NISTIR 8374 (Ransomware Framework)

Preliminary Draft

Falling victim to a ransomware attack is something you want to avoid. Trust me. It won’t be fun.

If you didn’t already know, ransomware is a type of malicious cyberattack where cybercriminals encrypt an organization’s data and hold it for ransom to restore access. In some instances, attackers may also steal an organization’s information and demand additional payment in return for not disclosing the information to authorities, competitors, or the public. Ransomware can disrupt or halt organizations’ operations and has the potential to cripple an organization in a matter of hours.

 

The recent ransomware attacks on the Colonial Pipeline ($4.4 million payout) and JBS USA Holdings Inc. ($11 million payout) represent the growing brazen nature of organized, deliberate attacks on increasingly significant targets. These successful attacks also highlight the ongoing struggle to keep pace with cyber threats. Cybercrime is a growing, highly successful, and profitable industry. According to Cybersecurity Ventures, “cybercrime costs will grow by 15 percent per year to reach $10.5 trillion by 2025: the third greatest ‘economy’ in the world, after those of the U.S. and China.”

 

Furthermore, ransomware attacks have increased by nearly 500% since the start of the COVID-19 pandemic, with an average ransom of $200,000 – and that number does not include the follow-on payments typically demanded down the road. As a result, organizations such as the National Institute of Standards and Technology (NIST) have been hard at work building and updating best practices to prevent, combat, and recover from these insidious attacks.

 

The Ransomware Framework Preliminary Draft

On June 9th, 2021, NIST released its’ preliminary draft for the Cybersecurity Framework Profile for Ransomware Risk Management (NISTIR 8374), a new ransomware risk management framework. The framework builds upon NIST’s already popular Cybersecurity Framework (CSF), leveraging its existing control mappings. The extensive table of NISTIR 8374 controls can be found here. However, the 5 CSF functions on which the framework is predicated are highlighted below.

  • Identify – Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.
  • Protect – Develop and implement appropriate safeguards to ensure delivery of critical services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event.
  • Detect – Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events.
  • Respond – Develop and implement appropriate activities to take action regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity incident.
  • Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident.

 

There are many subcategories within each of these functional categories, and they often map to other frameworks. In the instance of NISTIR 8374, NIST utilized the existing control mappings for NIST 800-53 and ISO 27001 and selected best-practice policies and procedures to prevent and recover from a ransomware attack. For your organization, this means that implementing the NISTIR 8374 Framework requires focus on compliance primarily with the NIST 800-53 controls or the ISO 27001 controls. Unfortunately, traditional compliance approaches don’t make this as easy as one would like.

 

A security breach can happen at any time. As such, staying current with each CSF Function is important. Each aspect of the CSF is important, but perhaps none as much as the Protect and Detect Functions. These Functions are crucial to preventing a ransomware attack and that is why they need to be implemented with real-time continuous monitoring. An organization cannot rely on outdated data, even if it’s just a few hours old. Properly securing an organization through the use of compliance and industry best practices requires monitoring an organization’s data in real-time, continuously. Legacy compliance monitoring solutions require substantial up front investments and major additional costs for maintenance and ongoing updates. Modern approaches employ automation, are more cost-efficient, and actually work in real-time. Enter real-time continuous monitoring using Qmulos.

 

Qmulos Automates the Process

We deliver innovative solutions that enable customers to achieve operational cybersecurity risk management goals while meeting compliance requirements. Q-Compliance disrupts the legacy IT compliance and risk management markets and enables CISOs to realize that “doing compliance” on top of big data is the best way to dramatically improve security. Founded on a risk-based approach, NISTIR and Q-Compliance provide a way for organizations to finally combine their operational security and compliance budgets, and align resources toward one common goal: better security, protecting against ransomware attacks.

 

Q-Compliance enables our customers to achieve the 5 Functions of the CSF, which form the basis of NISTIR 8374, making the process easy for any organization, no matter the size. NISTIR 8374 compliance is easily achieved and proven by ingesting data sources into Splunk and contextualizing the data into the numerous NIST 800-53 control requirements through pre-built analytics.

 

Our dashboards give the users a simple to use, click-through interface to quickly see which controls are failing and how to remediate them. The result is an automated, cutting-edge way to achieve ongoing assessments, ongoing authorizations, and continuous monitoring in a way never done before. Q-Compliance includes the ability to perform these actions for frameworks and overlays such as NIST 800-53 r4 and r5, CSF, NIST RMF, CDM, FedRAMP, StateRAMP, SOX, HIPAA, CMMC, PCI DSS, NERC CIP, CJIS, among many others – not to mention custom control groupings.

 

For more information on how you can leverage your data to help you with your compliance automation activities, please contact Qmulos at sales@qmulos.com, or fill out the form to the right and we will get back to you.

You are now leaving Qmulos

Qmulos provides links to web sites of other organizations in order to provide visitors with certain information. A link does not constitute an endorsement of content, viewpoint, policies, products or services of that web site. Once you link to another web site not maintained by Qmulos, you are subject to the terms and conditions of that web site, including but not limited to its privacy policy.

You will be redirected to
in 7 seconds...

Click the link above to continue or CANCEL