LINEARSTACK
March 23, 2023

Difference between SANS & NIST IR Frameworks

NIST IR & SANS are key frameworks used in the data security industry – do you know their similarities and differences?

An incident response framework is designed to help organisations create standardised responses for cyber events. NIST and SANS are two of the best-known examples of these types of frameworks that security teams align with.

The National Institute of Standards and Technology (NIST) is part of the United States Department of Commerce. Its primary objective is to advance measurement science, develop a national consensus for measuring systems, and provide leadership in developing international measurement system harmonisation.

Regarding cybersecurity, NIST is responsible not just for creating computer security policies but also for responding to incidents when they occur. The NIST Computer Security Incident Response Lifecycle (CSIRL) guides how to respond to cyber-attacks.

The SANS Institute was founded in 1989 and has offered educational resources related to computer security since then. 

Compare and Contrast SANS and NIST Frameworks

Both frameworks share the same core processes and guidelines. Fundamentally, these frameworks are similar, with a few exceptions.

Both SANS and NIST Incident response process frameworks share the following steps:

1. Preparation Stage - Enable the baseline set of security controls. Ensure the organisation has updated response plans and supporting policies to support normal operations and cybersecurity incidents.

2. Identification Stage (Detection and Analysis) - Both frameworks include a critical component focused on identifying and detecting cyber-attacks. Both frameworks focus on deviations outside of the current incident response threshold. This stage looks closely at incidents that do not align with recent security category reporting. Part of the analysis phase is validating whether the attack is a zero-day or a recently documented attack.

The remaining steps in the incident response operation are where SANS PICERL and NIST CSF execute differently.

3. Containment Stage - SANS executes the containment step by focusing on stopping the propagation of the attack. The incident response playbook focuses on this one specific stage, which must be performed before moving on. The containment stage ensures the cybersecurity attack has effectively been stopped both east-west (lateral) and north-south within the network.

4. Eradication Stage - The next step within the SANS IR plan focuses on eradicating or removing the malware, virus, rogue device, compromised account, or connection. Once the eradication is completed and validated, the SecOps and IR teams can proceed to the next step within the SANS framework.

5. Recovery Stage - The recovery step focuses on bringing systems impacted by the cybersecurity event back to the steady state they were in before the breach. The IR and SecOps teams, along with risk management, should have a pre-defined plan determining the order in which systems are restored, based on demand and importance.

6. Lessons Learned (Post-incident activity) Stage - Often skipped by those who consider this stage a waste of time and resources, compiling lessons learned along with a root cause analysis is one of the essential steps in the SANS/NIST model. Knowing what went wrong, why it went wrong, and how the breach occurred directly reduces the risk to the organisation.

How is the NIST Incident Response model different?

NIST follows the same goal of incident response as the SANS model. The fundamental difference comes down to steps 3 and 5. SANS executes these steps as separate work streams. NIST consolidates them into one workflow.
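To make that structural difference concrete, the following Python model walks one constructed incident (a compromised account) through both lifecycles. It is an added example written for this article, not LinearStack's tooling and not code from SANS or NIST. It assumes the stage names listed above, takes the single combined containment/eradication/recovery phase from NIST SP 800-61, and invents two gate rules to express the article's points: a stage closes only with validation evidence ("completed and validated" before moving on), and an incident closes only once a lesson learned has been recorded.

```python
"""Incident lifecycle model: SANS PICERL stages versus NIST's combined phase.

Added illustration for this article; the phase lists follow the stages named
in the text and NIST SP 800-61, while the gate rules are assumptions.
"""

# Stage sequences. SANS keeps containment, eradication and recovery as
# separate work streams; NIST runs them as one phase.
SANS_PHASES = ("preparation", "identification", "containment",
               "eradication", "recovery", "lessons_learned")
NIST_PHASES = ("preparation", "detection_analysis",
               "containment_eradication_recovery", "post_incident")

# Which phase each response action may run in (assumed mapping).
ACTION_PHASES = {
    "sans": {"contain": "containment", "eradicate": "eradication",
             "recover": "recovery"},
    "nist": {a: "containment_eradication_recovery"
             for a in ("contain", "eradicate", "recover")},
}


class ProcessViolation(RuntimeError):
    """An action or transition that breaks the framework's ordering rules."""


class Incident:
    def __init__(self, framework):
        self.framework = framework
        self.phases = SANS_PHASES if framework == "sans" else NIST_PHASES
        self.index = 0
        self.actions = []       # (phase, action, note)
        self.validations = []   # (phase, evidence)
        self.lessons = []

    @property
    def phase(self):
        return self.phases[self.index]

    def act(self, action, note):
        """Record a response action, refusing it outside its permitted phase."""
        allowed = ACTION_PHASES[self.framework][action]
        if self.phase != allowed:
            raise ProcessViolation(
                f"{self.framework}: '{action}' not allowed in {self.phase}; "
                f"needs {allowed}")
        self.actions.append((self.phase, action, note))

    def validate(self, evidence):
        """Close the current phase; evidence is mandatory before moving on."""
        if not evidence:
            raise ProcessViolation(f"{self.phase}: no validation evidence")
        self.validations.append((self.phase, evidence))
        if self.index < len(self.phases) - 1:
            self.index += 1

    def record_lesson(self, lesson):
        if self.phase != self.phases[-1]:
            raise ProcessViolation("lessons are recorded in the final phase")
        self.lessons.append(lesson)

    def close(self):
        """Closing requires the final phase and at least one recorded lesson."""
        if self.phase != self.phases[-1] or not self.lessons:
            raise ProcessViolation("cannot close without a lessons-learned record")
        return {"framework": self.framework,
                "phases_validated": len(self.validations),
                "actions": len(self.actions), "lessons": len(self.lessons)}


def sans_walkthrough():
    """SANS: eradication is refused until containment has been validated."""
    inc = Incident("sans")
    inc.validate("IR plan current; baseline controls enabled")   # preparation
    inc.validate("alert triaged as credential compromise")       # identification
    inc.act("contain", "disable account; block source IP")
    try:
        inc.act("eradicate", "rotate credentials")  # containment not yet validated
        blocked = False
    except ProcessViolation:
        blocked = True
    inc.validate("no lateral movement observed for 24h")         # containment
    inc.act("eradicate", "remove persistence; rotate credentials")
    inc.validate("endpoint sweep clean")                         # eradication
    inc.act("recover", "re-enable account with MFA; monitor")
    inc.validate("service restored; monitoring in place")        # recovery
    inc.record_lesson("MFA was not enforced on the compromised account")
    summary = inc.close()
    summary["premature_eradication_blocked"] = blocked
    return summary


def nist_walkthrough():
    """NIST: the three actions interleave in one phase; closing still needs a lesson."""
    inc = Incident("nist")
    inc.validate("IR plan current; baseline controls enabled")   # preparation
    inc.validate("alert triaged as credential compromise")       # detection/analysis
    inc.act("contain", "disable account; block source IP")
    inc.act("eradicate", "rotate credentials")
    inc.act("recover", "re-enable account with MFA")
    inc.validate("account restored; no recurrence")              # combined phase
    try:
        inc.close()                 # refused: nothing learned yet
        closed_early = True
    except ProcessViolation:
        closed_early = False
    inc.record_lesson("MFA was not enforced on the compromised account")
    summary = inc.close()
    summary["closed_without_lessons"] = closed_early
    return summary


if __name__ == "__main__":
    print(sans_walkthrough())
    print(nist_walkthrough())
```

The same three actions succeed under both frameworks; what differs is how many validation gates they pass through (five for SANS, three for NIST) and whether an eradication step can start before containment is signed off. Either way the tracker refuses to close an incident with no lessons-learned entry, which is the step the article notes is most often skipped.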

Why the difference? That decision comes down to an organisational choice based on change control processes, requirements for an executive-level communications plan, notification of asset owners, and the overall impact of the breach itself.

For many cyber threats, following the SANS model would be overly methodical. NIST offers a faster, more consolidated approach, and could suit an organisation with fewer incident response resources and a higher volume of attacks.

The SANS framework would be ideal for organisations to leverage if they have mature and well-staffed SecOps and Incident response teams. The organisation could hire an MSSP firm if there are no qualified internal resources available to handle these tasks. 

The SANS model also would be ideal if the organisation, for compliance or cybersecurity insurance purposes, needed a complete root-cause analysis and lessons learned formal incident report to the CEO and board of directors.

When would a NIST or SANS Incident response make sense for an organisation?

Not every security breach requires a full, formal incident response plan execution. SecOps and NetSecOps have the authority to execute several pre-approved response capabilities, including downing systems, spinning down Docker containers, removing virtual machines, applying ACLs to firewalls, and booting users off the network. Those specific events would most likely be handled by a trouble ticket and SOAR automation in conjunction with the SIEM platform.

What is the acceptable risk of choosing one framework over another?

NIST or SANS frameworks are often deployed as a hybrid. Many SecOps and IR teams will leverage both models based on the criticality or volume of attacks. For breaches that are low impact and not a tier 1 attack, NIST would be an ideal workflow, including enabling a short-term containment strategy for intermittent events. For complex attacks such as ransomware events, malware, confidential data exfiltration, or even an attack on the global supply chain, the SANS model would provide a more structured approach with a clear separation of steps, including a long-term containment strategy.

The value of a managed security services partner (MSSP)

No matter which framework they align with, organisations still need qualified talent to execute the incident response steps. Knowing how to tune appropriately tailored security controls while aligning them to the overall security objectives is critical for the organisation to implement an effective incident response successfully. Having qualified security teams and security tools to deal with a high volume of malicious attacks, including ransomware threats, is critical for the organisation.

MSSPs like LinearStack have the expertise and resources to help organisations execute their incident response playbook. LinearStack has access to global talent 24x7x365 to help organisations respond to future incidents, assist with preparation, and provide additional incident responders.

For example, an MSSP like LinearStack would be the resource team focusing on NIST framework-level incidents. In contrast, the in-house SecOps and incident response teams would respond to the more complex attacks leveraging the SANS model.

About LinearStack

Founded in 2013 with a strong focus on world-class cyber security services, LinearStack was built from the ground up in Auckland, New Zealand. Our passion for making information security simple and accessible for all organisations is the fuel that fires our engine.

We’re a growing team of certified Cyber Defence Analysts, Threat Hunters, Incident Responders, CTI specialists, Malware Analysts, Security Architects, and Engineers with two geo-redundant operations centres across the globe.

Managed services offering to align with NIST and SANS frameworks

Our Managed Detection and Response service is designed for firms that want more capability and outside resources to maintain this relentless, 24/7 task in-house.

With teams in two time zones, you can be confident that your security analysts are always alert and fresh when defending your infrastructure. As your partners, you can reach out to any of our analysts 24/7 to understand the journey of a threat.

Fast containment and removal

Avoid delays between threat discovery and response with our fully managed service.

Faster response times

We provide emergency help based on the NIST and SANS response framework for improved incident detection and response times.

Culture

We’re 100% privately held, grown with a family mindset. When working with clients, we’re well integrated within their teams and act as an extension of their operations. Augmenting existing teams is a transition we manage smoothly, empowering our customers to prioritise cybersecurity strategy while we protect their business from cyber threats 24x7.

We believe maintaining thriving IT systems and assuring data protection are fundamental needs that all businesses deserve.

Contact Us

Want to know more about what we have to offer? We'd love to hear from you.

Get in touch with us today:

Phone: 0800 008 795

Email: info@linearstack.co.nz

Website: https://linearstack.co.nz   
