preznik_FTNT
Staff
December 24, 2020

Hunting and Auto-Quarantining Sunburst/SolarWinds affected endpoints using EMS Zero-Trust Tags

Description
Dynamically detecting, segmenting and auto-quarantining “Sunburst”/SolarWinds vulnerable endpoints from EMS.
Solution
  • Create Zero-Trust Access Control Rules to continuously monitor, and automatically block access for, compromised endpoints:
    • Run the attached script to add the SolarWinds detection rules to your EMS v6.4.2. Open CMD with administrator access and run the following command from the folder where you saved the script: sqlcmd -E -S.\fcems -d fcm_default -i add_solarwind_ZTNA_Rules.txt
    • The script adds the ZTNA tagging rules shown in the screenshot below. Edit one of the newly added rules, verify it is configured properly, and click Save. You can also add further rules to detect and tag endpoints with critical vulnerabilities, including the Sunburst vulnerability:

[Screenshot: ztnarules.jpg, the ZTNA tagging rules added by the script]

    • Under Zero Trust Tags > Tag Monitor, watch for any endpoints carrying the “EndpointsWithSolarWinds” or “SolarWinds Suspicious” tags. If any are detected, those endpoints can be quarantined and sent for investigation/remediation.

[Screenshot: ztnatag.jpg, Tag Monitor showing the SolarWinds tags]

[Screenshot: ztnaquar.jpg, quarantining a tagged endpoint]