Oct 19, 2021 | by Nabeel Zafar and Patrick Duffy

How Expel does remediation


“If you find a problem in our environment, how do you remediate it?”

We get that question a lot. As it should be — that’s one of the most important questions to ask when you’re looking for a managed detection and response (MDR) provider.

So here’s our answer to this question.

In this blog post, we’ll share Expel’s two-step remediation process and give you a glimpse of what’s ahead on our roadmap.

Our remediation process

If we identify an incident, there are two sets of actions we'll take, and we keep you in the loop throughout the process.

First, we’ll take approved actions on your behalf to quickly address the incident. For example, the Expel Workbench™ can automatically perform host containment when necessary during our Security Operations Center (SOC) analysts’ investigation.

If host containment remediation makes sense, we quickly take first steps to contain infected hosts.

In the image below, you’ll see an example of what this looks like in the Expel Workbench.

Expel Workbench host containment action

You can also customize the remediation process through Workbench (see image below) by identifying the hosts you'd like us to act on, and any you don't, for future remediation actions. Analysts have access to this data in Workbench, so they can automatically take action or assign remediation steps to your team as appropriate.

They also share updates on their activity in Workbench each step of the way.

Expel Workbench containment options

Expel supports host containment for customers who have CrowdStrike, VMware Carbon Black Cloud, VMware Carbon Black EDR, Elastic Endpoint Security, Microsoft Defender for Endpoint, Palo Alto Cortex XDR Pro or SentinelOne Singularity Complete.

Second, after taking automatic actions on your behalf, our SOC analysts recommend additional remediation actions in our findings report. We always communicate in plain English, so our recommendations are easy to follow and can be implemented at any level of security expertise.

Want a 10-second overview of what our remediation process looks like? We've got you covered. Check out our remediation workflow in the diagram below.

Expel remediation workflow

Me or my MDR: Who does what?

A lot of security practitioners who’ve purchased MDR services still want to maintain internal control of remediation steps. It helps reduce business risk.

We get it.

We’ve found that our process strikes a balance between what security practitioners want to handle themselves and what they’d want their MDR to do.

But that doesn't mean they shouldn't look to their MDR to share its expertise.

We want your team to maximize your security and minimize incidents — and not spend a ton of time trying to figure out how to remediate. So if we spot trends in vulnerabilities or incidents across your environment, we’ll tailor resilience recommendations for how your org can fix the root cause of those issues and prevent them from needing remediation time after time.

Taking steps to improve your security and keep those types of incidents from happening again helps us avoid having to call you in the middle of the night about remediation actions you need to take — right now!

Coming soon

We’ve talked you through our remediation process today. But we’re constantly improving what we can do for our customers. So we have a few new automated remediation steps in the works on our remediation roadmap for the end of 2021 into early 2022. They consist of additional actions we’ll be able to automatically take for you while responding to an incident.

By taking critical, first steps to contain an incident, we decrease your remediation time even further — lifting more weight off your shoulders.

Here’s what’s next in the pipeline, prioritized based on how often we take certain remediation actions across our customer base and the level of risk each presents for our customers.

Blocking bad hashes

  • When our analysts identify hashes to block during an incident, we create a remediation action in Expel Workbench™. If the hash is not on your “never block” list of files, Workbench will add the hash to the appropriate block list in your EDR.
  • Available for: CrowdStrike, VMware Carbon Black Threat Hunter, VMware Carbon Black Response, Elastic Endpoint Security, Microsoft Defender for Endpoint, SentinelOne Singularity Complete and Palo Alto Cortex XDR Pro
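The decision rule above (check the hash against the customer's “never block” list, then push it to the EDR block list) is simple to state but easy to get wrong in practice: hashes arrive in mixed case, a truncated or mistyped hash must never become a block rule, and the never-block list only protects a file if it is compared in the same digest type. The following is an added, stand-alone illustration of that rule and is not Expel's Workbench code or any vendor's SDK. The `FakeEDR` class, the function names and the sample hashes are all constructed for this example; a real integration would call the EDR vendor's block-list API in place of `FakeEDR.add_to_blocklist`.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Set

# Hex-digest lengths we accept: MD5, SHA-1, SHA-256. Anything else is rejected
# before it can reach the EDR, so a typo never turns into a block rule.
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize_hash(raw: str) -> str:
    """Lower-case and validate a hex digest; raise ValueError if it is malformed."""
    h = raw.strip().lower()
    if len(h) not in DIGEST_LENGTHS or not re.fullmatch(r"[0-9a-f]+", h):
        raise ValueError(f"not a valid MD5/SHA-1/SHA-256 hex digest: {raw!r}")
    return h


class FakeEDR:
    """Hypothetical stand-in for an EDR block-list API (constructed for this example)."""

    def __init__(self) -> None:
        self.blocklist: Set[str] = set()

    def add_to_blocklist(self, digest: str) -> None:
        self.blocklist.add(digest)


@dataclass
class RemediationResult:
    """Audit trail of what happened to each requested hash."""
    blocked: List[str] = field(default_factory=list)
    skipped_never_block: List[str] = field(default_factory=list)
    rejected_invalid: List[str] = field(default_factory=list)


def block_hashes(hashes: Iterable[str], never_block: Iterable[str], edr: FakeEDR) -> RemediationResult:
    """Block every valid hash that is not on the never-block list.

    Caveat: the never-block comparison is exact on the normalized digest, so a
    SHA-256 on the never-block list does not protect the same file if the
    analyst submitted its MD5. Keep never-block entries in every digest type
    your EDR can block on.
    """
    result = RemediationResult()
    allow = {normalize_hash(h) for h in never_block}  # never-block entries must be valid too
    for raw in hashes:
        try:
            digest = normalize_hash(raw)
        except ValueError:
            result.rejected_invalid.append(raw)
            continue
        if digest in allow:
            result.skipped_never_block.append(digest)
            continue
        edr.add_to_blocklist(digest)
        result.blocked.append(digest)
    return result


# Constructed sample input: one hash the customer has marked never-block (submitted
# in upper case), two legitimate digests of different types, and one garbage value.
SAMPLE_NEVER_BLOCK = ["a" * 64]
SAMPLE_HASHES = ["A" * 64, "b" * 40, "c" * 32, "deadbeef"]


def run_sample() -> RemediationResult:
    return block_hashes(SAMPLE_HASHES, SAMPLE_NEVER_BLOCK, FakeEDR())


if __name__ == "__main__":
    r = run_sample()
    print("blocked:", r.blocked)
    print("skipped (never block):", r.skipped_never_block)
    print("rejected (invalid):", r.rejected_invalid)
```

The three output lists are the kind of record an analyst would want attached to the remediation action in Workbench: what was actually pushed to the EDR, what the customer's never-block list prevented, and what was thrown out as malformed.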

Disabling user accounts and credential reset

  • Similar to host containment, Workbench will automatically perform a credential reset action when that remediation action is added to an incident.
  • Available for: Microsoft Office 365, AWS, G Suite, Okta, Duo, OneLogin

Blocking command-and-control (C2) communications

  • When our SOC identifies C2 communications during an incident, we’ll automatically block them upon creation of a remediation action in Workbench.
  • Available for: Palo Alto Networks, Cisco Umbrella

Cloud turn-offs

  • If a cloud instance is identified as compromised during an incident, we'll automatically shut down the Azure VM or EC2 instance.
  • Available for: AWS EC2 turn-off, Azure VM turn-off

Disabling/modifying AWS access keys

  • If an AWS access key is identified as compromised during an incident, we’ll automatically disable/modify that key when a remediation action is created.
  • Available for: AWS

Final tips

We wanted to end this post with some parting thoughts and tips for those currently looking for an MDR provider.

When you’re evaluating MDR providers, make sure you understand how their remediation process works. Will they reduce risk quickly enough to protect your org? What will they do for you when it comes time to remediate an incident vs. what will you be asked to do?

Learn about their incident reporting and communication process to know when and how they’ll reach you during an investigation. And make sure you also know how they’ll walk you through remediation.

Have any questions? Let’s chat!

