PREVENTION POLICIES Flashcards
What is the default policy used for?
- The Default Policy is a fallback policy applied to hosts that don’t have an assigned policy.
What are best practices when configuring default policies?
- You should configure its policy options to be conservative "catch all" settings you're comfortable applying to any host in your environment.
How to configure a detection-only policy?
- The Default Policy is detection only.
- Configuration > Prevention Policies > Create New Policy > input platform, name, description > Create Policy > click a row of policy settings to manage individually, or click Enable All > Save > Confirm > Enable > Enable Policy
What is machine learning on a "sensor" vs. the "cloud"?
- Sensor ML:
  - Sensor Machine Learning is online + offline.
  - On-sensor detections occur when a process runs.
  - Includes Sensor Anti-Malware on all supported OS platforms.
  - Adware/PUP on macOS.
- Cloud ML:
  - Cloud Machine Learning is online.
  - Cloud-based Machine Learning detections occur when a file is written to disk.
  - Cloud Machine Learning includes both Cloud Anti-Malware and Adware/PUP.
  - ** A critical component of detection/prevention of known, emerging, and zero-day malware/ransomware attacks.
  - Cloud Machine Learning does NOT interfere with traditional AV tools.
Explain best practice Phase 1: Initial Deployment
- Run Phase 1 for the minimum time required to allow most applications to execute while you triage detections and address any false positives as appropriate.
- Set ML settings to detect only so you can safely triage detections.
- Enable behavior-based protections for ransomware and IOAs.
- ** These have a low probability of false positives but give you immediate protection against dangerous exploits.
Define the NextGen AV Settings
- Cloud-Based ML
- Sensor ML
- On Write (files written to disk)
- Quarantine
What do end user notifications do?
- Displays a message to the end user when an action violates the policy assigned to that host.
How to assign a prevention policy to groups and hosts?
- Falcon menu > Endpoint Security > Configure > Prevention Policies > edit icon next to the policy you want to configure > Assigned Host Groups tab > Add Groups to Policy > select groups > Add Groups to Policy > Settings tab > Enable
What does precedence do regarding prevention policies?
- Determines which policy's configuration settings are applied to a host when the host is a member of one or more policies.
- Each host can belong to one or more host groups, and host groups can be assigned one or more policies.
- With dynamic groups, a newly installed sensor inherits the relevant groups, and the policy with the highest precedence is applied to the host. This provides the host with its initial policy settings.
Explain best practice Phase 3: Optimal Protection
- Phase 3 settings are identical to the recommended single-phase settings and represent your ultimate policy goals.
- Some customers also like to start with a representative set of non-production systems as a test.
- Set ML Preventions to Aggressive if you're confident that all needed exclusions have been applied.
- Enable the remaining recommended IOA-based prevention policy settings.
What are the 3 phases to describe policy best practices?
3-Phase Process:
- Phase 1: Initial Deployment
- Phase 2: Interim Protection
- Phase 3: Optimal Protection
Which best policy practice is used for a rapid deployment scenario & the customer has pre-existing antivirus or host intrusion prevention system (HIPS)?
- Phase 1: Initial Deployment
Which best policy practice is used once the customer's AV is disabled or uninstalled?
- Phase 2: Interim Protection
Explain best practice Phase 2: Interim Protection
- ** Disable or uninstall other third-party AV products now.
- Run Phase 2 for the minimum time required to allow most applications to execute while you continue to triage detections and address any false positives as appropriate.
- Set ML Detections to Aggressive and ML Preventions to Moderate.
- Enable additional IOA-based prevention settings.
Which best policy practice is used to establish a customer’s ultimate policy goals?
- Phase 3: Optimal Protection
What happens when you assign a host group to a policy?
- The host group will no longer appear in the list of available groups.
How do end user notifications show up?
- Shows up as a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines an unauthorized action.
- Messages also show up in the Windows Event Viewer under Applications and Services Logs.
Where on the Falcon Console can you configure Precedence?
Hosts > Host Groups > Policies Assigned > Precedence
What features does the Cloud ML provide?
- Cloud Anti-Malware Detection
- Cloud Anti-Malware Prevention
- Sensor Anti-Malware Detection/Prevention
- Detect on Write, Quarantine on Write, Quarantine & Security Center Registration, Cloud Adware/PUP Detection/Prevention, Sensor Adware & PUP Detection/Prevention
- Enable detection at a level above that set for prevention.
- Triage detection data and allowlist false positives. Once confident that the majority of applications have executed, increase the detection/prevention sliders, then repeat the triage and allowlisting. Repeat until you've reached the recommended settings.
When does a host automatically get assigned to the default policy?
- If a host is not part of any group, or the groups it belongs to have no policies assigned.
Initially, what are the settings in the default policy set to?
- All settings in the default policy are Disabled.
What features does the Sensor ML provide?
- Includes Sensor Anti-Malware on all supported OS platforms, and Adware/PUP on macOS.
- Sensor Anti-Malware provides ML-based on-sensor AV protection for malicious files, including offline protection.
What are the Policy Settings?
- Notify End Users
- Unknown Executables
- Unknown Detection-Related Executables
- Sensor Tampering Protection
What are the types of categories?
- Enhanced Visibility
- Firmware
- Cloud ML
- On Write
- Quarantine
- Execution Blocking
- Exploit Mitigation
- Ransomware
- Exploitation Behavior
- Lateral Movement and Credential Access
- Remediation