The most up-to-date Azure Security Benchmark is available here.
Endpoint Security covers controls in endpoint detection and response. This includes use of endpoint detection and response (EDR) and anti-malware service for endpoints in Azure environments.
Enable Endpoint Detection and Response (EDR) capabilities for servers and clients and integrate with SIEM and Security Operations processes.
Microsoft Defender for Endpoint provides EDR capability as part of an enterprise endpoint security platform to prevent, detect, investigate, and respond to advanced threats.
ES-2: Use centrally managed modern anti-malware software
| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
|---|---|---|
| ES-2 | 8.1 | SI-2, SI-3, SC-3 |
Use a centrally managed endpoint anti-malware solution capable of real-time and periodic scanning.
Azure Security Center can automatically identify a number of popular anti-malware solutions running on your virtual machines, report the endpoint protection status, and make recommendations where protection is missing or unhealthy.
Microsoft Antimalware for Azure Cloud Services is the default anti-malware for Windows virtual machines (VMs). For Linux VMs, use a third-party antimalware solution. You can also use Azure Defender for Storage to detect malware uploaded to Azure Storage accounts.
ES-3: Ensure anti-malware software and signatures are updated
| Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s) |
|---|---|---|
| ES-3 | 8.2 | SI-2, SI-3 |
Ensure anti-malware signatures are updated rapidly and consistently.
Follow recommendations in Azure Security Center to ensure all endpoints are up to date with the latest signatures. Microsoft Antimalware will automatically install the latest signatures and engine updates by default. For Linux, ensure the signatures are updated in the third-party antimalware solution.
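ES-2 and ES-3 are easiest to verify continuously when the check is automated. The following script is an added example, not part of the benchmark or of any Microsoft tooling: it audits a constructed inventory shaped like `az vm extension list` output for Windows VMs and reports which VMs lack the Microsoft Antimalware extension, real-time protection, a scheduled scan, or extension auto-upgrade. The field names (`typePropertiesType`, `autoUpgradeMinorVersion`, the `settings` keys) are assumed from the extension's documented settings schema and current CLI output; confirm them against your CLI version before relying on the result.

```python
import json

# Constructed sample shaped like `az vm extension list` output, one list per VM.
# Field names are assumptions; verify against your Azure CLI version.
SAMPLE_INVENTORY = {
    "web-01": [{"name": "IaaSAntimalware", "publisher": "Microsoft.Azure.Security",
                "typePropertiesType": "IaaSAntimalware", "provisioningState": "Succeeded",
                "autoUpgradeMinorVersion": True,
                "settings": {"AntimalwareEnabled": True, "RealtimeProtectionEnabled": True,
                             "ScheduledScanSettings": {"isEnabled": True, "day": 7,
                                                       "time": 120, "scanType": "Quick"}}}],
    "web-02": [{"name": "IaaSAntimalware", "publisher": "Microsoft.Azure.Security",
                "typePropertiesType": "IaaSAntimalware", "provisioningState": "Succeeded",
                "autoUpgradeMinorVersion": False,
                "settings": {"AntimalwareEnabled": True, "RealtimeProtectionEnabled": False,
                             "ScheduledScanSettings": {"isEnabled": False}}}],
    "db-01": [{"name": "CustomScript", "publisher": "Microsoft.Azure.Extensions",
               "typePropertiesType": "CustomScript", "provisioningState": "Succeeded",
               "autoUpgradeMinorVersion": True, "settings": {}}],
}


def audit_vm(extensions):
    """Return ES-2/ES-3 findings (empty list = compliant) for one Windows VM."""
    antimalware = [e for e in extensions
                   if e.get("publisher") == "Microsoft.Azure.Security"
                   and e.get("typePropertiesType") == "IaaSAntimalware"]
    if not antimalware:
        return ["no Microsoft Antimalware extension installed"]
    ext = antimalware[0]
    settings = ext.get("settings") or {}
    findings = []
    if ext.get("provisioningState") != "Succeeded":
        findings.append("extension not in Succeeded state")
    if not settings.get("AntimalwareEnabled", False):
        findings.append("AntimalwareEnabled is false")
    if not settings.get("RealtimeProtectionEnabled", False):
        findings.append("real-time protection disabled")
    if not (settings.get("ScheduledScanSettings") or {}).get("isEnabled", False):
        findings.append("scheduled (periodic) scan disabled")
    if not ext.get("autoUpgradeMinorVersion", False):
        findings.append("autoUpgradeMinorVersion is false: extension will not auto-upgrade")
    return findings


def audit_inventory(inventory):
    """Map each VM name to its findings; VMs with an empty list pass."""
    return {vm: audit_vm(exts) for vm, exts in inventory.items()}


if __name__ == "__main__":
    print(json.dumps(audit_inventory(SAMPLE_INVENTORY), indent=2))
```

To run it against a real subscription, replace `SAMPLE_INVENTORY` with the parsed JSON of `az vm extension list --resource-group <rg> --vm-name <vm>` for each Windows VM.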