
How to Align with the NIST Cybersecurity Framework

Table of Contents

Identify (ID)
Protect (PR)
Detect (DE)
Respond (RS)
Recover (RC)

SilentDefense Facilitates Adoption of the NIST Cybersecurity Framework

Many organizations are embracing the NIST Cybersecurity Framework to manage their cybersecurity risks. According to an adoption survey from Dimensional Research, 84% of respondents used some type of security framework in 2016, with the NIST framework a leader among them. NIST focuses on using business drivers to advance cybersecurity activities and to consider cybersecurity risks as part of an organization's risk management processes. Adopting the NIST framework provides organizations with a structure to outline their current state of cybersecurity and strengthen their security posture.

The NIST Cybersecurity Framework is composed of three parts: the Core, the Implementation Tiers and a Framework Profile. Here we will explore how Forescout's SilentDefense can facilitate adoption of the NIST Cybersecurity Framework.

[Figure: the five functions of the Framework Core, shown as a cycle: Identify, Protect, Detect, Respond, Recover]

Identify (ID)

Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

Asset Management (ID.AM)

SilentDefense automatically generates an accurate map of network assets and communications, enabling an instant inventory of network devices and determination of data flows. This inventory is generated passively, from observed traffic, without impacting the industrial network or process. Because discovery is passive, a device that never communicates during the observation window will not appear in the inventory until it does.

Risk Assessment (ID.RA)

SilentDefense is used by service providers to speed up the risk assessment process. It features dedicated libraries to identify system vulnerabilities and detect ICS-specific threats and flaws, and enables accurate analysis and reporting of the active devices and services in a network.

Protect (PR)

Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

Access control (PR.AC)

SilentDefense provides visibility and situational awareness over network devices and communications. It tracks and logs the successful and failed authentication attempts to network resources that it observes on the monitored network. Access to the information gathered by SilentDefense can itself be restricted to authorized users: the built-in RBAC mechanism allows fine-grained authorization for access to sensitive information about the network, its devices and current security status.

Data security (PR.DS)

SilentDefense reports any undesired network communication and activity, helping to ensure that network integrity and segregation are preserved. It also employs encryption to help ensure that information about the network, its devices and current security status is protected both at rest and in transit.

Information protection processes and procedures (PR.IP)

SilentDefense automatically generates the network "behavioral blueprint", an accurate and detailed view into ICS network communications, which can be used to maintain a baseline of the running network design and configuration. It also reports any change in the network configuration that results in new communications and/or network operations, so that the baseline configuration is kept up to date.

Maintenance (PR.MA) & Protective Technology (PR.PT)

SilentDefense enables fine-grained access monitoring and validation, reporting any unauthorized access to, and any unauthorized operation performed to or from, network assets.

Detect (DE)

Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

Anomalies and Events (DE.AE)

SilentDefense's Industrial Threat Library features 1,600+ ICS-specific threat indicators, such as protocol compliance checks, CVEs for cyberattacks, network issues, and operational errors. SilentDefense also automatically generates the network "behavioral blueprint", which can be used to whitelist legitimate network operations and alert on undesired ones. If a threat is detected, SilentDefense provides the intelligence required to analyze and understand the causes and extent of the cybersecurity event, including the assets involved and copies of the suspicious network packets.

Security Continuous Monitoring (DE.CM)

SilentDefense performs in-depth monitoring and analysis of network communications, down to the values exchanged by network devices. This enables detection of a wide range of cybersecurity events, including:

● unauthorized connections
● unauthorized commands/operations
● unauthorized values sent/received
● malware spread

All suspicious or unauthorized events are logged along with detailed intelligence. In addition to cybersecurity threats, SilentDefense detects a wide range of networking and operational problems that affect industrial networks. As a result, SilentDefense represents a comprehensive security and operational support platform.

Detection processes (DE.DP)

SilentDefense integrates with most security information and event management (SIEM) systems, helping to ensure that the right information (e.g. user activity logs, cybersecurity events) is forwarded to the appropriate recipient.
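To make the passive inventory (ID.AM), behavioral baseline (PR.IP) and continuous-monitoring detections (DE.CM) described above concrete, the following is an added Python example. It is not SilentDefense code and not Forescout's; it is a minimal illustration of the technique. It learns a small "behavioral blueprint" from a constructed, assumed-clean window of decoded requests, derives the asset inventory from it, and then classifies later requests as unknown asset, unauthorized connection, unauthorized command or out-of-range value. The record fields, IP addresses, protocol and function names are this example's own assumptions, not a real capture.

```python
"""Passive ICS network baselining and anomaly detection (added example, not SilentDefense code).

Learns a 'behavioral blueprint' from a known-clean window of decoded requests, then
classifies later requests against it. All records below are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Op:
    """One decoded request, as a passive sensor would extract it from a packet (assumed schema)."""
    src: str                          # client IP (HMI, engineering workstation, ...)
    dst: str                          # server IP (PLC, RTU, ...)
    proto: str                        # application protocol, e.g. "modbus"
    func: str                         # decoded function / command name
    register: Optional[int] = None    # target register for read/write operations
    value: Optional[int] = None       # value written, if any


@dataclass
class Baseline:
    assets: dict = field(default_factory=dict)        # ip -> set of protocols seen
    flows: set = field(default_factory=set)           # (src, dst, proto)
    commands: set = field(default_factory=set)        # (src, dst, proto, func)
    value_ranges: dict = field(default_factory=dict)  # (dst, register) -> [lo, hi]


def admit(b: Baseline, op: Op) -> None:
    """Add one operation to the baseline: used while learning, and again when an
    operator approves an alerted change so the baseline stays current (PR.IP)."""
    b.assets.setdefault(op.src, set()).add(op.proto)
    b.assets.setdefault(op.dst, set()).add(op.proto)
    b.flows.add((op.src, op.dst, op.proto))
    b.commands.add((op.src, op.dst, op.proto, op.func))
    if op.register is not None and op.value is not None:
        key = (op.dst, op.register)
        lo, hi = b.value_ranges.setdefault(key, [op.value, op.value])
        b.value_ranges[key] = [min(lo, op.value), max(hi, op.value)]


def learn(records) -> Baseline:
    """Build the baseline purely from observed traffic, with no active probing.
    Caveat: everything in the learning window becomes 'authorized', so the window
    must be known-clean; an intruder present during learning gets whitelisted too."""
    b = Baseline()
    for op in records:
        admit(b, op)
    return b


def classify(b: Baseline, op: Op) -> Optional[str]:
    """Return the most specific deviation from the baseline, or None if the op is expected."""
    if op.src not in b.assets or op.dst not in b.assets:
        return "unknown_asset"                       # never seen in the inventory
    if (op.src, op.dst, op.proto) not in b.flows:
        return "unauthorized_connection"             # known hosts, new conversation
    if (op.src, op.dst, op.proto, op.func) not in b.commands:
        return "unauthorized_command"                # known conversation, new operation
    if op.register is not None and op.value is not None:
        rng = b.value_ranges.get((op.dst, op.register))
        if rng is None or not rng[0] <= op.value <= rng[1]:
            return "unauthorized_value"              # write outside the learned envelope
    return None


def detect(b: Baseline, records) -> List[Tuple[str, Op]]:
    """Run classify() over a batch; each alert keeps the offending op as evidence."""
    alerts = []
    for op in records:
        cat = classify(b, op)
        if cat is not None:
            alerts.append((cat, op))
    return alerts


def inventory(b: Baseline) -> List[Tuple[str, List[str]]]:
    """Passive asset inventory (ID.AM): (ip, protocols) pairs derived from the baseline."""
    return sorted((ip, sorted(protos)) for ip, protos in b.assets.items())


# Constructed learning window: one HMI polling a PLC and adjusting a setpoint,
# one engineering workstation reading device identification. Not real traffic.
LEARNING = [
    Op("10.0.1.10", "10.0.2.5", "modbus", "read_holding_registers", 40001),
    Op("10.0.1.10", "10.0.2.5", "modbus", "write_single_register", 40010, 500),
    Op("10.0.1.10", "10.0.2.5", "modbus", "write_single_register", 40010, 650),
    Op("10.0.1.20", "10.0.2.5", "modbus", "read_device_identification"),
]

# Constructed later traffic: normal activity plus one instance of each deviation.
OBSERVED = [
    Op("10.0.1.10", "10.0.2.5", "modbus", "read_holding_registers", 40001),       # expected
    Op("10.0.1.10", "10.0.2.5", "modbus", "write_single_register", 40010, 600),   # within [500, 650]
    Op("10.0.1.10", "10.0.2.5", "modbus", "write_single_register", 40010, 9000),  # out-of-range value
    Op("10.0.1.20", "10.0.2.5", "modbus", "write_multiple_registers", 40020, 1),  # new command
    Op("10.0.1.20", "10.0.1.10", "smb", "tree_connect"),                          # new flow (lateral)
    Op("10.0.9.99", "10.0.2.5", "modbus", "read_holding_registers", 40001),       # unknown asset
]

if __name__ == "__main__":
    base = learn(LEARNING)
    for ip, protos in inventory(base):
        print(f"asset {ip}: {','.join(protos)}")
    for cat, op in detect(base, OBSERVED):
        print(f"ALERT {cat}: {op.src} -> {op.dst} {op.proto}/{op.func}")
```

The ordering in classify() matters: a new host would also fail the flow and command checks, so the most general cause is reported first and each alert names one thing to investigate. Calling admit() on an alerted op after an operator confirms it is the approval step that keeps the baseline from drifting into permanent noise; in a real deployment the value envelope would also be set by the process engineer rather than taken verbatim from the learning window.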

Respond (RS)

Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

Communications (RS.CO)

SilentDefense alerts the operator in real time in the event of an imminent problem or threat to the network, or of activity that was not approved by network/security operators. The operator can choose to automatically forward alerts to different recipients based on the alert category and the area of expertise best suited to analyze it. This capability favors prompt and accurate incident response as well as effective communication among teams.

Analysis (RS.AN)

SilentDefense alerts provide rich contextual information about the source, nature and target of the threat, along with key input for its analysis (including the packet capture related to the threat). Together with the ability to visually locate the threat and its spread on the interactive network map, the information contained in alerts is fundamental to initiating an effective incident response process. Dedicated visual network analytics allow incident responders to perform forensic analysis on real-time and historical network activity. Furthermore, responders can use dedicated tools and an API to perform threat hunting and quickly search the network for advanced threat indicators.

Recover (RC)

Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

Recovery Planning (RC.RP)

In order to effectively recover from an incident or cybersecurity event, responders need to have the right information at hand. The results of the analysis performed using the various SilentDefense engines can provide the user with a prioritized list of action points, which can be used to undertake recovery activity.

Communications (RC.CO)

SilentDefense can provide evidence of a cybersecurity event, or produce evidence of its successful resolution and recovery, to be used for internal and external communications.

Forescout Technologies, Inc.
190 W Tasman Dr.
San Jose, CA 95134 USA
Toll-Free (US) 1-866-377-8771
Tel (Intl) +1-408-213-3191
Support +1-708-237-6591
Learn more at Forescout.com

© 2019 Forescout Technologies, Inc. All rights reserved. Forescout Technologies, Inc. is a Delaware corporation. A list of our trademarks and patents can be found at https://www.forescout.com/company/legal/intellectual-property-patents-trademarks. Other brands, products, or service names may be trademarks or service marks of their respective owners.
