Visibility in Incident Response: Don’t Chase Ghosts in Your IT Estate
Complete visibility into all assets (endpoint devices, applications, user accounts) across your IT estate is a critical success factor for responding effectively to a cybersecurity incident, recovering quickly and minimizing business disruption in the wake of an attack.
“Team, it feels like we’re chasing ghosts here,” said one CEO upon being presented with the daily status update. Despite an increasing number of endpoint detection and response (EDR) agents deployed, the key deployment statistic — the percentage of computer systems with the CrowdStrike Falcon® sensor successfully deployed — kept fluctuating. The CEO looked to this statistic as a measure of confidence in their investigation, with the goal of deploying to nearly 100% of the endpoints in the environment.
The “ghosts” they were referring to were the total number of systems in their environment — the “denominator” — which determines the target for complete containment and, ultimately, recovery. This unknown contributed to leadership’s lack of confidence to make reasonable risk decisions, and it hampered the engineering teams’ ability to execute a business-prioritized recovery. Unfortunately, this organization had not prioritized asset management — and therefore lacked complete visibility into all of its assets.
“Invisibility” Hampers Response and Recovery
Without a clear understanding of the “denominator,” no one can accurately communicate whether there is 10%, 50% or 99% coverage. This is critically important because the ability to quantify the coverage across an organization’s endpoints contributes to many risk-based calculations made during an incident response effort, ultimately fueling business decisions made in the moment of crisis.
Adding insult to injury, business interruption costs during an incident are felt by the hour, leaving no time for delay. Recovery cannot begin without containment, and what we often see is a business reporting “x” number of assets only to find that blind spots of unprotected devices exist and lead to reinfection, prolonging the recovery effort.
Be Prepared: Understand Your Assets
In peacetime, military leaders focus on strategic planning as a readiness tool for battle, and at the core is gaining a basic understanding of your forces. The same goes for business leaders with their assets. Understanding what assets you have (e.g., physical, virtual, applications, data) is important in the maturity of your security posture, but it becomes critical in the wake of an attack as one is trying to determine the progress of the recovery efforts.
When an organization decides to build out a capability, it may pursue a strategy of building internally, utilizing a service, or a combination of both. These same options apply to asset management. If you do not plan to utilize a third-party software solution, what does an asset discovery capability look like from the ground up?
- Team of engineers and developers
- Native or open-source scanning tools like Nmap or AssetTiger
- Database and user-interface functionality for tracking and reporting
Depending on your strategy — and budget — you can build out a solution like the one outlined above. With a ground-up approach, the longer lead time and the ongoing cost to maintain will always be a challenge. Alternatively, you can implement a solution with asset discovery through EDR capabilities. The latter prepares you, both in peace and war, through the ability to quickly discover and contain so you can seamlessly move into restoring the business. To gain the most flexibility, leverage a balanced approach through a sound solution while in parallel educating a team to mastery.
Focus on Asset Management
So, what does “good” look like? Several years ago, an incident response team received a report of a critical application vulnerability in a customer’s environment. As we convened to evaluate this vulnerability, we lacked context. While we knew that some of the data that the application stored included source code for a multi-billion-dollar product, that was the extent of our knowledge.
One of the first critical questions was how many endpoints were running the application enterprise-wide. We needed asset management quickly. In this environment — more than 15,000 employees with double that number of endpoints — this question was a tall task to tackle.
The incident response team sprang into action, establishing an asset management database and using it to report all known vulnerable versions of the software in the customer’s ecosystem. Against a large set of endpoints, the report took over four hours to run before delivering the results. Armed with the information, the customer’s leaders and key stakeholders could tangibly measure risk and quantify decisions for the business. The situation was well into remediation within 48 hours — this was a mature asset management capability in action.
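The “denominator” problem described above and the vulnerable-version report from this story, as an added example that is not part of the original post or either vendor’s tooling: several asset sources (Active Directory computer objects, a network scan, the EDR sensor list) are reconciled into one population, sensor coverage is measured against that population rather than a single source, the unprotected “ghost” hosts are listed, and an application inventory is checked against the advisory’s affected versions. All hostnames, versions and inventories are constructed sample data.

```python
# Constructed sample exports: AD computer objects, a network scan host list
# (e.g. from Nmap) and the EDR console's sensor list. Note the differing name formats.
AD_COMPUTERS = ["WS-001.corp.example", "ws-002.corp.example",
                "srv-db-01.corp.example", "srv-app-01.corp.example"]
SCAN_HOSTS = ["ws-002.corp.example", "ws-003.corp.example",
              "srv-app-01.corp.example", "printer-7.corp.example"]
EDR_SENSORS = ["WS-001", "ws-002.corp.example", "srv-app-01.corp.example", "ws-003"]
# Constructed: installed version of the application under investigation (None = absent)
APP_INVENTORY = {"ws-001": "4.2.1", "ws-002": "4.1.0", "srv-app-01": "4.1.3", "ws-003": None}
AFFECTED_VERSIONS = {"4.1.0", "4.1.3"}  # constructed: versions the advisory calls vulnerable

def normalize(host):
    # Lower-case short name so the sources can be matched; assumes one DNS domain,
    # so the short name is unique. Multi-domain estates should keep the FQDN.
    return host.strip().lower().split(".")[0]

def build_denominator(*sources):
    # The real population is the union of every source, EDR included: a host seen
    # by only one source still has to be contained.
    return {normalize(h) for source in sources for h in source}

def coverage_pct(denominator, sensor_hosts):
    # Share of the population with a sensor; sensors on hosts outside the chosen
    # denominator are ignored, so a too-small denominator inflates this number.
    covered = denominator & {normalize(h) for h in sensor_hosts}
    return round(100.0 * len(covered) / len(denominator), 1)

def ghosts(denominator, sensor_hosts):
    # Hosts with no sensor: the containment gap and the likely source of reinfection.
    return sorted(denominator - {normalize(h) for h in sensor_hosts})

def vulnerable_hosts(inventory, affected):
    # Hosts whose recorded version is in the advisory's affected set.
    return sorted(h for h, v in inventory.items() if v in affected)

def unknown_hosts(denominator, inventory):
    # Hosts with no inventory record at all: not safe, just unmeasured.
    return sorted(denominator - set(inventory))

if __name__ == "__main__":
    ad_only = build_denominator(AD_COMPUTERS)
    everything = build_denominator(AD_COMPUTERS, SCAN_HOSTS, EDR_SENSORS)
    print("coverage vs AD only:", coverage_pct(ad_only, EDR_SENSORS), "%")        # 75.0
    print("coverage vs all sources:", coverage_pct(everything, EDR_SENSORS), "%")  # 66.7
    print("ghosts:", ghosts(everything, EDR_SENSORS))
    print("vulnerable:", vulnerable_hosts(APP_INVENTORY, AFFECTED_VERSIONS))
    print("unknown:", unknown_hosts(everything, APP_INVENTORY))
```

The same sensor list reads as 75% coverage against AD alone and 66.7% against the full population, which is exactly the kind of fluctuating number the CEO in the story was seeing.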
Asset management is more than inventory; it is the underpinning of an organization’s IT strategy and budget. As a fundamental capability, it must be practiced daily to be considered fully operational. If you are responsible for endpoints in your environment and cannot answer questions such as “how many systems?” and “what version of OS?”, then the war is lost.
Proactively safeguarding your network with improved asset management and visibility into devices, users and applications in your environment is considered an essential IT hygiene practice that will help your organization stop breaches that could disrupt your business operations.
How CrowdStrike and MOXFIVE Can Help
By chasing down the ghost systems and ensuring they are managed and protected assets on your network, you will dramatically improve your ability to respond to a cybersecurity incident quickly and effectively. Groups with too many permissions, unpatched systems, unprotected endpoint devices and excessive administrative rights are frequently exploited by today’s threat actors.
MOXFIVE and CrowdStrike work together to deliver asset management and IT hygiene services to help you proactively strengthen your cybersecurity posture. We deliver real-time and historical visibility into assets and applications running on your network and discover any user activity and hidden privileged accounts within your Active Directory. The CrowdStrike Falcon® platform delivers the protection you need across your entire IT estate, to stop breaches before they can disrupt your business.