How to Jumpstart Your NIST Cybersecurity Framework Maturity: Recover Function

In this final post of our series, we’ll discuss the fifth Function of the NIST Cybersecurity Framework, Recover. This Function requires organizations to develop and implement activities to restore capabilities or services that were impaired due to a cybersecurity event. To comply, organizations need to put a recovery plan into place to get back to their last “known good” state, be able to coordinate restoration activities with external parties and incorporate lessons learned into an updated recovery strategy.

These are some of the advanced use cases we’re seeing in the field from our customers who are using Forescout to mature their compliance with the Recover Function of NIST CSF in operational technology (OT) environments:

1. Creating Asset Baselines and Profiles for Each Device
   How do you know where your last “known good” state was? By visualizing traffic flows and understanding ports and protocols, if something bad does happen, you can understand how far back you need to go to get to where good was. For example, links between IT and OT may need to be cut during an incident, so when you’re ready to enter the recovery stage, you might need to push out new firewall rules slowly. Having that knowledge of data flows becomes key to understanding both inbound and outbound communications to get back up and running faster. Our customers are leveraging asset baselining capabilities to understand and visualize traffic flows and trends out-of-the-box. They can also validate the consistency and accuracy of device inventories and states in real time to see how many devices are back on and what they look like.
2. Historically Examining and Analyzing Device Versions & Vulnerabilities

   Having historical knowledge of your devices, including firmware and software changes, also helps you get back to your last “known good” state faster. Our customers can go back to any point in time historically to look at an asset’s information, understand what firmware and software it was running, and ensure that they are mirroring that point in time when things were working well.

3. Automating Deployments & Upgrades for OT Security Products
   When something goes wrong and you need to recover, being able to quickly and automatically deploy or upgrade security technology can be a huge advantage. In the event of a disaster, our customers aren’t tied to an expensive piece of hardware that needs to be purpose-built or purchased, a particular operating system, or a Vmware server. Our container virtualization technology lets our customers quickly push a patch, new detection software, and more at the push of a button. Our virtualization capabilities empower them to rapidly deploy software on other pieces of hardware to get back to their known good state faster.

Want more information on how industry leaders are increasing their NIST CSF maturity for OT environments? Watch our complete S4x20 talk or download our NIST eBook.