Commissioned by HCL Software

Over the past years, various frameworks and models for defending against cyber-attacks have been published. A popular one is the NIST CSF (Cybersecurity Framework), another one is MITRE D3FENDTM. Both have overlaps and differ in other areas. But, when looking at these approaches, there also are missing elements that are required for a comprehensive approach.


While NIST consists of the five stages Identify – Protect – Detect – Respond – Recover, the MITRE approach has Harden – Detect – Isolate – Deceive – Evict as its five main stages. When comparing these in a matrix, it looks like this:

















Table 1: Mapping NIST CSF to MITRE D3FENDTM shows that the overlaps and differences between both approaches.

Also, while the MITRE approach is more a list of technical steps and technologies, NIST also focuses on continuous improvements. It details the actions by mapping the functions (such as “identify”) into categories, which are split into subcategories that then reference to established standards such as ISO/IEC 27001:2013 or COBIT 5.

When analyzing the MITRE framework, one also could argue that some essential steps such as hardening the operating system. patching applications or hardening by enforcing consistent access controls at the system and application level are lacking. In addition, Access Governance for enforcing the least privilege principle, or Privileged Access Management (PAM) should be considered along with endpoint management related capabilities, which are absent. Notably, all this could be easily added to the framework.

The even more interesting challenge becomes apparent in table 1: The bread around the sandwich is lacking, with the phases of identify and recover not (yet) being part of the MITRE framework. NIST CSF starts with Asset Management as the first category within the first stage of “Identify”. Without understanding which systems are in place, which software is running on these systems, or how these systems are configured, the knowledge of which systems to harden in which way, or analyzing the state of security becomes difficult, as well as response becomes a challenge.

You can’t protect what you don’t know

Experience from practice tells that a lot of organizations struggle in case of incidents with the simple fact that they don’t know exactly which systems, be it clients, servers, or services, they have in place that could be affected. Identifying these systems takes valuable time and the right endpoint management systems can assist in discovery and identification actions.

Asset management and software inventory are essential capabilities for every defensive approach, capturing the information about the state of IT. Such repository is the foundation for automating activities for hardening/protecting as well as for response.

Response is not enough – keep your business up and running

While protecting or hardening, detection, and responsive actions such as isolation, deception, and eviction are essentials, there also is a need for recovery. These activities also must be well-prepared, for rapid reaction in case of an incident. This, e.g., might include recovering both endpoints and data in case of a ransomware attack, to return to normal work as quickly as possible. Also, in case of many other types of attacks, the ability to recover or restore to a known state is an essential capability.

Thus, a comprehensive approach must look beyond the technical response and forward to getting back to work based on a known, safe state. A key capability therein is the ability to recover systems, including endpoints, rapidly, which is a common capability with Endpoint Management Systems solutions available today.

Operate and automate

Last not least, it also is about automation and efficient IT operations. Neither steps such as identification and hardening, nor response or recovery, can be only based on manual activities. Efficient protection across all systems and services requires a high degree of automation, where, again, Endpoint Management comes into play. Rapid reaction equally requires automation, to be fast in, e.g., restoring systems and data.

IT operations is the glue that ensures that all these activities can be executed fast, efficiently, and with a high degree of automation.

Taking the best of both worlds: Bread, mustard, cheese, and more

Both frameworks, the one from NIST as well as the one from MITRE, deliver very valuable input for organizations when implementing their cyber defense, as other references such as ISO/IEC 27001:2013 or NIST SP 800-53 Rev. 5 are doing. The analysis of these frameworks also shows that there is not a single, simple answer to all challenges. The depth MITRE delivers when it comes to technical activities is impressive, while NIST CSF takes a broader perspective.

For being well-prepared against cyber-attacks, a broad perspective is essential, from the identification of both risks and the assets to be protected, to the ability for quickly recovering from attacks. Technologies such as UEM, Asset Management, and solutions that support in recovery from both a data perspective (Backup and Restore) as a system perspective (UEM again) thus must become part of a comprehensive approach on defense against cyber-attacks.

The KuppingerCole Recommended Risk Framework:

The Sandwich

When To Use

The New Recommended Framework



Before the Attack









During the Attack



Respond: Isolate, Evict, Patch


After the Attack




At the end, it is like with a good sandwich. It is not only about ham or cheese, about mustard or other sauces, it also is about the bread and putting all this together the right way. MITRE D3FENDTM is a very valuable approach, providing depth at the technical level other models don’t deliver. Other approaches such as the established NIST CSF add another perspective and a broader coverage across the whole cycle of cyber-attack resilience.