Intelligent CIO Africa Issue 91 | Page 39

CIO OPINION
Leverage IT technical professionals
• Delegated IT experts can help PC end users by following the published workaround.
• Use these experts to provide support without granting users direct access to recovery tools or elevated privileges.
• Doing so will ensure that scenarios where full disk encryption (FDE) is in place can be dealt with, resulting in an effective, secure and compliant recovery process.
• Downtime and potential data loss will be minimised.
Establish a triage process
• Categorise assets and business processes based on the impact of the disruption and the complexity of remediations.
• Create prioritised remediation plans based on these assets. For example, embedded systems, such as point-of-sale systems, might require specific logistics.
• Identify potential side effects and unintended consequences of remediation actions.
Identify straggler machines
• These are systems that may have the offending driver but have not yet been identified in the first wave of remediations.
• Use your system management, IT asset management or attack surface assessment tools, such as cyber asset attack surface management, to identify systems with a particular file and version present. This will help provide a target list for proactive cleanup.
• Capture a list of assets that are offline for people who are out-of-office to ensure these machines can be fixed upon return.
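The triage and straggler-hunting steps above can be combined into a single pass over an asset-inventory export. The script below is an added illustration, not code from the article or from any vendor: it assumes an export with one row per host (hostname, business tier, driver file found, its version, last check-in time, remediation status), filters for hosts that still carry a given file and version, orders them by impact tier so the remediation plan follows the triage categories, and splits off hosts that have not checked in recently so the out-of-office list is captured rather than forgotten. The file name, version, hostnames and timestamps are constructed placeholders, not the real driver involved in the incident.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta

# Placeholder for the problematic driver file and version (constructed, not the real one).
OFFENDING_FILE = "example-sensor-driver.sys"
OFFENDING_VERSION = "1.2.3"

# Hosts that have not checked in within this window are treated as offline
# (e.g. laptops of people who are out of office) and listed separately.
OFFLINE_AFTER = timedelta(hours=24)

# Impact tiers from the triage step; lower number = remediate first.
# Embedded systems (point-of-sale) get their own tier because they need specific logistics.
TIER_PRIORITY = {"critical": 0, "embedded": 1, "standard": 2}


@dataclass
class InventoryRow:
    host: str
    tier: str
    file_name: str
    version: str
    last_seen: datetime
    remediated: bool


# Constructed sample export in the CSV shape assumed above.
SAMPLE_INVENTORY = """\
host,tier,file,version,last_seen,remediated
pos-001,embedded,example-sensor-driver.sys,1.2.3,2024-07-19T08:00:00,false
fin-db-01,critical,example-sensor-driver.sys,1.2.3,2024-07-19T09:30:00,false
fin-db-02,critical,example-sensor-driver.sys,1.2.3,2024-07-19T09:31:00,true
hr-laptop-07,standard,example-sensor-driver.sys,1.2.3,2024-07-17T17:45:00,false
dev-ws-12,standard,example-sensor-driver.sys,1.2.4,2024-07-19T10:00:00,false
web-01,critical,other-driver.sys,9.9.9,2024-07-19T10:05:00,false
"""


def parse_inventory(text: str) -> list[InventoryRow]:
    """Parse the CSV export into typed rows."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append(InventoryRow(
            host=r["host"],
            tier=r["tier"],
            file_name=r["file"],
            version=r["version"],
            last_seen=datetime.fromisoformat(r["last_seen"]),
            remediated=r["remediated"].strip().lower() == "true",
        ))
    return rows


def find_stragglers(rows: list[InventoryRow]) -> list[InventoryRow]:
    """Hosts that still carry the offending file and version and were not fixed in the first wave."""
    return [
        r for r in rows
        if r.file_name == OFFENDING_FILE
        and r.version == OFFENDING_VERSION
        and not r.remediated
    ]


def build_target_list(rows: list[InventoryRow], now: datetime) -> tuple[list[str], list[str]]:
    """Return (online_targets, offline_targets), each ordered by impact tier then hostname.

    Online hosts form the proactive cleanup list; offline hosts are the
    out-of-office list to be fixed when the machines return.
    """
    stragglers = find_stragglers(rows)
    order = lambda r: (TIER_PRIORITY.get(r.tier, 99), r.host)
    online = sorted((r for r in stragglers if now - r.last_seen <= OFFLINE_AFTER), key=order)
    offline = sorted((r for r in stragglers if now - r.last_seen > OFFLINE_AFTER), key=order)
    return [r.host for r in online], [r.host for r in offline]


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY)
    online, offline = build_target_list(inventory, now=datetime(2024, 7, 19, 12, 0, 0))
    print("Proactive cleanup targets (by tier):", online)
    print("Offline / out-of-office, fix on return:", offline)
```

With the sample data, the already-remediated host, the host on a different driver version and the host without the file at all are excluded; the two live stragglers come back with the critical database server ahead of the point-of-sale terminal, and the laptop that last checked in two days earlier lands on the offline list. Swapping `SAMPLE_INVENTORY` for the real export from your asset-management tool is the only change needed.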
Avoid overreactions
• This could be an immediate mandate to decommission, disable or replace CrowdStrike.
• Defer to the post-incident review process and the existing vendor risk management process to manage this strategic decision.
Medium term: Actions to be taken over one to two weeks
• The focus for medium-term actions is to assess the impact on secondary systems.
• Look for exposed vulnerabilities and ensure you have visibility into planned system-wide updates and releases in the coming weeks.
• Review anomalies or unusual trends with the SOC teams to minimise the risk of an undetected opportunistic attack.
• Participate in the business impact analysis to provide the security viewpoint.
• Ensure balanced discussions about what to do next for potential impacts on the security posture.
• Inform senior leadership across the organisation of the current status of PCs and the continuing efforts to stabilise the environment and restore trust.
• Indicate that teams are working on long-term plans to avoid similar disruptions in the future.