
Aligning Edgewise with the NIST CSF (Part 5 of 5: Recover)

In the first four blog posts in this series we described how the Edgewise platform maps to the steps and recommendations of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The NIST CSF is authoritative guidance followed by the world’s leading companies to ensure the confidentiality, integrity, and availability of critical business systems and data, allowing those companies to focus on driving revenue, increasing market share, innovating on new products, and achieving other business-focused goals. Though today’s technology is a business enabler, it presents risks which must be weighed and managed carefully.

The CSF is designed to help companies address and mitigate cyber risk, yet it is inevitable that cyber incidents will occur. How a company responds to a cyber attack impacts how many setbacks it will face; how quickly it recovers determines how quickly and easily it will be able to resume normal business operations.

If you’ve been following our series, you will notice that this blog post is different from the previous four. This is because the “Recover” function of the NIST CSF is focused on the processes and procedures that allow organizations to return to a fully functioning state, whereas Edgewise capabilities are focused on the front end of the NIST recommendations:

  • Identifying risks in companies’ networks;
  • Protecting applications, workloads, and systems from unauthorized access and use; and
  • Detecting anomalous activity through continuous network monitoring.

As such, Edgewise cannot directly help organizations recover from incidents, but we do think it’s important to evangelize the guidance in the framework.

The fifth and final Core Function of the CSF is “Recover,” a capability all organizations must learn to master. After a disaster hits, whether a natural disaster that wipes out physical data centers or a cyber incident that impacts the availability or integrity of digital data, organizations must be able to return IT systems to their normal state as quickly and efficiently as possible.

Per the published guidance, elements of the Core Function “Recover” include:

“Recovery Planning: Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.

Improvements: Recovery planning and processes are improved by incorporating lessons learned into future activities.

Communications: Restoration activities are coordinated with internal and external parties (e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).” 


As with the other Functions described in the CSF, the framework does not provide an exhaustive list of “to dos” for Recover. Recovering from an incident can be a long, tedious process that may involve assistance from outside vendors that specialize in data backup and recovery, IT and security operations, forensics, and more. With this in mind, recovering from a cyber incident in a timely fashion demands careful advance planning to understand:

  • What systems and data the company has
  • How to identify which systems have been affected
  • Who is responsible for day-to-day management of systems/data
  • How communication will be handled during and after an incident
  • What outside resources will be necessary following an incident

And much more. The ability to recover from a cyber incident relies on having an already-established, up-to-date incident response plan that has been tested for various scenarios. During and after an incident is not the time to pull together network diagrams, lists of critical assets, where log files and disk images have been stored, or who holds the public encryption keys. If the organization has not regularly backed up critical data, data cannot be restored, and that will impact the company’s ability to recover. If the company isn’t certain of all assets used for normal daily operations, it can’t expect to bring them all back online.

It is important to note that recovery planning relies heavily on work completed during the protection planning phase, which answers questions such as: What thresholds are in place? What are our resilience requirements? How and what do we prioritize? These questions and more, determined thoughtfully when an incident isn’t midstream, set the foundation for an adept recovery.

Further, the communications aspect of a recovery is just as important as the technological requirements. Often, a company’s brand and reputation are on the line after a breach has been disclosed. Organizations need a tested process led by experienced personnel to handle both internal and external breach communications. A misspoken statement read to the press, stakeholders, or regulators could result in additional and unnecessary trouble during an already high-stress, high-stakes period.

The wrap-up

While the “Recover” Function of the NIST CSF is just as important as every other stage of cybersecurity preparedness and incident response handling, everything accomplished in this phase depends on organizations anticipating a cyber attack. To do so (and before an incident occurs), they must maintain a thorough, always-current plan which details everything from team selection to the IT systems in use, the data those systems hold, and communications policies. It’s only with a relevant, reliable plan that recovery strategies can be executed well and the impacted organization(s) can resume regular business operations as quickly as possible.

Katherine Teitler, Director of Content

Katherine Teitler leads content strategy and development for Edgewise Networks. In her role as Director of Content she is a storyteller, a translator, and a liaison between sales, marketing, and the customer. Prior to Edgewise, Katherine was the Director of Content for MISTI, a global training and events company, where she was in charge of digital content strategy and programming for the company's cybersecurity events, and the Director of Content at IANS, where she built, managed, and contributed to the company's research portal.