As the information security industry matures, the infrastructure needed to carry out and evaluate information security controls and strategies continues to adapt. Security practitioners are faced with an embarrassment of options — some of which should not even be properly considered as cybersecurity frameworks.
While genuine cybersecurity frameworks provide clear guidelines for identifying security issues and for building strategies to mitigate or remediate them, some practitioners now treat things like Metasploit, Mitre ATT&CK and even PCI DSS and GDPR as frameworks — even though they may not meet all the criteria to be considered cybersecurity frameworks.
In a recent Q&A, Jon Oltsik, analyst at Enterprise Strategy Group in Milford, Mass., and founder of the firm’s cybersecurity division, explained what makes a cybersecurity framework and how to identify the right ones to be aware of.
Editor’s note: This interview has been edited for length and clarity.
What is a cybersecurity framework, and what makes something a cybersecurity framework as opposed to something else?
Jon Oltsik: The term is loosely defined. Generally, I think of a framework as a structure that you can build around and that tries to guide you through some type of solution set.
For instance, the NIST Cybersecurity Framework is about risk assessment, and it takes another dimension in terms of maturity level. Those two things put together should give you an idea of where you have risk and how to advance on risk mitigation and preparedness.
Frameworks tend to be broad-based and suggestive of solutions — but not solutions in themselves. I would characterize the NIST Cybersecurity Framework as a framework.
The Mitre ATT&CK framework tends to be a very popular tool in the public sector — Mitre being funded by the federal government. The ATT&CK framework is multifaceted, so if you look at the Mitre ATT&CK matrix, it really spans across the whole kill chain. And, therefore, there are lots of parts to it that are linked together, so that’s the basis for the term framework there.
For other things, I think they’re taking license with it. Metasploit is a toolkit, so you can use it in lots of different ways, and I think that’s where the word framework comes in.
A framework has to be, in my mind, a broad-based, fairly comprehensive structure in which you can look at different problem areas in security and the way they link together, and start to put together a solutions architecture based on filling in the pieces of the framework.
Would you consider regulations, like GDPR and HIPAA, or standards, like PCI DSS, as cybersecurity frameworks since they do give defenders a structure for reviewing security issues and finding ways to solve them?
Oltsik: You can find frameworks for GDPR, but GDPR and HIPAA and other regulations, like PCI DSS, those tell you what you must comply with, what mandates you must comply with — but they don’t tell you how to comply.
A framework, to me, would be a basic structure on how to comply. Think of a general contractor building a house: They have to coordinate between plumbers and electricians and painters and all that stuff, so they create a framework for building the house.
That’s how you should look at security frameworks. You’re constructing a solution, and it’s multifaceted, and there are loosely coupled procedures, and there are tightly coupled procedures. The framework is meant to coordinate all those.