NIST Cyber Security Framework

NIST CSF core functions: Detect

Greg Belding
January 20, 2020 by
Greg Belding

The National Institute of Standards and Technology’s Cybersecurity Framework, or NIST CSF, was first published in 2014 to provide guidance for organizational cybersecurity defenses and risk management. This framework is renowned for its inherent flexibility and open-endedness to account for different organizational needs. 

At its center, NIST CSF is comprised of five core functions. This article will detail the third of these functions, Detect, and explore the Framework’s five core functions, what the Detect function is and the outcome categories and subcategory activities of this function.

Get NIST CSF training

Get NIST CSF training

Build your understanding of the NIST Cyber Security Framework with seven courses taught by Ross Casanova.

What is the NIST CSF framework core?

The Framework core is a set of recommended activities designed to achieve certain cybersecurity outcomes and serves as guidance, not intended to serve as a checklist.

The Framework core is composed of five functions that work together to achieve the outcomes mentioned above. These elements are:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

What is the detect function?

Just as many experts have made the analogy of the previous functions being the foundation and frame for the CSF core framework functions, the Detect function has been affectionately compared to a homeowner stocking their house with items to detect or warn of danger within the house, such as smoke detectors and home alarm systems.

NIST defines the Detect Function as “(to) develop and implement appropriate activities to identify the occurrence of a cybersecurity event.” The focus of the Detect function is the organization’s ability to discover cybersecurity events in a timely manner. The heightened emphasis on timeliness is due to the fact that the longer an attack carries on, the more likely it is that data loss and other types of damage will be inflicted upon an organization’s systems, information and overall environment.

Outcome categories and subcategory activities

Each Framework function is composed of outcome categories that describe the kinds of processes and tasks that organizations should carry out for that Framework level. Outcome categories are in turn composed of subcategory activities. 

The Detect function contains three outcome categories: Anomalies and Events, Detection Processes and Continuous Monitoring. These outcome categories, along with their respective subcategory activities, will be explored below. 

Keeping with the spirit of NIST CSF, this article is intended to serve not as a list of draconian mandates but rather a flexible guide that works in tandem with categories and subcategory activities that are organization specific. The idea is to produce the best fit possible for the organization.

Anomalies and events

NIST defines this category as follows: “anomalous activity is detected and the potential impact of events is understood.” This means that organizations and their security teams should have the ability to detect anomalous activity in a timely manner because it may indicate dangerous activity. 

The organization’s cybersecurity leadership need to understand the potential impact of detected anomalous activity to get the most out of this function’s outcome categories and subcategory activities.

Subcategory activities

  • A baseline of expected data flows and operations for systems and users is established and managed
  • Detected cybersecurity events are analyzed to better understand attack methods and targets
  • Event data, from multiple sensors and sources, is collected and correlated
  • The impact of detected cybersecurity events is determined
  • Establishment of incident alert thresholds

Security continuous monitoring

NIST defines this outcome category as follows: “the information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.” This function demands end-to-end IT system and asset monitoring to detect security issues and measure the ability of security safeguards deployed during the Protect core function. 

Monitoring should cover physical environments, networks, service provider and user activity and vulnerability scans should be performed on systems containing sensitive information.

Subcategory activities

  • The organization’s network is monitored in order to detect potential cybersecurity events
  • The organization’s physical environment is monitored for potential cybersecurity events
  • The organization’s personnel activity is monitored for potential cybersecurity events
  • Malicious code is detected
  • Unauthorized/unwanted mobile code is detected
  • The activity of external service providers is monitored for potential cybersecurity events
  • Monitoring for connections, devices, unauthorized personnel and software is performed
  • Vulnerability scans are performed

Detection processes

NIST defines this outcome category as follows: “detection processes and procedures are maintained and tested to ensure awareness of anomalous events.” The organization must work to maintain all procedures and processes involved in detecting anomalous activity and protecting against potential cybersecurity events. This entails defining responsibilities and roles involved in detection, as well as ensuring that these detection activities meet industry compliance requirements and are continually improved.

Subcategory activities

  • Detection roles and responsibilities are well defined for accountability
  • Detection activities fulfill all applicable requirements
  • Detection processes are tested
  • Information regarding event detection is communicated
  • Detection processes are improved continuously


This core Framework function, Detection, is one of the most important of all NIST CSF core Framework functions. This function is where the organization defines important detection roles, responsibilities, and processes and where they are conscientiously implemented within the organization. Whereas the Identify and Protect functions were compared with the foundation and framing of a house, Detect has been compared installing security and detection devices in a house — and there has been no analogy more appropriate than that. 


Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.