The Detect Function is critical because you’ll never be able to stop 100% of cybersecurity attacks
K-12 cybersecurity is a critical issue for every school district. This is the third installment of a series based on our interview with Neal Richardson, the Director of IT at Hillsboro-Deering School District in New Hampshire. We talked with Neal about his team’s approach to applying the NIST Cybersecurity Framework in a K-12 school district.
The series started with an overview of the NIST Cybersecurity Framework for K-12. Now we’re working our way through the five Functions in the Framework to help you understand the potential for your district and to share some tips from Neal. This post describes how the Detect Function brings you closer to that goal. We’ve also published posts on the other Functions of the Framework, each with information, insights, and advice from our discussion with Neal.
- The NIST Cybersecurity Identify Function
- The NIST Cybersecurity Protect Function
- The NIST Cybersecurity Respond Function
- The NIST Cybersecurity Recover Function
About the NIST Cybersecurity Detect Function
The Detect Function is critical because it doesn’t matter how well you implemented the technology in the Protect Function; cybercriminals will always find a way into your systems.
Most often, hackers get in due to human error. It’s inevitable that one of your users will click on a phishing link or set an insecure password, and hackers will discover an easy way into your systems. They can also find a way in through a malicious OAuth app, or by attacking a third-party vendor that has permission to access your domain.
Setting up effective detection technology and processes will allow your team to identify quickly when a breach has occurred or is occurring, so you can take appropriate action to mitigate the damage. The primary goal of the Detect Function is to ensure that you discover a cybersecurity event on a timely basis. After working through the Detect Function, you can expect to see the following types of results.
- You’ll know that you’re able to detect anomalies and events and understand their potential impact
- You’ll implement continuous security monitoring and you’ll be able to verify how effective your protective measures are
- You’ll plan to maintain detection processes to ensure that you’re aware of anomalous events
Getting Started with the NIST Cybersecurity Detect Function
“Detection is really where all the fun happens,” says Neal. “We’ve identified all the components and we’ve put protections in place, but we know we’ll never be 100% protected. We can’t control what users click on. We can’t control what vulnerabilities hackers have discovered on our web servers, firewalls, or VPNs. So, it’s about having the ability to collect the logs and get alerts to let us know when something abnormal is happening.”
Today, particularly with most districts using cloud applications like Google Workspace and Microsoft 365, detection must focus on abnormal behavior within those cloud applications. For example, it would be abnormal to see someone log in from another country if you don’t have students or staff abroad. Another example: if someone logs into an account from the U.S. and then logs in a half-hour later from China, you know there’s an anomaly, because there’s no possible way that could physically happen.
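The “half-hour later from China” check described above, written out as an added example (not code from the article or from Neal’s district): it walks a constructed sign-in log, computes the speed each account would have needed to travel between consecutive sign-ins, and flags anything faster than a commercial flight. The location codes, coordinates, and the 1,000 km/h threshold are assumptions chosen for the example.

```python
"""Impossible-travel check over a constructed cloud sign-in log (added example)."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed (lat, lon) for the location codes used in the sample log (approximate).
COORDS = {
    "US-NH": (43.2, -71.5),   # Hillsboro, New Hampshire
    "CN-SH": (31.2, 121.5),   # Shanghai
    "US-CA": (37.8, -122.4),  # San Francisco
}
MAX_KMH = 1000.0  # faster than any commercial flight: treat the trip as impossible

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(events, max_kmh=MAX_KMH):
    """Return (account, previous_location, new_location, required_kmh) for each pair
    of consecutive sign-ins by the same account that would exceed max_kmh."""
    alerts = []
    last = {}  # account -> (timestamp, location) of its most recent sign-in
    for ts, account, loc in sorted(events):
        if account in last:
            prev_ts, prev_loc = last[account]
            hours = (ts - prev_ts).total_seconds() / 3600
            dist = haversine_km(COORDS[prev_loc], COORDS[loc])
            # Two locations at the same instant (hours == 0) is impossible as well.
            if prev_loc != loc and (hours <= 0 or dist / hours > max_kmh):
                alerts.append((account, prev_loc, loc, round(dist / max(hours, 1e-9))))
        last[account] = (ts, loc)
    return alerts

# Constructed sign-in log: (timestamp, account, location code)
SAMPLE_EVENTS = [
    (datetime(2024, 3, 4, 8, 0), "teacher1", "US-NH"),
    (datetime(2024, 3, 4, 8, 30), "teacher1", "CN-SH"),  # half an hour later from China
    (datetime(2024, 3, 4, 9, 0), "student7", "US-NH"),
    (datetime(2024, 3, 4, 17, 0), "student7", "US-CA"),  # 8 hours later: a plausible flight
]

if __name__ == "__main__":
    for account, a, b, kmh in impossible_travel(SAMPLE_EVENTS):
        print(f"ALERT {account}: {a} -> {b} would require about {kmh} km/h")
```

In practice the location comes from the IP geolocation field of the Google Workspace or Microsoft 365 sign-in log, and VPN egress points are worth allow-listing to keep the false-positive rate down.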
Lateral phishing detection is also critical for recognizing compromised accounts. Lateral phishing happens when a hacker gains access to one of your users’ email accounts. They can then send phishing emails to anyone in your domain from an address that is, technically, a trusted source. Most email protection technologies and phishing filters will not detect lateral phishing emails, since they come from within your domain. That makes it likely that one or more people will click on a link in the phishing email and compound the problem.
Your detection plans need to include looking for abnormal email behavior. For example, if a student suddenly starts sending emails to a large number of staff, teachers, or other students, that’s a strong signal that something may be wrong and you need to investigate.
Pro Tip: Neal recommends paying particular attention to your “low talkers.” He uses that term for the accounts that usually have the lowest amount of activity. When those “low talkers” suddenly show a lot of activity and use more bandwidth, Neal takes the change very seriously. He knows he needs to take a closer look at that account and potentially take action to respond to a breach.
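An added example (not code from the article or from Neal’s district) that covers both the sudden-mass-mailing case above and the “low talker” tip: each account’s baseline is the median of its daily sent-mail counts over a lookback window, and today’s count is compared against a multiple of that baseline with an absolute floor, so a quiet account that jumps from zero to dozens of messages fires even though any multiple of zero is zero. The window length, thresholds, and the per-account counts are constructed for the example.

```python
"""Sent-mail volume anomalies with a 'low talker' baseline (added example)."""
from statistics import median

LOW_TALKER_MAX = 3    # accounts that normally send at most this many messages a day
MIN_ALERT_SENDS = 15  # absolute floor so a quiet account going 0 -> 15 still fires
SPIKE_FACTOR = 5      # flag when today's volume is this many times the baseline

def sent_mail_anomalies(history, today):
    """history: {account: [messages sent per day over the lookback window]}
       today:   {account: (messages sent today, distinct recipients in the domain)}
    Returns (account, baseline, sent_today, recipients, reason), quietest accounts first."""
    alerts = []
    for account, (sent, recipients) in today.items():
        # Median rather than mean so one earlier busy day does not raise the bar.
        baseline = median(history.get(account, [0]))
        threshold = max(baseline * SPIKE_FACTOR, MIN_ALERT_SENDS)
        if sent < threshold:
            continue
        reason = "low talker spike" if baseline <= LOW_TALKER_MAX else "volume spike"
        alerts.append((account, baseline, sent, recipients, reason))
    # The lowest baseline is the biggest relative change, so it is looked at first.
    return sorted(alerts, key=lambda a: a[1])

# Constructed 14-day send history per account
HISTORY = {
    "student42": [0, 1, 0, 0, 2, 0, 0, 1, 0, 0, 0, 1, 0, 0],  # a "low talker"
    "principal": [40, 35, 52, 48, 30, 45, 50, 41, 38, 44, 47, 39, 42, 36],
    "teacher3": [12, 15, 9, 14, 11, 13, 10, 16, 12, 14, 11, 13, 12, 15],
}
# Constructed counts for today: (messages sent, distinct recipients in the domain)
TODAY = {
    "student42": (180, 160),  # suddenly mailing most of the school
    "principal": (55, 30),    # a busy day, but within the normal range
    "teacher3": (90, 85),     # roughly seven times the usual volume
}

if __name__ == "__main__":
    for account, baseline, sent, recipients, reason in sent_mail_anomalies(HISTORY, TODAY):
        print(f"ALERT {account}: {reason}, baseline {baseline}/day, "
              f"{sent} sent today to {recipients} recipients")
```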
Today’s environment is forcing K-12 districts to change their approach to cybersecurity. You now need a zero-trust cybersecurity strategy and to think beyond your firewall and content filter. The NIST Cybersecurity Framework helps your district focus and prioritize its cybersecurity plans effectively. Stay tuned for new entries in our series, where we will address the last two Functions in the Framework.