Lesson 14: The NIST CSF Five Functions — From Theory to Operation
This is the module's capstone lesson on layered defense. Across the previous lessons we already built, in practice, most of the controls that two of the NIST CSF's five functions rest on: PoLP, access control models, hardening, and segmentation (internal defense), and Firewall, WAF, DMZ, and IDS/IPS
In brief: NIST CSF is a five-stage cycle. Identify = what we have and what's dangerous. Protect = what we already built (permissions, hardening, firewalls). Detect = catch an attacker as fast as possible (SIEM, logs, honeytraps). Respond = contain the damage per a plan prepared in advance (response team, forensics). Recover = get back to operating within predefined time/data targets (RTO/RPO), then learn from the incident to strengthen Identify next time.
- The NIST CSF Five-Function Cycle
- The holistic framework that closes the course: Identify, Protect, Detect, Respond, and Recover operate in a closed, dynamic cycle — not a one-time list of stages. Lessons from 'Recover' (Post-Mortem) loop back and update 'Identify' ahead of the next incident.
- Identify: Governance, Threat-Based Defense & Intelligence
- Identify components beyond the risk management already covered: governance (role allocation, Risk Acceptance approvals), threat-based defense (adapting controls to specific attackers), threat actors and their TTPs (Tactics, Techniques, and Procedures), and intelligence — systematic gathering of threat information tailored to the organization's profile.
- Protect — Closing the Loop (Recap)
- This function was already built in practice across the previous lessons: access control (MFA, PoLP) and server hardening (disabling unnecessary services, closing unused ports, security patches) — lesson 13; network security (Firewall, WAF, DMZ, IDS/IPS, VPN, NACL) — lesson 12; and data protection (segmentation and Data Loss Prevention — DLP).
- Detect: Logging & SIEM
- Logging is the systematic collection of all system events — for IoC analysis and forensic investigation. SIEM unifies logs from multiple sources, performs real-time correlation, and generates alerts (using AI/ML). The shared goal: minimize an attacker's Dwell Time in the system before they're discovered.
- Detect: CCM & Honeypots/Honeytokens
- CCM (Continuous Control Monitoring) is ongoing verification that configured controls are actually working, via KPI/KRI metrics. A Honeypot is a decoy system luring attackers; a Honeytoken is a piece of fake data whose access triggers an immediate alert — both are ways to expose an attacker early, not just react after damage is already done.
- Respond: IR Plan, IRT & Forensics
- Respond's goal is to minimize damage through Containment. An IR (Incident Response) Plan defines response scenarios in advance. The IRT includes a security lead, analysts (forensic/researchers/decision-makers), and legal counsel (regulatory reporting obligations). Playbooks document tasks, notifications, and external communications in advance. Forensics (memory dumps, PCAP, logs) collects evidence. MTTD and MTTR measure how fast detection and response happen, against predefined targets (red/green thresholds).
- Recover: DRP vs BCP, and RTO vs RPO
- DRP (Disaster Recovery Plan) restores technological systems and data. BCP (Business Continuity Plan) sustains critical business processes, built on BIA (Business Impact Analysis). RTO is the maximum time window a system can be down before an unacceptable business impact occurs; RPO is the maximum acceptable data-loss amount, measured as a time-distance back to the last backup. Backup discipline (full/incremental/differential, off-site) and readiness drills validate these targets in practice. A Post-Mortem captures lessons that feed back into Identify.
- The Three Pillars of Layered Defense
- The module's summary conclusion: (1) layered defense = technology + process + people; (2) security level isn't measured by tool count but by process maturity; (3) resilience = segmentation + continuous monitoring + response speed. An organization with sophisticated technology but a governance vacuum is still vulnerable.
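As an added example (not part of the lesson), a tiny SIEM-style correlator in Python that ties the Detect and Respond sections together: it normalizes constructed log lines from two sources, applies a brute-force rule and a honeytoken rule, and measures the attacker's dwell time from first activity to first alert against an assumed five-minute MTTD target. All log lines, addresses, the honeytoken path and the thresholds are constructed for the example.

```python
from datetime import datetime, timedelta
# Constructed sample events from two log sources (auth and file audit); not real data.
AUTH_LOG = [
    "2024-05-01T10:00:05 sshd failed_login user=admin src=203.0.113.7",
    "2024-05-01T10:00:09 sshd failed_login user=admin src=203.0.113.7",
    "2024-05-01T10:00:14 sshd failed_login user=admin src=203.0.113.7",
    "2024-05-01T10:00:20 sshd failed_login user=admin src=203.0.113.7",
    "2024-05-01T10:00:27 sshd failed_login user=admin src=203.0.113.7",
    "2024-05-01T10:00:31 sshd accepted_login user=admin src=203.0.113.7",
    "2024-05-01T10:03:00 sshd accepted_login user=alice src=198.51.100.2",
]
FILE_LOG = [
    "2024-05-01T10:12:44 fileaudit read path=/finance/q4_forecast.xlsx user=admin src=203.0.113.7",
]
HONEYTOKENS = {"/finance/q4_forecast.xlsx"}  # decoy file that no legitimate job ever reads

def parse(line):
    """Normalize one 'timestamp source action key=value ...' line into a dict."""
    ts, source, action, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts), "source": source, "action": action}
    event.update(f.split("=", 1) for f in fields)
    return event

def all_events():
    return sorted((parse(l) for l in AUTH_LOG + FILE_LOG), key=lambda e: e["ts"])

def correlate(events, threshold=5, window=timedelta(seconds=60)):
    """Two SIEM-style rules: brute force followed by success, and any honeytoken access."""
    alerts, failures = [], {}  # failures: src -> timestamps of failed logins
    for e in events:
        recent = [t for t in failures.get(e["src"], []) if e["ts"] - t <= window]
        if e["action"] == "failed_login":
            failures[e["src"]] = recent + [e["ts"]]
        elif e["action"] == "accepted_login" and len(recent) >= threshold:
            alerts.append((e["ts"], e["src"], f"brute force succeeded as {e['user']}"))
        elif e["action"] == "read" and e["path"] in HONEYTOKENS:
            alerts.append((e["ts"], e["src"], f"honeytoken accessed: {e['path']}"))
    return alerts

def detection_metrics(events, alerts, mttd_target=timedelta(minutes=5)):
    """Dwell time per attacker source (first activity to first alert), scored against the MTTD target."""
    metrics = {}
    for ts, src, _ in alerts:
        if src not in metrics:
            first_seen = min(e["ts"] for e in events if e["src"] == src)
            dwell = (ts - first_seen).total_seconds()
            status = "green" if dwell <= mttd_target.total_seconds() else "red"
            metrics[src] = {"dwell_seconds": dwell, "status": status}
    return metrics
```

Running `detection_metrics(all_events(), correlate(all_events()))` yields a 26-second dwell time (green) because the brute-force rule fires at the first successful login; disabling that rule with `threshold=99` leaves only the honeytoken alert, and dwell time grows to 759 seconds (red), which is the point of layering detection rules.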