
Aligning Edgewise with the NIST CSF (Part 3 of 5: Detect)

For some security and operations professionals, detecting anomalous and/or malicious activity is the most important aspect of a cybersecurity program. This is because, in today’s cybersecurity threatscape, companies should assume cyber criminals are already on their networks and because preventing unauthorized access is nearly impossible when fighting a motivated attacker. It’s much harder to secure the entirety of an organization’s on-premises, cloud, and containerized networks than it is for attackers to find one vulnerability—perhaps in the architecture, perhaps in the users of the network—and gain unauthorized access.

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is an authoritative source for companies that want to model their network architecture and cybersecurity program on a set of proven best practices and recommendations. As such, we at Edgewise are frequently asked how our technology aligns with the published guidance and how Edgewise can help organizations meet the NIST recommendations.

Detection, by any estimate, is a mandatory capability for companies' security and operations teams. Today's conventional wisdom says that a cybersecurity compromise is a matter of "not if but when," and so the third NIST CSF Core Function focuses on how companies can quickly detect anomalous activity before an attack spreads and causes widespread organizational damage and loss.

Per the published guidance, elements of the Core Function “Detect” include:

“Anomalies and Events: Anomalous activity is detected and the potential impact of events is understood.

Security Continuous Monitoring: The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.

Detection Processes: Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.”

Within Detect, these categories can be mapped to Edgewise in the following ways:


Anomalies and Events: To detect when anomalous and potentially suspicious activity is occurring, NIST recommends building a baseline of network operations and expected data flows for users and systems. Edgewise automatically discovers, maps, and analyzes all communicating applications and services, and the pathways between them, on your networks in real time, then applies machine learning to baseline statistically normal versus abnormal behavior. Doing so helps organizations understand:

  • What connections are possible within the network versus what is required by the business (in other words, the level of overexposure presented by the network);
  • When communications that fall outside of the established baselines occur.

This assessment also provides the information needed to establish when a security event may be happening, such as port scanning, lateral movement, or data exfiltration. Unlike a traditional IDS or network-security tool, which may provide only basic IP-address information that requires further investigation to decipher, Edgewise identifies the exact resources involved in any anomalous activity, including the host(s) and application(s) involved in the incident.
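As an added illustration (not Edgewise code), the block below implements the baseline-and-deviation logic this section describes over constructed flow records: a learning period establishes which (source host, application, destination host, port) edges exist and how many bytes they normally carry; afterwards every flow off the baseline is flagged, and the off-baseline flows are aggregated into the three patterns named above (many unseen ports on one host, the same port on many unseen hosts, and a known edge carrying far more data than usual). The host names, application names, byte counts and thresholds are all invented for the example; a real deployment tunes them from its own traffic.

```python
import statistics
from collections import defaultdict

# Detection knobs, constructed for this example (not Edgewise settings).
PORT_SCAN_MIN_PORTS = 5   # unseen ports from one source to one destination host
LATERAL_MIN_HOSTS = 3     # unseen destination hosts from one source on one port
VOLUME_SIGMA = 3.0        # bytes_out above mean + 3*stdev on a known edge

# Constructed flow records: (src_host, src_app, dst_host, dst_port, bytes_out).
# LEARNING_FLOWS is the period used to build the baseline of expected data flows.
LEARNING_FLOWS = [
    ("web-01", "nginx", "app-01", 8080, 12_000), ("web-01", "nginx", "app-01", 8080, 9_500),
    ("app-01", "java", "db-01", 5432, 4_000), ("app-01", "java", "db-01", 5432, 3_800),
    ("app-01", "java", "db-01", 5432, 4_200), ("app-01", "java", "cache-01", 6379, 1_200),
    ("db-01", "rsync", "backup-01", 873, 50_000_000),
    ("db-01", "rsync", "backup-01", 873, 52_000_000),
    ("db-01", "rsync", "backup-01", 873, 48_000_000),
]

# OBSERVED_FLOWS is traffic seen after the baseline was established (constructed).
OBSERVED_FLOWS = [
    ("web-01", "nginx", "app-01", 8080, 11_000),   # within baseline
    ("app-01", "java", "db-01", 5432, 4_100),       # within baseline
    ("web-01", "sh", "db-01", 5432, 300),           # new application reaching the database
    # one source probing many unseen ports on one host: port scan
    ("web-01", "nmap", "app-01", 21, 60), ("web-01", "nmap", "app-01", 22, 60),
    ("web-01", "nmap", "app-01", 23, 60), ("web-01", "nmap", "app-01", 25, 60),
    ("web-01", "nmap", "app-01", 80, 60), ("web-01", "nmap", "app-01", 443, 60),
    # one source reaching many unseen hosts on the same port: lateral movement
    ("app-01", "psexec", "web-02", 445, 500), ("app-01", "psexec", "web-03", 445, 500),
    ("app-01", "psexec", "web-04", 445, 500),
    # a known edge carrying ~1000x its normal volume: possible exfiltration
    ("db-01", "rsync", "backup-01", 873, 60_000_000_000),
]


def edge(flow):
    """The identity of a communication pathway: who talks to whom, on which port."""
    src_host, src_app, dst_host, dst_port, _ = flow
    return (src_host, src_app, dst_host, dst_port)


def build_baseline(flows):
    """Map each edge seen during learning to the bytes_out samples it carried."""
    baseline = defaultdict(list)
    for flow in flows:
        baseline[edge(flow)].append(flow[4])
    return dict(baseline)


def volume_limit(samples):
    """Upper bound of 'normal' bytes_out for an edge: mean + VOLUME_SIGMA*stdev,
    floored at twice the largest sample so low-variance edges do not page on noise."""
    mean = statistics.fmean(samples)
    stdev = statistics.pstdev(samples) if len(samples) > 1 else 0.0
    return max(mean + VOLUME_SIGMA * stdev, 2 * max(samples))


def detect(baseline, flows):
    """Flag flows outside the baseline, then aggregate the unseen ones into the
    patterns an analyst actually wants to be alerted about."""
    events, unseen = [], []
    for flow in flows:
        src_host, src_app, dst_host, dst_port, bytes_out = flow
        e = edge(flow)
        if e not in baseline:
            unseen.append(flow)
            events.append({"type": "new_connection", "src_host": src_host, "src_app": src_app,
                           "dst_host": dst_host, "dst_port": dst_port})
        elif bytes_out > volume_limit(baseline[e]):
            events.append({"type": "volume_anomaly", "src_host": src_host, "src_app": src_app,
                           "dst_host": dst_host, "dst_port": dst_port, "bytes_out": bytes_out,
                           "limit": volume_limit(baseline[e])})
    ports_by_pair = defaultdict(set)   # (src_host, dst_host) -> unseen ports
    hosts_by_port = defaultdict(set)   # (src_host, dst_port) -> unseen hosts
    for src_host, _, dst_host, dst_port, _ in unseen:
        ports_by_pair[(src_host, dst_host)].add(dst_port)
        hosts_by_port[(src_host, dst_port)].add(dst_host)
    for (src_host, dst_host), ports in ports_by_pair.items():
        if len(ports) >= PORT_SCAN_MIN_PORTS:
            events.append({"type": "port_scan", "src_host": src_host, "dst_host": dst_host,
                           "ports": sorted(ports)})
    for (src_host, dst_port), hosts in hosts_by_port.items():
        if len(hosts) >= LATERAL_MIN_HOSTS:
            events.append({"type": "lateral_movement", "src_host": src_host,
                           "dst_port": dst_port, "dst_hosts": sorted(hosts)})
    return events


def count_by_type(events):
    counts = {}
    for ev in events:
        counts[ev["type"]] = counts.get(ev["type"], 0) + 1
    return counts


def first_of(events, kind):
    return next(ev for ev in events if ev["type"] == kind)


def run_example():
    """Baseline on the learning period, then detect over the observed period."""
    return detect(build_baseline(LEARNING_FLOWS), OBSERVED_FLOWS)
```

Running `run_example()` yields ten `new_connection` events (the `sh` flow plus each probe and each SMB attempt), one `port_scan`, one `lateral_movement`, and one `volume_anomaly` on the db-01 to backup-01 edge. Note that every flagged record names the host and application at both ends, which is the detail the paragraph contrasts with an IP-only IDS alert; note also that a new connection on its own is only a deviation, and it is the aggregation and the volume model that turn deviations into something worth paging on.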

While anomalous behavior might not necessarily indicate a security event, when suspicious activity is detected Edgewise alerts administrators and provides the capability to immediately block access or quarantine a system in one click, thereby lowering the possibility of malware propagation or unauthorized access to applications or services.

Because the Edgewise agent runs at the kernel level on each host, it sees every communication attempt that host makes or receives, and the platform correlates that data across the whole network in which it is installed. This system-wide view provides visibility into what is happening on the network at any point in time, so that when unauthorized access is requested, when malware attempts to communicate, or when other unusual activity occurs, it is instantly highlighted. To detect when malware is communicating on the network, Edgewise uses identity fingerprinting and symmetric identity verification: each communicating piece of software is identified by a fingerprint of what it is rather than by its network address, and both ends of a connection are verified against policy.

Additionally, Edgewise checks all customers' communicating applications and services against more than 40 industry-leading virus scanners to detect the presence of known malware. If known malware is found in any application or service, Edgewise alerts the user and does not build a communication policy for that software, so the unapproved software cannot communicate. (Because this check covers known malware only, custom or previously unseen malicious code is caught by the baseline and identity checks described above rather than by scanner signatures.)

Security Continuous Monitoring: Edgewise monitors every network communication attempt to detect potentially harmful cybersecurity activity, whether that means looking for malware or for an application that is trying to connect to a host it has never connected to before. As a zero trust platform, Edgewise verifies every application and service by its identity fingerprint before it is allowed to send or receive communication. Malicious code, attempted unauthorized access, and even new software deployed into the environment are therefore identified in real time, because an application or service with no approved identity triggers an alert. Machine learning over normal communication patterns lets Edgewise keep refining the models it uses to detect (and ultimately prevent) cybersecurity events that follow an intrusion.
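The identity-fingerprint verification described in the two passages above (malware detection via fingerprinting and symmetric verification, and zero trust verification before any communication is allowed) can be shown in a few dozen lines. This is an added example, not Edgewise code, and the fingerprint recipe is an assumption made for illustration: SHA-256 over the host name, the executable path, and the executable bytes, so that a binary replaced in place, a genuine binary copied to a host where it was never approved, and a process impersonating the server all produce identities that policy does not know. The executable "images", host names, paths and policy entries are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    """A piece of communicating software as an agent on the host would see it."""
    host: str
    path: str
    image: bytes   # executable contents as read from disk (constructed here)


def fingerprint(w):
    """Identity is derived from what the software is and where it runs, never
    from an IP address. Assumed recipe: SHA-256 over host, path and image bytes."""
    h = hashlib.sha256()
    for part in (w.host.encode(), w.path.encode(), w.image):
        h.update(part + b"\x00")
    return h.hexdigest()


def build_policy(allowed):
    """Policy entries name both ends by fingerprint: (client_fp, server_fp, port)."""
    return {(fingerprint(c), fingerprint(s), port) for c, s, port in allowed}


def verify(policy, client, server, port):
    """Symmetric check: the server end validates the client identity and the
    client end validates the server identity; a failure on either side denies
    the flow. Returns (allowed, reason) so the reason can drive an alert."""
    cfp, sfp = fingerprint(client), fingerprint(server)
    if (cfp, sfp, port) in policy:
        return True, "identity-verified"
    known_clients = {c for c, _, _ in policy}
    known_servers = {s for _, s, _ in policy}
    if cfp not in known_clients:
        return False, "unknown client software: new or modified binary, alert"
    if sfp not in known_servers:
        return False, "unknown server software: new or modified binary, alert"
    return False, "verified identities but no policy for this pair and port"


# Constructed stand-ins for executable images; a real agent hashes the file on disk.
NGINX_IMAGE = b"\x7fELF nginx/1.18 (constructed)"
JAVA_IMAGE = b"\x7fELF openjdk-11 (constructed)"
TAMPERED_NGINX = NGINX_IMAGE + b"\x90\x90 injected payload"

WEB01_NGINX = Workload("web-01", "/usr/sbin/nginx", NGINX_IMAGE)
APP01_JAVA = Workload("app-01", "/usr/bin/java", JAVA_IMAGE)
# The only pathway the business requires: nginx on web-01 to java on app-01:8080.
POLICY = build_policy([(WEB01_NGINX, APP01_JAVA, 8080)])


def run_example():
    """Five connection attempts; only the first should be allowed."""
    tampered = Workload("web-01", "/usr/sbin/nginx", TAMPERED_NGINX)   # same host and path, bytes changed
    copied = Workload("web-02", "/usr/sbin/nginx", NGINX_IMAGE)        # genuine binary, unapproved host
    rogue = Workload("app-01", "/usr/bin/java", b"\x7fELF rogue")      # impersonates the server
    return {
        "legit": verify(POLICY, WEB01_NGINX, APP01_JAVA, 8080),
        "tampered_client": verify(POLICY, tampered, APP01_JAVA, 8080),
        "copied_binary": verify(POLICY, copied, APP01_JAVA, 8080),
        "rogue_server": verify(POLICY, WEB01_NGINX, rogue, 8080),
        "wrong_port": verify(POLICY, WEB01_NGINX, APP01_JAVA, 22),   # genuine software, unrequired pathway
    }
```

The point to take from the denied cases is that none of them depend on an address: the tampered nginx still sits on web-01 at the same path with the same IP, and the rogue server answers on the expected host and port, yet both fail because their fingerprints are not in policy. The "unknown client/server software" reasons are the events the passage above describes as alerts for malicious code or newly deployed software, while "no policy for this pair and port" is genuine software attempting a pathway the business never required.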

Detection Processes: Under the CSF, this category focuses on how organizations define, enforce, test, and communicate processes around event detection. While this category does not map directly to the Edgewise platform, Edgewise's mapping technology, visualization tool, and risk assessment functionality provide reliable insight into what is happening, uniformly, across any network environment, which is a key input to any detection process. As a routine practice, Edgewise also tests its own technology before any new release to ensure it is working as intended.

The wrap up

Using Edgewise, network, security, and operations teams always have a current view into application and service communications happening on and across their organization’s networks. This unprecedented level of visibility coupled with baseline monitoring allows companies to quickly and easily detect potential attacks and attacks in progress.

In the next post we'll cover how Edgewise capabilities align with the NIST CSF "Respond" Core Function to help companies respond to network compromise before it causes significant damage.

Katherine Teitler, Director of Content

Katherine Teitler leads content strategy and development for Edgewise Networks. In her role as Director of Content she is a storyteller; a translator; and liaison between sales, marketing, and the customer. Prior to Edgewise, Katherine was the Director of Content for MISTI, a global training and events company, where she was in charge of digital content strategy and programming for the company's cybersecurity events, and the Director of Content at IANS, where she built, managed, and contributed to the company's research portal.