It’s Time to Reevaluate Your Enterprise Remediation Strategy

In the world of cyberattack response and recovery, timing is everything. Attacks discovered quickly are likely in their early phase. That’s when the odds of recovering affected assets, undoing whatever damage has been inflicted and avoiding costly disruption are at their highest. However, early detection is often not a reality. In fact, according to CrowdStrike’s 2022 Falcon OverWatch Threat Hunting Report, the average attacker moves into the network from the first point of compromise in just one hour and 24 minutes. IBM research indicated in 2022 that identifying and containing a breach took an average of 277 days. That leaves plenty of time for bad actors to roam free and severely disrupt business operations. What comes next are two words businesses never want to hear: Enterprise remediation.

This is when an IT matter turns into a significant company-wide endeavor to restore operations. Here are five steps businesses can take to increase response effectiveness while reducing stress on their team.

1. Assemble an Incident Management Team

Effective enterprise remediation requires a team and, more specifically, an incident management team. Start by designating an incident manager who will organize the team, lead internal communications, manage key tasks and ensure the efficiency of the effort.

Next, implement a response framework that identifies the necessary operational elements, assigns owners and defines workstreams. From a structural perspective, implement a system that allows information (updates on specific tasks, etc.) to flow freely from IT up to management and vice versa. This eliminates the need for frequent, manual updates that pull the “doers” away from executing their assigned tasks and prolong the time it takes to get back to business as usual.

Remember that obstacles will emerge, even when strong communication flows and processes have been implemented. Your best bet to navigate and resolve these is to assign one individual to serve as the proxy for the executive team. Identify a company veteran who has existing relationships with teams across the business. Those relationships will serve you well when roadblocks emerge; the proxy must leverage them to help drive quick resolutions.

2. Assign Skilled Incident Managers

One key task for incident managers will be managing the response process. Here, the help of a skilled project manager (PM) can be invaluable. PMs will help ensure that the organization can efficiently execute the plan, update stakeholders and process inevitable modifications. PMs can also help keep the “trains running on time” by working in coordination with PMs embedded within workstreams.

3. Establish Clear Measurements

Since remediation is vital to restoring business operations, stakeholders will be closely watching all efforts and expecting frequent updates. To prevent their collective blood pressure from boiling over, incident managers must provide regular updates and reassurance on all efforts.

To communicate most effectively, updates should leverage meaningful metrics that are delivered through a consistent presentation style and tie into a narrative. This last point is important because it helps explain updates in the context of the short- and longer-term milestones to restoring the business. Some measurement examples to consider:

  • Business process status: Rank processes by criticality from highest to lowest and include estimated dates of partial and complete recovery.
  • Supporting IT infrastructure component updates: Lay out all of the individual components that enable the entire environment to function (e.g., Active Directory and Microsoft 365 email) and then list the status of each.
  • Status of all infrastructure components, with key details including:
      • Which business processes the component supports (for example, which servers are necessary to run payroll?).
      • The status of each (inoperable: backup available; inoperable: no viable backups; restored from backup; etc.).

4. Communicate in Real-Time

As in any crisis scenario, urgent, prompt and seamless communications can ensure swift resolution; their absence invites chaos. Consider collaboration technology that supports communications internally, between all workstream teams, and externally, with the outside vendors and consultants supporting the effort.

5. One Team, One Voice

To accurately represent progress, the team must track details at a granular level and ensure that engineers work from a “single source of truth.” The benefits of this approach include:

  • Reducing Errors: Here’s an example with two engineers. Without a single source of truth for system status, they may assign the same network address to two different servers. While this may seem like a minor error, troubleshooting and resolving it will take time that would otherwise be dedicated to the recovery effort.
  • Prioritization Drives Efficiency: Guided by a prioritized server list, the incident manager can allocate resources to recovering the systems that will rapidly eliminate the most significant business disruptions while ensuring that resources are optimally leveraged. Without such a guide, it’s likely that time and effort will be put towards lower-impact items (from a business perspective), which increases downtime and further damages the business.
  • Effectively Communicate with Leadership: Without a foundational tracking mechanism that connects the status of current systems to specific business applications and processes, the team will struggle with one of leadership’s most pressing questions: “When will we be recovered?” With these details, the incident manager can answer that question in the language leadership prefers.
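The measurement examples in step 3 and the “single source of truth” in step 5 both come down to one tracking model: an inventory of infrastructure components with their recovery status, mapped to the business processes they support and ranked by criticality. The following is an added illustration of such a tracker, not code from the article or from MOXFIVE or CrowdStrike. It derives each process’s recovery state and estimated recovery date from component status, produces a prioritized recovery queue, and flags the duplicate-address mistake described above. The component names, addresses, criticality scale and the extra `OPERATIONAL` state are constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class ComponentStatus(Enum):
    """Component states from the article's status list, plus OPERATIONAL
    (an assumed extra state) for components that were never affected."""
    INOPERABLE_BACKUP_AVAILABLE = "inoperable: backup available"
    INOPERABLE_NO_BACKUP = "inoperable: no viable backups"
    RESTORED_FROM_BACKUP = "restored from backup"
    OPERATIONAL = "operational"


UP_STATES = {ComponentStatus.RESTORED_FROM_BACKUP, ComponentStatus.OPERATIONAL}


@dataclass
class Component:
    name: str
    status: ComponentStatus
    address: Optional[str] = None      # network address, if one has been assigned
    eta_days: Optional[int] = None     # estimated days to restore; None = unknown


@dataclass
class BusinessProcess:
    name: str
    criticality: int                   # assumed scale: 1 = most critical
    depends_on: list                   # names of supporting components


def process_status(proc, components):
    """Return (state, blocking_components, eta_days) for one business process.

    state is 'recovered', 'partial' (some dependencies are up) or 'down';
    eta_days is the latest ETA among blocking components, or None if any is unknown
    (e.g. a component with no viable backup cannot be given a date).
    """
    blocking = [n for n in proc.depends_on if components[n].status not in UP_STATES]
    if not blocking:
        return "recovered", [], 0
    state = "partial" if len(blocking) < len(proc.depends_on) else "down"
    etas = [components[n].eta_days for n in blocking]
    eta = None if any(e is None for e in etas) else max(etas)
    return state, blocking, eta


def recovery_queue(processes, components):
    """Order not-yet-restored components by the most critical process they support."""
    best = {}
    for proc in processes:
        for name in proc.depends_on:
            if components[name].status not in UP_STATES:
                best[name] = min(best.get(name, proc.criticality), proc.criticality)
    return sorted(best, key=lambda n: (best[n], n))


def address_conflicts(components):
    """Find network addresses that the tracker shows assigned to more than one component."""
    owners = defaultdict(list)
    for c in components.values():
        if c.address:
            owners[c.address].append(c.name)
    return {addr: sorted(names) for addr, names in owners.items() if len(names) > 1}


def status_report(processes, components):
    """Leadership-facing summary: one row per process, most critical first."""
    rows = []
    for proc in sorted(processes, key=lambda p: p.criticality):
        state, blocking, eta = process_status(proc, components)
        rows.append({"process": proc.name, "criticality": proc.criticality,
                     "state": state, "blocked_by": blocking, "eta_days": eta})
    return rows


# Constructed sample inventory (not real systems); two servers share an address.
COMPONENTS = {c.name: c for c in [
    Component("ad-dc01", ComponentStatus.RESTORED_FROM_BACKUP, "10.0.0.10", 0),
    Component("m365-mail", ComponentStatus.OPERATIONAL),
    Component("payroll-db01", ComponentStatus.INOPERABLE_BACKUP_AVAILABLE, "10.0.0.20", 2),
    Component("payroll-app01", ComponentStatus.INOPERABLE_BACKUP_AVAILABLE, "10.0.0.20", 1),
    Component("erp-db01", ComponentStatus.INOPERABLE_NO_BACKUP, "10.0.0.30"),
    Component("wiki01", ComponentStatus.INOPERABLE_BACKUP_AVAILABLE, "10.0.0.40", 5),
]}

PROCESSES = [
    BusinessProcess("Email", 2, ["ad-dc01", "m365-mail"]),
    BusinessProcess("Payroll", 1, ["ad-dc01", "payroll-db01", "payroll-app01"]),
    BusinessProcess("Order-to-cash (ERP)", 1, ["ad-dc01", "erp-db01"]),
    BusinessProcess("Internal wiki", 4, ["ad-dc01", "wiki01"]),
]

if __name__ == "__main__":
    for row in status_report(PROCESSES, COMPONENTS):
        print(row)
    print("Recovery queue:", recovery_queue(PROCESSES, COMPONENTS))
    print("Address conflicts:", address_conflicts(COMPONENTS))
```

Because every answer is computed from the same inventory, the recovery queue, the “when will we be recovered?” dates and the engineers’ work list cannot drift apart; the ERP process correctly reports no ETA while its database has no viable backup, and the shared address on the two payroll servers surfaces before anyone has to debug it by hand.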

The best way to avoid enterprise remediation is through proactive security countermeasures and timely incident response. Should an incident significantly disrupt an organization’s IT systems, having an established incident response plan and playbook will lead to a more rapid resolution.

Paul Ashwood, senior product marketing manager of services, CrowdStrike, co-wrote this article.


Jim Aldridge

Jim Aldridge, Vice President, Partnerships, MOXFIVE. With two decades of experience across a variety of technology and business domains, Jim Aldridge focuses on scaling MOXFIVE’s delivery capabilities to help clients minimize the business impact of cyber intrusions. His pragmatic perspectives on cybersecurity were formed by years of in-the-trenches experience attacking networks as a penetration tester and responding to targeted security breaches as an incident responder.
