Tool Library For Security Assessments

Hi all,

Is there somewhere where you can get a "library of tools organized according to the solution they provide for each "requirement" outlined in the NIST CSF framework? For instance, for the controls identified below namely ID.AM-1, there would be a list of commonly available software such as LanSweeper, etc, and a control like ID.AM-2 would have names like "Asset Explorer, Asset Panda, etc as part of the library?

What problem does it solve? Well if a comprehensive tool library such as this for security assessments was available then security practitioners would not have to go through the pains researching the available tools to meet each and every control they need.

Image: https://us.v-cdn.net/6030959/uploads/editor/7u/o7ob598ukfj1.png

Find more posts tagged with

nist csf

security tools

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

SteveLavoie

I never saw this kind of listing. There are so many tools and so many different company that it may be impossible to build a right list.

By example, ID.AM-1 and ID.AM-2 could be satisfied by an Excel spreadsheet and a few Powershell script. It is viable if you dont have a big network. But it's not viable in larger one.

egrizzly

SteveLavoie said:

I never saw this kind of listing. There are so many tools and so many different company that it may be impossible to build a right list.

By example, ID.AM-1 and ID.AM-2 could be satisfied by an Excel spreadsheet and a few Powershell script. It is viable if you dont have a big network. But it's not viable in larger one.

Me neither, but having a list like this would be super convenient, instead of having to manually go through the selection process by searching google, then contact each company with the associated tool and schedule demos....then selecting a product. Their's no "silver bullet" list....true, however a good number of organizations would typically use the same tools for the same reasons. I know so as I've used EDR tools like CrowdStrike and Carbon Black in three completely different companies back-to-back, and they were there for the exact same NIST controls.

JDMurray

NIST CSF is a "framework" and therefore independent of vendors and organizations. Someone might tackle compiling a generalized list of CS-compliant tools, but such a list will be only a guideline and never be perfectly tailored for any organization. You would need to compare the tools listed to that listed in Gartner Magic Quadrants to see what are the "best" in function for your org and price for your budget. Also realize that there is rarely a 1-to-1 mapping of a single product to a single subcategory.

UnixGuy

That's because this is not a 'tool' issue.

Those are controls, you pick and choose what's relevant to your environment and you prioritise accordingly. Then, so meet the control's requirement it's not always a 'tool'. Usually it's a mix of people/process and yes a tool.

The example you have above is Asset inventory, the solution is most definitely not a tool. You can have a spreadsheet or even RSA Archer, that alone won't solve anything. Who is going to populate the inventory? how often? who's going to review? how are you going to ensure that it is consistent and complete? (so it;s a mix of process, procedures, testing, people, and a tool).

Also tools change and evolve, it doesn't really matter what tool you use today vs in 20 yrs time, Asset management as a concept is not going to change.

Data protection is data protection, whether you do it in house SAN storage, in the cloud, or in a sattelite somewhere, the principles of protecting data remain the same

egrizzly

Hi guys. Thanks for all the responses so far @UnixGuy @JDMurray, etc. I do know that their's a People/Process/Technology trivecta. Let's assume that their's adequate People/Process. I'm referring specifically to the Technology category.

UnixGuy

@egrizzly I'm not aware of any mapping, but you might find something online. It's just really hard and context dependent, a spreadsheet might be sufficient for one organisation but not for another. I just am not a fan of thinking in terms of 'tools', that's when problems happen

SteveLavoie

egrizzly said:

Hi guys. Thanks for all the responses so far @UnixGuy @JDMurray, etc. I do know that their's a People/Process/Technology trivecta. Let's assume that their's adequate People/Process. I'm referring specifically to the Technology category.

My new name is "etc"

Just kidding

it is Friday!