Understanding Advanced Security Remediation Management (ARM)
By: Secureworks
When a real threat is discovered, you have several problems that occur at once. Of course, in the heat of the moment, those problems feel like just one problem: "We have to stop this attack now!" But we can break that one potentially overwhelming problem into its very solvable components, which include:
- "We need to immediately shift from normal watchdog mode into remediation mode."
- "We need to identify the exact state of the current threat as accurately as possible."
- "We need to stop that current threat from progressing as quickly as possible."
- "We need to identify any artifacts of the threat as quickly as possible."
- "We need to eliminate those artifacts as thoroughly as possible."
Most of all, to address all five of the component issues above, you need to marshal the resources necessary to quickly and confidently achieve each of those individual objectives.
What makes the Advanced Remediation Management service "advanced"?
Technological sophistication is foundational to any successful remediation effort.
There are three primary ways to make ARM "advanced":
- Active, timely threat intelligence is critical. You’re not just shooting in the dark when it’s crunch time. You need complete, accurate, and up-to-date understanding of threat actors’ tools, techniques, tactics, and tradecraft. This is a major advantage when it comes to identifying the exact nature of the threat, the artifacts that may potentially exist in your environment as a result of the threat actor’s actions, and the root cause.
- A single, integrated view of all telemetry, so you can perform the necessary analyses and correlate disparate telemetry with speed and confidence. This requires ingesting data from multiple sources and applying both machine learning and human expertise to correlate data points, so that the most serious threats are identified and prioritized.
- Battle-tested security expertise to fill the gaps in knowledge and experience that typically prevent in-house SecOps teams from identifying and addressing every aspect of an active attack with the requisite speed, confidence, and efficiency.
How does the Advanced Remediation Management service provide "remediation"?
Because threat detection is itself such a significant technical challenge, internal SecOps teams often underestimate and/or under-resource the challenges that arise once a threat is discovered. ARM addresses this common shortfall by helping those teams work through each of the "sub-problems" listed above.
More specifically, a good solution will:
- Help to identify the specific nature and artifacts of active threats in your environment.
- Leverage threat intelligence to make high-probability assertions regarding as-yet-undetected actions and tactical intentions of active adversaries (which are critical to getting ahead of any currently present threat).
- Deliver countermeasures where appropriate, relieving pressure on limited internal SecOps staff resources.
- Deliver countermeasure guidance where appropriate, so the internal SecOps staff can optimally contribute to a fast, effective overall remediation effort.
Having this complete set of remediation capabilities at the ready at all times significantly reduces the exposure of your organization to cybersecurity risk. A robust remediation plan is also an absolutely essential complement to your threat prevention/protection efforts.
When should you look at Advanced Remediation Management as a "management" service?
Effective remediation—or, more precisely, truly effective threat remediation and full recovery/restoration of the status quo ante—requires more than just great cybersecurity technology and elite cybersecurity professionals. It also requires the diligent management of multiple critical processes in real time.
A high-performing ARM as a management service will address the full set of operational, tactical, and GRC-related processes that comprise a successful remediation effort. This includes:
- 12x5 and 24x7 coverage options
- Ticketing and ticket escalation
- Coordination between ARM, the internal SecOps team, and other remediation participants (such as internal IT, cloud providers, and third-party IT contractors)
- Alignment of technical actions with business impact/priorities
- Support for compliance with regulatory reporting mandates and cybersecurity-related governance policies (i.e., reporting to customers and/or partners)
- Iterative situation assessment and resolution
- Incident closure and return to "watchdog" status
- Auditability and transparency
- Post hoc performance evaluation and recommendations
This holistic support for the end-to-end remediation process:
- Minimizes exposure to the immediate short-term risks posed by the active attack.
- Minimizes exposure to residual harms that can result from an attack after the fact.
- Helps you turn lessons learned from the attack into concrete improvements in your cybersecurity posture.
Secureworks® delivers many, if not all, of the qualities of an Advanced Remediation Management solution and we offer it as part of Secureworks Taegis™, our cloud-native platform that delivers extended threat detection and response (XDR). If you’d like to learn more about Taegis XDR and how we automate response actions based on best-of-breed threat detection, sign up for a demo today.