Intelligent CIO Middle East Issue 105 | Page 45

CIO OPINION

Avoid overreactions
• Such an overreaction could be an immediate mandate to decommission, disable or replace CrowdStrike.
• Defer to the post-incident review process and the existing vendor risk management process to manage this strategic decision.
• Designate a communications team as a point of contact for internal communication with other stakeholders to minimise disruptions and ensure consistent communication.
• Involve the security operations teams to watch for new threat intelligence related to opportunistic attacks, alerts from anomaly detection systems and other unusual activities.
Leverage IT technical professionals
• Delegated IT experts can help PC end users by following the published workaround.
• Use these experts to provide support without granting users direct access to recovery tools or elevated privileges.
• Doing so ensures that scenarios where full disk encryption (FDE) is in place can be dealt with, resulting in an effective, secure and compliant recovery process.
• Downtime and potential data loss will be minimised.
Establish a triage process
• Categorise assets and business processes based on the impact of the disruption and the complexity of remediations.
• Create prioritised remediation plans based on these assets. For example, embedded systems, such as point-of-sale systems, might require specific logistics.
• Identify potential side effects and unintended consequences of remediation actions.
Identify straggler machines
• These are systems that may have the offending driver but have not yet been identified in the first wave of remediations.
• Use your system management, IT asset management or attack surface assessment tools, such as cyber asset attack surface management, to identify systems with a particular file and version present. This will help provide a target list for proactive cleanup.
• Capture a list of assets that are offline for people who are out of office to ensure these machines can be fixed upon return.
Medium term: Actions to be taken over one to two weeks
• The focus for medium-term actions is to assess the impact on secondary systems.
• Look for exposed vulnerabilities and ensure you have visibility into planned system-wide updates and releases in the coming weeks.
• Review anomalies or unusual trends with the SOC teams to minimise the risk of an undetected opportunistic attack.
• Participate in the business impact analysis to provide the security viewpoint.
• Ensure balanced discussions about what to do next for potential impacts on the security posture.
• Inform senior leadership across the organisation of the current status of PCs and the continuing efforts to stabilise the environment and restore trust.
• Indicate that teams are working on long-term plans to avoid similar disruptions in the future.
• Check agent automatic update settings for your endpoint protection tool.
• Ensure the settings are consistent with your existing organisational change control policy and the desired state to match your organisation's risk tolerance.
• Ensure any patching of vulnerabilities is thoroughly tested prior to deployment.
• As a best practice, stage updates in increments to avoid 100% failure.
• Check with vendors to ensure all updates honour the staged update policy.
• Actively manage burnout and fatigue in your team because fatigue increases the risk of error.
• Consider rotating operational staff, and provide resources to alleviate stress in collaboration with HR.
Long-term : Actions to be taken over eight to 12 weeks
• The primary focus for long-term actions is to mitigate or reduce the risk of the same level