Tool Library For Security Assessments

egrizzlyegrizzly Member Posts: 533 ■■■■■□□□□□
Hi all,

Is there somewhere where you can get a "library of tools organized according to the solution they provide for each "requirement" outlined in the NIST CSF framework?  For instance, for the controls identified below namely ID.AM-1, there would be a list of commonly available software such as LanSweeper, etc, and a control like ID.AM-2 would have names like "Asset Explorer, Asset Panda, etc as part of the library?

What problem does it solve?  Well if a comprehensive tool library such as this for security assessments was available then security practitioners would not have to go through the pains researching the available tools to meet each and every control they need.

B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+

Comments

  • SteveLavoieSteveLavoie Member Posts: 1,133 ■■■■■■■■■□
    I never saw this kind of listing.  There are so many tools and so many different company that it may be impossible to build a right list. 

    By example, ID.AM-1 and ID.AM-2 could be satisfied by an Excel spreadsheet and a few Powershell script.  It is viable if you dont have a big network. But it's not viable in larger one. 

  • egrizzlyegrizzly Member Posts: 533 ■■■■■□□□□□
    edited March 2022
    I never saw this kind of listing.  There are so many tools and so many different company that it may be impossible to build a right list. 

    By example, ID.AM-1 and ID.AM-2 could be satisfied by an Excel spreadsheet and a few Powershell script.  It is viable if you dont have a big network. But it's not viable in larger one. 


     Me neither, but having a list like this would be super convenient, instead of having to manually go through the selection process by searching google, then contact each company with the associated tool and schedule demos....then selecting a product.  Their's no "silver bullet" list....true, however a good number of organizations would typically use the same tools for the same reasons.  I know so as I've used EDR tools like CrowdStrike and Carbon Black in three completely different companies back-to-back, and they were there for the exact same NIST controls.
    B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
  • JDMurrayJDMurray Admin Posts: 13,090 Admin
    edited March 2022
    NIST CSF is a "framework" and therefore independent of vendors and organizations. Someone might tackle compiling a generalized list of CS-compliant tools, but such a list will be only a guideline and never be perfectly tailored for any organization. You would need to compare the tools listed to that listed in Gartner Magic Quadrants to see what are the "best" in function for your org and price for your budget. Also realize that there is rarely a 1-to-1 mapping of a single product to a single subcategory.
  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    That's because this is not a 'tool' issue. 

    Those are controls, you pick and choose what's relevant to your environment and you prioritise accordingly. Then, so meet the control's requirement it's not always a 'tool'. Usually it's a mix of people/process and yes a tool.


    The example you have above is Asset inventory, the solution is most definitely not a tool. You can have a spreadsheet or even RSA Archer, that alone won't solve anything. Who is going to populate the inventory? how often? who's going to review? how are you going to ensure that it is consistent and complete?  (so it;s a mix of process, procedures, testing, people, and a tool).


    Also tools change and evolve, it doesn't really matter what tool you use today vs in 20 yrs time, Asset management as a concept is not going to change.


    Data protection is data protection, whether you do it in house SAN storage, in the cloud, or in a sattelite somewhere, the principles of protecting data remain the same


    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • egrizzlyegrizzly Member Posts: 533 ■■■■■□□□□□
    Hi guys. Thanks for all the responses so far @UnixGuy @JDMurray, etc.  I do know that their's a People/Process/Technology trivecta.  Let's assume that their's adequate People/Process. I'm referring specifically to the Technology category.  


    B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    @egrizzly I'm not aware of any mapping, but you might find something online. It's just really hard and context dependent, a spreadsheet might be sufficient for one organisation but not for another. I just am not a fan of thinking in terms of 'tools', that's when problems happen
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • SteveLavoieSteveLavoie Member Posts: 1,133 ■■■■■■■■■□
    egrizzly said:
    Hi guys. Thanks for all the responses so far @UnixGuy @JDMurray, etc.  I do know that their's a People/Process/Technology trivecta.  Let's assume that their's adequate People/Process. I'm referring specifically to the Technology category.  


    My new name is "etc" :)   Just kidding :) it is Friday!
Sign In or Register to comment.