Threat management
It's important to manage any threats and vulnerabilities that were identified during your assessment to defend and protect against cyber incidents. With Microsoft Security solutions like Microsoft Defender, you can confidently address these identified threats and vulnerabilities, ensuring a proactive and resilient system.
Cybersecurity frameworks
A cybersecurity framework (CSF) is a guide that helps organizations manage cybersecurity risks. A CSF often lists high-level outcomes like identifying threats or protecting infrastructure along with standards that can then be used to understand, assess, prioritize, and communicate cybersecurity initiatives. Most CSFs provide guidance on how to meet standards and outcomes without prescribing specific steps to follow.
Many comprehensive threat management systems follow the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF 2.0) to proactively manage cyberthreats and lower cyber risk. It's organized around six essential cybersecurity functions that IT teams perform.
Many schools use this framework as a blueprint for strengthening cybersecurity protocols and managing threats across functional areas. Although the scope of a CSF can feel overwhelming, checking your infrastructure for alignment or gaps can dramatically reduce the risks that your school faces throughout the year.
Govern
The organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.
- Organizational Context (GV.OC): The circumstances (mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements) surrounding the organization's cybersecurity risk management decisions are understood.
- Risk Management Strategy (GV.RM): The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions.
- Roles, Responsibilities, and Authorities (GV.RR): Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated.
- Oversight (GV.OV): Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy.
- Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders.
Identify
The organization's current cybersecurity risks are understood.
- Asset Management (ID.AM): Assets (for example, data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy.
- Risk Assessment (ID.RA): The cybersecurity risk to the organization, assets, and individuals is understood by the organization.
- Improvement (ID.IM): Improvements to organizational cybersecurity risk management processes, procedures, and activities are identified across all CSF Functions.
Protect
Safeguards to manage the organization's cybersecurity risks are used.
- Identity Management, Authentication, and Access Control (PR.AA): Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access.
- Awareness and Training (PR.AT): The organization's personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks.
- Data Security (PR.DS): Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.
- Platform Security (PR.PS): The hardware, software (for example, firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability.
- Technology Infrastructure Resilience (PR.IR): Security architectures are managed with the organization's risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience.
Detect
Possible cybersecurity attacks and compromises are found and analyzed.
- Continuous Monitoring (DE.CM): Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events.
- Adverse Event Analysis (DE.AE): Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents.
Respond
Actions regarding a detected cybersecurity incident are taken.
- Incident Management (RS.MA): Responses to detected cybersecurity incidents are managed.
- Incident Analysis (RS.AN): Investigations are conducted to ensure effective response and support forensics and recovery activities.
- Incident Response Reporting and Communication (RS.CO): Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies.
- Incident Mitigation (RS.MI): Activities are performed to prevent expansion of an event and mitigate its effects.
Recover
Assets and operations affected by a cybersecurity incident are restored.
- Incident Recovery Plan Execution (RC.RP): Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents.
- Incident Recovery Communication (RC.CO): Restoration activities are coordinated with internal and external parties.
Threat management tools
There are a variety of threat management solutions with different functionalities that can bolster your defenses against evolving threats.
| Solution Type | Description |
|---|---|
| MDR | Managed detection and response (MDR) is a cybersecurity service that helps proactively protect organizations from cyberthreats using advanced detection and rapid incident response. MDR services include a combination of technology and human expertise to perform cyberthreat hunting, monitoring, and response. |
| XDR | Extended detection and response (XDR) is a unified security incident platform that uses AI and automation. It provides organizations with a holistic, efficient way to protect against and respond to advanced cyberattacks. |
| SIEM | Security information and event management (SIEM) is a solution that helps organizations detect, analyze, and respond to security threats before they harm organizational operations. |
| SOAR | Security orchestration, automation, and response (SOAR) refers to a set of services and tools that automate cyberattack prevention and response. This automation is accomplished by unifying your integrations, defining how tasks should be run, and developing an incident response plan that suits your organization's needs. |
Microsoft offers comprehensive threat management solutions that support these functionalities. Learn more about these solutions.
- Microsoft Sentinel is a SIEM solution that allows you to:
  - Easily collect data using built-in data connectors—across all users, devices, apps, and infrastructure—on-premises and in multiple clouds.
  - Gain more contextual and behavioral information for cyberthreat hunting, investigation, and response using built-in entity behavioral analytics and machine learning.
  - Visualize the full scope of a cyberattack, investigate related alerts, and search historical data.
  - Triage incidents rapidly with automation rules and automate workflows with built-in playbooks to increase your efficiency.
- Microsoft XDR is an XDR solution that allows you to:
  - Discover and secure endpoint devices across your multiplatform enterprise.
  - Protect your hybrid identities and workload scripts with cloud-based intelligence sharing.
  - Safeguard your emails, documents, and collaboration tools from advanced cyberthreats like phishing and ransomware.
  - Secure your cloud apps with unified visibility, data protection, and posture management.
- Microsoft offers a unified security operations (SecOps) platform that unifies the full capabilities of extended detection and response (XDR) and security information and event management (SIEM).
Next steps
- Take a moment to review the NIST CSF 2.0 online reference tool. You'll find not only specific information about core cybersecurity functions, but also implementation examples that you can use as ideas for your school's security plan. As you review the tool, save any links, notes, or screenshots.
- You're highly encouraged to evaluate your school's cybersecurity protocols against a CSF if you haven't done so this year. Doing so helps you proactively address risks and vulnerabilities that can surface during formal assessments or when incidents occur.