Cybersecurity Advisory – Endpoint Detection and Response (EDR) Vulnerability: SentinelOne and Potentially Other EDR Service Providers
Impact: All FINRA Member Firms
FINRA member firms that use SentinelOne Endpoint Detection and Response (EDR) protections, and potentially other EDR service providers, should be aware of a vulnerability that could allow a threat actor who has already obtained local administrative access to an endpoint, including publicly accessible servers, to disable the EDR agent. This Cybersecurity Advisory describes the vulnerability as well as recommendations to protect your firm.
Note: FINRA previously contacted firms that indicated through FINRA’s Third-Party Vendor Questionnaire that they use SentinelOne for EDR service.
Summary
Endpoint detection and response (EDR) systems provide comprehensive protection for endpoints (e.g., computers, servers and other devices) against cybersecurity threats. They can continuously monitor for signs of a compromise, automatically isolate infected endpoints to prevent spreading, and provide detailed information about attack vectors and affected systems.
While investigating a ransomware incident for a customer, cybersecurity vendor Stroz Friedberg identified a vulnerability within the SentinelOne EDR, which allowed a threat actor—after they managed to gain administrative access to the customer’s network—to disable the EDR and then deploy ransomware. The vendor found the threat actor had circumvented SentinelOne’s “anti-tamper” feature, which is specialized programming within an EDR system that acts as a self-protection mechanism by preventing unauthorized modification, disabling or removal of the security agent installed on the endpoints.
Recommendations to Protect Your Firm
Stroz Friedberg and SentinelOne disclosed this vulnerability/attack pattern to other EDR vendors so they could assess their EDR products for similar vulnerabilities. FINRA recommends all member firms using EDR services review the SentinelOne guidance and consider contacting their EDR provider to discuss this potential vulnerability and any potential remediation steps to protect against this type of attack.
In addition, SentinelOne states it has shared directly with its customers guidance on how to enable the protections available in its EDR service. FINRA recommends member firms that are SentinelOne customers review that guidance and consider contacting SentinelOne to confirm that those protections are enabled.
Additional Information
Questions related to this Cybersecurity Advisory or other cybersecurity-related topics can be emailed to FINRA’s Cyber and Analytics Unit (CAU).
FINRA delivers Cybersecurity Alerts and Advisories to the Chief Information Security Officer (CISO), Chief Compliance Officer (CCO) or Chief Risk Officer (CRO) contacts of FINRA member firms, as designated in FINRA Gateway. Firms should ensure their contact information is current and, if necessary, update it within FINRA Gateway.
FINRA asks member firms to please report any critical system or business operations issues to their Risk Monitoring Analyst.
In addition, both the FBI and CISA urge prompt reporting of cyber incidents to a local FBI Field Office, the FBI Internet Crime Complaint Center (IC3) at IC3.gov, or CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870).
Note: This Advisory does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve member firms of any existing obligations under federal securities laws, regulations or FINRA rules. Member firms may consider the information in this Advisory in developing new, or modifying existing, policies and procedures that are reasonably designed to achieve compliance with relevant regulatory obligations based on the member firm’s size and business model. Moreover, some information may not be relevant due to certain firms’ business models, sizes or practices.