Security Control v3: Endpoint security
Endpoint security covers controls for endpoint detection and response, including the use of endpoint detection and response (EDR) and anti-malware services for endpoints in Azure environments.
ES-1: Use Endpoint Detection and Response (EDR)
CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS ID(s) v3.2.1 |
---|---|---|
13.7 | SC-3, SI-2, SI-3, SI-16 | 11.5 |
Security Principle: Enable Endpoint Detection and Response (EDR) capabilities for VMs and integrate with SIEM and security operations processes.
Azure Guidance: Azure Defender for servers (with Microsoft Defender for Endpoint integrated) provides EDR capability to prevent, detect, investigate, and respond to advanced threats.
Use Microsoft Defender for Cloud to deploy Azure Defender for servers to your endpoints, and integrate the resulting alerts into your SIEM solution, such as Azure Sentinel, so that security operations can triage and respond to them.
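The following PowerShell is an added example of the enablement and verification steps described above; it is not code from the benchmark page or from Microsoft. It assumes the Az.Accounts and Az.Security modules are installed and that Connect-AzAccount has already been run; the subscription ID is a placeholder, and the alert property names follow the current Az.Security alert model (confirm with Get-Member if your module version differs).

```powershell
# Added example (not from the benchmark page): enable the Defender for servers
# plan at subscription scope, turn on the Microsoft Defender for Endpoint
# integration, verify the plan is active, and list active high-severity alerts.
# Assumes Az.Accounts and Az.Security are installed and Connect-AzAccount has run.

$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 1. Enable the Defender for servers plan (Standard tier) for the subscription.
Set-AzSecurityPricing -Name 'VirtualMachines' -PricingTier 'Standard' | Out-Null

# 2. Enable the Microsoft Defender for Endpoint integration (the WDATP setting).
Set-AzSecuritySetting -SettingName 'WDATP' -SettingKind 'DataExportSettings' -Enabled $true | Out-Null

# 3. Verify rather than assume: a plan left on the Free tier gives no EDR.
$plan = Get-AzSecurityPricing -Name 'VirtualMachines'
if ($plan.PricingTier -ne 'Standard') {
    throw "Defender for servers is not enabled on subscription $SubscriptionId"
}

# 4. Pull active high-severity alerts. This is a sanity check for the SOC;
#    production forwarding should use the Defender for Cloud SIEM connector
#    rather than polling. Property names assume the current Az.Security model.
Get-AzSecurityAlert |
    Where-Object { $_.Severity -eq 'High' -and $_.Status -eq 'Active' } |
    Select-Object AlertDisplayName, CompromisedEntity, TimeGeneratedUtc, Severity |
    Format-Table -AutoSize
```

Run this once per subscription as part of onboarding; the throw in step 3 is deliberate so that an automation pipeline fails loudly instead of reporting success while the plan is still on the Free tier.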
Implementation and additional context:
- Azure Defender for servers introduction
- Microsoft Defender for Endpoint overview
- Microsoft Defender for Cloud feature coverage for machines
- Connector for Defender for servers integration into SIEM
Customer Security Stakeholders (Learn more):
- Infrastructure and endpoint security
- Threat intelligence
- Security Compliance Management
- Posture management
ES-2: Use modern anti-malware software
CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS ID(s) v3.2.1 |
---|---|---|
10.1 | SC-3, SI-2, SI-3, SI-16 | 5.1 |
Security Principle: Use anti-malware solutions capable of real-time protection and periodic scanning.
Azure Guidance: Microsoft Defender for Cloud automatically identifies a number of popular anti-malware solutions on your Azure virtual machines and on on-premises machines connected through Azure Arc, reports the running status of the endpoint protection, and raises recommendations where it is missing or unhealthy.
Microsoft Defender Antivirus is the default anti-malware solution for Windows Server 2016 and later. For Windows Server 2012 R2, use the Microsoft Antimalware extension to enable SCEP (System Center Endpoint Protection), and use Microsoft Defender for Cloud to discover it and assess its health status. For Linux VMs, use Microsoft Defender for Endpoint on Linux.
Note: You can also use Microsoft Defender for Cloud's Defender for Storage to detect malware uploaded to Azure Storage accounts.
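As an added example (not code from the benchmark page or from Microsoft), the following PowerShell installs the Microsoft Antimalware extension on a Windows Server 2012 R2 VM with real-time protection and a scheduled scan, then confirms the extension actually provisioned. It assumes the Az.Compute module is installed and Connect-AzAccount has run; the resource group, VM name and location are placeholders, and the settings schema is the extension's public settings as documented in the Microsoft Antimalware configuration article linked below.

```powershell
# Added example (not from the benchmark page): install the Microsoft Antimalware
# (IaaSAntimalware) extension on a Windows Server 2012 R2 VM with real-time
# protection and a daily quick scan, then verify provisioning succeeded.
# Assumes Az.Compute is installed and Connect-AzAccount has run.

$ResourceGroup = 'rg-endpoints'     # placeholder
$VMName        = 'vm-ws2012r2-01'   # placeholder
$Location      = 'eastus'           # placeholder
$Publisher     = 'Microsoft.Azure.Security'
$ExtensionType = 'IaaSAntimalware'

# Pick the latest published major.minor of the extension instead of hardcoding it.
$versions   = (Get-AzVMExtensionImage -Location $Location -PublisherName $Publisher -Type $ExtensionType).Version
$latest     = ($versions | Sort-Object { [version]$_ } | Select-Object -Last 1).Split('.')
$handlerVer = "$($latest[0]).$($latest[1])"

# Public settings of the extension. RealtimeProtectionEnabled is what satisfies
# ES-2's "real-time protection"; a scheduled scan alone does not.
# day: 0 = daily, 1 = Sunday .. 7 = Saturday; time = minutes after midnight.
$Settings = @{
    AntimalwareEnabled        = $true
    RealtimeProtectionEnabled = $true
    ScheduledScanSettings     = @{
        isEnabled = $true
        day       = 0
        time      = 120
        scanType  = 'Quick'
    }
    # Keep exclusions empty unless an application owner has justified them;
    # broad path or process exclusions are a common way to blind the scanner.
    Exclusions = @{
        Extensions = ''
        Paths      = ''
        Processes  = ''
    }
}

Set-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VMName -Location $Location `
    -Name $ExtensionType -Publisher $Publisher -ExtensionType $ExtensionType `
    -TypeHandlerVersion $handlerVer -Settings $Settings | Out-Null

# Verify rather than assume: a failed provisioning leaves the VM unprotected
# while the deployment pipeline reports success.
$ext = Get-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VMName -Name $ExtensionType
if ($ext.ProvisioningState -ne 'Succeeded') {
    throw "Microsoft Antimalware extension on $VMName is in state '$($ext.ProvisioningState)'"
}
$ext | Select-Object VMName, ExtensionType, TypeHandlerVersion, ProvisioningState
```

After the extension reports Succeeded, Microsoft Defender for Cloud's endpoint protection assessment should pick the VM up as protected on its next evaluation; if it does not, compare the VM against the "Supported endpoint protection solutions" list below before assuming a detection gap.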
Implementation and additional context:
- Supported endpoint protection solutions
- How to configure Microsoft Antimalware for Cloud Services and virtual machines
Customer Security Stakeholders (Learn more):
- Infrastructure and endpoint security
- Threat intelligence
- Security Compliance Management
- Posture management
ES-3: Ensure anti-malware software and signatures are updated
CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS ID(s) v3.2.1 |
---|---|---|
10.2 | SI-2, SI-3 | 5.2 |
Security Principle: Ensure anti-malware signatures are updated rapidly and consistently for the anti-malware solution.
Azure Guidance: Follow the recommendations under "Compute & Apps" in Microsoft Defender for Cloud to keep all endpoints up to date with the latest signatures. Microsoft Antimalware installs the latest signature and engine updates automatically by default. For Linux, ensure signatures are kept current in whichever anti-malware solution is deployed, whether Microsoft Defender for Endpoint on Linux or a third-party product.
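Defender for Cloud reports signature staleness from the outside; the check below is an added example (not from the benchmark page or from Microsoft) of verifying the same thing from inside a Windows Server 2016 or later host running Microsoft Defender Antivirus, and forcing an update when the signatures are older than a policy threshold. It uses the built-in Defender cmdlets (Get-MpComputerStatus, Update-MpSignature, Get-MpPreference); the one-day threshold is an assumed policy value, and the script is meant to run locally on the host or be pushed with Invoke-AzVMRunCommand.

```powershell
# Added example (not from the benchmark page): report Microsoft Defender
# Antivirus signature freshness on this host and force an update when stale.
# Assumes Windows Server 2016+ with the Defender PowerShell module present.

$MaxSignatureAgeDays = 1   # assumed policy threshold; tune to your standard

$status = Get-MpComputerStatus

# AntivirusSignatureAge is reported in days; AMEngineVersion covers ES-3's
# "engine updates" as well as signatures.
$report = [pscustomobject]@{
    Host                 = $env:COMPUTERNAME
    AntivirusEnabled     = $status.AntivirusEnabled
    RealTimeProtection   = $status.RealTimeProtectionEnabled
    SignatureVersion     = $status.AntivirusSignatureVersion
    SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    SignatureAgeDays     = $status.AntivirusSignatureAge
    EngineVersion        = $status.AMEngineVersion
}
$report | Format-List

# Fresh signatures do not help if real-time protection has been switched off.
if (-not $status.RealTimeProtectionEnabled) {
    Write-Warning "Real-time protection is disabled on $env:COMPUTERNAME (ES-2 not satisfied)"
}

if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    Write-Warning "Signatures are $($status.AntivirusSignatureAge) day(s) old; forcing an update"
    Update-MpSignature

    # Re-check instead of trusting the update call: an unreachable update
    # source fails quietly and leaves the age unchanged.
    $after = Get-MpComputerStatus
    if ($after.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $sources = (Get-MpPreference).SignatureFallbackOrder
        Write-Error "Signature update did not take effect; check update sources: $sources"
    }
}
```

The re-check after Update-MpSignature is the important part: on an isolated VM with no route to the update source the cmdlet returns without error, so a script that only calls it and exits would report the host as compliant while it is still running stale signatures.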
Implementation and additional context:
- How to deploy Microsoft Antimalware for Cloud Services and virtual machine
- Endpoint protection assessment and recommendations in Microsoft Defender for Cloud
Customer Security Stakeholders (Learn more):