Time is of the essence in the mitigation of any threat. In health, safety, finances, or just about any other regard, this is obvious. However, when it comes to cybersecurity, it’s especially important.  

The most common stance when it comes to data security appears to be a passive one. We tend to do the absolute minimum. We tend to set up anti-malware or antivirus software, let it run in the background, and call it a day. This is a mistake. 

For starters, when an antivirus program detects a potential threat, we tend to delete the threat, pat ourselves on the back, and call it a day. But viruses can and do hide behind each other and escape detection. In such cases, the hidden virus evades detection and lives on to do its dirty work. This is a common barrier to detection, and anyone whose machines have been compromised this way understands why it’s a problem. 

In cybersecurity, all the threat prevention in the world is ineffective without quick and effective detection.  

To this end, the NIST Cybersecurity Framework 2.0 has been carefully crafted to incorporate robust detection functionality. 

Without this, all the work that has gone into it would likely prove useless, such as in our example. Here, our topic is the NIST Cybersecurity Framework Detect Function. We will describe what it is, how it works, its value, and the reasons organizations should prioritize its implementation. 

Overview of the NIST Cybersecurity Framework 2.0 

The NIST Framework 2.0 is designed to offer guidance to businesses, government agencies, and other organizations to mitigate cybersecurity threats.  

Moreover, its purpose is to enable organizations to achieve a high degree of synchronicity and collaborative benefits to this end. It enables more people within an organization to be involved meaningfully in the prevention and reduction of harm, forming a united and more imposing front against cyberattacks. 

The Framework provides a taxonomy of cybersecurity outcomes that can be instructive to any organization with sensitive data to protect. These outcomes are useful regardless of an organization's scale, sector, industry, or level of development.  

These outcomes help businesses assess, prioritize, understand, and express their data security efforts. The Framework does not dictate how these outcomes should be achieved.  

Instead, it links online resources that offer organizations the guidance they need to achieve the desired outcomes. This guidance includes best practices, assets, and controls that can be useful in achieving these outcomes. 

Most notably, it does this through the Framework’s six pillars. These are: Govern, Detect, Identify, Respond, Protect, and Recover. 

In most of the documentation we are aware of, the pillars are listed in a different order. But we feel it’s important to put them into the most intuitive order of operations and that the Detect function should come first. According to our team, the order of operations should look like this: 

  • Govern: Establish a strategy before a threat appears 
  • Detect: Realize that a potential threat exists 
  • Identify: Assess and understand the nature of the threat 
  • Respond: Mount a meaningful response 
  • Protect: Defend data and hardware 
  • Recover: Return to normal and resume productivity processes 

The Role of the “Detect” Function in Spotting Potential Cyber Threats  

The prominence of the Detect function makes its importance uncontroversial. After all, if we fail to realize that an attack may be incoming, any further appropriate action is not possible. 

NIST describes the Detect Function as follows: “Possible cybersecurity attacks and compromises are found and analyzed. DETECT enables the timely discovery and analysis of anomalies, indicators of compromise, and other potentially adverse events that may indicate that cybersecurity attacks and incidents are occurring. This function supports successful incident response and recovery activities.” 

Perhaps the most important word here is “possible.” This reflects the essential nature of persistent vigilance in data security. Detecting a possible threat does not mean detecting actual attacks in all cases, but merely being aware of any event that could be an attack.  

As we gain experience, we can adjust the sensitivity of our detection capabilities to focus on events most likely to pose a threat and ignore unlikely threats. In this way, we adjust our detection efforts to be optimally economical. Still, we recommend starting with the highest degree of vigilance and adjusting from there. 

Defining Key Outcomes of the “Detect” Function in The NIST Cybersecurity Framework 2.0 

Each of the functions is made up of several outcome categories that describe the tasks and processes organizations should engage in for the corresponding level of the Framework.  

Further, these outcome categories are divided into subcategories of activities. The purpose of the Detect Function is to develop, set up, and implement activities appropriate to identify cybersecurity events. The Detect Function is made up of three categories of outcomes, which are as follows: 

  • Anomalies and Events: any occurrence, scenario, or instance that could constitute a threat or problem and that we wish to have the capacity to detect 
  • Detection Processes: the systems, means, and modes through which we maintain the capacity for persistent alertness, making detection possible 
  • Continuous Monitoring: the ways and means by which we maintain consistent, persistent, and resilient detection capabilities 

Anomalies and Indicators Businesses Should Look Out For  

The good news is that we have plenty of solid data on what cybersecurity red flags look like. In the data security industry, we refer to these as indicators of compromise (IoCs). Here are some useful threat indicators businesses should look out for. 

File-based IoCs 

These types of indicators can be seen in association with a given file or document and manifest as a file name or hash. 

Network-Based IoCs 

IoCs tied to network activity, such as a known-bad domain name or IP address, are the typical examples of network-based IoCs. 

Behavioral IoCs 

These indicators are connected to system-wide behaviors. They include unusual system activity, unusual network traffic, or contact with an unexpected domain name. 

Artifact-Based IoCs 

These types of IoCs are connected to artifacts generated or left behind by a hacker. These could come in the form of a configuration file or registry key. 
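The four indicator types above, and the sensitivity adjustment discussed earlier, are easier to reason about with a concrete detector in front of you. The following is an added example written for this page; it is not code from Graffen or from NIST. It assumes a simple key=value log format and uses constructed, placeholder indicator values (a hash of a made-up byte string, a reserved .example domain, a documentation-range IP address, and an invented registry key). It matches file, network, and artifact IoCs by exact lookup, and treats repeated failed logins as a behavioral indicator whose threshold is the tunable sensitivity knob.

```python
"""Added example: a small IoC matcher that exercises the four indicator types
(file, network, behavioral, artifact) against constructed log lines, with a
tunable threshold for the behavioral check."""
import hashlib
from collections import Counter

# Constructed indicators. These are placeholders for illustration only; a real
# deployment would load them from a threat-intelligence feed or detection content.
SAMPLE_HASH = hashlib.sha256(b"constructed malicious sample").hexdigest()
IOC_SET = {
    "file_hash": {SAMPLE_HASH},
    "file_name": {"invoice_update.exe"},
    "domain": {"update-check.example"},          # .example is reserved for documentation
    "ip": {"203.0.113.45"},                       # TEST-NET-3 documentation range
    "registry_key": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
}

# Constructed log lines in a simple key=value form (not from any real system).
SAMPLE_LOGS = [
    "ts=2024-05-01T10:00:01Z host=ws01 event=file_create name=invoice_update.exe sha256=" + SAMPLE_HASH,
    "ts=2024-05-01T10:00:02Z host=ws01 event=dns_query domain=update-check.example",
    "ts=2024-05-01T10:00:03Z host=ws01 event=net_connect dst_ip=203.0.113.45 dst_port=443",
    r"ts=2024-05-01T10:00:04Z host=ws01 event=registry_set key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
    "ts=2024-05-01T10:00:05Z host=ws01 event=login user=bob result=failure",
    "ts=2024-05-01T10:00:06Z host=ws01 event=login user=bob result=failure",
    "ts=2024-05-01T10:00:07Z host=ws01 event=login user=bob result=failure",
    "ts=2024-05-01T10:00:08Z host=ws01 event=login user=alice result=success",
    "ts=2024-05-01T10:00:09Z host=ws01 event=file_create name=report.docx sha256=" + hashlib.sha256(b"benign").hexdigest(),
]

# Which log field carries which indicator type (assumed field names).
FIELD_TO_IOC_TYPE = {
    "sha256": "file_hash",     # file-based IoC
    "name": "file_name",       # file-based IoC
    "domain": "domain",        # network-based IoC
    "dst_ip": "ip",            # network-based IoC
    "key": "registry_key",     # artifact-based IoC
}


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; values contain no spaces in this format."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def match_static_iocs(event):
    """File, network and artifact IoCs: exact matches against the indicator set."""
    hits = []
    for field_name, ioc_type in FIELD_TO_IOC_TYPE.items():
        value = event.get(field_name)
        if value is not None and value in IOC_SET[ioc_type]:
            hits.append((ioc_type, value))
    return hits


def detect(lines, failed_login_threshold=3):
    """Run every check over a batch of log lines and return a list of findings.

    failed_login_threshold is the sensitivity knob for the behavioral check: a
    low value is 'highest vigilance'; raising it trades missed events for fewer alerts.
    """
    findings = []
    failures = Counter()
    for line in lines:
        event = parse_line(line)
        for ioc_type, value in match_static_iocs(event):
            findings.append({"type": ioc_type, "value": value, "line": line})
        if event.get("event") == "login" and event.get("result") == "failure":
            failures[event.get("user", "?")] += 1
    # Behavioral IoC: repeated failed logins for one account within the batch.
    for user, count in failures.items():
        if count >= failed_login_threshold:
            findings.append({"type": "behavioral",
                             "value": f"{count} failed logins for {user}",
                             "line": None})
    return findings


def summarize(findings):
    """Count findings per indicator type."""
    return dict(Counter(f["type"] for f in findings))


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS):
        print(finding["type"], finding["value"])
    print(summarize(detect(SAMPLE_LOGS)))
```

With the default threshold the batch yields one finding of each type; raising `failed_login_threshold` to 10 silences the behavioral alert while leaving the exact-match indicators untouched, which is the "start at maximum vigilance, then tune" adjustment in miniature.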

Tools and Methods For Effective Cybersecurity Detection In Your Small Business 

In response to the NIST guidelines and shared industry experience, we have a few recommendations about means and tools for detecting potential security events. 

Intrusion Detection Systems 

Perhaps the most immediate type of threat you want to be aware of is an active intrusion. Whether this is the real-time activity of a hacker or the introduction of malware into the system, knowing that such an event is in progress gives you a survival edge.  

When an intrusion is detected in a timely fashion, you can cut off access to data, unplug devices, set anti-malware apps into action, and contact emergency support. 

Network Monitoring 

This type of threat detection gives you eyes on activity within the network. It can help you maintain compliance, avoid downtime, and, of course, rapidly identify and solve problems. Network monitoring is key for spotting security threats and is indispensable for data security. 

AI-Powered Security 

Threat detection systems like Flashstart, Heimdal Threat Prevention, Orca Security, and SentinelOne are leading examples of the cutting edge of automated threat detection at the time of this writing. These applications do everything offered by intrusion detection and network monitoring, but they do it persistently and automatically. This means your team will be able to sleep at night! 

Human Vigilance 

Of course, even the most advanced AI and automation available today can miss things. For this reason, you still want human eyes to monitor your systems whenever possible. Together, human vigilance and machine security make a great team. 

Employee Training 

Remember that one of the NIST Framework’s most important advantages is that it gives more types of professionals the insight and authority they need to become active parts of your cybersecurity defense. Experts have long praised the virtues of bringing the whole workforce on board, especially when it comes to cultural attacks.  

But the NIST Framework lets us train whole departments to play an active role, share insights, and most importantly, have the knowledge they need to know when it’s time to implement security measures and to alert data security professionals. 

The great advantage your workforce has is that they occupy all points in your organization at once. Realistically, they are the core of all the total information systems under your roof. This is why it’s so important that they be trained in recognizing red flags and anomalies.  

After all, no threat can enter your system unless it first makes contact with either a human being or a machine, and humans are usually the quickest vector through which to bypass authority-dependent entry points. 

And that is why cross-departmental cybersecurity training and human vigilance are indispensable to your data security efforts. 

How the “Detect” Function Feeds into the “Respond” Function 

Effective detection sets the stage for timely cybersecurity incident response. Under the standard NIST recommendations, the Detect function is a direct precursor to the Respond function. If you recall, we organize them somewhat differently, which is a good example of how customizable the NIST Framework is. 

Nevertheless, the NIST standard Detect-Respond part of the Framework is perfectly serviceable and works well for a wide range of organization types. As a default standard, it is recommended for nearly every type of business, especially small businesses, particularly in the early stages of integration. After all, without “detection,” no real response is even possible. 

NIST’s recommendations on the link between detection and response are designed as a kind of “catch-all” or jack-of-all-trades configuration. They will work well for most organizations. With expert consultation and experience, you should be able to tailor them to suit your unique needs, but the default configuration is a strong and reliable starting place. 

Small Business Adaptations For Effective Detection 

Customizing NIST’s recommendations to suit the unique needs and limitations of small businesses is fairly straightforward.  

What’s most important is to make sure that proactive safeguards are put in place that are well-suited to the needs of your business. Again, these safeguards will largely need to be discovered along the way.  

However, the best approach is to integrate the NIST recommendations cross-organizationally by conducting wall-to-wall workforce training. 

Making “Detect” A Routine Part of Your Cybersecurity Policy 

To get started using the NIST Framework, working with professional cybersecurity consultants in this field is necessary. Naturally, they will emphasize the importance of a well-planned “Detect” function.  

In the final analysis, small businesses need to integrate NIST Cybersecurity Framework Detect guidelines into their cybersecurity strategies. 

We hope this clarifies the meaning and purpose of the Detect Function. Be sure to reach out to Graffen for further discussions on the other key functions of the NIST Framework, how they overlap and work together, as well as recommendations on integrating them into your customized cybersecurity plan.