NIST vs. MITRE – The roles of frameworks in Security Operations Center (SOC)

Many organizations ask which cybersecurity framework they should focus on. For example, manufacturing companies, particularly the ones in defense industry, are required to comply with NIST but others are focused on MITRE. So, which one do we need to work with, NIST or MITRE? Well, the answer is both.

The NIST CSF is made up of five governance areas that comprehensively describe: protect, identify, detect, respond, and recover. You may consider NIST as a self-governance framework to determine which security capabilities and processes are necessary for a certain level of cyber security maturity. MITRE, on the other hand, is a detailed framework to put forward the necessary information or use cases that should be captured to identify “why’s” and “how’s” questions, answering the “tactics” and “techniques” the attackers use.

An efficient SOC must combine the NIST and MITRE frameworks to achieve the governance and the use of predefined playbooks that are fine-tuned and supported using MITRE. This is an integrated people, process, and technology approach that I have written about in my previous posts.

At XeneX we have implemented the following steps to achieve the goal above:

Step 1 - Setup guidance and governance to align with the five NIST CSF areas.

Step 2 – Train the staff on XeneX proprietary technology platform. Test and certify security analysts before they have the responsibility to detect threats, protect systems, isolate, and remediate an attack, and recover affected systems.

Step 3 – Playbooks. Map playbooks to MITRE Framework using ATT&CK tactics, techniques, and procedures.

Step 4 – Use MITRE Framework to detect incidents. Identify tactics and techniques the attackers use.

Step 5 – Engage Autonomous Response based on customer requirements. Autonomous Response is not the answer to every incident.

Step 6 – Follow XeneX SOC governance model to escalate and communicate to management and customer.

Step 7 – Postmortem Analysis – Learn from the experience for continuous process improvement. Again, People, process and technology must come together for the optimal results.

At XeneX we have built a technology platform which integrates several tools for an enterprise view of cyber security. This includes SIEM, Log Management, IT Asset Discovery, Vulnerability Scan, PEN Test, Hacker Diversionary System, Asset Availability and Priority, NetFlow, Protocol Analysis, Packet Capture, as well as security products such as EDR and NDR, email security, web security, among many others. By collecting more telemetry from the customer environment, we achieve better threat analysis and threat detection. XeneX cross-correlation engine provide the ability to find the “needle in the haystack” in seconds.