Remediation vs. prevention: How to place your bets

Building a security environment for businesses these days is a gamble: layer on too much and your programs may be canceling each other out or causing redundancy (and your leaders may be wondering why you’re spending so much). Invest too little and get breached: it’s snake eyes for you. Whether you choose remediation, proactive prevention, or both, finding the right balance is the key to a winning hand.

What is remediation?

Remediation is the process of correcting system changes, for example, removing threats off of an infected system. These threats bypassed existing security measures and likely already caused damage. The goal is to remediate threats before they cause any further damage.

In most cases, threats have made themselves known in some malicious fashion, making the need to remove them urgent. But the remediation process can potentially last anywhere from hours to days depending on the tools at hand and the resources dedicated to the process.

What is proactive prevention?

Proactive prevention is the ability to block the latest threats before they reach a system or network and cause damage. This form of protection requires technologies that detect and block unknown threats.

This is the most effective security approach in dealing with ransomware attacks. Once ransomware gets onto a system and encrypts the victim’s data, a ransom demand is presented to the victim requiring swift payment in digital currency in order to receive the files back via a decryption key. However, paying the ransom does not guarantee you’ll get your data back.

In rare cases, decryption programs or algorithms (decryptors) are available thanks to the valiant efforts of security researchers. Unfortunately, this reactive approach offers too small of a ray of hope in comparison to the sheer number of ransomware variants that continue to hit the streets every week.

Why are businesses sticking with remediation?
Remediation tools, by nature, are less expensive than full protection. In addition, some businesses are adding remediation tools to run alongside their existing security measures. Due to budget constraints, many IT/Network Administrators wait before deciding on a full protection product.

For instance, a company of any size may be running an existing tool, like antivirus, with a three-year subscription. It may be easier for the company to let the contract run out before purchasing a new, more inclusive product. In this type of situation, adding a remediation tool to the existing security stack provides an additional, incremental value to security capabilities.

SMBs playing the odds

Many businesses assess their potential risk and exposure to attack, and smaller ones in particular tend to believe there is less chance of an attack happening to them. In a survey conducted by CNBC and SurveyMonkey of over 2,000 small businesses, only 2 percent of small business owners said they viewed a cyberattack as the most critical issue they face. However, in the last year, malware detections increased more than 165 percent among SMBs.

With limited resources or a short-handed IT staff, small to mid-size businesses also face especially tight budgets on top of risk evaluation, so they need to allocate their spending accordingly. This is what they’ve always done, and they are not alone. Dell recently released a study that stated 53 percent of IT decision makers say cost is one of the biggest constraints to taking additional security measures.

Many believe it is easier to remediate a few errant incidents than to find several security solutions to combat various strains of malware. However, security incidents are increasing in frequency not only with enterprise-level businesses but also among small to mid-size businesses. In Malwarebytes’ recent report of Analysis of Malware Trends for Small to Medium Businesses Q1 2017, it was discovered that ransomware incidents alone rose 231% within the last year among SMBs.

Worst-case scenario

Ransomware is cause for concern for those using remediation-only methods because its damage cannot be undone unless rare decryptors are available. Businesses on a tight budget could compare the cost of proactive prevention tools to the potential ransom demands from a ransomware attack and the projected downtime in productivity. But even that estimation is tricky because there’s no guarantee cybercriminals will provide you with a key, process the transaction, or deliver clean code.

However, it is important to note that even if files are restored, the system or network can still be vulnerable because ransomware can leave behind remnants, or the attacker may have planted more malicious code on the system to use at a later date. Other options include fully wiping and rebuilding machines and restoring from backup if the files are stored somewhere else, but that takes a lot of time, especially if multiple endpoints were impacted.

If a cyberattack were to hit an unprepared business, it could be a devastating event, causing a loss in productivity, a loss of revenue, and even damage to the company’s reputation. For malware attacks other than ransomware, remediation tools are useful for running a full scan to clean up damage after the infection. But the truth is this: The remediation-only approach will simply not protect against a major ransomware attack.

How businesses benefit from proactive prevention

Threats are continuing to evolve and traditional security solutions are almost rendered obsolete. In order to effectively block these threats, security has to evolve as well. Here’s how the proactive approach benefits businesses:

1. It avoids risk and damage to endpoints.

With a proactive prevention tool, businesses see the value from the reduction in threat exposure. The less threat exposure, the less risk to the business.

2. It reduces/eliminates manual threat removal.

Forty-five percent of SANS survey respondents say that their prevention, detection, response and remediation processes are still mostly or completely manual. With a proactive prevention security tool, businesses eliminate the need for any manual threat removal because threats are caught earlier on and there are not as many remediation demands.

3. It reduces downtime.

It was discovered in the Osterman report that more than 60 percent of attacks take organizations more than nine hours to remediate. This is because of the need to manually remove threats as well as re-image machines where necessary. Without the manual process, time to remediate, or downtime, is significantly reduced.

4. It enables expert staff to focus on critical issues.

Remediation or reactive methods often require valuable resources and create a crisis due to the complexity of each threat. The administrator who removes the threats needs to have a certain level of expertise—often requiring skills that only few have. In Frost & Sullivan’s 2015 Global Information Workforce Study, researchers predict that there will be a shortage of 1.5 million information security experts by 2020, so the pool of talent is only getting smaller.

The shortage of capable admins causes additional issues with threat removal because it isn’t always as easy as clicking one button to disinfect the entire network; it can take hours to days away from productivity. Time can be spent on more valuable projects when admins are given the ability to run periodic scans to proactively check for anomalies.

Why do I have to choose?

You don’t have to choose. Remediation alone might not hold up against large-scale attacks, but it can provide great assistance if threats slip through the cracks. If you’re looking to add a layer of security to your existing tool belt, we recommend a strong remediation tool for post-incident cleanup and some peace of mind. On the other hand, proactive prevention stops an attack before an infection occurs, avoiding risk and reducing damage.

Remediation tools, like Malwarebytes Incident Response, can be deployed on top of existing traditional approaches to provide peace of mind for those “what if” instances if your existing security measures fail. Finding a product that delivers both, like Malwarebytes Endpoint Protection, ensures multiple attack vectors are covered from the start.

Sarah Enderby

I am the millennial no one's ever heard of—the exception that proves the rule.