April 12, 2024 | Strategy, Compliance

NIST Cybersecurity Framework 2.0. Update Takeaways

By Roman Krasnov


On February 26, 2024, the U.S. National Institute of Standards and Technology (NIST) officially released Cybersecurity Framework (CSF) 2.0. This release brings the most significant changes since the framework’s inception in 2014. Let’s quickly walk through the updates and how log collection supports the functions of the renewed framework.

What is NIST CSF

[Figure: NIST CSF core functions]

The U.S. NIST Cybersecurity Framework is one of the most widely used security frameworks (alongside ISO 27001, CIS, and others), helping organizations assess, manage, and reduce their cybersecurity risk. It was initially published in 2014 in response to "Executive Order 13636: Improving Critical Infrastructure Cybersecurity", issued by President Obama in February 2013. The order called for a voluntary cybersecurity framework consisting of standards, guidelines, and best practices, whose purpose is to help the nation’s critical infrastructure organizations, including financial, energy, and health care providers, better protect their information and physical assets from cyberattacks. The framework was created through public-private collaboration. It serves a crucial role by providing a common language for addressing and managing cyber risk cost-effectively, based on business needs, and it does so without imposing additional regulatory requirements on businesses.

NIST CSF went through the years with just one minor update, version 1.1, in 2018. Ten years later, the threat landscape has changed significantly, and NIST proposed version 2.0, a substantial revision that adapts the framework to the latest cybersecurity best practices. While the core structure of the NIST CSF stays the same in general, the proposed changes enhance the framework’s capabilities.

The framework is structured around a set of high-level core functions, which are essential for any cybersecurity program. They are Identify, Protect, Detect, Respond, Recover, and, with the latest update, Govern. This structure provides a strategic overview of an organization’s approach to cybersecurity risk management. Those six core functions are broken down into 22 categories and 106 subcategories. Each subcategory is an atomic control that defines best practices to consider when assessing an organization’s cybersecurity program. It is essential to highlight that NIST CSF is vendor-agnostic and non-prescriptive: consider the framework a tool rather than a checklist to follow.

What’s changed in CSF 2.0?

As you know, the initial version of CSF focused on the nation’s critical infrastructure. The introduction of CSF 2.0 officially broadened its reach, since it now addresses all sorts of organizations, not just those operating critical infrastructure. The next major shift was adding a new top-level "Govern" function, which includes many categories that align the framework with modern security risk management best practices.

Another noteworthy structural change in CSF 2.0 is the introduction of "implementation examples". These examples help organizations translate the framework’s technical requirements into actual improvements in security posture and ensure alignment with business objectives. CSF 2.0 also establishes direct connections with other security frameworks to build a holistic vision for cybersecurity.

[Figure: CSF 2.0 structure]

Previously, "cybersecurity supply chain risk management" was scattered across different functions. Now it has become a separate sub-category under the Govern function. This change highlights the importance of supply chain management. It follows the transformation trend of the Risk Management Framework (NIST 800-37) and the Controls Catalog (NIST 800-53), both of which moved software supply chain security to dedicated sections in their latest revisions.

How NXLog helps comply with NIST CSF 2.0

NXLog Enterprise Edition enables an autonomous pipeline to support security monitoring systems (SIEM, UEBA, XDR, APM, and others) with the necessary log data for ongoing analysis.

NXLog helps to implement the PROTECT function in the “Platform Security” category.

CSF Subcategory | Implementation Examples | Informative Reference | NXLog

CSF Subcategory: PR.PS-04: Log records are generated and made available for continuous monitoring.

Implementation Examples:
  • Example 1: Configure all operating systems, applications, and services (including cloud-based services) to generate log records.
  • Example 2: Configure log generators to securely share their logs with the organization’s logging infrastructure systems and services.
  • Example 3: Configure log generators to record the data needed by zero-trust architectures.

Informative Reference:
  • NIST Special Publication 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities: PO.3.3
  • CIS Controls: 8.2
  • CRI Profile Version 2.0: PR.PS-04, PR.PS-04.01, PR.PS-04.02, PR.PS-04.03

NXLog: NXLog Enterprise Edition lets you capture logs generated by operating systems (Windows, Linux, macOS, AIX, Solaris, BSD, etc.) and applications. It provides over a hundred integrations out-of-the-box to ensure you can deliver all your valuable log data to the right place (SIEM or APM) for ongoing monitoring.
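As an added illustration of PR.PS-04 Examples 1 and 2, the NXLog agent configuration below (written for this article's editing pass, not taken from the post or from NXLog's own documentation) collects the Windows Security and System channels plus a file-based application log and ships them to a central collector over mutually authenticated TLS. The collector hostname, port, application log path and certificate file names are placeholders; the global directives of a stock nxlog.conf (ModuleDir, CacheDir, LogFile) are assumed to be present.

```nxlog
# Added example, not taken from the article or from NXLog's documentation.
# Windows agent: collect the Security and System channels plus an
# application log file (PR.PS-04 Example 1) and ship everything to the
# central collector over mutually authenticated TLS (PR.PS-04 Example 2).
# Collector hostname, port, application log path and certificate file
# names are placeholders.
define ROOT    C:\Program Files\nxlog
define CERTDIR %ROOT%\cert

<Extension _syslog>
    Module  xm_syslog
</Extension>

# Example 1: read the OS log records directly from the Windows Event Log
<Input eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
                <Select Path="System">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Example 1, application side: tail a file-based application log.
# ReadFromLast avoids re-sending the whole history on first start.
<Input app>
    Module        im_file
    File          'C:\ProgramData\ExampleApp\logs\app.log'
    ReadFromLast  TRUE
</Input>

# Example 2: encrypted transport to the logging infrastructure.
# CAFile restricts trust to the organization's own CA; CertFile and
# CertKeyFile present the agent's client certificate so the collector can
# authenticate the source; AllowUntrusted FALSE rejects a collector whose
# certificate does not chain to that CA.
<Output collector>
    Module          om_ssl
    Host            logs.example.internal
    Port            6514
    CAFile          %CERTDIR%\ca.pem
    CertFile        %CERTDIR%\agent-cert.pem
    CertKeyFile     %CERTDIR%\agent-key.pem
    AllowUntrusted  FALSE
    Exec            to_syslog_ietf();
</Output>

<Route ship>
    Path  eventlog, app => collector
</Route>
```

The two settings that make the transport "secure" in the PR.PS-04 sense are `CAFile` with `AllowUntrusted FALSE` (the agent will not talk to an impostor collector) and the agent's own `CertFile`/`CertKeyFile` (the collector can reject records from hosts it has not issued a certificate to). Dropping either one leaves you with encryption but not authentication.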

NXLog supports implementation of the “Data Security” (PR.DS) category for log data, whether the data is at rest or in transit.

CSF Subcategory | Implementation Examples | Informative Reference | NXLog

CSF Subcategory: PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected.

Implementation Examples:
  • Example: Encryption, digital signatures, and cryptographic hashes protect the confidentiality and integrity of stored data in files, databases, virtual machine disk images, container images, and other resources.

Informative Reference:
  • NIST Special Publication 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities: PS.1.1, PS.2.1, PS.3.1
  • CIS Controls: 3.11
  • CRI Profile Version 2.0: PR.DS-01, PR.DS-01.01, PR.DS-01.02, PR.DS-01.03

NXLog: The File Integrity Monitoring (FIM) feature of NXLog Enterprise Edition can scan files and directories and report detected changes.

CSF Subcategory: PR.DS-02: The confidentiality, integrity, and availability of data in transit are protected.

Implementation Examples:
  • Example: Use encryption, digital signatures, and cryptographic hashes to protect the confidentiality and integrity of network communications.

Informative Reference:
  • CIS Controls: 3.10
  • CRI Profile Version 2.0: PR.DS-02, PR.DS-02.01

NXLog: NXLog Enterprise Edition has an SSL/TLS module to provide secure transport for log messages. NXLog Enterprise Edition also supports certificates with TPM-generated keys. Trusted Platform Module (TPM) chips provide tamper-resistant security functions, making them the most secure way of encrypting data.

CSF Subcategory: PR.DS-11: Backups of data are created, protected, maintained, and tested.

Implementation Examples:
  • Example: Continuously back up critical data in near-real-time and back up other data frequently at agreed-upon schedules.

Informative Reference:
  • NIST Special Publication 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities: PS.3.1
  • CIS Controls: 11.2, 11.3, 11.5
  • CRI Profile Version 2.0: PR.DS-11, PR.DS-11.01

NXLog: NXLog Enterprise Edition can route log streams to multiple destinations and automate log rotation. Together with the NXLog FIM module, it allows you to build a robust backup pipeline.
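The collector-side configuration below is an added example for the three PR.DS rows above (it is not from the article or from NXLog's documentation): a Linux collector that accepts the agents' TLS streams with mandatory client certificates (PR.DS-02), writes a daily-rotated local archive (PR.DS-11), and runs the FIM module over the rotated archive files so that modification or deletion of stored logs is itself reported (PR.DS-01). Paths, certificate names, the listening port and the 14-generation retention are placeholders chosen for the example.

```nxlog
# Added example, not taken from the article or from NXLog's documentation.
# Linux collector: TLS listener (PR.DS-02), rotated local archive
# (PR.DS-11) and file integrity monitoring of that archive (PR.DS-01).
# Paths, certificate names, port and retention count are placeholders.
define ARCHIVE /var/log/nxlog-archive
define CERTDIR /etc/nxlog/cert

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _json>
    Module  xm_json
</Extension>

<Extension _fileop>
    Module  xm_fileop
</Extension>

# PR.DS-02: TLS listener. RequireCert TRUE together with CAFile means an
# agent must present a client certificate issued by our CA, so an
# unauthenticated host cannot inject records into the archive.
<Input agents>
    Module          im_ssl
    ListenAddr      0.0.0.0
    Port            6514
    CAFile          %CERTDIR%/ca.pem
    CertFile        %CERTDIR%/collector-cert.pem
    CertKeyFile     %CERTDIR%/collector-key.pem
    RequireCert     TRUE
    AllowUntrusted  FALSE
    Exec            parse_syslog_ietf();
</Input>

# PR.DS-11: local archive copy, rotated once a day. file_cycle() renames
# agents.log to agents.log.1 and shifts the older generations up to 14;
# reopen() makes the module continue writing to a fresh agents.log.
<Output archive>
    Module  om_file
    File    '%ARCHIVE%/agents.log'
    <Schedule>
        Every  24 hours
        Exec   file_cycle(file_name(), 14); reopen();
    </Schedule>
</Output>

# PR.DS-01: integrity monitoring of the data at rest. The live file is
# excluded because it is meant to change. The rotated generations only
# change at rotation time, so the daily rotation produces one expected
# burst of events; a changed digest, a deleted file or an unexpected new
# file at any other time is a finding worth investigating.
<Input archive_fim>
    Module        im_fim
    File          '%ARCHIVE%/*'
    Exclude       '%ARCHIVE%/agents.log'
    Digest        sha256
    ScanInterval  300
</Input>

# FIM findings go to their own file so they are never mixed into the
# monitored archive.
<Output fim_report>
    Module  om_file
    File    '/var/log/nxlog/fim-report.json'
    Exec    to_json();
</Output>

<Route store>
    Path  agents => archive
</Route>

<Route integrity>
    Path  archive_fim => fim_report
</Route>
```

In practice the `fim_report` output would be forwarded to the SIEM rather than left on the collector, otherwise someone who can alter the archive can usually also alter the report; it is written to a local file here only to keep the example self-contained.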

NXLog Enterprise Edition also complements the “Technology Infrastructure Resilience” (PR.IR-03 and PR.IR-04) category within the PROTECT function by providing robust log collection architecture capabilities.

CSF Subcategory | Implementation Examples | Informative Reference | NXLog

CSF Subcategory: PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations.

Implementation Examples:
  • Example 1: Avoid single points of failure in systems and infrastructure.
  • Example 2: Use load balancing to increase capacity and improve reliability.
  • Example 3: Use high-availability components like redundant storage and power supplies to improve system reliability.

Informative Reference:
  • CRI Profile Version 2.0: PR.IR-03, PR.IR-03.01

NXLog: NXLog Enterprise Edition allows for high-availability deployments. NXLog integrates with third-party load-balancing solutions and ships with built-in failover capabilities. See the High Availability section in the NXLog agent User Guide for more information.

Finally, as a powerful and versatile log collection and shipping software, NXLog Enterprise Edition helps implement the core DETECT function of the framework, including "Continuous Monitoring" (DE.CM) and "Adverse Event Analysis" (DE.AE) category controls.

CSF Subcategory | Implementation Examples | Informative Reference | NXLog

CSF Subcategory: DE.CM-01: Networks and network services are monitored to find potentially adverse events.

Implementation Examples:
  • Example 1: Monitor DNS, BGP, and other network services for adverse events.
  • Example 2: Monitor wired and wireless networks for connections from unauthorized endpoints.
  • Example 3: Monitor facilities for unauthorized or rogue wireless networks.
  • Example 4: Compare actual network flows against baselines to detect deviations.
  • Example 5: Monitor network communications to identify changes in security postures for zero trust purposes.

Informative Reference:
  • CIS Controls: 13.1
  • CRI Profile Version 2.0: DE.CM-01, DE.CM-01.01, DE.CM-01.02, DE.CM-01.03, DE.CM-01.04, DE.CM-01.05, DE.CM-01.06

NXLog: NXLog Enterprise Edition can monitor and proactively analyze Domain Name System (DNS) queries and responses. See the DNS Monitoring section in the NXLog agent User Guide for more information. NXLog also allows for passive network monitoring by generating logs for various protocols. It uses the libpcap and WinPcap libraries to capture network traffic. See the Packet capture section in the NXLog Agent Reference Manual for more information.

CSF Subcategory: DE.CM-02: The physical environment is monitored to find potentially adverse events.

Implementation Examples:
  • Example: Monitor logs from physical access control systems (e.g., badge readers) to find unusual access patterns (e.g., deviations from the norm) and failed access attempts.

Informative Reference:
  • CRI Profile Version 2.0: DE.CM-02, DE.CM-02.01

NXLog: NXLog Enterprise Edition can capture logs from physical access control systems and send them for centralization and analysis.

CSF Subcategory: DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events.

Implementation Examples:
  • Example 1: Use behavior analytics software to detect anomalous user activity to mitigate insider threats.
  • Example 2: Monitor logs from logical access control systems to find unusual access patterns and failed access attempts.
  • Example 3: Continuously monitor deception technology, including user accounts, for any usage.

Informative Reference:
  • CIS Controls: 10.7
  • CRI Profile Version 2.0: DE.CM-03, DE.CM-03.01, DE.CM-03.02, DE.CM-03.03

NXLog: NXLog helps integrate all valuable logs into monitoring systems and ensures nothing is missed. NXLog Enterprise Edition is compatible with all the major SIEM/UEBA/XDR systems, such as Google Chronicle, Microsoft (Azure) Sentinel, MicroFocus ArcSight, IBM QRadar, and others.

CSF Subcategory: DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.

Implementation Examples:
  • Example 1: Monitor email, web, file sharing, collaboration services, and other common attack vectors to detect malware, phishing, data leaks and exfiltration, and other adverse events.
  • Example 2: Monitor authentication attempts to identify attacks against credentials and unauthorized credential reuse.
  • Example 3: Monitor software configurations for deviations from security baselines.
  • Example 4: Monitor hardware and software for signs of tampering.

Informative Reference:
  • CIS Controls: 10.1
  • CRI Profile Version 2.0: DE.CM-09, DE.CM-09.01, DE.CM-09.02, DE.CM-09.03

NXLog: NXLog Enterprise Edition allows you to capture and centralize logs from operating systems and applications, including those stored in files and database structures, sent over network sockets, and others. NXLog helps collect all valuable logs and analyze them properly in the security system.

CSF Subcategory: DE.AE-02: Potentially adverse events are analyzed to better understand associated activities.

Implementation Examples:
  • Example 1: Use security information and event management (SIEM) or other tools to continuously monitor log events for known malicious and suspicious activity.
  • Example 2: Utilize up-to-date cyber threat intelligence in log analysis tools to improve detection accuracy and characterize threat actors, their methods, and indicators of compromise.
  • Example 3: Regularly conduct manual reviews of log events for technologies that cannot be sufficiently monitored through automation.
  • Example 4: Use log analysis tools to generate reports on their findings.

Informative Reference:
  • CIS Controls: 8.11
  • CRI Profile Version 2.0: DE.AE-02, DE.AE-02.01, DE.AE-02.02

NXLog: NXLog Enterprise Edition allows you to analyze your log data on the fly, trigger events in real time, filter data, and send it for correlation analysis to SIEM systems. NXLog provides powerful data filtering and transformation capabilities to offload your SIEM system, make security analysis more efficient, and save storage costs.

CSF Subcategory: DE.AE-03: Information is correlated from multiple sources.

Implementation Examples:
  • Example 1: Constantly transfer log data generated by other sources to a relatively small number of log servers.
  • Example 2: Use event correlation technology (e.g., SIEM) to collect information captured by multiple sources.
  • Example 3: Utilize cyber threat intelligence to help correlate events among log sources.

Informative Reference:
  • CRI Profile Version 2.0: DE.AE-03, DE.AE-03.01, DE.AE-03.02

NXLog: NXLog allows you to capture security and audit logs from various data sources, including operating systems, applications, and network devices, and send them to SIEM for correlation. You can also simultaneously route the collected data to other destinations, such as a log backup storage.
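The DE.CM-09 Example 2, DE.AE-02 and DE.AE-03 rows above all describe the same agent-side pattern: select the authentication events, analyze and filter them as they are read, and fan the result out to the SIEM and to a backup destination at once. The configuration below is an added example of that pattern (not from the article or from NXLog's documentation); the SIEM hostname, port, CA file and archive path are placeholders.

```nxlog
# Added example, not taken from the article or from NXLog's documentation.
# Windows agent that analyzes logon events as they are read (DE.CM-09
# Example 2, DE.AE-02), drops known-benign noise before it reaches the
# SIEM, tags what remains, and routes each record to the SIEM and to a
# local archive at the same time (DE.AE-03). SIEM hostname, port,
# certificate path and archive path are placeholders.
define ROOT    C:\Program Files\nxlog

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _json>
    Module  xm_json
</Extension>

# Subscribe only to the authentication-related Security events:
# 4624 successful logon, 4625 failed logon, 4672 privileged logon.
<Input logons>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4672)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        # Filtering at the source: successful logons by machine accounts
        # (names ending in "$") are routine and are dropped here, so they
        # never consume SIEM ingestion or storage.
        if $EventID == 4624 and $TargetUserName =~ /\$$/ drop();

        # Real-time tagging. The SIEM can alert on $Alert directly instead
        # of re-parsing the Windows message text.
        if $EventID == 4625 $Alert = "failed_logon";
        if $EventID == 4672 $Alert = "privileged_logon";
    </Exec>
</Input>

# Forward to the SIEM over TLS in RFC 5424 syslog format. CAFile pins
# which collector certificates are accepted.
<Output siem>
    Module  om_ssl
    Host    siem.example.internal
    Port    6514
    CAFile  %ROOT%\cert\ca.pem
    Exec    to_syslog_ietf();
</Output>

# Second destination: a local newline-delimited JSON archive that keeps
# receiving records during a SIEM outage and serves as the backup copy.
<Output archive>
    Module  om_file
    File    '%ROOT%\data\logons.json'
    Exec    to_json();
</Output>

# One route, two outputs: every record that survives the filter is
# delivered to both destinations.
<Route fanout>
    Path  logons => siem, archive
</Route>
```

The filter is deliberately narrow: only the one pattern known to be benign is dropped, so failed logons and privileged logons always reach both destinations. Widening the `drop()` condition is how a pipeline quietly loses the events a later investigation needs, so every drop rule should be reviewed against the detection use cases the SIEM is expected to cover.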

NXLog Platform is an on-premises solution for centralized log management with versatile processing forming the backbone of security monitoring.

With our industry-leading expertise in log collection and agent management, we comprehensively address your security log-related tasks, including collection, parsing, processing, enrichment, storage, management, and analytics.
