With ransomware exploding, we’re frequently asked how to remediate after an attack.
Ransomware is becoming more common and bad guys are becoming more sophisticated, using innovative ways to evade the latest detection techniques. Can you trust your AV (gen1 or gen2 antivirus solutions) to “clean” the malicious code? How can you be sure the bad guys aren’t one step ahead of you, evading the “clean” action taken by your AV?
As a security professional, you need to ensure the endpoint is clean and the malicious code can’t spread to other machines in your network. As an IT professional, you need to be sure the “poor” user with an infected machine can get back to work as soon as possible. Or, if an infected machine runs a business application (such as a POS system), you need to know you can get the app up and running in no time.
Today, most organizations rely on manual remediation processes, or at best use a variety of different tools to help with remediation.
Talking to our customers, we’ve found that the first thing they often do when malicious code is detected is disconnect the infected machine from the network manually, by disconnecting the network cable. This of course helps to prevent the malware from spreading. But, when a machine is disconnected from the network, IT can’t manage it remotely. Someone must physically go to the infected machine and take the actions that their organization has deemed necessary. While each company treats remediation differently, a rule of thumb is the more budget you have, the more actions you take. In most cases, the infected machine will be taken to a lab where IT will try to manually remove the malware or reimage the machine. In the meantime, the user is given a loaner laptop to work on. And we all know how hard it can be to work with a loaner.
So why does remediation have to be so time-consuming? It doesn’t.
You can build an effective strategy that will make remediation faster, more efficient, and less painful, without using several different products from a handful of different vendors. Let me show you how.
Let’s say your endpoint security solution detects malicious code running on a machine. With an automated remediation solution in place the process automatically kicks in and takes the following actions, speeding up response time:
- The infected machine is instantly isolated from the network. Malware can’t spread and infect other machines via the network (as WannaCry did).
- If deemed necessary, a third-party AV scans the machine to get a second opinion.
- IT gets a “snapshot” of the machine with information such as what apps are installed, what the user’s settings are, etc. (all stored in a central database).
- All the user’s documents are backed up. Why back up the documents if they could have been encrypted by ransomware? The documents that will be backed up are protected by the endpoint security solution and therefore cannot be encrypted by the ransomware.
- Now the admin is notified that the machine is under attack with a confirmation that remediation actions have been triggered automatically.
While the machine is isolated from the network, it can still be managed remotely from an admin’s trusted console. An admin can remote control into the isolated machine for insight into its state and the steps to take next.
An admin is likely to decide that the best next step is to reimage the infected machine. Why? Because when you reimage the machine, you don’t need to make any security assumptions about the impact of the malicious code on the endpoint. And your automated remediation solution has made it easy. Remember that the automation process backed up the user’s OS profile and documents.
With a click of a mouse the admin can reimage the machine remotely, reinstall all the user’s settings and applications, and copy back all the backed-up documents. And it’s done. The automated remediation process has the machine back in business in no time (at least compared to the manual process that most organizations currently have in place).
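To make the sequence above concrete, here is an added example of the whole playbook (isolate, second-opinion scan, snapshot, back up, notify, reimage and restore) modelled in Python. It is not the vendor's product code or anything from the original post: the `Host` model, the trusted console address `10.0.0.5`, the sample documents and the "scanner" callable are constructed assumptions, and the pre-attack hash baseline that the backup step checks before copying each document is a check added here, not something the post describes. It runs offline against a temporary directory so the behaviour of each step can be inspected.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field

@dataclass
class Host:
    """Constructed model of an endpoint; a real product would drive an EDR/MDM agent."""
    name: str
    installed_apps: list
    user_settings: dict
    docs_dir: str                        # folder the endpoint solution protects
    firewall: list = field(default_factory=list)
    state: str = "healthy"
    events: list = field(default_factory=list)

def isolate(host, trusted_console):
    """Step 1: default-deny policy that still admits the admin's trusted console."""
    host.firewall = [f"ALLOW {trusted_console}", "DENY any"]
    host.state = "isolated"
    host.events.append("isolated")
    return host.firewall

def can_reach(host, src):
    """First-match evaluation of the host's firewall list; no policy means open."""
    for rule in host.firewall:
        action, addr = rule.split(" ", 1)
        if addr in ("any", src):
            return action == "ALLOW"
    return True

def second_opinion_scan(host, scanner):
    """Step 2: optional third-party scan; `scanner` is any callable returning a verdict."""
    verdict = scanner(host)
    host.events.append(f"scan:{verdict}")
    return verdict

def snapshot(host):
    """Step 3: record installed apps and user settings for the later rebuild."""
    host.events.append("snapshot")
    return {"host": host.name, "apps": sorted(host.installed_apps),
            "settings": dict(host.user_settings)}

def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def backup_documents(host, baseline, dest):
    """Step 4: copy protected documents, but only those whose hash still matches the
    pre-attack baseline (assumed to exist), so a tampered file never reaches the backup."""
    copied, skipped = [], []
    for name, expected in sorted(baseline.items()):
        src = os.path.join(host.docs_dir, name)
        if not os.path.exists(src) or sha256(src) != expected:
            skipped.append(name)
            continue
        shutil.copy2(src, os.path.join(dest, name))
        copied.append(name)
    host.events.append(f"backup:{len(copied)}/{len(baseline)}")
    return copied, skipped

def notify_admin(host):
    """Step 5: the alert carries the actions already taken, so the admin starts informed."""
    return {"host": host.name, "state": host.state, "actions": list(host.events)}

def reimage_and_restore(host, snap, backup_dir):
    """Admin decision: wipe, rebuild from the snapshot, copy documents back, lift isolation."""
    shutil.rmtree(host.docs_dir)
    os.makedirs(host.docs_dir)
    host.installed_apps = list(snap["apps"])
    host.user_settings = dict(snap["settings"])
    for name in os.listdir(backup_dir):
        shutil.copy2(os.path.join(backup_dir, name), os.path.join(host.docs_dir, name))
    host.firewall = []
    host.state = "healthy"
    host.events.append("reimaged")
    return sorted(os.listdir(host.docs_dir))

def run_playbook(host, baseline, trusted_console, scanner):
    """The whole automated sequence; returns what each step produced."""
    with tempfile.TemporaryDirectory() as backup_dir:
        isolate(host, trusted_console)
        verdict = second_opinion_scan(host, scanner)
        snap = snapshot(host)
        copied, skipped = backup_documents(host, baseline, backup_dir)
        alert = notify_admin(host)
        restored = reimage_and_restore(host, snap, backup_dir)
    return {"verdict": verdict, "backed_up": copied, "skipped": skipped,
            "alert": alert, "restored": restored, "final_state": host.state}

def demo():
    """Constructed endpoint: two protected documents, one of which was overwritten."""
    with tempfile.TemporaryDirectory() as docs:
        files = {"report.docx": b"quarterly numbers", "notes.txt": b"todo list"}
        for name, data in files.items():
            with open(os.path.join(docs, name), "wb") as f:
                f.write(data)
        baseline = {name: sha256(os.path.join(docs, name)) for name in files}
        with open(os.path.join(docs, "notes.txt"), "wb") as f:  # simulated encryption
            f.write(b"\x00ENCRYPTED\x00")
        host = Host("POS-07", ["pos-client", "office"], {"locale": "en-US"}, docs)
        return run_playbook(host, baseline, "10.0.0.5", lambda h: "clean")

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two points the post relies on: while isolated, the host answers only the trusted console address, and the restore step brings back exactly the documents that passed the integrity check, so the overwritten `notes.txt` is reported as skipped rather than silently restored in its damaged form.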
Remediation doesn’t have to be a complex nightmare when you have an automated process in place. Our security solutions make this possible. Want to learn more? Request a demo today.