The NIST Cybersecurity Framework (CSF) 2.0 and ISO/IEC 27001:2022 are two prominent frameworks that organizations use to manage and mitigate cybersecurity risks. While both aim to enhance an organization’s cybersecurity posture, they differ in structure, focus, and implementation approach. This comparison provides a detailed mapping between the two frameworks, identifies significant gaps, and highlights unique elements that appear only in one of the documents.

1. High-Level Overview

Scope and Focus

• NIST CSF 2.0: Designed to provide a flexible framework for managing cybersecurity risks, applicable to organizations of any size, sector, or maturity level. It emphasizes cybersecurity outcomes and is particularly tailored for critical infrastructure.
• ISO/IEC 27001:2022: An international standard specifying requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It has a broader focus on information security management, encompassing not just cybersecurity but also other aspects of information protection.

Structure

• NIST CSF 2.0:
• Core Functions: Identify, Protect, Detect, Respond, Recover, and the newly added Govern.
• Categories and Subcategories: Each function is divided into categories and subcategories that outline specific cybersecurity activities and outcomes.
• ISO/IEC 27001:2022:
• Clauses 4–10: Requirements for the ISMS, including context, leadership, planning, support, operation, performance evaluation, and improvement.
• Annex A: Contains 93 controls divided into four themes: Organizational, People, Physical, and Technological controls.

2. Detailed Mapping of Key Areas

The following mapping aligns the NIST CSF 2.0 functions with the relevant clauses and controls in ISO/IEC 27001:2022.

A. Identify (ID)

Objective: Develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

B. Protect (PR)

Objective: Develop and implement appropriate safeguards to ensure delivery of critical services.

C. Detect (DE)

Objective: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.

D. Respond (RS)

Objective: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.

E. Recover (RC)

Objective: Develop and implement appropriate activities to maintain plans for resilience and restore any capabilities or services impaired due to a cybersecurity incident.

F. Govern (GV)

Objective: Ensure that cybersecurity risk management is adequately addressed at the organizational governance level.

3. Significant Gaps and Unique Elements

While there is substantial overlap between the two frameworks, each contains unique elements that are not directly mapped to the other.

Unique Elements in NIST CSF 2.0

• Supply Chain Risk Management (ID.SC): NIST CSF provides specific guidance on managing cybersecurity risks in the supply chain, emphasizing the need to understand and manage risks associated with third-party vendors and service providers. ISO/IEC 27001:2022 addresses supplier relationships but does not provide as detailed guidance on supply chain risks.
• Cybersecurity Culture and Governance (GV): The “Govern” function in NIST CSF 2.0 highlights the importance of organizational culture, leadership, and governance in cybersecurity risk management. While ISO 27001 embeds governance principles, it does not have a dedicated function for it.
• Detailed Subcategories and Implementation Tiers: NIST CSF includes detailed subcategories for each category and introduces implementation tiers to help organizations understand their current cybersecurity posture and set targets for improvement.
• Profiles: NIST CSF allows organizations to create profiles to align cybersecurity activities with business requirements, risk tolerance, and resources, providing a customized approach.

Unique Elements in ISO/IEC 27001:2022

• Information Security Management System (ISMS) Requirements: ISO 27001 provides a formal specification for an ISMS, including requirements for documentation, management commitment, internal audits, and continual improvement processes (Clauses 4–10). NIST CSF does not specify requirements for an ISMS.
• Certification: ISO 27001 is a certifiable standard, enabling organizations to demonstrate compliance through external audits. NIST CSF does not have a certification process.
• Detailed Control Requirements: Annex A of ISO 27001 lists 93 specific controls organized into four themes, providing comprehensive coverage of information security controls beyond cybersecurity, including physical security, HR security, and legal compliance.
• Plan-Do-Check-Act (PDCA) Model: ISO 27001 is based on the PDCA cycle, promoting a systematic approach to managing and improving information security processes.

Items Appearing Only in One Document

Only in NIST CSF 2.0

• Implementation Tiers: Provide context on how an organization views cybersecurity risk and processes.
• Profiles: Allow for customization of the framework to align with organizational needs.
• Detailed Focus on Cybersecurity Outcomes: Emphasizes specific cybersecurity outcomes rather than prescribing controls.
• Threat Intelligence Integration (ID.RA): Includes subcategories for leveraging threat intelligence, which is not explicitly covered in ISO 27001.

Only in ISO/IEC 27001:2022

• ISMS Documentation Requirements (Clause 7.5): Specifies the need for documented information, including policies, procedures, and records.
• Internal Audits (Clause 9.2): Requires organizations to conduct internal audits at planned intervals to provide information on the ISMS’s effectiveness.
• Management Review (Clause 9.3): Mandates top management to review the organization’s ISMS at planned intervals.
• Compliance Obligations (Annex A: A.18): Addresses the need to identify and meet legal, regulatory, and contractual requirements.
• Human Resource Security (Annex A: A.7): Includes controls related to background checks, terms and conditions of employment, and information security responsibilities.
• System Acquisition, Development, and Maintenance (Annex A: A.14): Provides detailed controls for secure development practices, change management, and technical review of applications.

4. Conclusion

While NIST CSF 2.0 and ISO/IEC 27001:2022 share common goals in enhancing cybersecurity and information security, they differ in structure, focus, and implementation approaches. NIST CSF offers a flexible, outcome-oriented framework tailored for organizations seeking to understand and improve their cybersecurity posture without the need for formal certification. ISO 27001 provides a comprehensive, certifiable standard for establishing an ISMS, with detailed requirements and controls that extend beyond cybersecurity to encompass all aspects of information security.

Organizations may benefit from integrating both frameworks, leveraging the flexibility and detailed cybersecurity focus of NIST CSF alongside the structured, comprehensive ISMS approach of ISO 27001. This integrated approach can provide robust risk management, compliance with international standards, and continual improvement of cybersecurity practices.

Key Takeaways

• Overlap Exists: Both frameworks cover essential aspects of cybersecurity risk management, including risk assessment, incident response, and recovery planning.
• Different Emphases:
• NIST CSF focuses on flexibility, allowing organizations to adapt the framework to their specific needs and risk profiles.
• ISO 27001 emphasizes a formalized approach with detailed requirements and the option for certification.
• Unique Elements:
• NIST CSF includes unique elements like supply chain risk management and profiles for customization.
• ISO 27001 includes requirements for an ISMS, documentation, internal audits, and management reviews.
• No One-to-One Mapping for Some Items: Certain elements in each framework do not have direct counterparts in the other, highlighting areas where organizations may need to address gaps if using only one framework.

สไลด์นำเสนอ: การเปรียบเทียบ NIST CSF 2.0 กับ ISO/IEC 27001:2022

สไลด์ที่ 1: ชื่อเรื่อง

การเปรียบเทียบและการแมประหว่าง NIST Cybersecurity Framework 2.0 กับ ISO/IEC 27001:2022

สไลด์ที่ 2: บทนำ

• วัตถุประสงค์: นำเสนอการเปรียบเทียบเชิงลึกระหว่าง NIST CSF 2.0 และ ISO/IEC 27001:2022
• เป้าหมาย:
• ระบุความเหมือนและความแตกต่างระหว่างสองกรอบการทำงาน
• ชี้ให้เห็นถึงช่องว่างและองค์ประกอบที่เป็นเอกลักษณ์ของแต่ละมาตรฐาน
• ให้คำแนะนำสำหรับการนำไปปฏิบัติในองค์กร

สไลด์ที่ 3: ภาพรวมระดับสูง

ขอบเขตและจุดเน้น

• NIST CSF 2.0:
• กรอบการทำงานที่ยืดหยุ่นสำหรับการจัดการความเสี่ยงไซเบอร์
• เหมาะสำหรับองค์กรทุกขนาดและทุกอุตสาหกรรม
• เน้นที่ผลลัพธ์ด้านความมั่นคงปลอดภัยไซเบอร์
• ISO/IEC 27001:2022:
• มาตรฐานสากลสำหรับการจัดตั้งและปรับปรุงระบบบริหารจัดการความมั่นคงปลอดภัยสารสนเทศ (ISMS)
• ครอบคลุมการปกป้องข้อมูลในทุกมิติ ไม่เฉพาะไซเบอร์

สไลด์ที่ 4: การเปรียบเทียบโครงสร้าง

• NIST CSF 2.0:
• Function หลัก: Identify, Protect, Detect, Respond, Recover, Govern
• Category และ Subcategory: ระบุกิจกรรมและผลลัพธ์เฉพาะด้านความมั่นคงปลอดภัยไซเบอร์
• ISO/IEC 27001:2022:
• Clause 4–10: ข้อกำหนดสำหรับ ISMS
• Annex A: 93 Control แบ่งเป็น 4 หมวดหมู่ (องค์กร, บุคคล, กายภาพ, เทคโนโลยี)

สไลด์ที่ 5: การแมปของ Function และ Control

A. Identify (ID)

• วัตถุประสงค์: พัฒนาความเข้าใจองค์กรเพื่อจัดการความเสี่ยงไซเบอร์
• การแมป:
• ID.AM (Asset Management) ↔ Annex A: A.5, A.8
• ID.BE (Business Environment) ↔ Clause 4, Clause 5
• ID.GV (Governance) ↔ Clause 5, Annex A: A.5
• ID.RA (Risk Assessment) ↔ Clause 6.1, Annex A: A.6
• ID.RM (Risk Management Strategy) ↔ Clause 6, Clause 8
• ID.SC (Supply Chain Risk Management) ↔ Annex A: A.15

สไลด์ที่ 6: การแมปของ Function และ Control (ต่อ)

B. Protect (PR)

• วัตถุประสงค์: พัฒนาและดำเนินการป้องกันที่เหมาะสม
• การแมป:
• PR.AC (Access Control) ↔ Annex A: A.9
• PR.AT (Awareness and Training) ↔ Annex A: A.7
• PR.DS (Data Security) ↔ Annex A: A.8, A.18
• PR.IP (Information Protection Processes) ↔ Annex A: A.5, Clause 7.5
• PR.MA (Maintenance) ↔ Annex A: A.12
• PR.PT (Protective Technology) ↔ Annex A: A.13, A.14

สไลด์ที่ 7: ช่องว่างและองค์ประกอบที่เป็นเอกลักษณ์

องค์ประกอบเฉพาะของ NIST CSF 2.0

• การจัดการความเสี่ยงในห่วงโซ่อุปทาน (ID.SC)
• วัฒนธรรมและการกำกับดูแลด้านไซเบอร์ (GV)
• Implementation Tiers และ Profiles
• การบูรณาการ Threat Intelligence (ID.RA)

องค์ประกอบเฉพาะของ ISO/IEC 27001:2022

• ข้อกำหนดสำหรับ ISMS (Clause 4–10)
• การรับรองมาตรฐาน (Certification)
• รายละเอียดของ Control ใน Annex A
• โมเดล PDCA (Plan-Do-Check-Act)

สไลด์ที่ 8: สรุปผล

• ความเหมือน: ทั้งสองมาตรฐานครอบคลุมการจัดการความเสี่ยงไซเบอร์ในหลายด้าน
• ความแตกต่าง:
• NIST CSF เน้นความยืดหยุ่นและการปรับใช้ตามความต้องการองค์กร
• ISO 27001 เน้นการปฏิบัติตามข้อกำหนดที่เป็นทางการและการรับรอง
• คำแนะนำ: การผสานทั้งสองกรอบการทำงานจะช่วยให้องค์กรมีระบบการจัดการความมั่นคงปลอดภัยที่ครอบคลุมและมีประสิทธิภาพ

สไลด์ที่ 9: ข้อเสนอแนะและความห่วงใย

• เน้นการปฏิบัติจริง: ควรให้ความสำคัญกับการนำไปใช้จริงในองค์กร มากกว่าการปฏิบัติตามข้อกำหนดทางวิชาการอย่างเคร่งครัด
• ภาระในการดำเนินงาน: การปฏิบัติตามมาตรฐานหลาย ๆ อย่างอาจเพิ่มภาระเกินความจำเป็น
• บทบาทของคณะอนุกรรมการ: ควรเข้าใจและสนับสนุนการดำเนินงานด้านไซเบอร์ที่สอดคล้องกับบริบทองค์กร
• การเตรียมความพร้อมของประเทศ: สนับสนุนความพยายามของ สกมช. ในการยกระดับความมั่นคงปลอดภัยไซเบอร์ของประเทศ ผ่าน NCRI

สไลด์ที่ 10: คำกล่าวปิดท้าย

• การตัดสินใจที่มีข้อมูล: ด้วยความเข้าใจในความแตกต่างและจุดแข็งของแต่ละมาตรฐาน องค์กรสามารถตัดสินใจได้อย่างเหมาะสม
• การปรับใช้ที่ยืดหยุ่น: เลือกกรอบการทำงานที่สอดคล้องกับวัตถุประสงค์ ทรัพยากร และข้อกำหนดขององค์กร
• ความร่วมมือและการสนับสนุน: คณะอนุกรรมการและผู้เกี่ยวข้องควรร่วมมือกันเพื่อเสริมสร้างความมั่นคงปลอดภัยไซเบอร์

NIST Cybersecurity Framework (CSF) 2.0 versus ISO/IEC 27001:2022 was originally published in CyOps on Medium, where people are continuing the conversation by highlighting and responding to this story.

• Firewalls: การใช้กฎที่แข็งแกร่งบนอุปกรณ์ firewall เพื่อกรองการจราจรที่มีเจตนาทำลาย
• Intrusion Prevention Systems (IPS): ระบบเหล่านี้ตรวจสอบการจราจรเครือข่ายเพื่อตรวจหาและป้องกันช่องโหว่
• Anti-DDoS Measures: การใช้มาตรการเพื่อบรรเทาการโจมตี Distributed Denial of Service อย่างเช่นการใช้เครื่องมือหรือบริการป้องกัน DDoS

Best Practices for Perimeter Security: ชุดกฎ firewall ควรได้รับการปรับปรุงอย่างสม่ำเสมอเพื่อรวมข้อมูลข่าวกรองข้อบกพร่องล่าสุดและข้อมูลความปลอดภัย. นอกจากนี้ยังควรกำหนดค่า IPS เพื่อตรวจจับและบล็อกเทคนิคโจมตีที่ใช้กันอย่างแพร่หลายต่อเว็บไซต์บริการสาธารณะ

2. Network Security (ความปลอดภัยของเครือข่าย):

• Segmentation: การแบ่งส่วนเครือข่ายเพื่อให้แน่ใจว่าระบบที่ละเอียดอ่อนถูกแยกจากระบบที่มีความละเอียดอ่อนน้อยลง
• Encryption: การใช้การเข้ารหัสสำหรับข้อมูลในการถ่ายโอนเพื่อป้องกันการรับและการเข้าถึงโดยไม่ได้รับอนุญาต
• Virtual Private Network (VPN): การใช้ VPN เพื่อการเข้าถึงระยะไกลที่ปลอดภัย

Best Practices for Network Security: ควรแบ่งส่วนเครือข่ายเพื่อแยกระบบและข้อมูลที่สำคัญจากระบบและข้อมูลที่มีความละเอียดอ่อนน้อยลง นอกจากนี้ยังควรตรวจสอบการจราจรระหว่างส่วนของเครือข่ายโดย firewall หรืออุปกรณ์ความปลอดภัยอื่น ๆ

3. ความมั่นคงปลอดภัยโฮสต์:

• เครื่องมือตรวจจับและกําจัดมัลแวร์: ติดตั้งและบํารุงรักษาเครื่องมือป้องกันไวรัสและมัลแวร์
• การจัดการแพทช์: ตรวจสอบให้ระบบมีการแพทช์ตัวเพื่อให้ทันสมัยอยู่เสมอ
• การจัดการการกําหนดค่า: จัดตั้งและบํารุงรักษาค่ากําหนดค่าความมั่นคงปลอดภัยของระบบทั้งหมด

แนวปฏิบัติที่ดีสําหรับความมั่นคงปลอดภัยโฮสต์: นอกจากการติดตั้งและบํารุงรักษาเครื่องมือตรวจจับและกําจัดมัลแวร์แล้ว การใช้มาตรการควบคุมความมั่นคงปลอดภัยอื่นๆ เช่น application whitelisting และ system hardening ก็มีความสําคัญเพื่อป้องกันมัลแวร์ร้ายแรงบนเซิร์ฟเวอร์เว็บไซต์

4. ความมั่นคงปลอดภัยของแอปพลิเคชัน:

• Web Application Firewall (WAF): ใช้ WAF ที่ขับเคลื่อนด้วย AI เพื่อป้องกันแอปพลิเคชันเว็บจากการโจมตีทั่วไปและการโจมตีที่กำลังเปลี่ยนแปลงอยู่
• การตรวจสอบข้อมูลที่ป้อน: ใช้เทคนิคการตรวจสอบข้อมูลที่ป้อนขั้นสูงเพื่อป้องกัน SQL injection, cross-site scripting, และการโจมตีประเภทอื่นๆ
• การตรวจสอบตัวตนและการอนุญาต: ใช้การตรวจสอบตัวตนแบบ multifactor (MFA) และควบคุมการอนุญาตที่มีประสิทธิภาพเพื่อให้แน่ใจว่ามีเพียงบุคคลที่ได้รับอนุญาตเท่านั้นที่สามารถเข้าถึงข้อมูลบางประเภท

ทั้งนี้เป็นวิธีที่ดีที่สุดสำหรับความมั่นคงปลอดภัยของแอปพลิเคชัน:

• WAF ควรได้รับการอัปเดตอย่างสม่ำเสมอเพื่อรวมกฎสำหรับช่องโหว่ที่ทราบล่าสุดและควรถูกกำหนดค่าเพื่อป้องกันการโจมตี zero-day
• ใช้นโยบายความปลอดภัยของเนื้อหาเพื่อป้องกันการโจมตี cross-site scripting
• กฎการตรวจสอบข้อมูลที่ป้อนควรได้รับการตรวจสอบและอัปเดตอย่างสม่ำเสมอเพื่อให้แน่ใจว่ายังมีประสิทธิภาพต่อประเภทการโจมตีใหม่ๆ
• กลไกการตรวจสอบตัวตนควรรวมมาตรการป้องกันการโจมตีแบบ brute force เช่น CAPTCHA, นโยบายการล็อกบัญชี, และกลไกการล่าช้าที่เพิ่มขึ้นอย่างต่อเนื่อง
• การจัดการเซสชันควรปลอดภัย พร้อมนโยบายการหมดเวลาของเซสชันและการล็อกเอาต์อัตโนมัติเมื่อไม่มีการใช้งาน

The defense-in-depth approach emphasizes multiple layers of security controls and measures within an information system’s environment. Here is a comprehensive list of security measures and controls to protect a public service website from cyber-attacks and malicious activities: 1. Perimeter Security: — Firewalls: Implementing a strong set of rules on firewall appliances to filter out malicious traffic. — Intrusion Prevention Systems (IPS): These systems monitor network traffic to detect and prevent vulnerability exploits. — Anti-DDoS Measures: Implementing measures to mitigate Distributed Denial of Service attacks, such as using DDoS prevention tools or services. Best Practices for Perimeter Security: The firewall ruleset should be regularly updated to include the latest threat intelligence and vulnerability information. Additionally, the IPS should be configured to detect and block specific attack techniques that are commonly used against public service websites. 2. Network Security: — Segmentation: Segregating the network to ensure that sensitive systems are separated from less sensitive systems. — Encryption: Employing encryption for data in transit to prevent interception and unauthorized access. — Virtual Private Network (VPN): Utilizing VPNs for secure remote access. Best Practices for Network Security: The network should be segmented to isolate critical systems and data from less sensitive systems and data. Additionally, all traffic between network segments should be inspected by a firewall or other security device. 3. Host Security: — Anti-malware Tools: Installing and maintaining anti-malware tools to detect and remove malicious software. — Patch Management: Ensuring that all systems are up-to-date with the latest security patches. — Configuration Management: Establishing and maintaining a secure configuration posture across all assets. Best Practices for Host Security: In addition to installing and maintaining anti-malware tools, it is also important to implement security controls such as application whitelisting and system hardening to prevent malicious software from executing on the website’s servers. 4. Application Security: — Web Application Firewall (WAF): Utilizing a WAF to protect the web application from common web application attacks. — Input Validation: Ensuring that input from users is validated to prevent SQL injection, cross-site scripting, and other injection attacks. — Authentication and Authorization: Implementing strong authentication and authorization controls to ensure only authorized individuals can access certain information. Best Practices for Application Security: The WAF should be configured to protect against the latest web application attacks, and the input validation rules should be regularly reviewed to ensure that they are effective. Additionally, authentication and authorization controls should be implemented in a way that prevents common attacks such as password brute-forcing and session hijacking.

5. Data Security: — Encryption at Rest: Encrypting sensitive data at rest to prevent unauthorized access. — Data Masking: Employing data masking techniques to hide specific data within a structured data environment. — Access Controls: Implementing strict access control policies to ensure that only authorized individuals have access to sensitive data. Best Practices for Data Security: Sensitive data should be encrypted at rest and in transit, and access controls should be implemented to restrict access to sensitive data only to authorized individuals. Additionally, data masking techniques should be used to protect sensitive data from unauthorized disclosure even if it is accessed by authorized individuals.

6. Monitoring and Incident Response: — Logging and Monitoring: Continuously monitoring and logging system and network activity to detect malicious activity. — Incident Response Plan: Having a well-defined incident response plan in place to address any security incidents promptly. Best Practices for Monitoring and Incident Response: In addition to continuously monitoring and logging system and network activity, it is also important to implement security analytics tools and processes to detect malicious activity in real time. Additionally, the incident response plan should be regularly tested and updated to ensure that it is effective and can be executed efficiently in the event of an attack.

7. Identity and Access Management (IAM): Privileged Access Management: Implementing solutions to control and monitor privileged access within the environment. — User Awareness Training: Training users on security best practices and how to identify phishing attempts or other malicious activity. Best Practices for Identity and Access Management (IAM): Privileged access management controls should be implemented to restrict access to privileged accounts and monitor their use. Additionally, user awareness training should be provided to educate users on security best practices and how to identify phishing attempts or other malicious activity.

8. Compliance and Auditing: — Regular Audits: Conducting regular security audits to identify and mitigate potential vulnerabilities. Compliance with Standards: Ensuring compliance with necessary cybersecurity standards and regulations, such as the General Data Protection Regulation (GDPR) or ISO 27001. Best Practices for Compliance and Auditing: Security audits should be conducted on a regular basis to identify and mitigate potential vulnerabilities. Additionally, the organization should ensure that it is compliant with all necessary cybersecurity standards and regulations.

9. Physical Security: — Data Center Security: Employing physical security measures to protect data centers and other critical infrastructure. — Disaster Recovery and Business Continuity Planning: Developing and testing disaster recovery and business continuity plans to ensure the organization can continue operations in the event of a physical or cyber-incident.

Best Practices for Physical Security: Data center security measures should be implemented to protect the website’s servers and other critical infrastructure from physical attack. Additionally, disaster recovery and business continuity plans should be developed and tested to ensure that the organization can continue operations in the event of a physical or cyber-incident. 10. Third-party Security: — Vendor Risk Management: Assessing the security posture of third-party vendors to ensure they meet the organization’s security standards. — Third-party Audits: Conducting audits of third-party vendors to ensure compliance with contractual and regulatory requirements.

Best Practices for Third-party Security: When working with third-party vendors, the organization should assess their security posture and conduct regular audits to ensure that they meet the organization’s security standards. Additionally, the organization should include security requirements in all third-party contracts. Best Practices in general: * **Adversary Simulation:** Conducting regular adversary simulations to identify and mitigate security gaps in the website and its supporting infrastructure. * **Attack Surface Management:** Maintaining a comprehensive inventory of the website’s attack surface and prioritizing remediation efforts for the most critical vulnerabilities. * **Threat Modeling:** Performing threat modeling to identify potential threats and vulnerabilities to the website, and designing security controls to mitigate those risks. * **Zero Trust Security:** Implementing a zero trust security model to ensure that all users and devices are authenticated and authorized before they are granted access to the website. * **Security Information and Event Management (SIEM):** Deploying a SIEM solution to collect and analyze security logs from across the website’s environment to detect malicious activity. * **Incident Response Testing:** Regularly testing the incident response plan to ensure that it is effective and can be executed efficiently in the event of an attack.

Web Site Security was originally published in CyOps on Medium, where people are continuing the conversation by highlighting and responding to this story.

Splunk’s Search Processing Language (SPL) and Swimlane’s SOAR (Security, Orchestration, Automation, and Response) platform serve somewhat different primary purposes but have areas of overlap in their functionalities, particularly when it comes to data analysis and operational workflows. Below is a comparison between Splunk’s SPL and the features in Swimlane SOAR platform that are most similar to SPL:

1. Data Search and Retrieval:

• Splunk SPL: Provides a powerful and flexible search language that enables users to search, investigate, and analyze data stored in Splunk. Users can execute complex searches to retrieve or manipulate data.
• Swimlane: Includes a visual query builder that allows users to search and filter through data. However, it may not be as robust or flexible as Splunk’s SPL in terms of complex querying.

2. Data Analysis:

• Splunk SPL: Can perform sophisticated data analytics, statistical evaluations, and other advanced analysis to derive insights from data.
• Swimlane: Offers analytics capabilities, but they might be more focused on incident analysis and response rather than broad data analytics.

3. Operational Workflows:

• Splunk SPL: Primarily focused on data searching and analytics, but operational workflows can be managed through other Splunk features or integrated solutions.
• Swimlane: Emphasizes orchestration and automation of security operations, allowing for the creation and automation of workflows to improve incident response times.

4. Integration:

• Splunk SPL: SPL is part of the broader Splunk platform which can integrate with a wide range of other systems and applications to collect and analyze data.
• Swimlane: Designed with integration in mind, offering numerous pre-built integrations to work with various security tools and systems, and also provides APIs for custom integrations.

5. Customization and Extensibility:

• Splunk SPL: Highly customizable through the use of SPL commands and functions, allowing users to tailor data queries and analysis to their specific needs.
• Swimlane: Provides customization options through a drag-and-drop interface and also allows for scripting to extend functionality.

6. User Interface:

• Splunk SPL: The user interacts with SPL through a text-based interface, writing and executing search commands.
• Swimlane: Provides a more graphical user interface with a drag-and-drop functionality which may be easier for some users, especially those without a scripting or programming background.

7. Automation and Orchestration:

• Splunk SPL: Not designed specifically for automation and orchestration, though Splunk has other solutions like Splunk Phantom for these purposes.
• Swimlane: Core functionality includes automation and orchestration to streamline and automate routine tasks and complex workflows.

While Splunk’s SPL excels in searching, retrieving, and analyzing data, Swimlane’s SOAR platform shines in the orchestration, automation, and optimization of security operations workflows. The two platforms could complement each other in a comprehensive security infrastructure, with Splunk handling data analytics and Swimlane managing operational workflows and incident responses.

Splunk’s Search Processing Language (SPL) and Swimlane’s SOAR (Security, Orchestration, Automation… was originally published in CyOps on Medium, where people are continuing the conversation by highlighting and responding to this story.

You may find yourself in a tech role someday, where

you

need to design and influence a culture of security

within an organization. This project is your opportunity to practice these important skillsets.

Assignment: In this project, you’ll create a security infrastructure design document for a fictional organization.

The security services and tools you describe in the document must be able to meet the needs of the

organization. Your work will be evaluated according to how well you met the organization’s requirements.

About the organization: This fictional organization has a small, but growing, employee base, with 50 employees

in one small office. The company is an online retailer of the world’s finest artisanal, hand-crafted widgets.

They’ve hired you on as a security consultant to help bring their operations into better shape.

Organization requirements: As the security consultant, the company needs you to add security measures to

the following systems:

- An external website permitting users to browse and purchase widgets

- An internal intranet website for employees to use

- Secure remote access for engineering employees

- Reasonable, basic firewall rules

- Wireless coverage in the office

- Reasonably secure configurations for laptops

Since this is a retail company that will be handling customer payment data, the organization would like to be

extra cautious about privacy. They don’t want customer information falling into the hands of an attacker due to

malware infections or lost devices.

Engineers will require access to internal websites, along with remote, command line access to their workstations.

Grading: This is a required assignment for the module.

What you’ll do: You’ll create a security infrastructure design document for a fictional organization. Your plan

needs to meet the organization’s requirements and the following elements should be incorporated into your

plan:

- Authentication system

- External website security

- Internal website security

- Remote access solution

- Firewall and basic rules recommendations

- Wireless security

- VLAN configuration recommendations

- Laptop security configuration

- Application policy recommendations

- Security and privacy policy recommendations

- Intrusion detection or prevention for systems containing customer data

Please produce a security infrastructure design document plan must not be longer than 10,000 characters.

— — — — — — — — —
**Security Infrastructure Design Document**

**1. Authentication System:**
Implement a multi-factor authentication (MFA) system for all employees. This will require users to provide at least two forms of identification before gaining access to the systems.

**2. External Website Security:**
Use HTTPS for secure communication, and ensure that the website is regularly updated and patched. Implement a Web Application Firewall (WAF) to protect against common web-based threats like SQL injection and cross-site scripting (XSS).

**3. Internal Website Security:**
The internal intranet should be accessible only via the company’s secure network. Use a VPN for remote access and ensure that all traffic is encrypted.

**4. Remote Access Solution:**
Implement a Virtual Private Network (VPN) for secure remote access. This will allow engineers to access internal resources from outside the company network.

**5. Firewall and Basic Rules Recommendations:**
Implement a stateful firewall that inspects incoming and outgoing traffic. Basic rules include denying all inbound traffic by default, allowing only necessary outbound traffic, and permitting internal traffic.

**6. Wireless Security:**
Use WPA3 for wireless encryption. Change the default SSID and disable SSID broadcasting. Regularly change the wireless password.

**7. VLAN Configuration Recommendations:**
Segment the network using VLANs to isolate different types of traffic. For example, have separate VLANs for the sales department, engineering, and management.

**8. Laptop Security Configuration:**
All laptops should have full disk encryption, automatic locking after a period of inactivity, and up-to-date antivirus software. Regularly patch and update operating systems and applications.

**9. Application Policy Recommendations:**
Implement a policy of least privilege for application access. Regularly review and update access permissions. Ensure all applications are regularly patched and updated.

**10. Security and Privacy Policy Recommendations:**
Create a comprehensive security and privacy policy that includes guidelines for handling customer data, reporting security incidents, and acceptable use of company resources. Regularly train employees on these policies.

**11. Intrusion Detection or Prevention:**
Implement an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) to monitor network traffic for suspicious activity. Regularly review and update IDS/IPS rules to ensure they are effective against current threats.

This plan provides a comprehensive approach to security, covering all aspects of the organization’s operations. It prioritizes the protection of customer data and provides secure methods for employees to access the resources they need.

Security Design Document was originally published in CyOps on Medium, where people are continuing the conversation by highlighting and responding to this story.

1. Understand Your User Base: The first step is to understand your user base. How many users do you expect to have? How often will they use your application? At what time of day will they be most active? This information can help you estimate the number of transactions per user.

2. Identify Transaction Types: Next, identify the types of transactions that will be performed in your application. A transaction could be anything from a user logging in, updating a record, or making a purchase. Each of these transactions will have different frequencies.

3. Estimate Transaction Frequency: Once you have identified the types of transactions, estimate how often each transaction will occur. For example, a user might log in once per day, update a record 10 times per day, and make a purchase once per week.

4. Calculate Total Transactions: Multiply the number of users by the frequency of each transaction to estimate the total number of each type of transaction per day. Then add up all the transactions to get a total estimate.

5. Consider Peak Times: Your total estimate gives you an average number of transactions per day, but real-world usage is unlikely to be evenly distributed. Consider when your peak usage times might be and how much higher the transaction volume will be during those times.

6. Account for Growth: If you expect your user base to grow, you should factor that into your estimates. A good way to do this is to estimate the number of transactions for several different user base sizes and see how the total number of transactions scales.

7. Use Load Testing: Once you have an estimate, you can use load testing to simulate the expected number of transactions and see how your application performs. This can help you identify any potential issues before they become problems in a live environment.

Remember, these are just estimates. The actual number of transactions can vary based on a number of factors. Monitoring your application’s performance and adjusting your estimates as necessary is important.

estimate number of transactions in a large scale web application was originally published in CyOps on Medium, where people are continuing the conversation by highlighting and responding to this story.

• Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems
• Federal Information Processing Standard (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems
• NIST Special Publication (SP) 800-30 Rev. 1, Guide for Conducting Risk Assessments
• NIST Special Publication (SP) 800-39, Managing Information Security Risk: Organization, Mission, and Information System View

https://ntrl.ntis.gov/NTRL/dashboard/searchResults/titleDetail/ADA606355.xhtml

• NIST SP 800-37
• NIST Special Publication (SP) 800-160 Vol. 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
• NIST Special Publication (SP) 800-88 Rev. 1, Guidelines for Media Sanitization
• NIST Special Publication (SP) 800-125, Guide to Security for Full Virtualization Technologies
• Assessing ISCM Programs: NIST SP 800-137A | CSRC
• NIST Special Publication (SP) 800-100, Information Security Handbook: A Guide for Managers
• NIST Special Publication (SP) 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems
• NIST Special Publication (SP) 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations

CISSP ISSEP was originally published in CyOps on Medium, where people are continuing the conversation by highlighting and responding to this story.

1. Why has the perimeter defense failed us, even though it has been in use for so long?

The ramifications of a massive, months-long hack of some of the most sensitive agencies and databases in U.S. government were unraveled towards the end of 2020. At the center of the breach, believed by some officials to have been perpetrated by Russia, was a little-known Texas-based network management software company called SolarWinds. When hackers infiltrated SolarWinds by attaching malware to a software update, they gained access to dozens of government agencies and thousands of companies. Beyond plunging the publicly traded company’s stock by nearly 40%, the hack called into doubt whether firewalls, a staple of online security, can effectively thwart sophisticated attacks.

“It’s a failure of the paradigm that you can have a gate and castle wall and everything on the inside is fine,” says McKinnon.

The first assumption we make when it comes to perimeter is that there only needs to be one perimeter for the entire organization. The complexity of modern IT infrastructure makes it really difficult to defend our digital resources using one single perimeter. There has been a concept deperimeterization since the time of Jericho Forum back in 2003, using a mixture of encryption, secure computer protocols, secure computer systems and data-level authentication.

There were attempts to make perimeters more compact and surrounding individual resources that need protection. This came a concept of microsegmentation where you can isolate workloads and secure them individually. Policies can then be applied to limit network traffic between workloads.

2. The ABC concepts behind ZT are lofty and high sounding. Are they realistic?

Assume nothing should really be assume breach.

Believe nobody or trust no one was a really popular catch phrase of a famous Sci-Fi series back in the 90s.

Check everything or always verify.

Implementing a ZTA is a journey rather than a wholesale replacement of infrastructure or processes. An organization should seek to incrementally implement zero trust principles, process changes, and technology solutions that protect its highest value data assets. Most enterprises will continue to operate in a hybrid zero-trust along side perimeter-based mode for an indefinite period while continuing to invest in ongoing IT modernization initiatives. It is important to balance security, usability, and cost-effectiveness. Putting security way ahead of usability, there may be unhappy users looking for ways around your system.

3. Are the concepts behind ZT really new?

Deperimeterization, Microsegmentation, Software-Defined Perimeter,

ZTX Framework:

• Network: How does the technology enable network isolation, segmentation, and security?
• Data: How does it enable data categorization, schemas, isolation, encryption, and control?
• People: What does the solution do to secure the people using the network and business infrastructure? Does it reduce the threat that users create?
• Workload: Does it secure cloud networks, apps, and other things used to make businesses operate technically?
• Devices: Does it always isolate, secure, and control every device (including mobile devices) accessing enterprise resources?
• Visibility and Analytics: What kinds of useful analytics and data points does it provide?
• Automation and Orchestration: How does it automate Zero Trust principles? How does it provide more control of disparate systems?

Google BeyondCorp:

• Access to services must not be determined by the network from which you connect
• Access to services is granted based on contextual factors from the user and their device
• Access to services must be authenticated, authorized, and encrypted

Continuous Adaptive Risk and Trust Assessment (CARTA):

• 100% device visibility and automated control
• Continuous monitoring, assessment and remediation of cyber and operational risk
• Micro-segmentation to contain breaches and limit lateral movement/damage
• Technologies and products from multiple vendors
• New levels of multivendor orchestration and process/response automation
• Discovery, posture assessment and remediation/control of physical and virtual devices as well as cloud infrastructure and workloads
• Effective security management of agentless IoT devices and cyber-physical OT systems

4. How does the ZT philosophy change the way we approach security?

Defense-in-depth, Visibility, Continuous Diagnostics and Mitigation (CDM)

• What is connected?: What devices, applications, and services are used by the organization? This includes observing and improving the security posture of these artifacts as vulnerabilities and threats are discovered.
  • Who is using the network?: What users are part of the organization or are external and allowed to access enterprise resources? These include NPEs that may be performing autonomous actions.
  • What is happening on the network?: An enterprise needs insight into traffic patterns and messages between systems.
  • How is data protected?: The enterprise needs a set policy on how information is protected at rest, in transit, and in use.

5. Do we have to throw away what we know so far & start anew?

Security has always been a team sport. You need nuts, bolts and gears in place, functioning together and performing the best in their roles in order to improve the overall security posture of your enterprise. You may need to replace dated equipment with next gen solutions.

6. What concrete actions should I take to embrace ZT in my organization?

High availability is security.

Part of the security of the Cloud Application Platform is high availability. A highly available application absorbs fluctuations in availability, load, and temporary failures in the dependent services and hardware.

1. VMs: ensure capacity and high availability even in case of partial VM outage occurring due to maintenance tasks.
2. PaaS services: ensure high availability of all the PaaS services, e.g. a primary and a replica, automatic failover
3. Database: design to connect to secondary instance in case of failure in primary instance
4. Environments: Provide a detailed sizing document for IaaS and PaaS components in production environment. Ensure DR and Test are adequate.
5. Storage: encryption and redundancy. Backup data across regions for business continuity for virtual machine disks, blob/bucket storage, storage for logs and storage for backup data.

ATP on the same platform, old VPN to ZTNA

Deep packet inspection

Users expect high performance with low latency, because if it is slow, unhappy users will look for ways around your system.

engineered for high performance and located in the places that your users are.

Many vendors are adapting or virtualizing their software and calling it a cloud-based solution. If it isn’t designed properly, you may end up with multiple administrative consoles, complex policies that are hard to manage, and time-wasting tools for conducting investigations.

Choose a solution that has a single management console, single client, and a single policy engine to streamline operations and effectiveness for network and security teams.

Let’s talk about ABC: was originally published in CyOps on Medium, where people are continuing the conversation by highlighting and responding to this story.

• CISM Certification | Certified Information Security Manager | ISACA
• PMP Certification | Project Management Institute
• CAMS Certification Steps | ACAMS
• Certified Analytics Professional (CAP®) -- For Professionals

CISM, PMP, CAMS, CAP was originally published in CyOps on Medium, where people are continuing the conversation by highlighting and responding to this story.

splunk-core-certified-consultant

Splunk Fundamentals 1
4 hours

Splunk Core Certified User
$125

Splunk Fundamentals 2
2 days
$2,000

Splunk Core Certified Power User
$125

Splunk Enterprise System Administration
2 days
$1,000

Splunk Enterprise Data Administration
3 days
$1,500

Splunk Enterprise Certified Admin
$125

Architecting Splunk Enterprise
2 days
$1,500

Troubleshooting Splunk Enterprise
2 days
$1,000

Splunk Enterprise Cluster Administration
3 days
$1,500

Splunk Enterprise Practical Lab
24 hours
$1,000

Splunk Enterprise Certified Architect
$125

Splunk Fundamentals 3
2 days
$2,000

Creating Dashboards with Splunk
2 days
$1,000

Advanced Searching and Reporting with Splunk
1 day
$500

Cost of 21-day trainings: $13,000
Cost of 4 exams: $500

Total in Thai Baht: ฿425,000

https://www.youracclaim.com/org/splunk/badge/splunk-core-certified-consultant

Splunk Core Certified Consultant was originally published in CyOps on Medium, where people are continuing the conversation by highlighting and responding to this story.

• Pentester Academy: Learn Pentesting Online
• Virtual Hacking Labs | IT Security Training Labs & Courses
• Advanced Web Hacking and Security Code Review Training | PentesterLab
• The IT competency hub

Virtual Labs was originally published in CyOps on Medium, where people are continuing the conversation by highlighting and responding to this story.