critical Infrastructure Cybersecurity) is an excellent resource for all organizations. There are 3 components to the framework as below:

  1. Core – Provides a set of desired cybersecurity activities and outcomes using common language that is easy to understand.
  2. Tiers – These implementation Tiers help assist organizations by providing context on how an organization views cybersecurity risk management.
  3. Profiles – These are an organizations’ unique alignment of their organizational requirements and objectives, risk appetite and resources against the desired outcomes of the Framework Core.

The Framework Core Elements work together as follows:

  • Functions organize cybersecurity activities at their highest level. These functions are: Identify, Protect, Detect, Respond, Recover.
  • Categories are the subdivisions of a Function into groups of cybersecurity outcomes closely tied programmatic needs and particular activities. For example – “Asset Management”, “Identity Management and Access Control”, etc.
  • Subcategories further divide a Category into specific outcomes of technical and/or management activities. They provide a set of results that, while not exhaustive, help support achievement of the outcomes in each Category. Examples include “Data-at-rest is protected”, “External information systems are catalogued”, etc.
  • Information References – While NIST Cybersecurity Framework does not directly provide guidance on “how” part, these information references are specific sections of standards, guidelines and practices that illustrate a method to achieve the outcomes associated with each Subcategory.

Let us take a deeper look into the Five Core Functions below. Note that these functions are not intended to form a serial path or lead to a static desired state. Rather, these functions should be performed concurrently and continuously from an operational culture that addresses the dynamic cybersecurity risk.

  • Identify – Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data and capabilities.
  • Protect – Develop and implement appropriate safeguards to ensure delivery of critical services
  • Detect – Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. Most of us will quick correlate this with SIEM tools.
  • Respond – Develop and implement appropriate activities to take action regarding a detected cybersecurity incident. We are all familiar with Incident Response (IR).
  • Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities that were impaired due to a cybersecurity incident. Most of us will relate with Mean Time To Repair or Mean Time To Recover.

The table below lists some categories for each of the Core Functions:

NIST Cyber Security Functions

At a high level we can bucket the Five Core Functions as:

  • Proactive
    • Identify
    • Protect
  • Reactive
    • Detect
    • Respond
    • Recover

Most organizations tend to have lot of security tooling for Reactive side as compared to Proactive. For example most organizations deploy SIEM, UEBA and other tools on the Reactive side. However they don’t necessarily have tools for proactively identifying security weakness that could simply be plugged in or patched. Perhaps Proactive Cybersecurity is simply just not sexy enough.

We will all agree that vulnerability management tools needed a transformation since these typically required running a scan or scheduling one to identify issues. However, with ThreatWorx there is no need for scans (or scheduled scans) altogether. Also, ThreatWorx has support for inside-out security assessments (aka Third Party Cyber Risk Management [TPCRM]) for Supply Chain Risk Management, which is an important aspect under “Identify” Core Function of NIST Cybersecurity Framework. Now is the time to strengthen your approach to Proactive Cybersecurity.

Contact us for more details at

Comments are closed.