Security operations · 3 MIN READ · PETER SILBERMAN · OCT 13, 2022 · TAGS: MDR
Here at Expel, we talk an awful lot about remediation, and with good reason: effective remediation of cybersecurity incidents is critical for our customers’ business and our own. Getting to the fix quickly matters, but when remediation is done properly, the organization realizes a host of additional benefits.
During an active incident, remediation reduces an organization’s risk, but customer control of that process is absolutely essential. It’s also important to understand that remediation isn’t “all-or-nothing.” Many providers in the marketplace sell a cookie-cutter, full-remediation approach, but organizations should have the option to provide context specific to their business, technology, risk tolerance, policies, and general comfort level, allowing them to dictate when to remediate and when not to. (Any number of factors can shape that comfort zone, including internal policies, familiarity with the vendor, and lingering aches and pains from bad past experiences—we get it. For example, you don’t want a third party to isolate hosts during an incident? That’s fine. A good provider can still disable compromised user accounts without isolating hosts.)
The platform itself should know each customer’s rules and preferences; this ensures consistency and scale, and it means security operations center (SOC) analysts don’t have to pass around sticky notes reminding them to remediate one way for customer A but not for customer B.
A security operations platform that’s context-aware and customizable allows the client organization to:
- Reduce risk by allowing automated remediation steps the moment an issue is detected;
- Reduce fatigue and burnout (why wake a customer analyst at 2 am to disable an account when the system can do it for you?); and
- Keep customer analysts focused on the work the business deems most important.
Automated remediation’s breathtaking benefits
In our Quarterly Threat Report for Q2, we noted that the median time to complete a non-automated remediation action was two hours. When automated, the median time drops to seven minutes—a 1640% improvement.
Regardless of whether they opt for automated remediation, organizations should insist on comprehensive reporting that includes remediation steps as part of the investigative process. Vendors can (and should) always recommend remediation actions, even if that vendor isn’t going to take the steps themselves.
A deeper look at the numbers suggests the benefits of automated remediation may be even greater for the customer. In Q2 2022:
- We had 3,378 remediation actions (RA) that were manual.
- ~30% of incidents had more than one remediation action, compounding the time savings.
Here’s what autoremediation looks like in our Workbench environment.
Here’s what it looks like in Slack:
Many actions can be automated, including (but not limited to) host containment, disabling a user account, removing suspicious emails, or blocking a known bad hash. Customers can also decide what resources Expel can remediate on their behalf. As mentioned above, this is far from a cookie-cutter approach.
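The per-customer preferences described above (which action types may run automatically, and against which resources) can be expressed as data rather than sticky notes. The following is an added illustration, not Expel’s own Workbench code: a small policy evaluator that, for each proposed remediation action, decides whether the platform may act immediately or should only recommend the action to the customer. The action names, customer policies and hostnames are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

class Action(Enum):
    ISOLATE_HOST = "isolate_host"
    DISABLE_ACCOUNT = "disable_account"
    REMOVE_EMAIL = "remove_email"
    BLOCK_HASH = "block_hash"

@dataclass
class CustomerPolicy:
    # Actions the customer lets the platform take without asking first.
    auto_actions: set
    # Optional per-action allowlist of targets; an action absent here is unrestricted.
    scope: dict = field(default_factory=dict)
    # Targets never remediated automatically (e.g. domain controllers).
    protected: set = field(default_factory=set)

@dataclass
class Decision:
    action: Action
    target: str
    mode: str    # "auto": platform acts now; "recommend": analyst proposes, customer decides
    reason: str

def decide(policy: CustomerPolicy, action: Action, target: str, confirmed: bool) -> Decision:
    """Apply one customer's remediation preferences to a single proposed action."""
    if not confirmed:
        return Decision(action, target, "recommend", "compromise not yet confirmed")
    if target in policy.protected:
        return Decision(action, target, "recommend", "target is on the customer's protected list")
    if action not in policy.auto_actions:
        return Decision(action, target, "recommend", f"{action.value} not approved for automation")
    allowed = policy.scope.get(action)
    if allowed is not None and target not in allowed:
        return Decision(action, target, "recommend", "target outside the approved scope")
    return Decision(action, target, "auto", "customer policy permits automatic remediation")

def plan(policy, proposed, confirmed):
    """Decide every action proposed for an incident; remediation is not all-or-nothing."""
    return [decide(policy, a, t, confirmed) for a, t in proposed]

# Constructed policies: customer A allows account disables but never host isolation;
# customer B allows isolation of two laptops only and shields its domain controller.
CUSTOMER_A = CustomerPolicy(auto_actions={Action.DISABLE_ACCOUNT, Action.BLOCK_HASH})
CUSTOMER_B = CustomerPolicy(auto_actions={Action.ISOLATE_HOST, Action.DISABLE_ACCOUNT},
                            scope={Action.ISOLATE_HOST: {"laptop-17", "laptop-42"}},
                            protected={"dc01"})

if __name__ == "__main__":
    incident = [(Action.ISOLATE_HOST, "laptop-17"), (Action.DISABLE_ACCOUNT, "jdoe")]
    for d in plan(CUSTOMER_A, incident, True) + plan(CUSTOMER_B, incident, True):
        print(f"{d.mode:9} {d.action.value:16} {d.target:10} ({d.reason})")
```

Run against the same two-action incident, customer A gets the account disabled automatically but only a recommendation to isolate the host, while customer B gets both actions taken; a hit on `dc01` would be recommended rather than executed for either.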
Raspberry Robin/Evil Corp incident: huge time savings
Raspberry Robin, a widespread USB-based worm that acts as a loader for other malware, has significant similarities to the Dridex malware loader, meaning that it can be traced back to the sanctioned Russian ransomware group Evil Corp. (Source: DarkReading)
This past June, a CrowdStrike alert hit our queue for msiexec launching with unusual arguments on a customer host. Our team identified the activity as consistent with the installation of a variant of the Raspberry Robin worm malware family attributed to Evil Corp.
Using CrowdStrike’s APIs, it took our analysts 5.5 minutes to progress from the alert hitting the queue to containing the host and stopping the ransomware. When the stakes are high, there’s no time to waste in remediating.
Autoremediation: it’s your call
Automated remediation should be tailored to your organization and based on the frequency of threats seen in your environment. The customer decides which users and endpoints should be immediately taken offline after a compromise is confirmed. This allows the security team to focus on other initiatives instead of spending a ton of time on remediation.
As businesses think about managed detection and response (MDR) and reducing risk, offloading some of this costly work to a trusted provider should be front-of-mind. It’s also useful to understand the unique context of the organization, including business goals, existing technology, and even corporate culture, and to talk with your provider about it.
Want to learn more about Expel’s approach to automated remediation? You can read more about it here.