NIST Cybersecurity Framework and Email Security

Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises.

If you’re looking to improve your organization’s cybersecurity, the NIST Cybersecurity Framework provides an excellent starting point.

Compliance with the NIST Cybersecurity Framework enables you to:

• Describe your current cybersecurity posture (“Current Profile”)
• Identify your target cybersecurity state (“Target Profile”)
• Continuously identify and prioritize vulnerabilities

While email security isn’t the only component, it is a vital component of your organization’s overall cybersecurity program. So how can levelling up your email security bring you closer towards your NIST Target Profile?

First, let’s look at the overall structure of the Framework. Then we’ll consider how developing your organization’s email security is a key step towards NIST Cybersecurity Framework compliance.

NIST Cybersecurity Framework Structure

At its broadest level, the NIST Cybersecurity Framework consists of three parts: Core, Profile, and Tiers (or “Implementation Tiers”).

Core: Functions, Categories, Subcategories

Think of the Core of the NIST Framework as a three-layered structure.

At its topmost level, the Core consists of five Functions:

• Identify: Develops an organizational understanding to manage cybersecurity
• Protect: Outlines appropriate cybersecurity safeguards
• Detect: Outlines cybersecurity activities designed to detect incidents
• Respond: Outlines cybersecurity activities to take during an incident
• Recover: Outlines cybersecurity activities to take after an incident

Then, at the next level down, each Function consists of Categories focusing on business outcomes. There are 23 Categories split across the five Functions. Here are a few examples of some of the NIST Framework’s Categories:

• Risk Assessment (ID.RA)
• Data Security (PR.DS)
• Detection Processes (DE.DP)
• Mitigation (RS.MI)
• Improvements (RC.IM)

At the bottom level, each Category consists of a set of Subcategories and Informative References. Subcategories are more specific statements of an intended business outcome, while Informative References provide further technical detail available outside of the Framework.

For example, under the Data Security (PR.DS) Category sit eight Subcategories, including the following:

• PR.DS-1: Data-at-rest is protected
• PR.DS-2: Data-in-transit is protected
• PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition

And here are some of the Informative References accompanying PR.DS-1: Data-at-rest is protected:

• Center for Internet Security (CIS) Controls 13 and 14
• COBIT 5 Management Practices APO01.06, BAI02.01, and BAI06.01,
• ISO/IEC 27001:2013 A.8.2.3

Check out the full framework for reference.

Tiers

The Tiers represent different degrees to which organizations may implement the NIST Cybersecurity Framework.

There are four Tiers:

• Tier 1: Partial — Security controls are implemented on an “ad hoc” or sometimes reactive basis. External partners often assist with the cybersecurity program.
• Tier 2: Risk Informed — Implementation of controls is informed by risk objectives. Security awareness may not be standardized across the entire organization. Not all threats are proactively met.
• Tier 3: Repeatable — Risk management practices are formal organizational policy. Employees are well-informed about security in the context of their roles. The organization’s security is understood in the broader context of supply chains and partnerships.
• Tier 4: Adaptive — The organization can adapt its cybersecurity practices based on priorities and past experience. Security risks are taken seriously by senior management on par with financial risks. Formalized security processes are integrated into workflows.

You can choose the Tier most appropriate to you, depending on factors such as your resource level, organizational maturity, and compliance demands.

Profiles

Profiles allow you to adapt the Framework to meet the needs of your organization. Establishing your Current Profile and determining a Target Profile provides a systematic way for you to work through the Functions, implementing the Categories and Subcategories that are most relevant to your organization.

Your organization’s size and resource levels may help to determine an appropriate Target Profile. But you can also consider the business context in which you operate — or the cybersecurity threats that are most likely to impact you. NIST recently released a preliminary draft profile for managing the threat of ransomware, which we’ll look at later in this article.

Email security in the NIST Framework

In the current cybersecurity climate, email security is a key consideration for business leaders. In fact, email is the attack vector security leaders are most worried about. We know that email serves as a key vector for ransomware, phishing, data exfiltration, and other increasingly widespread attacks and incidents.

• Around 96% of phishing attacks start via email
• Spear phishing emails are the most common delivery method for ransomware
• Other email-based threats, such as Business Email Compromise, cost organizations billions each year.

As such, you can mitigate some of the most serious and destructive security threats by ensuring your organization operates a highly secure email system. Now we’re going to look at some of the Categories from across the NIST Cybersecurity Framework’s five Functions, and identify how maintaining robust email security can help you meet NIST Cybersecurity Framework outcomes.

Asset Management (ID.AM)

Asset Management (ID.AM): “The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.” Effective asset management means ensuring you have overall knowledge and understanding of your organization’s inventory, information flows, and personnel.

How is asset management relevant to email security? Well, understanding your organization’s communication networks and data flows is a vital part of asset management, and email is the primary means of communication for most companies. The ID.AM-3 Subcategory requires that “organizational communication and data flows are mapped.”

Mapping communication flows is the first step in detecting email cybersecurity events and creating a data loss prevention (DLP) strategy. An effective email security solution will use machine learning technology to establish employees’ communications networks.

Awareness and Training (PR.AT)

Awareness and Training: “The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity related duties and responsibilities consistent with related policies, procedures, and agreements.” Security awareness training should always feature extensive information about social engineering attacks.

Phishing, spear phishing, Business Email Compromise (BEC) — social engineering attacks that occur almost exclusively via email — rely on manipulating people into taking certain actions that expose data or compromise security. Therefore, email security training is essential to meet the outcome associated with the PR.AT-1 Subcategory: “All users are informed and trained.” But we know that, while essential, security training is not enough to tackle serious cybersecurity threats.

Data Security (PR:DS)

Data Security: “Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.”

Preventing data loss via email is a core requirement in maintaining data security. Email is at the root of most data breaches, whether due to phishing and other social engineering attacks, or “accidental” breaches involving misdirected emails or misattached files.

Preventing data loss via email is a key step towards meeting the outcome for Subcategory PR.DS 5: “Protections against data leaks are maintained.” Unless there is an operational requirement for data to leave your organization, your email security software should prevent it from doing so. Effective email security software can detect and prevent unauthorized data transfers. Learn more about how Tessian prevents data loss below.

Anomalies and Events (DE.AE)

Anomalies and Events: “Anomalous activity is detected and the potential impact on events is understood.” How does this Category tie in with email security? Well, most cyberattacks rely on email as the route through an organization’s defenses. So detecting and analyzing anomalous activity across your email activity is essential.

Within the “Anomalies and Events” Category, the following Subcategories are particularly relevant to email security:

• DE.AE-1: “A baseline of network operations and expected data flows for users and systems is established and managed” — To detect anomalous email activity, your email security solution must understand what “normal” email looks like relative to each of your users.
• DE.AE-3: “Event data are collected and correlated from multiple sources and sensors” — Email attacks can be particularly sophisticated, relying on social engineering techniques to manipulate users. Effective email security software requires a large amount of data.

Security Continuous Monitoring (DE.CM)

Security Continuous Monitoring: “The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.”Monitoring your organization’s email activity is a crucial element in your overall security continuous monitoring efforts.The following “Security Continuous Monitoring” Subcategories are of particular relevance to email security:

• DE.CM-3: “Personnel activity is monitored to detect potential cybersecurity events” — External emails are only part of your email security battle. Compromised or spoofed corporate email accounts should also be monitored as they can be used for internal phishing attacks.
• DE.CM-7: “Monitoring for unauthorized personnel, connections, devices, and software is performed” — Implementing email security software that scans email communication for suspicious text and attachments could help meet this outcome.

Detection Processes (DE:DP)

Detection Processes: “Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.” This means any email security solution must be continuously monitored and improved to ensure it can defend against the latest cyberattacks.

Here are some relevant “Detection Processes” Subcategories:

• DE.DP-4: “Event detection information is communicated” — Your email security software should notify both the affected user and IT administrators when a suspicious event occurs.

• DE.DP-5: “Detection processes are continuously improved” — Email security systems should be continuously learning and updating to adapt to emerging threats.

NIST Preliminary Draft Ransomware Profile

In June 2021, NIST published Preliminary Draft NISTIR 8374 — Cybersecurity Framework Profile for Ransomware Risk Management.

Ransomware is becoming the most severe cybersecurity threat in the current threat landscape. Because many, if not most, ransomware attacks start via email, improving your organization’s email security and its ransomware defense posture go hand-in-hand.

As mentioned above, setting a Target Profile is an important step in implementing the NIST Cybersecurity Framework. To defend against the increasingly serious ransomware threat, you may choose to work towards the Ransomware Risk Management Profile.

Implementing the draft Profile means achieving numerous Category outcomes from across all five Functions. We won’t go into the full details of the Profile here, but we recommend checking it out — particularly in the current threat climate.

Learn more about Tessian Human Layer Security

Tessian is a modern email security solution driven by machine learning. As well as monitoring inbound and outbound emails for signs of phishing, malicious attachments, data exfiltration, and accidental data loss, Tessians scans your employees’ email activity to learn how they “normally” act, and flags suspicious behavior.

This intelligent, context-driven approach means Tessian will allow your employees to work uninterrupted, and access the legitimate files and links they need across devices — while being alerted to anomalous and suspicious email content.

Tessian’s in-the-moment warnings help reinforce training and nudge employees towards safer behavior over time. Tessian’s Human Layer Security platform uses machine learning (ML), anomaly detection, behavioral analysis, and natural language processing (NLP) to detect a variety of suspicious signals:

• Unusual sender characteristics: This includes anomalous geophysical locations, IP addresses, email clients, and reply-to addresses.
• Anomalous email sending patterns: Based on historical email analysis, Tessian can identity unusual recipients, unusual send times, and emails sent to an unusual number of recipients in order to detect malicious inbound emails and suspicious outbound emails.
• Malicious payloads: Tessian uses URL match patterns to spot suspicious URLs and ML to identify red flags indicative of suspicious attachments.
• Deep content inspection: Looking at the email content – for example, language that conveys suspicious intent – Tessian can detect zero-payload attacks, too.

Learn more about how Tessian can transform your organization’s cybersecurity program.