Mitigation controls and policies in Security Posture Control
The Security Posture Control product includes policies and mitigation controls that detect whether mitigation controls are present on your enterprise assets. You view these policies and controls in the Security Posture Control workspace.
Mitigation controls policies
Both the Security Posture Control application and the Mitigation Controls application are required to view the mitigation controls and mitigation controls policies in SPC. Both applications are available from the ServiceNow Store.
Refer to the following topics for more information about downloading and installing applications from the ServiceNow® Store.
- Download an application from the ServiceNow Store for the first time
- Install a Security Operations integration
To view the mitigation controls policies, users in the SPC Admin Group and SPC Analyst Group can navigate to Workspaces > Security Posture Control > Policies and findings > All in the SPC Workspace navigation panel. The following mitigation controls policies are included with the application:
- SEH Overwrite
- Heap spray
- CrowdStrike NULL Page Allocation
- CrowdStrike Force DEP
- CrowdStrike Force ASLR
- Microsoft Defender Control Flow Guard
- Microsoft Defender force ASLR
- Microsoft Defender Mandatory ASLR and Bottom-up ASLR
- SentinelOne Application Control
- SentinelOne Data Files
- SentinelOne Executables
- SentinelOne Exploits
- SentinelOne IDR
- SentinelOne Detect Interactive Threat
- SentinelOne Detect Lateral Movement
- SentinelOne Static AI
- SentinelOne Static AI - suspicious
- SentinelOne Potentially unwanted applications
- SentinelOne Remote shell
- SentinelOne Reputation
Viewing the mitigation controls in the workspace
To view the list of mitigation controls, users in the SPC Admin Group and SPC Analyst Group can navigate to Workspaces > Security Posture Control > Mitigation controls in the SPC Workspace navigation panel.
The list of supported mitigation controls covers the different types of mitigations that SPC can detect on your assets. Select a record to view its details. Each mitigation control record includes the following information:
- Name - Name of the mitigation control.
- Sources - Sources used to import this mitigation control’s status on a given asset. Supported sources for this integration are the API-based integrations with the CrowdStrike, Microsoft SCCM, SentinelOne, and F5 BIG-IP security tools.
- Category - Category of the mitigation control, for example, Exploit Protection (EDR).
- MITRE™ Techniques - MITRE techniques to which this mitigation control applies.
- Policies - SPC policies included with the product that are used to identify the presence of this mitigation control. One mitigation control might require more than one policy.
Some mitigation controls are evaluated using multiple policies, whereas others need only one. For certain mitigation controls, every associated policy must match before the control is reported as active on a given asset; for other controls, a single matching policy is enough.
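The following is an added example, not code from the ServiceNow product or its documentation, showing how a mitigation control's status on an asset can be derived from the policies that detect it, with the "all policies must match" and "any one policy is enough" modes described above. The record fields follow the ones listed on this page (name, sources, category, MITRE techniques, policies); the `match` field, the grouping of policies under each control, the asset findings and the technique ids are constructed for the illustration and are not product data.

```javascript
// Added illustration (not ServiceNow code): deriving a mitigation control's
// status per asset from policy findings, with "all" vs "any" policy matching.

// Constructed mitigation-control records. Policy names are taken from the
// list on this page; the grouping, match mode and technique ids are assumed.
const MITIGATION_CONTROLS = [
  {
    name: "Force ASLR",
    sources: ["CrowdStrike", "Microsoft Defender"],
    category: "Exploit Protection (EDR)",
    mitreTechniques: ["T-EXAMPLE-1"], // placeholder id, constructed
    policies: ["CrowdStrike Force ASLR", "Microsoft Defender force ASLR"],
    match: "any", // one matching policy is enough
  },
  {
    name: "Control Flow Guard",
    sources: ["Microsoft Defender"],
    category: "Exploit Protection (EDR)",
    mitreTechniques: ["T-EXAMPLE-2"],
    policies: ["Microsoft Defender Control Flow Guard"],
    match: "all",
  },
  {
    name: "Heap protection",
    sources: ["CrowdStrike"],
    category: "Exploit Protection (EDR)",
    mitreTechniques: ["T-EXAMPLE-1", "T-EXAMPLE-3"],
    policies: ["Heap spray", "CrowdStrike NULL Page Allocation"],
    match: "all", // every policy must match
  },
];

// Constructed policy findings per asset: policy name -> matched (true/false).
// A policy absent from an asset's findings means no source reported on it.
const FINDINGS = {
  "host-01": {
    "CrowdStrike Force ASLR": true,
    "Microsoft Defender Control Flow Guard": true,
    "Heap spray": true,
    "CrowdStrike NULL Page Allocation": false,
  },
  "host-02": {
    "Microsoft Defender force ASLR": false,
    "Heap spray": true,
    "CrowdStrike NULL Page Allocation": true,
  },
};

// Decide one control's status on one asset. A policy with no finding counts
// as not matched, but is reported separately so a silent source is visible.
function evaluateControl(control, assetFindings) {
  const matched = control.policies.map((p) => assetFindings[p] === true);
  const missingPolicies = control.policies.filter((p) => !(p in assetFindings));
  const active =
    control.policies.length > 0 &&
    (control.match === "all" ? matched.every(Boolean) : matched.some(Boolean));
  return { status: active ? "active" : "inactive", missingPolicies };
}

// Evaluate every control for an asset and summarise which MITRE techniques
// have at least one active control.
function evaluateAsset(assetId, controls = MITIGATION_CONTROLS, findings = FINDINGS) {
  const assetFindings = findings[assetId] || {};
  const report = { assetId, active: [], inactive: [], missingPolicies: {}, coveredTechniques: [] };
  const techniques = new Set();
  for (const control of controls) {
    const { status, missingPolicies } = evaluateControl(control, assetFindings);
    report[status].push(control.name);
    if (missingPolicies.length > 0) report.missingPolicies[control.name] = missingPolicies;
    if (status === "active") control.mitreTechniques.forEach((t) => techniques.add(t));
  }
  report.coveredTechniques = [...techniques].sort();
  return report;
}

// Techniques that no active control covers on the asset: the gap list an
// analyst would review first.
function uncoveredTechniques(assetId, controls = MITIGATION_CONTROLS, findings = FINDINGS) {
  const covered = new Set(evaluateAsset(assetId, controls, findings).coveredTechniques);
  const all = new Set(controls.flatMap((c) => c.mitreTechniques));
  return [...all].filter((t) => !covered.has(t)).sort();
}

for (const id of Object.keys(FINDINGS)) {
  console.log(JSON.stringify(evaluateAsset(id), null, 2));
  console.log(id, "uncovered techniques:", uncoveredTechniques(id));
}
```

For host-01, "Force ASLR" is active because its `any` mode needs only the CrowdStrike finding, while "Heap protection" is inactive because its `all` mode fails on the NULL page allocation policy; the `missingPolicies` entry shows that no Microsoft Defender finding was imported for that host, which is the first thing to check before treating an inactive status as a real gap.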
Mitigation controls categories
The following categories of mitigation controls are currently supported with the SPC.
- Mitigation controls and policies required for Exploit Protection (EDR).
- Mitigation controls and policies required for Exploit Protection (WAF). You must create policies for AWS WAF. See Create a policy for the AWS WAF integration for mitigation controls monitoring for more information.