April 12, 2024 strategycompliance

NIST Cybersecurity Framework 2.0. Update Takeaways

By Roman Krasnov

ALL SIEM STRATEGY SECURITY ANNOUNCEMENT DEPLOYMENT COMPLIANCE COMPARISON RSS

On February 26, 2024, the U.S. National Institute of Standards and Technology (NIST) officially released Cybersecurity Framework (CSF) 2.0. This release has had the most significant changes since its inception in 2014. Let’s quickly walk through the updates it brought and how log collection supports the functions of the renewed framework.

What is NIST CSF

The U.S. NIST Cybersecurity Framework is one of the most widely used security frameworks (with ISO27001, CIS, and others), helping organizations estimate, manage, and reduce their cybersecurity risks. It was initially published in 2014 as a response to "Executive Order 13636: Improving Critical Infrastructure Cybersecurity" issued by President Obama in Feb 2013. The order requested the design of a voluntary cybersecurity framework. This framework consists of standards, guidelines, and best practices. Its purpose is to help the nation’s critical infrastructure organizations, including financial, energy, health care, and others. The goal is to better protect their information and physical assets from cyberattacks. The framework was created through public-private collaboration. It serves a crucial role by providing a common language to address and manage cyber risk. This is achieved cost-effectively based on business needs. Moreover, it accomplishes this without imposing additional regulatory requirements on businesses.

NIST CSF went through the years with just one minor 1.1 update in 2018. Ten years later, the threat landscape has changed significantly, and NIST proposed version 2.0, which is quite a change to adapt the framework to the latest cybersecurity best practices. While the core structure of the NIST CSF stays the same in general, proposed changes enhance the framework’s capabilities.

The framework is structured around a set of high-level core functions, which are essential for any cybersecurity program. They include Identify, Protect, Detect, Respond, Recover, and, with the latest update, Govern. This structure provides a strategic overview of an organization’s approach to cybersecurity risk management. Those six core functions are broken down into 22 categories and 106 subcategories. Each subcategory is an atomic control, which defines best practices to consider when assessing an organization’s cybersecurity program. It is essential to highlight that NIST CSF is vendor-agnostic and non-prescriptive. Consider the framework as a tool rather than a checklist to follow.

What’s changed in CSF 2.0?

As you know, the initial version of CSF focused on the nation’s critical infrastructure. The introduction of CSF 2.0 officially broadened its reach, since it now includes all sorts of organizations, not just those deemed necessary. The next major shift was adding a new top-level "Govern" function, which includes many function categories to align with modern security risk management best practices.

Another structural change in CSF 2.0 is noteworthy, in that it introduces 'implementation examples'. These examples help organizations translate the framework’s technical requirements into actual improvements in security posture and ensure alignment with business objectives. Also, CSF 2.0 established a direct connection with other security frameworks to build a holistic vision for cybersecurity.

Previously, "cybersecurity supply chain risk management" was mixed into different functions. Now, it has become a separate sub-category under the Govern function. This change highlights the importance of supply chain management. It follows the transformation trend of the Risk Management Framework (NIST 800-37) and the Controls Catalog (NIST 800-53), with both moved software supply chain security to dedicated sections in the latest revisions.

How NXLog helps comply with NIST CSF 2.0

NXLog Enterprise Edition enables an autonomous pipeline to support security monitoring systems (SIEM, UEBA, XDR, APM, and others) with the necessary log data for ongoing analysis.

NXLog helps to implement the PROTECT function in the “Platform Security“ category.

CSF Subcategory	Implementation Examples	Informative Reference	NXLog
PR.PS-04: Log records are generated and made available for continuous monitoring.	Example 1: Configure all operating systems, applications, and services (including cloud-based services) to generate log records. Example 2: Configure log generators to securely share their logs with the organization’s logging infrastructure systems and services. Example 3: Configure log generators to record the data needed by zero-trust architectures.	NIST Special Publication 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities: PO.3.3 CIS Controls: 8.2 CRI Profile Version 2.0: PR.PS-04 CRI Profile Version 2.0: PR.PS-04.01 CRI Profile Version 2.0: PR.PS-04.02 CRI Profile Version 2.0: PR.PS-04.03	NXLog Enterprise Edition lets you capture logs generated by operating systems (Windows, Linux, macOS, AIX, Solaris, BSD, etc.) and applications. It provides over a hundred integrations out-of-the-box to ensure you can deliver all your valuable log data to the right place (SIEM or APM) for ongoing monitoring.

CSF Subcategory

Implementation Examples

Informative Reference

NXLog

PR.PS-04:
Log records are generated and made available for continuous monitoring.

Example 1:
Configure all operating systems, applications, and services (including cloud-based services) to generate log records.

Example 2:
Configure log generators to securely share their logs with the organization’s logging infrastructure systems and services.

Example 3:
Configure log generators to record the data needed by zero-trust architectures.

NIST Special Publication 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities: PO.3.3

CIS Controls: 8.2
CRI Profile Version 2.0: PR.PS-04
CRI Profile Version 2.0: PR.PS-04.01
CRI Profile Version 2.0: PR.PS-04.02
CRI Profile Version 2.0: PR.PS-04.03

NXLog Enterprise Edition lets you capture logs generated by operating systems (Windows, Linux, macOS, AIX, Solaris, BSD, etc.) and applications.

It provides over a hundred integrations out-of-the-box to ensure you can deliver all your valuable log data to the right place (SIEM or APM) for ongoing monitoring.

NXLog supports “Data Security” (PR.DS) category implementation about logs data, whether the data is at rest or in transit.

CSF Subcategory	Implementation Examples	Informative Reference	NXLog
PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected.	Example : Encryption, digital signatures, and cryptographic hashes protect the confidentiality and integrity of stored data in files, databases, virtual machine disk images, container images, and other resources.	NIST Special Publication 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities: PS.1.1 NIST Special Publication 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities: PS.2.1 NIST Special Publication 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities: PS.3.1 CIS Controls: 3.11 CRI Profile Version 2.0: PR.DS-01 CRI Profile Version 2.0: PR.DS-01.01 CRI Profile Version 2.0: PR.DS-01.02 CRI Profile Version 2.0: PR.DS-01.03	The File Integrity Monitoring (FIM) feature of NXLog Enterprise Edition can scan files and directories and report detected changes.
PR.DS-02: The confidentiality, integrity, and availability of data in transit are protected.	Example: Use encryption, digital signatures, and cryptographic hashes to protect the confidentiality and integrity of network communications.	CIS Controls: 3.10 CRI Profile Version 2.0: PR.DS-02 CRI Profile Version 2.0: PR.DS-02.01	NXLog Enterprise Edition has an SSL/TLS module to provide secure transport for log messages. NXLog Enterprise Edition supports certificates with TPM-generated keys. Trusted Platform Module (TPM) chips provide tamper-resistant security functions, making it the most secure way of encrypting data.
PR.DS-11: Backups of data are created, protected, maintained, and tested.	Example: Continuously back up critical data in near-real-time and back up other data frequently at agreed-upon schedules.	NIST Special Publication 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities: PS.3.1 CIS Controls: 11.2 CIS Controls: 11.3 CIS Controls: 11.5 CRI Profile Version 2.0: PR.DS-11 CRI Profile Version 2.0: PR.DS-11.01	NXLog Enterprise Edition can route log streams to multiple destinations and automate log rotation. Together with the NXLog FIM module, it allows you to build a robust backup pipeline.

CSF Subcategory

Implementation Examples

Informative Reference

NXLog

PR.DS-01:
The confidentiality, integrity, and availability of data-at-rest are protected.

Example :
Encryption, digital signatures, and cryptographic hashes protect the confidentiality and integrity of stored data in files, databases, virtual machine disk images, container images, and other resources.

NIST Special Publication 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities: PS.1.1

NIST Special Publication 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities: PS.2.1

NIST Special Publication 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities: PS.3.1

CIS Controls: 3.11
CRI Profile Version 2.0: PR.DS-01
CRI Profile Version 2.0: PR.DS-01.01
CRI Profile Version 2.0: PR.DS-01.02
CRI Profile Version 2.0: PR.DS-01.03

The File Integrity Monitoring (FIM) feature of NXLog Enterprise Edition can scan files and directories and report detected changes.

PR.DS-02:
The confidentiality, integrity, and availability of data in transit are protected.

Example:
Use encryption, digital signatures, and cryptographic hashes to protect the confidentiality and integrity of network communications.

CIS Controls: 3.10
CRI Profile Version 2.0: PR.DS-02
CRI Profile Version 2.0: PR.DS-02.01

NXLog Enterprise Edition has an SSL/TLS module to provide secure transport for log messages.

NXLog Enterprise Edition supports certificates with TPM-generated keys. Trusted Platform Module (TPM) chips provide tamper-resistant security functions, making it the most secure way of encrypting data.

PR.DS-11:
Backups of data are created, protected, maintained, and tested.

Example:
Continuously back up critical data in near-real-time and back up other data frequently at agreed-upon schedules.

NIST Special Publication 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities: PS.3.1

CIS Controls: 11.2
CIS Controls: 11.3
CIS Controls: 11.5
CRI Profile Version 2.0: PR.DS-11
CRI Profile Version 2.0: PR.DS-11.01

NXLog Enterprise Edition can route log streams to multiple destinations and automate log rotation. Together with the NXLog FIM module, it allows you to build a robust backup pipeline.

NXLog Enterprise Edition also complements the “Technology Infrastructure Resilience” (PR.IR-03 and PR.IR-04) category within the PROTECT function by providing robust log collection architecture capabilities.

CSF Subcategory	Implementation Examples	Informative Reference	NXLog
PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations.	Example 1: Avoid single points of failure in systems and infrastructure. Example 2: Use load balancing to increase capacity and improve reliability. Example 3: Use high-availability components like redundant storage and power supplies to improve system reliability.	CRI Profile Version 2.0: PR.IR-03 CRI Profile Version 2.0: PR.IR-03.01	NXLog Enterprise Edition allows for high-availability deployments. NXLog integrates with third-party load-balancing solutions and ships with built-in failover capabilities. See the High Availability section in the NXLog agent User Guide for more information.

CSF Subcategory

Implementation Examples

Informative Reference

NXLog

PR.IR-03:
Mechanisms are implemented to achieve resilience requirements in normal and adverse situations.

Example 1:
Avoid single points of failure in systems and infrastructure.

Example 2:
Use load balancing to increase capacity and improve reliability.

Example 3:
Use high-availability components like redundant storage and power supplies to improve system reliability.

CRI Profile Version 2.0: PR.IR-03
CRI Profile Version 2.0: PR.IR-03.01

NXLog Enterprise Edition allows for high-availability deployments. NXLog integrates with third-party load-balancing solutions and ships with built-in failover capabilities. See the High Availability section in the NXLog agent User Guide for more information.

Finally, as a powerful and versatile log collection and shipping software, NXLog Enterprise Edition helps implement the core DETECT function of the framework, including "Continuous Monitoring" (DE.CM) and "Adverse Event Analysis" (DE.AE) category controls.

CSF Subcategory Implementation Examples Informative Reference NXLog

CSF Subcategory	Implementation Examples	Informative Reference	NXLog
DE.CM-01: Networks and network services are monitored to find potentially adverse events.	Example 1: Monitor DNS, BGP, and other network services for adverse events. Example 2: Monitor wired and wireless networks for connections from unauthorized endpoints. Example 3: Monitor facilities for unauthorized or rogue wireless networks. Example 4: Compare actual network flows against baselines to detect deviations. Example 5: Monitor network communications to identify changes in security postures for zero trust purposes.	CIS Controls: 13.1 CRI Profile Version 2.0: DE.CM-01 CRI Profile Version 2.0: DE.CM-01.01 CRI Profile Version 2.0: DE.CM-01.02 CRI Profile Version 2.0: DE.CM-01.03 CRI Profile Version 2.0: DE.CM-01.04 CRI Profile Version 2.0: DE.CM-01.05 CRI Profile Version 2.0: DE.CM-01.06	NXLog Enterprise Edition can monitor and proactively analyze Domain Name Server (DNS) queries and responses. See the DNS Monitoring section in the NXLog agent User Guide for more information. NXLog also allows for passive network monitoring by generating logs for various protocols. It uses the `libpcap` and `WinPcap` libraries to capture network traffic. See the Packet capture section in the NXLog Agent Reference Manual for more information.
DE.CM-02: The physical environment is monitored to find potentially adverse events.	Example: Monitor logs from physical access control systems (e.g., badge readers) to find unusual access patterns (e.g., deviations from the norm) and failed access attempts.	CRI Profile Version 2.0: DE.CM-02 CRI Profile Version 2.0: DE.CM-02.01	NXLog Enterprise Edition allows the capture of logs from physical access control systems and sending them for centralization and analysis.
DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events.	Example 1: Use behavior analytics software to detect anomalous user activity to mitigate insider threats. Example 2: Monitor logs from logical access control systems to find unusual access patterns and failed access attempts. Example 3: Continuously monitor deception technology, including user accounts, for any usage.	CIS Controls: 10.7 CRI Profile Version 2.0: DE.CM-03 CRI Profile Version 2.0: DE.CM-03.01 CRI Profile Version 2.0: DE.CM-03.02 CRI Profile Version 2.0: DE.CM-03.03	NXLog helps integrate all valuable logs into monitoring systems and ensures nothing is missed. NXLog Enterprise Edition is compatible with all the major SIEM/UEBA/XDR systems, such as Google Chronicle, Microsoft (Azure) Sentinel, MicroFocus ArcSight, IBM QRadar, and others.
DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.	Example 1: Monitor email, web, file sharing, collaboration services, and other common attack vectors to detect malware, phishing, data leaks and exfiltration, and other adverse events. Example 2: Monitor authentication attempts to identify attacks against credentials and unauthorized credential reuse. Example 3: Monitor software configurations for deviations from security baselines. Example 4: Monitor hardware and software for signs of tampering.	CIS Controls: 10.1 CRI Profile Version 2.0: DE.CM-09 CRI Profile Version 2.0: DE.CM-09.01 CRI Profile Version 2.0: DE.CM-09.02 CRI Profile Version 2.0: DE.CM-09.03	NXLog Enterprise Edition allows you to capture and centralize logs from operating systems and applications, including those stored in files and database structures, sent over network sockets, and others. NXLog helps collect all valuable logs and analyze them properly in the security system.
DE.AE-02: Potentially adverse events are analyzed to better understand associated activities.	Example 1: Use security information and event management (SIEM) or other tools to continuously monitor log events for known malicious and suspicious activity. Example 2: Utilize up-to-date cyber threat intelligence in log analysis tools to improve detection accuracy and characterize threat actors, their methods, and indicators of compromise. Example 3: Regularly conduct manual reviews of log events for technologies that cannot be sufficiently monitored through automation. Example 4: Use log analysis tools to generate reports on their findings first: - 1st Party Risk.	CIS Controls: 8.11 CRI Profile Version 2.0: DE.AE-02 CRI Profile Version 2.0: DE.AE-02.01 CRI Profile Version 2.0: DE.AE-02.02	NXLog Enterprise Edition allows you to analyze your log data on the fly, trigger events in real-time, filter data, and send it for correlation analysis to SIEM systems. NXLog provides powerful data filtration and transformation capabilities to offload your SIEM system, make security analysis more efficient, and save storage costs.
DE.AE-03: Information is correlated from multiple sources.	Example 1: Constantly transfer log data generated by other sources to a relatively small number of log servers. Example 2: Use event correlation technology (e.g., SIEM) to collect information captured by multiple sources. Example 3: Utilize cyber threat intelligence to help correlate events among log sources.	CRI Profile Version 2.0: DE.AE-03 CRI Profile Version 2.0: DE.AE-03.01 CRI Profile Version 2.0: DE.AE-03.02	NXLog allows you to capture security and audit logs from various data sources, including operating systems, applications, and network devices, and send them to SIEM for correlation. You can also simultaneously route the collected data to other destinations, such as a log backup storage.

DE.CM-01:
Networks and network services are monitored to find potentially adverse events.

Example 1:
Monitor DNS, BGP, and other network services for adverse events.

Example 2:
Monitor wired and wireless networks for connections from unauthorized endpoints.

Example 3:
Monitor facilities for unauthorized or rogue wireless networks.

Example 4:
Compare actual network flows against baselines to detect deviations.

Example 5:
Monitor network communications to identify changes in security postures for zero trust purposes.

CIS Controls: 13.1
CRI Profile Version 2.0: DE.CM-01
CRI Profile Version 2.0: DE.CM-01.01
CRI Profile Version 2.0: DE.CM-01.02
CRI Profile Version 2.0: DE.CM-01.03
CRI Profile Version 2.0: DE.CM-01.04
CRI Profile Version 2.0: DE.CM-01.05
CRI Profile Version 2.0: DE.CM-01.06

NXLog Enterprise Edition can monitor and proactively analyze Domain Name Server (DNS) queries and responses. See the DNS Monitoring section in the NXLog agent User Guide for more information.

NXLog also allows for passive network monitoring by generating logs for various protocols. It uses the libpcap and WinPcap libraries to capture network traffic. See the Packet capture section in the NXLog Agent Reference Manual for more information.

DE.CM-02:
The physical environment is monitored to find potentially adverse events.

Example:
Monitor logs from physical access control systems (e.g., badge readers) to find unusual access patterns (e.g., deviations from the norm) and failed access attempts.

CRI Profile Version 2.0: DE.CM-02
CRI Profile Version 2.0: DE.CM-02.01

NXLog Enterprise Edition allows the capture of logs from physical access control systems and sending them for centralization and analysis.

DE.CM-03:
Personnel activity and technology usage are monitored to find potentially adverse events.

Example 1:
Use behavior analytics software to detect anomalous user activity to mitigate insider threats.

Example 2:
Monitor logs from logical access control systems to find unusual access patterns and failed access attempts.

Example 3:
Continuously monitor deception technology, including user accounts, for any usage.

CIS Controls: 10.7
CRI Profile Version 2.0: DE.CM-03
CRI Profile Version 2.0: DE.CM-03.01
CRI Profile Version 2.0: DE.CM-03.02
CRI Profile Version 2.0: DE.CM-03.03

NXLog helps integrate all valuable logs into monitoring systems and ensures nothing is missed.

NXLog Enterprise Edition is compatible with all the major SIEM/UEBA/XDR systems, such as Google Chronicle, Microsoft (Azure) Sentinel, MicroFocus ArcSight, IBM QRadar, and others.

DE.CM-09:
Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.

Example 1:
Monitor email, web, file sharing, collaboration services, and other common attack vectors to detect malware, phishing, data leaks and exfiltration, and other adverse events.

Example 2:
Monitor authentication attempts to identify attacks against credentials and unauthorized credential reuse.

Example 3:
Monitor software configurations for deviations from security baselines.

Example 4:
Monitor hardware and software for signs of tampering.

CIS Controls: 10.1
CRI Profile Version 2.0: DE.CM-09
CRI Profile Version 2.0: DE.CM-09.01
CRI Profile Version 2.0: DE.CM-09.02
CRI Profile Version 2.0: DE.CM-09.03

NXLog Enterprise Edition allows you to capture and centralize logs from operating systems and applications, including those stored in files and database structures, sent over network sockets, and others.

NXLog helps collect all valuable logs and analyze them properly in the security system.

DE.AE-02:
Potentially adverse events are analyzed to better understand associated activities.

Example 1:
Use security information and event management (SIEM) or other tools to continuously monitor log events for known malicious and suspicious activity.

Example 2:
Utilize up-to-date cyber threat intelligence in log analysis tools to improve detection accuracy and characterize threat actors, their methods, and indicators of compromise.

Example 3:
Regularly conduct manual reviews of log events for technologies that cannot be sufficiently monitored through automation.

Example 4:
Use log analysis tools to generate reports on their findings first: - 1st Party Risk.

CIS Controls: 8.11
CRI Profile Version 2.0: DE.AE-02
CRI Profile Version 2.0: DE.AE-02.01
CRI Profile Version 2.0: DE.AE-02.02

NXLog Enterprise Edition allows you to analyze your log data on the fly, trigger events in real-time, filter data, and send it for correlation analysis to SIEM systems.

NXLog provides powerful data filtration and transformation capabilities to offload your SIEM system, make security analysis more efficient, and save storage costs.

DE.AE-03:
Information is correlated from multiple sources.

Example 1:
Constantly transfer log data generated by other sources to a relatively small number of log servers.

Example 2:
Use event correlation technology (e.g., SIEM) to collect information captured by multiple sources.

Example 3:
Utilize cyber threat intelligence to help correlate events among log sources.

CRI Profile Version 2.0: DE.AE-03
CRI Profile Version 2.0: DE.AE-03.01
CRI Profile Version 2.0: DE.AE-03.02

NXLog allows you to capture security and audit logs from various data sources, including operating systems, applications, and network devices, and send them to SIEM for correlation. You can also simultaneously route the collected data to other destinations, such as a log backup storage.

NXLog Platform is an on-premises solution for centralized log management with
versatile processing forming the backbone of security monitoring.

With our industry-leading expertise in log collection and agent management, we comprehensively
address your security log-related tasks, including collection, parsing, processing, enrichment, storage, management, and analytics.

Start free Contact us