Making Sense of NIS 2: Adopt a Cybersecurity Blueprint like NIST to Set Your House in Order

In 2023, the European cybersecurity landscape painted a concerning picture. According to a report[1] from, sectors such as energy, utilities, manufacturing, and healthcare were the most breached, indicating strategic targeting by cybercriminals. Meanwhile, IBM's alarming metrics[2] on detection, response, and mitigation further emphasized that enterprise cybersecurity implementations were falling short.

The European Community established the Network and Information Security Directive 2 (NIS 2) to bolster cybersecurity resilience across the EU, driven by several critical objectives:

- Enhanced Cybersecurity Resilience: improve the overall resilience of critical infrastructure and services against cyber threats and attacks.
- Uniform Security Standards: create a standardized framework for cybersecurity practices across the EU, ensuring a consistent level of security and risk management.
- Improved Incident Reporting: establish more stringent reporting requirements for cybersecurity incidents, allowing for quicker and more coordinated responses to threats.
- Broadened Scope: expand the scope of the original directive to include more sectors and services that are critical to the economy and society, reflecting the evolving nature of cyber threats.
- Better Cooperation: enhance cooperation and information sharing between member states, promoting a more unified and effective approach to cybersecurity.
- Supply Chain Security: address security concerns within supply chains, ensuring that third-party vendors and service providers meet the necessary cybersecurity standards.

In a nutshell, the NIS 2 directive obligates organizations to implement appropriate and proportional technical, operational, and organizational measures to manage the risks posed to the security of network and information systems. The goal is to prevent or minimize the impact of incidents on service recipients and other interconnected services.

Key Areas of Focus in NIS 2

Four crucial topics emerge from the directive:

- risk assessment and management
- corporate accountability
- reporting obligations
- business continuity

By October 17th, 2024, European member states must adopt into law and publish the measures needed to comply with NIS 2, and by April 17, 2025, they must establish a list of essential and important entities.

NIS 2 is a significant enhancement over its predecessor, NIS 1, addressing shortcomings such as insufficient cyber resilience, disparate implementations across member states, and the lack of a joint crisis response team. NIS 2 expands coverage to sectors like food and beverage, digital service providers, and postal services, acknowledging the systemic digital risks associated with cybersecurity. This directive is expected to impact over 160,000 companies.

Organizations Impacted and Obligations

Organizations fall into two categories under NIS 2: (1) essential and (2) important entities. Essential entities, which include sectors like energy, transport, and water supply, must have at least 250 full-time employees and an annual turnover of €50 million or higher. They will undergo continuous auditing by the competent authority within the country they operate in. Important entities, on the other hand, include sectors such as digital providers and postal services, with a minimum of 50 employees and an annual turnover of €10 million. They will be subjected to audits only after an incident has occurred.

Figure 1 - Organization sectors impacted by NIS 2 (courtesy of

Out of the 144 preambles, 46 articles, 3 annexes and more than 270 pages, organizations should focus on these key obligations:

- Full accountability for outsourced services (Preamble 83)
- Defined competencies for supervisors (Preamble 125)
- Personal accountability at the C-suite level for approving cybersecurity measures and ensuring continuous training (Article 20)
- Adopting technical, operational, and organizational measures (Article 21)

Mapping NIS 2 with the NIST Cybersecurity Framework

While NIS 2 sets forth comprehensive obligations, it lacks a clear list of actionable items. This is where adopting a security blueprint like the NIST Cybersecurity Framework (CSF) can help organizations prepare effectively for NIS 2 compliance.

Figure 2 - NIST Cybersecurity Framework[3]

The framework's core is organized around five key functions: Identify, Protect, Detect, Respond and Recover, along with CSF 2.0's newly added Govern function. Considered together, these functions provide a comprehensive view of the life cycle for managing cybersecurity risk.

- Govern Function: provides outcomes that inform what an organization may do to achieve and prioritize the outcomes of the other five functions. It aligns with the NIS 2 requirement for organizations to have appropriate management policies, in the context of their mission and stakeholder expectations.
- Identify Function: controls for asset management and risk assessment, aligning with NIS 2's requirement for organizations to identify assets and assess their associated risks.
- Protect Function: controls related to identity management, access control, data and network security, zero trust, and multi-factor authentication. These controls align with the NIS 2 measures that member states must take to protect their critical infrastructure against identified risks.
- Detect Function: controls for incident and anomaly detection, network monitoring, and supply chain security, aligning with NIS 2's requirement for early warning systems to detect incidents.
- Respond Function: controls for incident response planning, communication, and coordination, ensuring organizations have plans to respond to incidents affecting critical infrastructure.
- Recover Function: controls for business continuity and disaster recovery planning, ensuring organizations can recover from incidents affecting their critical infrastructure.

Challenges and Solutions

Organizations face several challenges in achieving NIS 2 compliance: monitoring blind spots, fragmented security solutions, alert fatigue, patch management backlogs, and shadow IT. Moreover, poor coordination between network and security teams often delays incident detection and response.

To address these challenges, a comprehensive approach leveraging the NIST CSF can provide detailed security controls that map onto NIS 2 requirements. These controls include using a single-pass software stack for full visibility of digital assets, automated device inventory dashboards, comprehensive risk assessment tools, and a unified management application for security and network incident detection and correlation. Investing in trusted partners with ISO 27001 certification can also help manage supply chain security and governance, ensuring a reliable approach to cybersecurity. Continuous training, adopting zero trust models, and integrating advanced threat detection and response mechanisms are critical to meeting NIS 2 obligations.

In conclusion, while NIS 2 presents a complex set of requirements, adopting a cybersecurity blueprint like the NIST CSF can streamline compliance efforts and enhance the overall security posture of organizations. By focusing on comprehensive risk management, continuous monitoring, and robust incident response, organizations can set their cybersecurity house in order and mitigate the impact of potential cyber threats.

The right network and security platform can help

Cato Networks offers a comprehensive solution and infrastructure that can greatly assist companies in achieving NIS 2 compliance. By leveraging Cato's Secure Access Service Edge (SASE) platform, organizations can enhance the security and resilience of their network and information systems. If you want to know more about how Cato Networks can help you achieve NIS 2 compliance, please check our webinar "NIS 2 is coming. Are you ready?"

[1]
[2] IBM report
[3] Copyright of NIST

Essential steps to evaluate the Risk Profile of a Secure Services Edge (SSE) Provider

Introduction

Businesses have increasingly turned to Secure Services Edge (SSE) to secure their digital assets and data as they undergo digital transformation. SSE secures the network edge to ensure data privacy and protect against cyber threats, using a cloud-delivered SaaS infrastructure from a third-party cybersecurity provider. SSE has brought numerous advantages to companies that needed to strengthen their cyber security after undergoing a digital transformation. However, it has introduced new risks that traditional risk management methods can fail to identify at the initial onboarding stage.

When companies consider a third party to run their critical infrastructure, it is important to seek functionality and performance, but it is essential to identify and manage risks. Would you let someone you barely know race your shiny Porsche along a winding clifftop road, without first assessing his driving skills and safety record?

When assessing a Secure Services Edge (SSE) vendor, it is therefore essential to consider the risk profile alongside the capabilities. In this post, we will guide you through the key steps to evaluate SSE vendors, this time not based on their features but on their risk profile.

Why does this matter?

Gartner defines a third-party risk "miss" as an incident resulting in at least one of the outcomes in Figure 1. Its 2022 survey of Executive Risk Committee members shows how these third-party risk "misses" are hurting organizations: 84% of respondents said that they had resulted in operations disruption at least once in the last 12 months.

Figure 1 - Courtesy of Gartner

Essential steps to evaluate the Risk Profile of a potential SSE provider

Step 1: Assess Reputation and Experience

Start your evaluation by researching the provider's reputation and experience in the cybersecurity industry. Look for established vendors with a proven track record of successfully securing organizations from cyber threats. Client testimonials and case studies can offer valuable insights into their effectiveness in handling diverse security challenges.

Step 2: Certifications and Compliance

Check if the cybersecurity vendor holds relevant certifications, such as ISO 27001, NIST Cybersecurity Framework, SOC 2, or others. These demonstrate their commitment to maintaining high standards of information security. Compliance with industry-specific regulations (e.g., GDPR, HIPAA) is equally important, especially if your organization deals with sensitive data.

Step 3: Incident Response and Support

Ask about the vendor's incident response capabilities and the support they provide during and after a cyber incident. A reliable vendor should have a well-defined incident response plan and a team of skilled professionals ready to assist you in the event of a security breach.

Step 4: Third-party Audits and Assessments

Look for vendors who regularly undergo third-party security audits and assessments. These independent evaluations provide an objective view of the vendor's security practices and can validate their claims regarding their InfoSec capabilities.

Step 5: Data Protection Measures

Ensure that the vendor employs robust data protection measures, including encryption, access controls, and data backup protocols. This is vital if your organization handles sensitive customer information or intellectual property.

Step 6: Transparency and Communication

A trustworthy vendor will be transparent about their security practices, policies, and potential limitations. Evaluate how well they communicate their security measures and how responsive they are to your queries during the evaluation process.

Step 7: Research Security Incidents and Breaches

Conduct research on any past security incidents or data breaches that the vendor might have experienced. Analyze how they handled the situation, what lessons they learned, and the improvements they made to prevent similar incidents in the future.

Gartner has recently released a Third-Party Risk platform to help organizations navigate the risk profiles of third-party providers, including, of course, cybersecurity vendors. The Gartner definition of Third-Party Risk is: "the risk an organization is exposed to by its external third parties such as vendors, contractors, and suppliers who may have access to company data, customer data, or other privileged information."

The information provided by vendors on Gartner's Third-Party Risk Platform is primarily self-disclosed. While Gartner relies on vendors to accurately report their details, it also offers vendors the option to upload attestations of third-party audits as evidence to support their claims. This additional layer of validation helps increase the reliability and credibility of the information presented. However, it is ultimately the responsibility of users to perform their due diligence when evaluating vendor information.

Conclusion

Selecting the right SSE provider is a critical decision that can significantly impact your organization's security posture. By evaluating vendors based on their risk profile, not just their features, and leveraging the Gartner Third-Party Risk Platform, you can make an informed choice and gain a reliable cybersecurity provider. Remember: investing time and effort in the evaluation process now can prevent potential security headaches in the future, ensuring your organization remains protected from evolving cyber threats and compliant with local regulations.

How to Solve the Cloud vs On-Premise Security Dilemma

Introduction

Organizations need to protect themselves from the risks of running their business over the internet and processing sensitive data in the cloud. The growth of SaaS applications, shadow IT and work from anywhere has therefore driven rapid adoption of cloud-delivered cybersecurity services. Gartner defined SSE as a collection of cloud-delivered security functions: SWG, CASB, DLP and ZTNA. SSE solutions help move branch security to the cloud in a flexible, cost-effective and easy-to-manage way. They protect applications, data and users from North-South (incoming and outgoing) cyber threats. Of course, organizations must also protect against East-West threats, to prevent malicious actors from moving within their networks.

Organizations can face challenges moving all their security to the cloud, particularly when dealing with internal traffic segmentation (East-West traffic protection), legacy data center applications that can't be moved to the cloud, and regulatory issues (especially in the finance and government sectors). They often retain a legacy data center firewall for East-West traffic protection, alongside an SSE solution for North-South traffic protection. This hybrid security architecture increases complexity and operational costs. It also creates security gaps, due to the lack of unified visibility across the cloud and on-premise components. A SIEM or XDR solution could help with troubleshooting and reducing security gaps, but it won't solve the underlying complexity and operational cost issues.

Solving the cloud vs on-premise dilemma

Cato Networks' SSE 360 solution solves the "on-premise vs cloud-delivered" security dilemma by providing complete and holistic protection across the organization's infrastructure. It is built on a cloud-native architecture, secures traffic to all edges and provides full network visibility and control. Cato SSE 360 delivers both the North-South protection of SSE and the East-West protection normally delivered by a data center firewall, all orchestrated from one unified cloud-based console, the Cato Management Application (CMA).

Cato SSE 360 offers a modular way to implement East-West traffic protection. By default, traffic protection is enforced at the POP, including features such as TLS inspection, user/device posture checks and advanced malware protection. See Figure 1 below. This does not impact user experience because there is sub-20ms latency to the closest Cato POP, worldwide.

Figure 1 - WAN Firewall Policy

Using the centralized Cato Management Application (CMA), it is simple to create a policy based on a zero-trust approach. For example, in Figure 2 below, we see that only users who are:

- authorized (e.g. Cato Fong),
- connected to a corporate VLAN, and
- running a policy-compliant device (Windows with Windows AV active)

are allowed to access sensitive resources (in this case, the Domain Controller inside the organization).

Figure 2 - An example WAN Firewall rule

In some situations, it is helpful to implement East-West security at the local site: to allow or block communication without sending the traffic to the POP. For Cato services, the default way to connect a site to the network is with a zero-touch edge SD-WAN device, known as a Cato Socket. With Cato's LAN Firewall policy, you can configure rules for allowing or blocking LAN traffic directly on the Socket, without sending traffic to the POP. You can also enable tracking (i.e. record events) for each rule.

Figure 3 - LAN Firewall Policy

When to use a LAN firewall policy

There are several scenarios in which it could make sense to apply a LAN firewall policy. Let's review the LAN Firewall logic:

- Site traffic is matched against the LAN firewall policies.
- If there is a match, the traffic is enforced locally, at the socket level.
- If there is no match, the traffic is forwarded by default to the POP the socket is connected to.

Since the POP implements an implicit "deny all" policy for WAN traffic, administrators just have to define a whitelist of policies to allow users to access local resources.

Some use cases:

- prevent users on a Guest WiFi network from accessing local corporate resources;
- allow users on the corporate VLAN to access printers located in the printer VLAN, over specific TCP ports;
- allow IoT devices (e.g. CCTV cameras), connected to an IoT-camera VLAN, to access the IoT file server, but only over HTTPS;
- allow database synchronization across two VLANs located in separate datacenter rooms, over a specific protocol/port.

To better show the tight interaction between the LAN firewall engine in the socket and the WAN and Internet firewall engines at the POP, let's look at this use case. In Figure 4, a CCTV camera is connected to an IoT VLAN. A LAN Firewall policy, implemented in the Cato Socket, allows the camera to access an internal CCTV server. However, the Internet Firewall, implemented at the POP, blocks access by the camera to the Internet. This protects against command and control (C&C) communication if the camera is ever compromised by a malicious botnet.

Figure 4 - Allow CCTV camera to access CCTV internal server

All policies should be visible in the same dashboard

IT managers can use the same CMA dashboards to set policies and review events, regardless of whether the policy is enforced in the local socket or in the POP. This makes it simple to set policies and track events. We can see this in the figures below, which show a LAN firewall event and a WAN firewall event, tracked on the CMA.

Figure 5 shows a LAN firewall event. It is associated with the Guest WiFi LAN firewall policy mentioned above. Here, we blocked access to the corporate AD server for the guest user at the socket level (LAN firewall).

Figure 5 - LAN Firewall tracked event

Figure 6 shows a WAN firewall event. It is associated with a WAN firewall policy for the AD Server, for a user called Cato Fong. In this case, we allowed the user to access the AD Server at the POP level (WAN firewall), using zero trust principles: Cato is an authorized user and Windows Defender AV is active on his device.

Figure 6 - WAN Firewall tracked event

Benefits of cloud-based East-West protection

Applying East-West protection with Cato SSE 360 brings several key benefits:

- It allows unified cloud-based management across all edges, for both East-West and North-South protection;
- It provides granular firewall policy options for both local and global segmentation;
- It allows bandwidth savings for situations that do not require layer 7 inspection;
- It provides unified, cloud-based visibility of all security and networking events.

With Cato SASE Cloud and Cato SSE 360, organizations can migrate their datacenter firewalls confidently to the cloud, to experience all the benefits of a true SASE solution. Cato SSE 360 is built on a cloud-native architecture. It secures traffic to all edges and provides full network visibility and control. It delivers all the functionality of a datacenter firewall, including NGFW, SWG and local segmentation, plus Advanced Threat Protection and Managed Threat Detection and Response.
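The LAN firewall logic (first match on the socket, fallthrough to the POP with an implicit deny for WAN traffic), the zero-trust WAN rule of Figure 2 and the CCTV use case of Figure 4 can be modelled as one small ordered-policy engine. The block below is an added example written for this page; it is not Cato's code and not an API of the Cato Management Application. The VLAN names, user name, port numbers, the "vlan:*" wildcard and the allow-by-default behaviour for Internet traffic that matches no rule are all assumptions made for the example (the post only states the implicit deny for WAN traffic).

```python
"""Toy model of the two-tier firewall logic described in the post: LAN rules are
checked first on the socket, unmatched traffic goes to the POP, where WAN rules
(implicit deny) or Internet rules apply. Added example, not Cato's code; every
VLAN, user, port and the Internet default are constructed for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ANY = frozenset({"*"})

@dataclass(frozen=True)
class Flow:
    src_vlan: str
    dst_zone: str                   # "vlan:<name>" for a local VLAN, or "internet"
    proto: str                      # "tcp", "udp", "icmp"
    port: Optional[int] = None
    user: Optional[str] = None
    device_compliant: bool = False  # e.g. Windows with Windows AV active

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # "allow" or "block"
    src_vlans: FrozenSet[str] = ANY
    dst_zones: FrozenSet[str] = ANY        # "vlan:*" matches any local VLAN (assumed syntax)
    protos: FrozenSet[str] = ANY
    ports: FrozenSet[int] = frozenset()    # empty means any port
    users: FrozenSet[str] = ANY
    require_compliant_device: bool = False
    track: bool = True                     # record an event when the rule fires

    def matches(self, flow: Flow) -> bool:
        zone_ok = ("*" in self.dst_zones or flow.dst_zone in self.dst_zones
                   or ("vlan:*" in self.dst_zones and flow.dst_zone.startswith("vlan:")))
        return (zone_ok
                and ("*" in self.src_vlans or flow.src_vlan in self.src_vlans)
                and ("*" in self.protos or flow.proto in self.protos)
                and (not self.ports or flow.port in self.ports)
                and ("*" in self.users or flow.user in self.users)
                and (flow.device_compliant or not self.require_compliant_device))

@dataclass
class Decision:
    action: str
    enforced_at: str        # "socket" (LAN firewall) or "pop" (WAN / Internet firewall)
    rule: str
    event: Optional[dict]   # tracked event, as a unified console would record it

def first_match(rules: List[Rule], flow: Flow) -> Optional[Rule]:
    return next((r for r in rules if r.matches(flow)), None)  # ordered policy: first match wins

def decide(flow: Flow, lan: List[Rule], wan: List[Rule], internet: List[Rule]) -> Decision:
    def result(action: str, where: str, name: str, tracked: bool, firewall: str) -> Decision:
        event = {"firewall": firewall, "rule": name, "action": action, "src_vlan": flow.src_vlan,
                 "dst": flow.dst_zone, "user": flow.user} if tracked else None
        return Decision(action, where, name, event)

    rule = first_match(lan, flow)                 # 1. LAN firewall on the socket
    if rule:
        return result(rule.action, "socket", rule.name, rule.track, "LAN")
    if flow.dst_zone == "internet":               # 2. no LAN match: forwarded to the POP
        rule = first_match(internet, flow)
        if rule:
            return result(rule.action, "pop", rule.name, rule.track, "Internet")
        return result("allow", "pop", "internet-default", False, "Internet")  # assumed default
    rule = first_match(wan, flow)                 # 3. WAN firewall at the POP, implicit deny
    if rule:
        return result(rule.action, "pop", rule.name, rule.track, "WAN")
    return result("block", "pop", "implicit-deny", True, "WAN")

# Constructed policies mirroring the post's use cases (VLAN names and ports are invented).
TCP = frozenset({"tcp"})
LAN_POLICY = [
    Rule("guest-wifi-isolation", "block", src_vlans=frozenset({"guest-wifi"}),
         dst_zones=frozenset({"vlan:*"})),
    Rule("corp-to-printers", "allow", src_vlans=frozenset({"corporate"}),
         dst_zones=frozenset({"vlan:printers"}), protos=TCP, ports=frozenset({631, 9100})),
    Rule("cctv-to-cctv-server", "allow", src_vlans=frozenset({"iot-cameras"}),
         dst_zones=frozenset({"vlan:iot-servers"}), protos=TCP, ports=frozenset({443})),
    Rule("db-sync-rooms", "allow", src_vlans=frozenset({"db-room-a"}),
         dst_zones=frozenset({"vlan:db-room-b"}), protos=TCP, ports=frozenset({5432})),
]
WAN_POLICY = [  # zero-trust rule of Figure 2: user, VLAN and device posture are all checked
    Rule("zero-trust-dc-access", "allow", src_vlans=frozenset({"corporate"}),
         dst_zones=frozenset({"vlan:servers"}), users=frozenset({"Cato Fong"}),
         require_compliant_device=True),
]
INTERNET_POLICY = [  # the camera reaches its server over the LAN but never the Internet
    Rule("block-camera-internet", "block", src_vlans=frozenset({"iot-cameras"}),
         dst_zones=frozenset({"internet"})),
]

def evaluate(flow: Flow) -> Decision:
    """Evaluate one flow against the constructed LAN, WAN and Internet policies."""
    return decide(flow, LAN_POLICY, WAN_POLICY, INTERNET_POLICY)

if __name__ == "__main__":
    for f in (Flow("guest-wifi", "vlan:servers", "tcp", 389),
              Flow("iot-cameras", "internet", "tcp", 443),
              Flow("corporate", "vlan:servers", "tcp", 445, "Cato Fong", True)):
        d = evaluate(f)
        print(f"{f.src_vlan} -> {f.dst_zone}: {d.action} at {d.enforced_at} ({d.rule})")
```

Each Decision carries both the verdict and where it was enforced, plus the tracked event, so a guest blocked on the socket and a user allowed at the POP produce records of the same shape; that is the property the post relies on when it shows LAN and WAN events side by side in one console. Note the two ways a flow ends up blocked: by an explicit LAN or Internet rule, or by falling all the way through to the POP's implicit deny, which is why only allow rules need to be written for local resources.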

Achieving NIS2 Compliance: Essential Steps for Companies 

Introduction

In an increasingly digital world, cybersecurity has become a critical concern for companies. With the rise of sophisticated cyber threats, protecting critical infrastructure and ensuring the continuity of essential services has become a top priority. The EU's Network and Information Security Directive (NIS2), which supersedes the previous directive from 2016, establishes a framework to enhance the security and resilience of network and information systems. In this blog post, we will explore the key steps that companies need to take to achieve NIS2 compliance.

Who needs to comply with NIS2?

The first step towards NIS2 compliance is to thoroughly understand the scope of the directive and its applicability to your organization. It is critical to assess whether your organization falls within the scope and to identify the relevant requirements.

For non-compliance with NIS regulations, companies providing essential services such as energy, healthcare, transport, or water may be fined up to £17 million in the UK and €10 million or 2% of worldwide turnover in the EU.

NIS2 will apply to any organisation with more than 50 employees whose annual turnover exceeds €10 million, and any organisation previously included in the original NIS Directive. The updated directive now also includes the following industries:

- Electronic communications
- Digital services
- Space
- Waste management
- Food
- Critical product manufacturing (e.g. medicine)
- Postal services
- Public administration

Industries included in the original directive will remain within the remit of the updated NIS2 directive. Some smaller organizations that are critical to the functioning of a member state will also be covered by NIS2.

Achieving Compliance

NIS2 introduces more stringent security requirements. It requires organizations to implement both organizational and technical measures to safeguard their networks and information systems. This includes measures such as risk management, incident detection and response, regular security assessments, and encryption of sensitive data. By adopting these measures, organisations can significantly enhance their overall security posture. Let's have a closer look at the key steps to achieve NIS2 compliance.

Perform a Risk Assessment

Conduct a detailed risk assessment to identify potential vulnerabilities and threats to your network and information systems. This assessment should cover both internal and external risks, such as malware attacks, unauthorized access, human errors, and natural disasters. Understanding the specific risks your organization faces will help you design effective security measures.

Establish a Security Governance Framework

Develop a robust security governance framework that outlines the roles, responsibilities, and processes necessary to achieve and maintain NIS2 compliance. Assign clear accountability for cybersecurity at all levels of your organization and establish protocols for risk management, incident response, and communication.

Implement Security Measures

Implement appropriate technical and organizational security measures to protect your network and information systems. Ensure that they are regularly reviewed, updated, and tested to address evolving threats. Example measures include access controls using multi-factor authentication, encryption using services like PKI certificates to secure networks and systems, regular vulnerability assessments, intrusion detection and prevention systems, and secure software development practices.

Supply chain security

Assess suppliers, service providers, and even data storage providers for vulnerabilities. NIS2 requires that companies thoroughly understand potential risks, establish close relationships with partners, and consistently update security measures to ensure the utmost protection.

Incident Response and Reporting

Establish a well-defined incident response plan to address and mitigate cybersecurity incidents promptly. This plan should include procedures for identifying, reporting, and responding to security breaches or disruptions. Designate responsible personnel and establish communication channels to ensure swift and effective incident response.

NIS2-compliant organizations must report cybersecurity incidents to the competent national authorities. They must submit an "early warning" report within 24 hours of becoming aware of an incident, followed by an initial assessment within 72 hours, and a final report within one month.

Business Continuity

Implement secure backup and recovery procedures to ensure the availability of key services in the event of a system failure, disaster, data breach or other cyber-attack. Backup and recovery measures include regular backups, testing backup procedures, and ensuring the availability of backup copies.

Collaboration and Information Sharing

Establish a culture of proactive information exchange related to cyber threats, incidents, vulnerabilities, and cybersecurity practices. NIS2 recognizes the significance of sharing insights into the tools, methods, tactics, and procedures employed by malicious actors, as well as preparing for a cybersecurity crisis through exercises and training.

Foster collaboration and information sharing with relevant authorities, sector-specific CSIRTs (Computer Security Incident Response Teams), and other organisations in the same industry. NIS2 encourages structured information-sharing arrangements to promote trust and cooperation among stakeholders in the cyber landscape. The aim is to enhance the collective resilience of organizations and countries against the evolving cyber threat landscape.

Compliance Documentation and Auditing

Maintain comprehensive documentation of your NIS2 compliance efforts, including policies, procedures, risk assessments, incident reports, and evidence of the security measures implemented. Regularly review and update these documents to reflect changes in your organization or the threat landscape. Consider engaging independent auditors to evaluate your compliance status and provide objective assessments.

Training and Awareness

Invest in continuous training and awareness programs to educate employees about the importance of cybersecurity and their role in maintaining NIS2 compliance. Regularly update employees on emerging threats, best practices, and incident response procedures. Foster a culture of security consciousness to minimize human-related risks.

The right network and security platform can help

Cato Networks offers a comprehensive solution and infrastructure that can greatly assist companies in achieving NIS2 compliance. By leveraging Cato's Secure Access Service Edge (SASE) platform, organizations can enhance the security and resilience of their network and information systems.

Cato's integrated approach combines SD-WAN, managed security services and global backbone services into a cloud-based service offering. Its products are designed to help IT staff manage network security for distributed workforces accessing resources across the wide area network (WAN), cloud and Internet. The Cato SASE Cloud platform supports more than 80 points of presence in over 150 countries.

The company's managed detection and response (MDR) platform combines machine learning and artificial intelligence (AI) models to process network traffic data and identify threats to its customers in a timely manner.

Cato SASE Cloud offers a range of security services, such as Intrusion Prevention Systems (IPS), Anti-Malware (AM), Next Generation Firewalls (NGFW) and Secure Web Gateway, to provide robust protection against cyber threats. It also provides cloud access security broker (CASB) and Data Loss Prevention (DLP) capabilities to protect sensitive assets and ensure compliance with cloud applications. The Cato SASE Cloud is a zero-trust, identity-driven platform that enforces access control based on multi-factor authentication and integration with popular identity providers like Microsoft, Google, Okta, OneLogin and OneWelcome.

With Cato's centralized management and visibility, companies can efficiently monitor and control their network traffic as well as all the security events triggered. By partnering with Cato Networks, companies can leverage a comprehensive solution that streamlines their journey towards NIS2 compliance while bolstering their overall cybersecurity posture. Cato Networks is an ISO 27001, SOC 1/2/3 and GDPR compliant organization. For more information, please visit our Security, Compliance and Privacy page.

Conclusion

Achieving NIS2 compliance requires a comprehensive approach to cybersecurity, involving risk assessments, robust security measures, incident response planning, collaboration, and ongoing training. By prioritizing network and information security, companies can enhance the resilience of critical services and protect themselves and their customers from cyber threats. To safeguard your organization's digital infrastructure, be proactive, adapt to evolving risks, and ensure compliance with the NIS2 directive.