For emerging and high-profile threats, Security Response should provide sample Application Control and Firewall policies to aid mitigation
Here is a suggestion from Security Response that is currently being considered; we would be very interested to get your input and thoughts on the subject:
In addition to the usual AV/AS and IPS signatures that Security Response provides on a regular basis, it would be good if, where appropriate, Security Response also provided guidance on how to use Application Control and the Firewall to aid mitigation (or provided sample SEP policies containing the configuration needed to achieve this).
Some examples would be:
- A Firewall rule to block traffic to/from specific offending domains and/or IP address blocks.
- An Application Control rule to block specific processes from running.
Ideally, it would then also be possible to report centrally on the machines where the offending domains, IPs or processes have been seen.