Mitigation controls and policies required for Exploit Protection (EDR)

  • Release version: Washingtondc
  • Updated January 22, 2025

    The mitigation controls and policies required for Exploit Protection Endpoint Detection and Response (EDR) monitoring are included with the Security Posture Control product.

    Exploit Protection (EDR)

    Roles required: SPC Admin Group and SPC Analyst Group.

    This category of mitigation controls covers mitigations that are available on your assets in the form of endpoint protection agent configuration. It applies to the CrowdStrike and SentinelOne agents, and to Microsoft Defender exploit protection settings that are collected through Microsoft SCCM by the Microsoft Defender Mitigation Control Integration.

    Exploit mitigation settings such as ‘Force Address Space Layout Randomization’ and ‘Force DEP’ can be enabled in endpoint protection tools like CrowdStrike. SPC automatically detects that configuration on devices by using the policies included with the application together with the API integration with the endpoint protection tools.

    Prerequisites for Exploit Protection (EDR) detection with CrowdStrike

    1. Verify that you have activated the CrowdStrike Service Graph Connector. This application is available in the ServiceNow Store. The installation and configuration information is included on the app listing. See Install and configure the CrowdStrike integrations for mitigation control monitoring for more information.
    2. Verify that the CrowdStrike API integration is activated in the Security Posture Control Workspace.

    Mitigation controls and policies in Exploit Protection (EDR) CrowdStrike

    • CrowdStrike – Exploit Mitigation – Force ASLR
      • Sources: CrowdStrike APIs
      • MITRE tactics addressed: Initial Access, Execution, Credential Access, Defense Evasion, Privilege Escalation, Lateral Movement
      • MITRE techniques addressed by this mitigation: Drive-by Compromise (Initial Access), Exploitation for Client Execution (Execution), Exploitation for Credential Access (Credential Access), Exploitation for Defense Evasion (Defense Evasion), Exploitation for Privilege Escalation (Privilege Escalation), Exploitation of Remote Services (Lateral Movement)
      • Policies: The CrowdStrike Force ASLR policy must be activated to identify this mitigation control. You can optionally activate other mitigation control policies.
    • CrowdStrike – Exploit Mitigation – Force DEP
      • Sources: CrowdStrike APIs
      • MITRE tactics addressed: Initial Access, Execution, Credential Access, Defense Evasion, Privilege Escalation, Lateral Movement
      • MITRE techniques addressed by this mitigation: Drive-by Compromise (Initial Access), Exploitation for Client Execution (Execution), Exploitation for Credential Access (Credential Access), Exploitation for Defense Evasion (Defense Evasion), Exploitation for Privilege Escalation (Privilege Escalation), Exploitation of Remote Services (Lateral Movement)
      • Policies: The CrowdStrike Force DEP policy must be activated to identify this mitigation control. You can optionally activate other mitigation control policies.
    • CrowdStrike – Exploit Mitigation – Heap Spray Preallocation
      • Sources: CrowdStrike APIs
      • MITRE tactics addressed: Initial Access, Execution, Credential Access, Defense Evasion, Privilege Escalation, Lateral Movement
      • MITRE techniques addressed by this mitigation: Drive-by Compromise (Initial Access), Exploitation for Client Execution (Execution), Exploitation for Credential Access (Credential Access), Exploitation for Defense Evasion (Defense Evasion), Exploitation for Privilege Escalation (Privilege Escalation), Exploitation of Remote Services (Lateral Movement)
      • Policies: The Heap Spray Preallocation policy must be activated to identify this mitigation control. You can optionally activate other mitigation control policies.
    • CrowdStrike – Exploit Mitigation – NULL page allocation
      • Sources: CrowdStrike APIs
      • MITRE tactics addressed: Initial Access, Execution, Credential Access, Defense Evasion, Privilege Escalation, Lateral Movement
      • MITRE techniques addressed by this mitigation: Drive-by Compromise (Initial Access), Exploitation for Client Execution (Execution), Exploitation for Credential Access (Credential Access), Exploitation for Defense Evasion (Defense Evasion), Exploitation for Privilege Escalation (Privilege Escalation), Exploitation of Remote Services (Lateral Movement)
      • Policies: The CrowdStrike NULL Page Allocation policy must be activated to identify this mitigation control. You can optionally activate other mitigation control policies.
    • CrowdStrike – Exploit Mitigation – SEH Overwrite
      • Sources: CrowdStrike APIs
      • MITRE tactics addressed: Initial Access, Execution, Credential Access, Defense Evasion, Privilege Escalation, Lateral Movement
      • MITRE techniques addressed by this mitigation: Drive-by Compromise (Initial Access), Exploitation for Client Execution (Execution), Exploitation for Credential Access (Credential Access), Exploitation for Defense Evasion (Defense Evasion), Exploitation for Privilege Escalation (Privilege Escalation), Exploitation of Remote Services (Lateral Movement)
      • Policies: At a minimum, the CrowdStrike SEH Overwrite Protection policy must be activated to identify this mitigation control. You can optionally activate other mitigation control policies.
    • CrowdStrike – Exploit Mitigation – All Settings On
      • Sources: CrowdStrike APIs
      • MITRE tactics addressed: Initial Access, Execution, Credential Access, Defense Evasion, Privilege Escalation, Lateral Movement
      • MITRE techniques addressed by this mitigation: Drive-by Compromise (Initial Access), Exploitation for Client Execution (Execution), Exploitation for Credential Access (Credential Access), Exploitation for Defense Evasion (Defense Evasion), Exploitation for Privilege Escalation (Privilege Escalation), Exploitation of Remote Services (Lateral Movement)
      • Policies: All of the following policies must be activated to identify this mitigation control: CrowdStrike Force ASLR, CrowdStrike Force DEP, Heap Spray Preallocation, CrowdStrike NULL Page Allocation, and CrowdStrike SEH Overwrite Protection. If any one of the five is not identified on a device, All Settings On is not identified for that device.

    Prerequisites for Exploit Protection (EDR) detection with Microsoft SCCM and the Microsoft Defender Mitigation Control Integration

    Microsoft SCCM credentials that include the Script Authors role. The Script Authors role grants the permissions needed to create, on the SCCM server, the script that is required to import mitigation information.

    See Install and configure the Service Graph Connector for Microsoft SCCM and the Microsoft Defender Mitigation Control Integration for more information.

    Mitigation controls and policies in Exploit Protection (EDR) with Microsoft SCCM and the Microsoft Defender Mitigation Control Integration:

    • Defender – Exploit Mitigation – CFG

      Microsoft Defender Control Flow Guard.

    • Defender – Exploit Mitigation – DEP

      Microsoft Defender Data Execution Prevention.

    • Defender – Exploit Mitigation – Mandatory ASLR and Bottom-Up ASLR

      Microsoft Defender mandatory (force) ASLR together with bottom-up ASLR. Both settings must be enabled for this control to be identified.

    • MITRE tactics addressed by each of these three controls: Initial Access, Execution, Credential Access, Defense Evasion, Privilege Escalation, Lateral Movement.
    • MITRE techniques addressed by these mitigations: Drive-by Compromise (Initial Access), Exploitation for Client Execution (Execution), Exploitation for Credential Access (Credential Access), Exploitation for Defense Evasion (Defense Evasion), Exploitation for Privilege Escalation (Privilege Escalation), Exploitation of Remote Services (Lateral Movement).
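    The following is an added example, not code from Security Posture Control, CrowdStrike or Microsoft. It shows the evaluation logic that the CrowdStrike and Defender sections above describe: a device's agent settings are mapped to the mitigation controls of this page, and the All Settings On control is identified only when all five CrowdStrike exploit mitigation settings are on. The CrowdStrike setting ids (`ForceASLR`, `ForceDEP`, `HeapSprayPreallocation`, `NullPageAllocation`, `SEHOverwriteProtection`) and the `prevention_settings[].settings[]` JSON shape are assumptions that mirror the control names on this page; the Defender input is a constructed, flattened copy of the fields that `Get-ProcessMitigation -System` reports (`Dep.Enable`, `Cfg.Enable`, `Aslr.ForceRelocateImages`, `Aslr.BottomUp`).

```python
"""Map endpoint-agent exploit-mitigation settings to SPC-style mitigation controls.

Added illustration; not code from ServiceNow Security Posture Control, CrowdStrike
or Microsoft. Setting identifiers and the policy JSON shape are assumptions that
mirror the control names on this page.
"""

# Assumption: CrowdStrike prevention-policy toggle ids, as they would appear in the
# settings[] of a policy returned by the Falcon prevention-policy API. Real ids may differ.
CROWDSTRIKE_CONTROLS = {
    "CrowdStrike – Exploit Mitigation – Force ASLR": ("ForceASLR",),
    "CrowdStrike – Exploit Mitigation – Force DEP": ("ForceDEP",),
    "CrowdStrike – Exploit Mitigation – Heap Spray Preallocation": ("HeapSprayPreallocation",),
    "CrowdStrike – Exploit Mitigation – NULL page allocation": ("NullPageAllocation",),
    "CrowdStrike – Exploit Mitigation – SEH Overwrite": ("SEHOverwriteProtection",),
}
# Identified only when every one of the five controls above is identified.
CROWDSTRIKE_ALL_ON = "CrowdStrike – Exploit Mitigation – All Settings On"

# Defender controls, keyed by the system-wide fields that
# `Get-ProcessMitigation -System` reports (values ON, OFF or NOTSET).
DEFENDER_CONTROLS = {
    "Defender – Exploit Mitigation – CFG": ("Cfg.Enable",),
    "Defender – Exploit Mitigation – DEP": ("Dep.Enable",),
    "Defender – Exploit Mitigation – Mandatory ASLR and Bottom-Up ASLR": (
        "Aslr.ForceRelocateImages",
        "Aslr.BottomUp",
    ),
}


def crowdstrike_enabled_settings(policy: dict) -> set[str]:
    """Return ids of toggle settings that are explicitly enabled in one prevention policy."""
    enabled = set()
    for category in policy.get("prevention_settings", []):
        for setting in category.get("settings", []):
            value = setting.get("value") or {}
            # Only boolean toggles count; ML slider settings carry detection/prevention levels instead.
            if setting.get("type") == "toggle" and value.get("enabled") is True:
                enabled.add(setting["id"])
    return enabled


def identify_crowdstrike_controls(policy: dict) -> set[str]:
    """Controls identified for a host governed by `policy`, including All Settings On."""
    enabled = crowdstrike_enabled_settings(policy)
    found = {name for name, ids in CROWDSTRIKE_CONTROLS.items()
             if all(i in enabled for i in ids)}
    if len(found) == len(CROWDSTRIKE_CONTROLS):
        found.add(CROWDSTRIKE_ALL_ON)
    return found


def identify_defender_controls(system_mitigations: dict) -> set[str]:
    """Controls identified from a flattened {'Dep.Enable': 'ON', ...} mapping.

    NOTSET means "use the OS default". A posture check that wants the mitigation
    enforced by policy treats only an explicit ON as compliant, so a host left at
    defaults does not satisfy the Mandatory ASLR control even if bottom-up ASLR
    is effectively active.
    """
    return {name for name, fields in DEFENDER_CONTROLS.items()
            if all(system_mitigations.get(f) == "ON" for f in fields)}


def sample_crowdstrike_policy(disabled: tuple[str, ...] = ()) -> dict:
    """Constructed sample policy in the assumed API shape; `disabled` lists toggle ids to turn off."""
    toggles = ["ForceASLR", "ForceDEP", "HeapSprayPreallocation",
               "NullPageAllocation", "SEHOverwriteProtection"]
    return {
        "id": "constructed-policy-id",
        "name": "Workstations - exploit mitigation",
        "prevention_settings": [{
            "name": "Exploit Mitigation",
            "settings": [
                {"id": t, "type": "toggle", "value": {"enabled": t not in disabled}}
                for t in toggles
            ] + [
                # A slider setting, present to show that the toggle filter ignores it.
                {"id": "CloudAntiMalware", "type": "mlslider",
                 "value": {"detection": "MODERATE", "prevention": "MODERATE"}},
            ],
        }],
    }


# Constructed sample of Get-ProcessMitigation -System output, flattened to dotted keys.
SAMPLE_DEFENDER_SYSTEM = {
    "Dep.Enable": "ON",
    "Cfg.Enable": "ON",
    "Aslr.ForceRelocateImages": "NOTSET",  # mandatory ASLR left at the OS default
    "Aslr.BottomUp": "ON",
}

if __name__ == "__main__":
    print(sorted(identify_crowdstrike_controls(sample_crowdstrike_policy())))
    print(sorted(identify_crowdstrike_controls(sample_crowdstrike_policy(("SEHOverwriteProtection",)))))
    print(sorted(identify_defender_controls(SAMPLE_DEFENDER_SYSTEM)))
```

    With every toggle on, the first call identifies all five CrowdStrike controls plus All Settings On; turning off SEH Overwrite Protection drops both the SEH Overwrite control and All Settings On. The Defender sample identifies CFG and DEP but not the ASLR control, because mandatory ASLR is only NOTSET rather than explicitly ON, which is the state you would expect on a host where the Defender policy has never been pushed.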

    Prerequisites for Exploit Protection (EDR) detection with the SentinelOne Mitigation Control Integration

    1. Verify that you have activated the SentinelOne Service Graph Connector.

      This application is available in the ServiceNow Store. The installation and configuration information is included on the app listing. See Install and configure the Service Graph Connector for SentinelOne and the SentinelOne Mitigation Control Integration for more information.

    2. Verify that the SentinelOne API integration is activated in the Security Posture Control Workspace.
    3. Review the SentinelOne mitigation control policies included with the application:
      • SentinelOne Application Control
      • SentinelOne Data Files
      • SentinelOne Executables
      • SentinelOne Exploits
      • SentinelOne IDR
      • SentinelOne Detect Interactive Threat
      • SentinelOne Detect Lateral Movement
      • SentinelOne Static AI
      • SentinelOne Static AI - suspicious
      • SentinelOne Potentially unwanted applications
      • SentinelOne Remote shell
      • SentinelOne Reputation