Security Control: Endpoint security
Endpoint Security covers controls in endpoint detection and response, including use of endpoint detection and response (EDR) and anti-malware service for endpoints in cloud environments.
ES-1: Use Endpoint Detection and Response (EDR)
CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS ID(s) v3.2.1 |
---|---|---|
13.7 | SC-3, SI-2, SI-3, SI-16 | 11.5 |
Security principle: Enable Endpoint Detection and Response (EDR) capabilities for VMs and integrate with SIEM and security operations processes.
Azure guidance: Microsoft Defender for servers (with Microsoft Defender for Endpoint integrated) provides EDR capability to prevent, detect, investigate, and respond to advanced threats.
Use Microsoft Defender for Cloud to deploy Microsoft Defender for servers on your endpoints and integrate the alerts to your SIEM solution such as Microsoft Sentinel.
Azure implementation and additional context:
- Azure Defender for Servers introduction
- Microsoft Defender for Endpoint overview
- Microsoft Defender for Cloud feature coverage for machines
- Connector for Defender for Servers integration into SIEM
AWS guidance: Onboard your AWS account into Microsoft Defender for Cloud and deploy Microsoft Defender for servers (with Microsoft Defender for Endpoint integrated) on your EC2 instances to provide EDR capabilities to prevent, detect, investigate, and respond to advanced threats.
Alternatively, use Amazon GuardDuty integrated threat intelligence capability to monitor and protect your EC2 instances. Amazon GuardDuty can detect anomalous activities such as activity indicating an instance compromise, such as cryptocurrency mining, malware using domain generation algorithms (DGAs), outbound denial of service activity, unusually high volume of network traffic, unusual network protocols, outbound instance communication with a known malicious IP, temporary Amazon EC2 credentials use by an external IP address, and data exfiltration using DNS.
AWS implementation and additional context:
GCP guidance: Onboard your GCP project into Microsoft Defender for Cloud and deploy Microsoft Defender for servers (with Microsoft Defender for Endpoint integrated) on your virtual machine instances to provide EDR capabilities to prevent, detect, investigate, and respond to advanced threats.
Alternatively, use Google's Security Command Center for integrated threat intelligence to monitor and protect your virtual machine instances. Security Command Center can detect anomalous activity such as potentially leaked credentials, cryptocurrency mining, potentially malicious applications, malicious network activity, and more.
GCP implementation and additional context:
- Protect your endpoints with Defender for Cloud's integrated EDR solution:
- Security Command Center overview:
Customer security stakeholders (Learn more):
- Infrastructure and endpoint security
- Threat intelligence
- Security Compliance Management
- Posture management
ES-2: Use modern anti-malware software
CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS ID(s) v3.2.1 |
---|---|---|
10.1 | SC-3, SI-2, SI-3, SI-16 | 5.1 |
Security principle: Use anti-malware solutions (also known as endpoint protection) capable of real-time protection and periodic scanning.
Azure guidance: Microsoft Defender for Cloud can automatically identify the use of a number of popular anti-malware solutions for your virtual machines and on-premises machines with Azure Arc configured and report the endpoint protection running status and make recommendations.
Microsoft Defender Antivirus is the default anti-malware solution for Windows server 2016 and above. For Windows server 2012 R2, use Microsoft Antimalware extension to enable SCEP (System Center Endpoint Protection). For Linux VMs, use Microsoft Defender for Endpoint on Linux for the endpoint protection feature.
For both Windows and Linux, you can use Microsoft Defender for Cloud to discover and assess the health status of the anti-malware solution.
Note: You can also use Microsoft Defender for Cloud's Defender for Storage to detect malware uploaded to Azure Storage accounts.
Azure implementation and additional context:
- Supported endpoint protection solutions
- How to configure Microsoft Antimalware for Cloud Services and virtual machines
AWS guidance: Onboard your AWS account into Microsoft Defender for Cloud to allow Microsoft Defender for Cloud to automatically identify the use some popular anti-malware solutions for EC2 instances with Azure Arc configured and report the endpoint protection running status and make recommendations.
Deploy Microsoft Defender Antivirus which is the default anti-malware solution for Windows server 2016 and above. For EC2 instances running Windows server 2012 R2, use Microsoft Antimalware extension to enable SCEP (System Center Endpoint Protection). For EC2 instances running Linux, use Microsoft Defender for Endpoint on Linux for the endpoint protection feature.
For both Windows and Linux, you can use Microsoft Defender for Cloud to discover and assess the health status of the anti-malware solution.
Note: Microsoft Defender Cloud also supports certain third-party endpoint protection products for the discovery and health status assessment.
AWS implementation and additional context:
- GuardDuty EC2 finding
- Microsoft Defender supported endpoint protection solutions
- Endpoint protection recommendations in Microsoft Defender for Clouds
GCP guidance: Onboard your GCP projects into Microsoft Defender for Cloud to allow Microsoft Defender for Cloud to automatically identify the use of popular anti-malware solutions for virtual machine instances with Azure Arc configured and report the endpoint protection status and make recommendations.
Deploy Microsoft Defender Antivirus which is the default anti-malware solution for Windows server 2016 and above. For virtual machine instances running Windows server 2012 R2, use Microsoft Antimalware extension to enable SCEP (System Center Endpoint Protection). For virtual machine instances running Linux, use Microsoft Defender for Endpoint on Linux for the endpoint protection feature.
For both Windows and Linux, you can use Microsoft Defender for Cloud to discover and assess the health status of the anti-malware solution.
Note: Microsoft Defender Cloud also supports certain third-party endpoint protection products for the discovery and health status assessment.
GCP implementation and additional context:
- Microsoft Defender supported endpoint protection solutions:
- Endpoint protection recommendations in Microsoft Defender for Clouds:
Customer security stakeholders (Learn more):
- Infrastructure and endpoint security
- Threat intelligence
- Security Compliance Management
- Posture management
ES-3: Ensure anti-malware software and signatures are updated
CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS ID(s) v3.2.1 |
---|---|---|
10.2 | SI-2, SI-3 | 5.2 |
Security principle: Ensure anti-malware signatures are updated rapidly and consistently for the anti-malware solution.
Azure guidance: Follow recommendations in Microsoft Defender for Cloud to keep all endpoints up to date with the latest signatures. Microsoft Antimalware (for Windows) and Microsoft Defender for Endpoint (for Linux) will automatically install the latest signatures and engine updates by default.
For third-party solutions, ensure the signatures are updated in the third-party anti-malware solution.
Azure implementation and additional context:
- How to deploy Microsoft Antimalware for Cloud Services and virtual machine
- Endpoint protection assessment and recommendations in Microsoft Defender for Cloud
AWS guidance: With your AWS account onboarded into Microsoft Defender for Cloud, follow recommendations in Microsoft Defender for Cloud to keep all endpoints up to date with the latest signatures. Microsoft Antimalware (for Windows) and Microsoft Defender for Endpoint (for Linux) will automatically install the latest signatures and engine updates by default.
For third-party solutions, ensure the signatures are updated in the third-party anti-malware solution.
AWS implementation and additional context:
GCP guidance: With your GCP projects onboarded into Microsoft Defender for Cloud, follow recommendations in Microsoft Defender for Cloud to keep all EDR solutions up to date with the latest signatures. Microsoft Antimalware (for Windows) and Microsoft Defender for Endpoint (for Linux) will automatically install the latest signatures and engine updates by default.
For third-party solutions, ensure the signatures are updated in the third-party anti-malware solution.
GCP implementation and additional context:
Customer security stakeholders (Learn more):