In the rapidly evolving landscape of cybersecurity, effective governance is paramount. With the release of NIST Cybersecurity Framework (CSF) 2.0, organizations now have an enhanced toolset to manage and reduce cybersecurity risks. FortiSOAR, a robust Security Orchestration, Automation, and Response (SOAR) platform, plays a critical role in reinforcing governance across all phases of the NIST CSF 2.0. This blog explores how FortiSOAR empowers organizations to implement the framework's guidelines effectively.
Introduction to NIST CSF 2.0
The NIST Cybersecurity Framework 2.0 provides comprehensive guidance for organizations to manage cybersecurity risks. It expands its scope beyond critical infrastructure to include all types and sizes of organizations, introducing a new "Govern" function to emphasize the importance of cybersecurity governance as a major enterprise risk. Read more about NIST CSF 2.0 here.
How FortiSOAR Enhances Governance Across NIST CSF 2.0 Phases
1. Identify
- Asset Management: FortiSOAR integrates with asset management tools to provide a unified view of all assets, ensuring that they are accurately tracked and their security statuses are monitored. A good demonstration is available here.
- Risk Assessment: By correlating threat intelligence, vulnerabilities, and incident data, FortiSOAR helps organizations assess risks effectively, identifying potential security gaps and prioritizing remediation efforts. A video demonstration that takes through how Risk is accounted for in this context, can be found here.
2. Protect
- Access Control: FortiSOAR automates access control policies, ensuring only authorized users access sensitive information. It integrates with IAM solutions to enforce these policies seamlessly. A good quick read about Access control can be found here. There's a lot more in terms of granularity of access control that FortiSOAR brings in, for example, ability to control what actions in an integration can the user execute, what playbooks can they run etc. and a lot more - that are available to control and monitor the security aspect.
- Protective Technologies: The platform orchestrates the deployment and management of protective technologies like firewalls and IPS, ensuring they are up-to-date and configured correctly to maintain a robust security posture. FortiSOAR, can be used to manage the deployment lifecycle of Firewalls for example, FortiGate Firewalls - a very good solution pack for the same and good read along with it for ZTP of FortiGates using FortiSOAR is available here. Additionally, using multiple integrations with protective/response solutions, like Firewalls, EDR/NDR solutions, Email Gateways and much more - FortiSOAR is able to enable dynamic and immediate Protection in place. Often these can also be with coupled with a TTP or an approval step in FortiSOAR, say a limited time isolation of an asset till the investigation is completed and so forth.
3. Detect
- Anomalies and Events: FortiSOAR enhances threat detection by integrating with SIEM systems and security monitoring tools, automating the collection and analysis of security events to identify potential threats in real-time. These FortiSOAR integrations, say with FortiSIEM for example, are very comprehensive, where not only the anomalies are received, analyzed and acted upon but FortiSOAR goes back to the SIEM and searches/pulls useful data as per the investigation requirement. There is also a strong feedback loop, for example, FortiSOAR updates the IOCs (with their latest enrichment) back to the FortiSIEM reference lists (essentially ensuring more empowered detections going forth).
- Continuous Monitoring: Continuous monitoring capabilities of FortiSOAR ensure that security events are detected promptly, maintaining situational awareness and reducing the time to detect threats. There is also Hunting modules built in FortiSOAR, using which threat hunting teams can set up and monitor their hunting routines from a central place. Outbreak Response is another example of the same, where we hunt for outbreak related TTPs in multiple places from FortiSOAR, say in SIEM, EDR etc. - once found, collect the related events in FortiSOAR for further analysis.
4. Respond
- Response Planning: FortiSOAR enables the creation and automation of incident response playbooks, ensuring consistent and effective responses to various types of incidents.
- Mitigation: The platform facilitates rapid threat mitigation by orchestrating actions across multiple security tools, such as isolating compromised assets, applying patches, and removing malware.
Refer the FortiSOAR Content Hub to understand more around the integrations and use cases that come with FortiSOAR (knowing that this list is an ever growing list!)
5. Recover
- Recovery Planning: FortiSOAR supports the development and execution of recovery plans, ensuring that procedures are well-documented and can be automated to restore normal operations quickly after an incident. Multiple FortiSOAR features and modules are helpful here - for example, the Knowledge Base module (which few customers refer as the SOC Wiki also), that contains the learnings from all the past and ongoing investigations. Automated Audit Logging across all activities (user/automation), helps in evidence collection when needed. Recovery playbooks/workflows can be made to ensure all parties (human and system) are involved while the recovery phase is ongoing - take for example, confirming with the user whose endpoint was isolated, on slack, that his/her machine is up now, or say, sending out questionnaire to users in bulk and proceeding based on that.
- Improvements: Post-incident analysis and reporting in FortiSOAR help organizations learn from incidents and improve their security posture, fostering a continuous improvement cycle. The above point covers a lt of this, and further modules like Task Management make this process easier.
6. Govern
- Policy Enforcement: FortiSOAR ensures consistent enforcement of cybersecurity policies and procedures across the organization. It provides visibility into policy compliance and manages deviations effectively. A good relatable example is GDPR Policy Enforcement and Compliance Orchestration using FortiSOAR. There are multiple examples like this say NERC-CIP, NIS, HIPPA, BOD 22-01 etc. where FortiSOAR helps in Policy Enforcement.
- Metrics and Reporting: Comprehensive reporting and dashboard capabilities in FortiSOAR offer key metrics and insights into the effectiveness of cybersecurity controls, aiding senior leadership in informed decision-making. Have a look at our one of our favourites here!
Conclusion
FortiSOAR enhances the governance capabilities of organizations by streamlining and automating cybersecurity processes across all phases of the NIST CSF 2.0. By leveraging FortiSOAR, organizations can ensure a holistic and effective approach to managing cybersecurity risks, ultimately strengthening their overall security posture.
This article should give you a summary on FortiSOAR's capabilities and how it integrates with NIST CSF 2.0, but there's lot more that FortiSOAR has to offer in ensuring you are able to drive your Security Operations in the most efficient manner.
