
Protect: The Active Defense NIST Pillar

Written by: Anne Gotay | 5 min read

Cybercriminals are not going away. The threat landscape facing organizations has only grown with the recent surge in ransomware and the rapid adoption of cloud technologies and remote work. Letting attackers in and dealing with the cleanup afterwards is untenable, with IBM estimating the average cost of a breach at $3.86 million. The only practical solution is to make it as challenging as possible for attackers to get at your data.

According to the NIST Cybersecurity Framework, the second phase of data protection is the Protect phase. This phase implements the controls that stop cyberattacks or lessen the impact of an attack that does occur. Implementing the Protect phase helps your organization build an effective defense against the threats it is most likely to face.


Building a Cybersecurity Shield

The Protect pillar of the framework involves creating controls that act as an active defense against threats. It uses data security controls focused on preventing inappropriate access, modification, or deletion of data. While the objective is data-centric, the individual controls may defend the surrounding ecosystem, which in turn protects the data. For example, a firewall does not act on the data directly, but its policies limit access to the data and to internal resources, making it harder for outside attackers to reach the data.

Increasing the Challenge

No defense is ever 100% effective; there is always the possibility that a novel attack or zero-day will render a defense useless. Instead, the goal is to make attacks more challenging for cybercriminals, making your organization a less tempting target and increasing the likelihood that an attack is detected and thwarted.

Doing this requires creating layers of defense to protect your data. With this approach, even if a single control is rendered useless, additional controls providing similar functionality preserve your assets. Building on the firewall example, an attacker may bypass a firewall to reach internal data, but a Zero Trust architecture ensures that access to the information remains limited.

Defending Your Assets

Effectively executing the Protect function is challenging. It takes more than creating security controls to stop attackers from breaking in and stealing data. Building a solid defense requires understanding what needs defending so that the protections can be tailored to the need. Within the Protect function, controls are crafted with three goals: stopping misuse, tracking utilization, and facilitating recovery.

Controlling Access

One of the most important ways to defend your data is to limit access to it. Using access controls, your organization can scope who can access data, for how long, from where, and when. Access controls prevent unauthorized individuals from touching information they should not, and they limit the damage in a breach where a user's credentials are compromised: rather than reaching all of the organization's information, attackers see only what that user could.

Creating effective access controls requires implementing the Identify portion of the NIST core functions to understand what data you have and where it resides. This information is crucial for implementing controls that still allow those who require access to use the data while limiting those who do not.

Organizations can start with role-based access control (RBAC) to create easily maintainable access controls across groups of people rather than individuals. With RBAC, data can have fine-grained access controls that are set once, with ongoing changes limited to maintaining group membership over time. Adding encryption augments this scheme: if someone circumvents the access control and can see the data, it remains unreadable without the encryption key. The most advanced organizations leverage a Zero Trust architecture to defend their assets, creating a complete infrastructure built on least-privilege access controls and in-depth monitoring.
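As an added example (not Sotero's code or product), the snippet below shows the two layers just described working together: users map to roles, roles map to dataset permissions, and each dataset is held only as ciphertext, so anyone who reads the stored bytes without passing the access check obtains nothing usable. The role table, users and datasets are constructed for the example. The cipher is HMAC-SHA256 in counter mode with a separate HMAC tag (encrypt-then-MAC), a standard-library stand-in chosen so the code runs without third-party packages; a deployment would use an AEAD such as AES-GCM in its place.

```python
"""RBAC in front of an encrypted-at-rest store (added example, not Sotero's code)."""
import hashlib
import hmac
import os

# Constructed policy: role -> set of (dataset, permission) grants.
ROLE_GRANTS = {
    "analyst": {("sales_reports", "read")},
    "finance": {("sales_reports", "read"), ("sales_reports", "write"),
                ("payroll", "read")},
    "admin": {("payroll", "read"), ("payroll", "write")},
}

# Constructed membership: user -> roles. Day-to-day changes happen here,
# not in ROLE_GRANTS, which is the maintainability point of RBAC.
USER_ROLES = {
    "alice": {"analyst"},
    "bob": {"finance"},
    "carol": {"admin"},
}


def is_permitted(user, dataset, permission):
    """True if any of the user's roles grants (dataset, permission)."""
    return any((dataset, permission) in ROLE_GRANTS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def revoke_role(user, role):
    """Offboarding or a role change: edit membership, the grants stay put."""
    USER_ROLES.get(user, set()).discard(role)


def _subkey(master_key, label):
    # Separate keys for the keystream and the tag, derived from one master key.
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real AEAD.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(master_key, plaintext):
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(master_key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(master_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master_key, blob):
    """Verifies the tag before touching the ciphertext; raises on tampering."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(master_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed integrity check")
    stream = _keystream(_subkey(master_key, b"enc"), nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


class EncryptedStore:
    """Datasets live only as ciphertext; the access check gates decryption."""

    def __init__(self, master_key):
        self._key = master_key
        self._blobs = {}

    def put(self, user, dataset, plaintext):
        if not is_permitted(user, dataset, "write"):
            raise PermissionError(f"{user} may not write {dataset}")
        self._blobs[dataset] = encrypt(self._key, plaintext)

    def get(self, user, dataset):
        if not is_permitted(user, dataset, "read"):
            raise PermissionError(f"{user} may not read {dataset}")
        return decrypt(self._key, self._blobs[dataset])

    def raw_bytes(self, dataset):
        """What someone who bypasses the access check actually obtains."""
        return self._blobs[dataset]


if __name__ == "__main__":
    store = EncryptedStore(os.urandom(32))
    store.put("bob", "sales_reports", b"Q1 revenue: 1.2M")
    store.put("carol", "payroll", b"alice: 90000")
    print(store.get("alice", "sales_reports"))            # analyst may read sales
    print(store.raw_bytes("payroll")[:16].hex(), "...")   # a bypass sees ciphertext
    try:
        store.get("alice", "payroll")
    except PermissionError as exc:
        print("denied:", exc)
```

Two design points are worth noting. Group membership is the only thing that changes at runtime (`revoke_role`), so an offboarded analyst loses access without anyone touching the dataset grants. And because the tag is verified before decryption, a stored blob that has been modified is rejected rather than decrypted into garbage, which is the integrity half of "inappropriate modification" in the Protect function.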

Gathering Evidence

The Protect portion of the NIST framework also involves creating the evidence that feeds the Detect and Respond parts of the framework. While this may not appear to be a direct protection, it falls under the Protect function because this information drives the responsive capabilities that stop attackers.

Organizations use comprehensive logging and dashboarding to create the intelligence that drives many security program functions. Log data reveals usage patterns over time, which makes it possible to identify the abnormal behavior that signals an attack. With dashboarding, administrators get log information analyzed and presented so that it becomes actionable intelligence: the noise of massive quantities of data is filtered out, placing helpful information in the hands of staff.
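To make the step from raw logs to actionable intelligence concrete, here is an added example (not Sotero's code or product). It parses a constructed access-log format, learns a per-user baseline of datasets touched, source addresses and working-hour range from one week of lines, and then reports deviations in the following week: first-time dataset access, a new source address, activity outside the learned hours, a burst of denied requests, and a user with no history at all. The log format, user names, addresses and thresholds are all constructed for the example.

```python
"""Baseline-and-deviation detection over access logs (added example, not Sotero's code)."""
import copy
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format: one access event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"dataset=(?P<dataset>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Constructed "last week" lines used to learn normal behaviour.
BASELINE_LOG = """\
2024-05-06T09:12:03Z user=alice action=read dataset=sales_reports src=10.0.1.5 result=ok
2024-05-06T14:40:11Z user=alice action=read dataset=sales_reports src=10.0.1.5 result=ok
2024-05-07T10:05:45Z user=bob action=read dataset=sales_reports src=10.0.2.8 result=ok
2024-05-07T16:22:09Z user=bob action=write dataset=sales_reports src=10.0.2.8 result=ok
"""

# Constructed "this week" lines to evaluate against that baseline.
CURRENT_LOG = """\
2024-05-13T09:30:00Z user=alice action=read dataset=sales_reports src=10.0.1.5 result=ok
2024-05-14T02:17:41Z user=alice action=read dataset=payroll src=203.0.113.9 result=ok
2024-05-14T11:00:01Z user=bob action=read dataset=payroll src=10.0.2.8 result=denied
2024-05-14T11:00:30Z user=bob action=read dataset=payroll src=10.0.2.8 result=denied
2024-05-14T11:01:05Z user=bob action=read dataset=payroll src=10.0.2.8 result=denied
2024-05-14T11:02:00Z user=mallory action=read dataset=payroll src=10.0.9.9 result=denied
"""


def parse_log(text):
    """Parse lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def build_baseline(events):
    """Per user: datasets touched, source addresses seen, and hour-of-day range."""
    baseline = {}
    for e in events:
        b = baseline.setdefault(e["user"], {"datasets": set(), "srcs": set(), "hours": [23, 0]})
        b["datasets"].add(e["dataset"])
        b["srcs"].add(e["src"])
        hour = e["ts"].hour
        b["hours"] = [min(b["hours"][0], hour), max(b["hours"][1], hour)]
    return baseline


def detect(events, baseline, denied_threshold=3, window=timedelta(minutes=5)):
    """Return alerts for deviations from the baseline and for bursts of denials."""
    seen = copy.deepcopy(baseline)  # learn within this run so each novelty fires once
    denials = defaultdict(list)
    alerts = []

    def alert(e, reason):
        alerts.append({"ts": e["ts"].isoformat(), "user": e["user"], "reason": reason})

    for e in sorted(events, key=lambda x: x["ts"]):
        b = seen.get(e["user"])
        if b is None:
            alert(e, "no baseline for user")
            continue
        if e["dataset"] not in b["datasets"]:
            alert(e, f"first access to dataset {e['dataset']}")
            b["datasets"].add(e["dataset"])
        if e["src"] not in b["srcs"]:
            alert(e, f"new source address {e['src']}")
            b["srcs"].add(e["src"])
        lo, hi = b["hours"]
        if not lo <= e["ts"].hour <= hi:
            alert(e, f"access at hour {e['ts'].hour:02d} outside baseline range {lo:02d}-{hi:02d}")
        if e["result"] == "denied":
            denials[e["user"]].append(e["ts"])
            recent = [t for t in denials[e["user"]] if e["ts"] - t <= window]
            if len(recent) == denied_threshold:  # fire once when the burst is reached
                alert(e, f"{denied_threshold} denied requests within {window.seconds // 60} minutes")
    return alerts


def summarize(events):
    """Dashboard-style rollup: event count per (user, result)."""
    return Counter((e["user"], e["result"]) for e in events)


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    for a in detect(parse_log(CURRENT_LOG), baseline):
        print(a["ts"], a["user"], a["reason"])
    print(summarize(parse_log(CURRENT_LOG)))
```

The stored baseline is never modified by `detect`; it works on a copy so that a novel access is reported once per run but does not quietly become "normal" for the next run. The `summarize` rollup is the kind of aggregate a dashboard would show beside the alert list, and `parse_log` drops malformed lines rather than aborting, since a single bad line must not stop the rest of the day's logs from being examined.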

Preparing For The Worst

Much like the creation of evidence, developing a recovery program may not seem to be part of Protect. Yet a robust recovery program creates a safety net for the organization if a catastrophic event happens, allowing functionality to be restored.

Restoration capabilities may take the form of full backups of data or transactional backups that create a buffer against attack. This buffer gives behavior-based malware detection time to identify a malicious process: by the time the process has met the threshold for being flagged as malicious, data may already have been altered or damaged. With a backup capability, data is buffered between changes and can be restored automatically once the malware is removed.
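As an added example (not Sotero's code or product) of the buffering-and-rollback idea, the store below journals every write together with the value it replaced. A simple behavior-based check flags any actor that rewrites several existing records in quick succession, and the journal is then used to undo only that actor's writes, keeping legitimate changes made in the meantime and reporting, rather than clobbering, any record that someone else has since modified. The store, the actor names and the detection threshold are constructed assumptions.

```python
"""Change journal with selective rollback (added example, not Sotero's code)."""
from collections import defaultdict


class JournaledStore:
    """Key/value store that records every write so changes can be undone.

    The journal is the buffer between changes: a behavior-based detector
    can take its time, and whatever a process altered before it was
    flagged is still recoverable.
    """

    def __init__(self):
        self.data = {}
        self.journal = []  # entries: seq, actor, key, old, new

    def write(self, actor, key, value):
        entry = {"seq": len(self.journal) + 1, "actor": actor, "key": key,
                 "old": self.data.get(key), "new": value}
        self.journal.append(entry)
        self.data[key] = value
        return entry["seq"]

    def snapshot(self):
        """Point-in-time copy, the equivalent of a full backup."""
        return dict(self.data)

    def undo_actor(self, actor):
        """Revert every write made by `actor`, newest first.

        A key that another actor has written since is left alone and
        reported as a conflict for a human to look at.
        """
        restored, conflicts = [], []
        for entry in reversed([e for e in self.journal if e["actor"] == actor]):
            key = entry["key"]
            if self.data.get(key) != entry["new"]:
                conflicts.append(key)
                continue
            if entry["old"] is None:
                del self.data[key]          # the actor created it; remove it
            else:
                self.data[key] = entry["old"]
            restored.append(key)
        return {"restored": restored, "conflicts": conflicts}


def flag_suspicious_actors(journal, threshold=3, window=6):
    """Actors that overwrote at least `threshold` distinct existing records
    within any run of `window` consecutive journal entries. Creating new
    records is not counted; mass rewriting of existing ones is the signal."""
    flagged = set()
    for start in range(len(journal)):
        touched = defaultdict(set)
        for e in journal[start:start + window]:
            if e["old"] is not None:
                touched[e["actor"]].add(e["key"])
        for actor, keys in touched.items():
            if len(keys) >= threshold:
                flagged.add(actor)
    return flagged


def run_scenario():
    """Constructed sequence: normal work, a rogue process, more normal work."""
    store = JournaledStore()
    store.write("alice", "invoice-1", "paid")
    store.write("alice", "invoice-2", "open")
    store.write("billing-app", "invoice-3", "open")
    clean = store.snapshot()
    # Constructed rogue process: rewrites existing records with junk.
    for key in ("invoice-1", "invoice-2", "invoice-3"):
        store.write("proc-4412", key, "\x8f\x1a\x42 unreadable")
    store.write("alice", "invoice-4", "open")   # legitimate work continues
    suspects = flag_suspicious_actors(store.journal)
    results = {actor: store.undo_actor(actor) for actor in suspects}
    return store, clean, suspects, results


if __name__ == "__main__":
    store, clean, suspects, results = run_scenario()
    print("flagged:", suspects)
    print("results:", results)
    print("data after rollback:", store.data)
```

The point of undoing by actor rather than restoring the whole snapshot is that `invoice-4`, written legitimately while the rogue process was active, survives; a full restore to `clean` would lose it. The conflict path matters for the same reason: if a person has already corrected a record the malware damaged, rolling it back to the pre-malware value would undo their fix.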


The Right Solutions To Defend Your Data

Sotero is an advanced data security platform that helps your organization implement functions across the entire NIST Cybersecurity Framework. With Sotero, your organization can create a multi-layered cyber-defense designed to protect your data first, no matter where your data resides.

Read our white paper to learn more about the NIST Cybersecurity Framework and how Sotero can help your organization meet every phase to create a whole data protection lifecycle.

Contact Sotero today for a demo on how the Sotero Data Security Platform can help your organization get and maintain complete data security coverage across all five NIST lifecycle stages.

