13.7
IG3

Deploy a Host-Based Intrusion Prevention Solution

Asset Type: Devices
Security Function: Protect

Description

Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Develop incident response plan and playbooks
7. Define roles, escalation paths, and communication channels
8. Conduct tabletop exercise to validate plan
9. Establish post-incident review process

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Ransomware Execution Despite Detection Alert

Availability

A host-based detection tool identifies ransomware behavior but can only alert, not block, allowing the malware to encrypt files before an analyst responds because no host-based prevention capability exists.

Zero-Day Exploit Execution on Endpoint

Integrity

An attacker delivers a zero-day exploit via a spear-phishing document that executes malicious code on the endpoint, and without host-based intrusion prevention, the exploit cannot be automatically blocked based on behavioral analysis.

Credential Dumping Tool Execution on Compromised Host

Confidentiality

An attacker runs Mimikatz or similar credential harvesting tools on a compromised workstation, extracting cached credentials without automated prevention because no HIPS/EDR is deployed to block known attack techniques.

Vulnerabilities (When Safeguard Absent)

Detection-Only Capability Without Automated Prevention

Without host-based intrusion prevention, malicious activity identified through detection alone cannot be automatically blocked, creating a gap between alert generation and manual incident response.

No Behavioral-Based Endpoint Blocking

Absence of HIPS or EDR with prevention capabilities means endpoints cannot automatically terminate malicious processes, quarantine suspicious files, or block exploitation techniques in real time.

Evidence Requirements

Type      | Evidence Item                                                              | Collection Frequency
----------|----------------------------------------------------------------------------|---------------------
Technical | Configuration screenshots or exports showing protection controls enabled   | Captured quarterly
Document  | Procedure documentation for protection measures                            | Reviewed annually
Document  | Incident response plan and playbooks                                       | Reviewed bi-annually
Record    | Incident reports and post-incident review documentation                    | Per incident
Document  | Governing policy document (current, approved, communicated)                | Reviewed annually