The US National Institute of Standards and Technology (NIST) has long served as the US federal government's designated creator and publisher of cybersecurity controls frameworks. NIST published the first Cybersecurity Framework (NIST CSF) in 2014. Its goal was to help critical infrastructure providers (such as dams and power utilities) improve their cyber defenses against a voluntary set of standards (see Executive Order 13636 of 2013, "Improving Critical Infrastructure Cybersecurity").
But a lot has changed since 2014. The cyber threat environment has grown more severe and now affects sectors well beyond critical infrastructure. In February 2024, NIST published Cybersecurity Framework 2.0, which offers recommended outcomes and implementation guidance for organizations in any industry.

This is a major development, one that reflects the reality that cyber threats are now ubiquitous and endanger every part of the economy. All organizations would be wise to follow NIST's expanded guidance. Indeed, the NIST CSF 2.0 framework validates a core idea: everyone needs to take cybersecurity seriously.

Compliance with NIST CSF 2.0 is mandated for some sectors and voluntary for others, and some organizations may balk at the effort of implementing a voluntary framework. But given the insecure state of digital business, it is worth the effort.

This article highlights key parts of the NIST CSF 2.0 where Rubrik people and products can help put these recommendations into action, particularly in the areas of data protection and cyber resiliency. Rubrik has particular expertise in this area: Rubrik experts reviewed early drafts of the new framework and provided feedback that was incorporated into the final product.

An Overview of NIST CSF 2.0

In the press release announcing NIST CSF 2.0, NIST director Laurie Locascio described the new framework as "a suite of resources that can be customized and used individually or in combination over time as an organization's cybersecurity needs change and its capabilities evolve." The updated framework aligns with the Biden administration's National Cybersecurity Strategy, which was adopted in early 2023.

The NIST CSF 2.0 is organized into six core functions that broadly mirror the phases of cybersecurity operations. They also map onto the layers of a defense-in-depth strategy, in which resources across the organization work together to provide multiple, overlapping cyber defenses.

(Figure: the six NIST CSF 2.0 core functions)

Here are the six core functions:

  • Govern (GV): This new function addresses organizational leadership and policy, reflecting the reality that cybersecurity cannot be implemented solely by the IT and security teams
  • Identify (ID): Describes efforts made to ensure an organization's cybersecurity risks are understood
  • Protect (PR): Governs the implementation of countermeasures that mitigate cyber risks
  • Detect (DE): Tools and policies that examine cybersecurity threats and determine which are serious and require action
  • Respond (RS): If a threat is detected, the actions taken in accordance with an established response plan
  • Recover (RC): Actions taken to ensure that systems, software, infrastructure, and data affected by a cybersecurity incident are restored

Govern (GV)

Govern comprises a set of policies and controls that are meant to ensure that an organization’s leadership and key stakeholders are involved in cybersecurity risk management strategy, expectations, and policies. 

GV.OC-05 (Organizational Context): Outcomes, capabilities, and services that the organization depends on are understood and communicated

In this case, Organizational Context means the circumstances surrounding an organization's cybersecurity risk management decisions: its mission, stakeholder expectations, dependencies, and legal and regulatory obligations. GV.OC-05 specifically concerns the outcomes, capabilities, and services the organization depends on, including those supplied by third parties, so that leadership understands what must keep working and what the consequences of disruption would be. It is also about making sure the right people are involved in the creation, maintenance, and application of cybersecurity policy, and that those policies are communicated to the appropriate stakeholders. One example is a shared understanding of how the organization will report to regulatory authorities in the event of a cybersecurity incident.

How Rubrik can help with GV.OC-05: Rubrik can help organizations determine the scope of an attack and its impact on the business by providing a clear view into what data was impacted and where it resides. With rich reporting, Rubrik enables IT and security managers to collaborate with senior business leaders on reporting to customers, the public, the government, law enforcement, and other regulatory bodies. 

Identify (ID)

The Identify function is all about understanding risk. It instructs stakeholders to catalog critical information assets (data, hardware, staff, facilities, etc.), interrogate these assets to expose potential risks, and propose improvements that will further strengthen the defense of these assets.

ID.AM-07 (Asset Management): Inventories of data and corresponding metadata for designated data types are maintained

How can you protect your data if you don't know what (and where) it is? The Asset Management outcome requires an organization to create and maintain an inventory of its data assets and to record and track the corresponding metadata (for example, data type, owner, location, and sensitivity) to support future investigations.

How Rubrik can help with ID.AM-07: Rubrik Sensitive Data Discovery and Monitoring scans backup snapshots and identifies sensitive data in files and applications. Further, Rubrik’s User Access Analysis tool can help you understand who has access to sensitive data, to enlist support from data owners and promote data stewardship. 

Protect (PR)

Protect involves developing and implementing suitable countermeasures and controls that limit or contain the impact of a cyberthreat. The controls under this function use safeguards that mitigate an organization’s cybersecurity risks. 

PR.DS-01 (Data Security): The confidentiality, integrity, and availability of data-at-rest are protected, maintained, and tested

Data Security is about managing data consistently with the organization's risk strategy, so that investment in safeguards is commensurate with the assessed risk. To that end, each organization should take concrete steps to protect stored data from unauthorized access, prevent it from being modified or deleted by malicious actors, and keep it available to users to the greatest extent possible.

How Rubrik can help with PR.DS-01: Rubrik offers immutable backups, which cannot be modified by a ransomware attacker, or any other unauthorized party. The Rubrik Cloud Vault features access controls and a logical “air gap” which protects data at rest. Additionally, the Rubrik Secure Data Layer, which is part of Rubrik Zero Trust Data Security architecture, supports the control with data encryption at rest, checksum creation, and validation throughout the entire life cycle of the data. The Secure Data Layer also keeps data continuously available through a self-healing design with fault tolerance.

PR.DS-11 (Data Security): Backups of data are created, protected, maintained, and tested

Data security requires effective data backups. But a backup is useless if it fails, is insufficient to maintain business continuity, or has been corrupted by an external threat. So organizations must implement an effective backup solution and make sure the backups themselves are protected.

How Rubrik can help with PR.DS-11: Rubrik offers core enterprise data protection solutions that can address even intense backup and recovery requirements. But Rubrik backup solutions also offer immutability, meaning that an attacker cannot encrypt, delete, or modify the data once it is written. This is an important security countermeasure, because ransomware attackers often target backups as part of their strategy.

Additionally, Rubrik produces regular checksums on backup data to verify that backups have not been altered or corrupted since they were written. Checksums establish integrity, not cleanliness: a snapshot that already contained malware will verify correctly, which is why integrity validation is paired with scanning backup data for indicators of compromise so that malware is not reintroduced during a recovery. Rubrik also provides tools that allow the IT and InfoSec teams to test failover plans in advance of a cyber incident.

Detect (DE)

The Detect function contains controls that enable the timely discovery and review of cybersecurity events (an attack or the presence of a threat) when they occur.

DE.CM-09 (Continuous Monitoring): Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

Continuous Monitoring requires that the IT assets the organization has identified are under regular scrutiny so that cybersecurity events are caught at the earliest stage. This allows stakeholders to mount the earliest possible response and limit the impact of an event. Threats can appear at any time, so security teams must remain vigilant, with tooling that constantly watches the IT estate for signs of trouble. Often that trouble takes the form of subtle anomalies, such as excessive data download requests at odd hours, a sudden spike in file deletions, or large numbers of files being rewritten with unrecognizable contents.

How Rubrik can help with DE.CM-09: Rubrik has threat monitoring and threat containment functions that can meet this need. Rubrik's automated threat monitoring detects threats early with continuous, automatic scans of backup data for indicators of compromise, using an automatically updated threat feed to match backup data against known threats. Metadata-enhanced indexing allows Rubrik to rapidly scan data for threats and to search for safe recovery points that let customers restore operations quickly. And because Rubrik Cloud Vault provides immutable backups, customers can have confidence that this source data is intact.

DE.AE-04 (Adverse Event Analysis): The estimated impact and scope of adverse events are understood 

Adverse Event Analysis requires that cybersecurity events (network anomalies, indicators of compromise, and other potentially adverse events) are analyzed to identify the onset of a cybersecurity incident. DE.AE-04 is about understanding the potential impact of an adverse event, and requires processes and tools that can assess how a threat will affect IT and business operations.

How Rubrik can help with DE.AE-04: Rubrik offers Anomaly Detection that enables security teams to identify malicious activity and assess the "blast radius" of a cybersecurity event or attack. Rubrik uses machine learning to detect suspicious deletions, modifications, and encryptions, and to weed out false positives, freeing up responders to focus on actual threats. This allows incident responders to move quickly to recover affected data assets. Coupled with sensitive data discovery, Rubrik can also identify whether an attack has touched sensitive data.
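The signals described in the two Detect passages above (mass deletions, and files rewritten with encrypted-looking content) can be illustrated with a snapshot-to-snapshot comparison. The following is an added example written for this article; it is not Rubrik code and does not describe how Rubrik's Anomaly Detection works internally. It assumes a snapshot is simply a mapping of path to file contents, uses Shannon entropy as the "looks encrypted" heuristic, and uses constructed sample snapshots (a SHA-256 counter stream stands in for ciphertext so the run is deterministic). The entropy and change-ratio thresholds are illustrative assumptions, not tuned values.

```python
"""Snapshot-diff anomaly heuristic: mass deletions and high-entropy rewrites."""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (constant) to 8.0 (uniformly random).
    Encrypted or compressed content sits near 8.0; text and most documents well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pseudo_random_bytes(seed: str, length: int) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 counter stream), used only
    so the constructed sample below gives the same result on every run."""
    out = bytearray()
    i = 0
    while len(out) < length:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return bytes(out[:length])


def compare_snapshots(prev: dict, curr: dict, entropy_threshold: float = 7.0,
                      change_threshold: float = 0.25) -> dict:
    """Compare two snapshots (path -> content) and return counts plus a verdict.
    A deletion or a rewrite whose new content is near-random counts as suspicious;
    the snapshot is flagged when the suspicious share of the previous snapshot's
    files reaches change_threshold. Ordinary edits (low entropy) do not count."""
    deleted = [p for p in prev if p not in curr]
    added = [p for p in curr if p not in prev]
    modified = [p for p in prev if p in curr and prev[p] != curr[p]]
    high_entropy = [p for p in modified if shannon_entropy(curr[p]) >= entropy_threshold]
    ratio = (len(deleted) + len(high_entropy)) / max(len(prev), 1)
    return {
        "deleted": deleted,
        "added": added,
        "modified": modified,
        "high_entropy_rewrites": high_entropy,
        "suspicious_ratio": round(ratio, 3),
        "anomalous": ratio >= change_threshold,
    }


# Constructed sample snapshots (not real customer data).
SNAPSHOT_DAY1 = {f"docs/report_{i}.txt": (f"Quarterly report {i}\n" * 200).encode()
                 for i in range(8)}
SNAPSHOT_DAY1["docs/notes.md"] = b"# Notes\n- follow up with finance\n" * 50

# Day 2, normal activity: one file edited, one file added.
SNAPSHOT_DAY2_NORMAL = dict(SNAPSHOT_DAY1)
SNAPSHOT_DAY2_NORMAL["docs/notes.md"] += b"- schedule restore test\n"
SNAPSHOT_DAY2_NORMAL["docs/report_8.txt"] = b"Quarterly report 8\n" * 200

# Day 2, ransomware-like: six reports replaced by ciphertext-looking bytes,
# one report deleted, and a ransom note dropped.
SNAPSHOT_DAY2_ATTACK = dict(SNAPSHOT_DAY1)
for i in range(6):
    SNAPSHOT_DAY2_ATTACK[f"docs/report_{i}.txt"] = pseudo_random_bytes(f"enc{i}", 4096)
del SNAPSHOT_DAY2_ATTACK["docs/report_7.txt"]
SNAPSHOT_DAY2_ATTACK["docs/README_TO_DECRYPT.txt"] = b"Your files are encrypted..."

if __name__ == "__main__":
    for label, snap in (("normal", SNAPSHOT_DAY2_NORMAL), ("attack", SNAPSHOT_DAY2_ATTACK)):
        result = compare_snapshots(SNAPSHOT_DAY1, snap)
        print(label, result["suspicious_ratio"], "anomalous" if result["anomalous"] else "ok")
```

The point of keeping the verdict as a ratio rather than a raw count is that a busy file server legitimately changes thousands of files a day; what distinguishes an encryption event is the share of the estate that is deleted or turned into high-entropy blobs in one interval. The entropy test alone is not enough either: archives, media and already-encrypted databases score near 8.0 on every snapshot, so a real implementation also has to compare against each file's own baseline.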

Respond (RS)

The Respond function is about what an organization does when a cyber threat emerges. If you detect an incursion, what do you do next? 

RS.AN-08 (Incident Analysis): An incident’s magnitude is estimated and validated

Incident Analysis means investigations are conducted to ensure an effective response and to support forensics and recovery activities. RS.AN-08 deals with estimating, and then validating, how much impact an incident has on the organization in order to set the priority and scale of the response. A threat that translates into minor impact will not require the resources and focus of a major one.

How Rubrik can help with RS.AN-08: Rubrik’s Threat Hunting solution can identify which systems have been affected by an attack and analyze backup snapshots to determine the severity of the incident. Rubrik’s compliance and risk mitigation helps by facilitating the regulatory compliance aspects of responding to a threat. 

Additionally, Rubrik’s Ransomware Response Team extends in-house cybersecurity resources to help customers restore their environments as quickly and efficiently as possible. RRT staff are available 24X7, 365 days a year to urgently and confidentially aid in incident response and data recovery operations during a ransomware event. Access to RRT is available to any Rubrik customer with an active support contract.

Recover (RC)

Recover includes policies and processes that enable an organization to return to operations after a cyber incident. It is about resilience and restoring systems to full functionality and includes efforts such as recovery planning, internal and external communications, and post-incident improvements to systems. 

RC.RP-03 (Recovery Plan): The integrity of backups and other restoration assets is verified before using them for restoration

A recovery plan ensures that an organization has a predetermined set of actions to take after a cyber incident to return systems and services to full functionality. This requires an enterprise-class backup system that itself remains protected from attack. If backup data has been tampered with, restoring it could turn a recovery into a second disaster. RC.RP-03 addresses this by requiring that the integrity of backups and other restoration assets be verified before a recovery is initiated.

How Rubrik can help with RC.RP-03: Rubrik Zero Trust Data Security and the Secure Data Layer automatically create and store checksums on data throughout the complete data lifecycle. This process validates that data has not changed since it was backed up. Users can run the validation on demand, and Rubrik also performs automated validations periodically.
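The integrity check that PR.DS-11 and RC.RP-03 both call for, hashing backup data when it is written and verifying it before it is restored, can be shown end to end in a few dozen lines. The following is an added example written for this article, not Rubrik code and not a description of the Secure Data Layer's internal format. It assumes a backup set is a mapping of path to file contents, records a SHA-256 per file in a manifest, and authenticates the manifest with an HMAC under a key that the backup host can use but an attacker on that host cannot export (for example a KMS- or HSM-held key); the key and sample files below are constructed for the demonstration.

```python
"""Backup integrity manifest: hash at backup time, verify before restore."""
import hashlib
import hmac
import json

# Constructed sample backup set: path -> file contents.
SAMPLE_BACKUP = {
    "etc/app/config.yaml": b"db_host: prod-db-01\nretention_days: 30\n",
    "var/app/data.db": bytes(range(256)) * 4,
    "var/app/journal.log": b"2024-03-01 INFO backup started\n",
}

# Hypothetical manifest-signing key. In production this must not live beside
# the backups it protects, or a ransomware actor can re-sign a tampered manifest.
MANIFEST_KEY = b"demo-manifest-key-do-not-use-in-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    """Stable serialization so the MAC is computed over the same bytes each time."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: dict, key: bytes) -> dict:
    """Record a SHA-256 and size per file and authenticate the whole listing with
    HMAC-SHA256, so altering a backup object without also forging the MAC is detectable."""
    entries = {path: {"sha256": sha256_hex(content), "size": len(content)}
               for path, content in sorted(files.items())}
    mac = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": mac}


def verify_before_restore(files: dict, manifest: dict, key: bytes) -> tuple:
    """Return (ok, findings). Refuse the restore if the manifest MAC fails or if any
    file is missing, unexpected, or changed relative to the manifest."""
    findings = []
    expected_mac = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        findings.append("manifest MAC mismatch: manifest itself was altered")
        return False, findings  # nothing in the listing can be trusted
    entries = manifest["entries"]
    for path in sorted(set(entries) | set(files)):
        if path not in files:
            findings.append(f"missing: {path}")
        elif path not in entries:
            findings.append(f"unexpected file not in manifest: {path}")
        elif len(files[path]) != entries[path]["size"] or sha256_hex(files[path]) != entries[path]["sha256"]:
            findings.append(f"modified: {path}")
    return (not findings), findings


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_BACKUP, MANIFEST_KEY)
    print("clean set:", verify_before_restore(SAMPLE_BACKUP, manifest, MANIFEST_KEY))

    tampered = dict(SAMPLE_BACKUP)
    tampered["var/app/data.db"] = b"\x00" * 1024  # simulated overwrite
    del tampered["var/app/journal.log"]           # simulated deletion
    print("tampered set:", verify_before_restore(tampered, manifest, MANIFEST_KEY))
```

Two design points matter here. First, the manifest is authenticated, not merely stored: a plain list of hashes sitting next to the backup can be rewritten by whoever rewrote the backup, so the check would pass. Second, the verifier refuses on any finding rather than restoring the files that still match, because a partial restore of a tampered set is exactly the "recovery turns into disaster" case RC.RP-03 is meant to prevent; the decision to restore a subset should be an explicit, human one.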

Additionally, with Orchestrated Application Recovery, Rubrik Security Cloud allows users to write and test recovery plans in advance of an attack. IT can group related virtual machines into a single recovery object so that the plan brings business operations back online in priority order. That way, the recovery team knows in advance how much work (and time) it will take to restore core business functions.

Putting NIST CSF 2.0 to Work

NIST CSF 2.0 is designed for broad adoption, and making it work will be a project for every organization that embraces the framework. Rubrik can help operationalize NIST CSF 2.0, particularly for the outcomes that deal with identifying data assets, protecting data (for example with immutable backups and encryption), and detecting threats and assessing their impact. Rubrik solutions also support continuous monitoring, incident response, cyber recovery planning, and ultimately the restoration of affected business operations. Collectively, these capabilities help users meet several of the framework's essential outcomes.