MainTegrity Cyber Security Framework (CSF)
End-to-End Cyber Security for IBM z/OS

Recovery Assistant

Recovery Is the Pillar Nobody Plans For

Every organization has a backup strategy. Very few have a recovery strategy. The difference becomes catastrophic when an attack succeeds.

Traditional mainframe recovery means restoring entire LPARs or volumes — a process that takes days, disrupts operations across the enterprise, and offers no certainty that the restored environment is actually clean. Worse, broad restores undo every legitimate change made between the backup point and the attack, introducing regression that creates its own wave of operational problems.

Recovery Assistant, built into CSF Foundation, takes a fundamentally different approach. Because CSF knows exactly which files were compromised, when the attack began, and what changed, Recovery Assistant can restore only the affected components — surgically, precisely, and with cryptographic verification that the restored files match their trusted pre-attack state.


The Recovery Misconception

There is a widely held assumption that recovering data after a breach will save the business and can be accomplished quickly. In reality, mainframe environments depend on far more than data. System software, parameters, security exits, configuration datasets, and procedure libraries form the infrastructure that allows data to be processed. Without restoring that infrastructure, the data is useless.

Traditional recovery tools focus almost exclusively on the data layer. Recovery Assistant addresses both dimensions — data and the software infrastructure that supports it — enabling integrated recovery of the complete environment.


How Recovery Assistant Works

Scope Identification

When CSF detects an attack — whether through FIM+ integrity monitoring, Early Warning exploit detection, or NetWatch threshold analysis — the forensics browser displays exactly which datasets were affected and the precise timeline of the compromise. Recovery Assistant uses this information to scope the recovery to only what was actually damaged.

Intelligent Backup Point Selection

Not every backup is a safe backup. Sophisticated attackers often plant backdoors hours or days before launching a visible attack. This means the most recent immutable snapshot may already contain malware — restoring from it reintroduces the very threat you are trying to eliminate.

Recovery Assistant correlates the attack timeline with available backup points to identify the last truly clean state. Because CSF tracks when malware was actually introduced, not just when the visible attack started, it can determine whether the correct recovery source is an immutable snapshot or a conventional backup from before the initial compromise.

Recovery JCL Generation

Recovery Assistant auto-generates the JCL needed to restore affected datasets from the selected backup source. The JCL is tailored to your environment — customized with the specific names of compromised files and the chosen recovery point. This eliminates the manual, error-prone process of identifying what needs to be restored and writing recovery jobs under pressure.

Restoration operates at the dataset level, not the volume level. Five compromised files means five files restored — not an entire volume overwritten, and not days of downtime while unaffected systems wait.

Post-Recovery Verification

Recovery without verification is guesswork. After restoring files, FIM+ performs a cryptographic hash comparison against the CSF vault — the known-good baseline established before the compromise. If the hashes match, the file is confirmed to be in its trusted production state. If they do not match, the restoration did not produce the correct result, and further investigation is needed before the system returns to production.

This provides auditable, cryptographic proof that recovery was successful — not an assumption, not a hope, but a verified fact. For organizations subject to DORA, PCI DSS, or other frameworks that require documented recovery validation, this closes the compliance loop entirely.
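The two decisions described above, choosing the last clean recovery point from the first compromise rather than the visible attack, and confirming each restored dataset against a vaulted baseline hash, worked through as an added example (this is illustrative code, not MainTegrity's; the dataset and snapshot names, the timeline, the SHA-256 choice and the dict-shaped "vault" are all constructed assumptions, since the page does not specify CSF's internal formats):

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class RecoveryPoint:
    name: str
    taken_at: datetime
    kind: str            # "immutable_snapshot" or "conventional_backup"

def select_clean_recovery_point(points, first_compromise):
    """Most recent point taken before the *first* compromise (when the
    backdoor was planted), not before the visible attack. Ties prefer an
    immutable snapshot. Returns None when no point predates the compromise."""
    clean = [p for p in points if p.taken_at < first_compromise]
    if not clean:
        return None
    return max(clean, key=lambda p: (p.taken_at, p.kind == "immutable_snapshot"))

def verify_restored(vault_baseline, restored):
    """Post-recovery check: SHA-256 of each restored dataset must equal the
    baseline hash held in the vault. Untracked datasets cannot be verified
    and are reported as failures rather than silently passing."""
    return {ds: hashlib.sha256(data).hexdigest() == vault_baseline.get(ds)
            for ds, data in restored.items()}

# Constructed sample environment (not real data): immutable snapshots every
# 6 hours from 06:00 on 10 Jan, plus one full DFDSS backup from the evening before.
T0 = datetime(2024, 1, 10)
POINTS = [RecoveryPoint(f"SGC.SNAP.H{6*i:02d}", T0 + timedelta(hours=6*i),
                        "immutable_snapshot") for i in range(1, 8)]
POINTS.append(RecoveryPoint("DFDSS.FULL.0109", T0 - timedelta(hours=12),
                            "conventional_backup"))
BACKDOOR_PLANTED = T0 + timedelta(hours=20)   # first compromise (from FIM+ timeline)
VISIBLE_ATTACK = T0 + timedelta(hours=38)     # when the damage became visible

# Constructed vault baseline and a restore result where one dataset came back wrong.
TRUSTED = {"SYS1.PARMLIB": b"IEASYS00 trusted", "SYS1.PROCLIB": b"STC procs trusted"}
VAULT_BASELINE = {ds: hashlib.sha256(body).hexdigest() for ds, body in TRUSTED.items()}
RESTORED = {"SYS1.PARMLIB": b"IEASYS00 trusted",      # matches the baseline
            "SYS1.PROCLIB": b"STC procs altered"}     # restore did not produce the trusted copy

if __name__ == "__main__":
    naive = select_clean_recovery_point(POINTS, VISIBLE_ATTACK)
    safe = select_clean_recovery_point(POINTS, BACKDOOR_PLANTED)
    print("latest before visible attack:", naive.name, "(already contains the backdoor)")
    print("last clean point:", safe.name, safe.kind)
    print("verification:", verify_restored(VAULT_BASELINE, RESTORED))
```

Passing a compromise time earlier than every snapshot makes the function fall back to the conventional backup, which is the case the page describes for backdoors planted before the oldest retained snapshot.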


Storage Platform Integration

Recovery Assistant works with the backup infrastructure already in your environment. It is designed to complement and maximize your existing storage investments, not replace them.

IBM SafeGuarded Copy

CSF connects directly to IBM DS8000 storage systems via REST API to query available SafeGuarded Copy snapshots, retrieve creation timestamps, and correlate snapshot metadata with security events. The CSF browser includes a dedicated SGC Viewer that overlays detected security events on a visual timeline of available snapshots, clearly identifying which recovery points are safe and which may be compromised. CSF also monitors SGC creation schedules and alerts if snapshots fail to create — a silent failure that could leave you without a viable recovery point when you need one most.

Dell SnapVX

Recovery Assistant integrates with Dell SnapVX and ZDP snap sets to provide the same intelligent recovery point selection. Available snapshots are displayed alongside the attack timeline, enabling precise identification of the optimal restore source.

Hitachi Snapshots

Hitachi storage array snapshots are supported with the same correlation and selection capabilities, ensuring Recovery Assistant works regardless of your storage vendor.

Conventional Backup Tools

For environments using DFDSS, FDR, or HSM — or for situations where immutable snapshots may be compromised — Recovery Assistant generates JCL targeting conventional backup sources. In cases where backdoors were installed before the most recent snapshot, a conventional backup from before the initial compromise may be the only truly clean recovery point.


Recovery in Hours, Not Weeks

The largest mainframe breaches in recent history required weeks or months of recovery effort. Equifax spent weeks determining what was affected. UnitedHealth was offline for nine days with a $3 billion write-down. These timelines reflect the reality of traditional recovery: broad restores, manual investigation, no verification, and no certainty.

Recovery Assistant compresses this process from weeks to hours. Scope identification is immediate because CSF already knows what was affected. Backup selection is intelligent because CSF already knows when the compromise began. JCL generation is automated. Verification is cryptographic. The response team focuses on decisions, not manual reconstruction.

For organizations subject to DORA's two-hour recovery mandate, this capability is not optional — it is the mechanism that makes compliance achievable.


What Recovery Assistant Restores

Recovery Assistant handles both the software infrastructure and the data layer — the complete environment, not just one dimension.

Infrastructure components include APF-authorized libraries, system parameter libraries, procedure libraries, configuration datasets, started task libraries, and security exits. Data components include user datasets, database files, and any other files tracked by FIM+.

Because FIM+ monitors all of these continuously, Recovery Assistant has the forensic precision to restore each one individually, from the correct backup point, without affecting anything that was not compromised.


Built Into CSF Foundation

Recovery Assistant is not a separate module or add-on. It is a core capability of CSF Foundation, available to every CSF deployment. It works in concert with FIM+ for scope identification and post-recovery verification, and with the forensics browser for investigation and decision support.

When combined with Foundation's real-time reaction engine and whitelisting, Recovery Assistant completes the full incident lifecycle: detect, suspend, investigate, recover, and verify — all within a single platform.


Recovery Assistant is a capability of CSF Foundation. Learn more about the full Foundation platform.