Share via

Endpoint Security

Endpoint Security ensures comprehensive protection of cloud-hosted compute endpoint resources. Effective endpoint security prevents unauthorized access, detects and responds to threats, and maintains security compliance for virtualized infrastructure running in cloud environments.

Without comprehensive endpoint security capabilities:

  • Malware and ransomware infections: Unprotected cloud virtual machines allow malware execution, ransomware encryption, and persistent threats compromising workload integrity and business operations.
  • Credential theft and lateral movement: Compromised cloud endpoints enable attackers to harvest credentials, escalate privileges, and move laterally across cloud environments and virtual networks.
  • Data exfiltration: Unmanaged cloud workloads lack data protection controls allowing unauthorized data transfer from cloud storage and databases.
  • Compliance violations: Inability to demonstrate endpoint security controls for cloud infrastructure creates regulatory audit failures and potential sanctions.
  • Unmanaged cloud resources: Provisioned virtual machines without security agents bypass protection controls creating security gaps and visibility blind spots.
  • Configuration drift: Cloud virtual machines operating with inconsistent security configurations create vulnerabilities and reduce overall security posture.

Here are the two core pillars of the Endpoint Security security domain.

Cloud endpoint threat protection: Deploy comprehensive threat detection and response capabilities for cloud virtual machines including anti-malware, behavioral analysis, and automated remediation. Implement real-time threat intelligence correlation and integrated extended detection and response (XDR) to identify and neutralize threats targeting cloud workloads before they cause damage.

Related controls:

Cloud endpoint security configuration: Enforce security baselines and hardening standards across all cloud virtual machines including operating system configurations, application controls, and security feature enablement. Maintain consistent security posture through automated configuration management and drift detection for cloud-hosted compute resources.

Related controls:

ES-1: Use Endpoint Detection and Response (EDR)

Azure Policy: See Azure built-in policy definitions: ES-1.

Security principle

Implement comprehensive endpoint detection and response capabilities providing real-time visibility into endpoint activities, behavioral analytics, and automated threat response. Enable security organizations to detect advanced threats, investigate incidents, and respond rapidly to contain and remediate endpoint compromises across the environment.

Risk to mitigate

Organizations operating without comprehensive endpoint detection and response capabilities face significant risks from advanced threats that bypass traditional preventive controls. Without EDR:

  • Undetected advanced threats: Sophisticated attacks including fileless malware, living-off-the-land techniques, and zero-day exploits evade signature-based detection operating undetected for extended periods.
  • Delayed incident response: Lack of real-time visibility into endpoint activities prevents rapid threat detection and response allowing attackers time to establish persistence and exfiltrate data.
  • Limited threat visibility: Security teams cannot identify attack patterns, lateral movement, or command-and-control communications without comprehensive endpoint telemetry and behavioral analytics.
  • Ineffective threat containment: Manual investigation and remediation processes allow threats to spread across endpoints during response activities creating wider organizational impact.
  • Missing forensic capabilities: Absence of historical endpoint activity data prevents root cause analysis, attack reconstruction, and lessons learned from security incidents.
  • Blind spots in security posture: Unmonitored endpoint activities create visibility gaps preventing detection of insider threats, privilege escalation, and data exfiltration attempts.

Without EDR capabilities, organizations detect threats only after significant damage occurs rather than during attack execution phases.

MITRE ATT&CK

  • Initial Access (TA0001): phishing (T1566) and exploit public-facing application (T1190) gaining initial foothold on endpoints without detection.
  • Execution (TA0002): command and scripting interpreter (T1059) executing malicious code on endpoints bypassing preventive controls.
  • Persistence (TA0003): create or modify system process (T1543) establishing persistent access mechanisms undetected by traditional anti-malware.
  • Defense Evasion (TA0005): impair defenses (T1562) disabling security tools and obfuscate files or information (T1027) evading detection capabilities.
  • Credential Access (TA0006): OS credential dumping (T1003) harvesting credentials from endpoint memory for privilege escalation and lateral movement.

ES-1.1: Deploy endpoint detection and response solution

Traditional antivirus signature detection misses modern threats that use fileless techniques, living-off-the-land binaries, and sophisticated obfuscation to evade static analysis, leaving endpoints vulnerable to zero-day exploits and advanced persistent threats. Endpoint detection and response provides behavioral monitoring and machine learning that identifies malicious activities regardless of signature availability, detecting anomalous process execution, credential access attempts, and lateral movement patterns. Comprehensive telemetry collection enables forensic investigation and threat hunting that reconstructs attack timelines and identifies compromise indicators missed during initial detection.

Establish behavioral threat detection through these EDR capabilities:

EDR configuration best practices:

  • Enable behavioral detection: Configure behavioral analytics to monitor process execution patterns, file system changes, network connections, and registry modifications focusing on high-value Azure VMs hosting sensitive workloads.
  • Tune detection sensitivity: Adjust threat detection sensitivity based on workload criticality balancing false positive rates with detection coverage for fileless malware, LOLBins (living-off-the-land binaries - legitimate system tools used maliciously), and credential access attempts.
  • Configure automated response: Define automated response actions appropriate for workload types including process termination for non-critical VMs and alerting-only for production systems requiring manual review.
  • Establish investigation procedures: Document investigation workflows leveraging process tree analysis, timeline reconstruction, and network connection tracking ensuring security teams can rapidly assess incident scope.
  • Define alert escalation: Configure alert severity thresholds and escalation paths routing critical threats to on-call security personnel within defined response time objectives.

EDR deployment strategy:

  • Universal cloud endpoint coverage: Deploy Microsoft Defender for Endpoint agents across all Azure Windows VMs, Linux VMs, Azure Virtual Desktop session hosts, and virtual machine scale sets ensuring comprehensive visibility without coverage gaps.
  • Automatic provisioning: Enable automatic agent provisioning through Microsoft Defender for Cloud for new virtual machines ensuring immediate protection upon resource creation.
  • Sensor health monitoring: Continuous monitoring of EDR sensor health, version compliance, and telemetry flow with automated alerting for offline or misconfigured cloud virtual machines.
  • Cloud-native architecture: Cloud-delivered EDR platform with native Azure integration providing automatic updates and scalability for cloud workloads.
  • Performance optimization: Lightweight sensor design minimizing virtual machine resource consumption while maintaining comprehensive monitoring capabilities for cloud workloads.

ES-1.2: Integrate EDR with extended detection and response (XDR)

Isolated endpoint detection generates disconnected alerts that miss sophisticated attack chains spanning identity compromise, lateral movement, and data exfiltration across multiple systems and services. Extended detection and response correlates telemetry from endpoints, identity providers, cloud infrastructure, and network traffic to reveal complete attack narratives that single-signal detection cannot identify. Unified incident context enables security teams to understand full attack scope and implement coordinated containment across all affected systems simultaneously rather than responding to each alert independently.

Correlate cross-platform threats through these XDR integration capabilities:

  • Integrate endpoint detection and response with Microsoft Defender XDR to correlate security telemetry across identity, email, applications, and cloud infrastructure enabling unified threat detection and coordinated response across the environment.

XDR integration best practices:

  • Enable cross-signal correlation: Activate Microsoft Defender XDR integration to correlate cloud VM events with Azure Activity logs, Microsoft Entra ID authentication signals, and Azure Network Watcher traffic analysis creating unified incident context.
  • Configure incident grouping: Define correlation rules grouping related alerts from cloud VMs, identity systems, and infrastructure changes into single incidents reducing investigation overhead and improving mean time to detect (MTTD).
  • Design response playbooks: Create coordinated response workflows automating VM isolation through Network Security Group updates, service account suspension through Microsoft Entra ID, and snapshot creation for forensics.
  • Establish priority scoring: Configure incident severity scoring incorporating VM criticality tags, data classification, and attack progression stage to prioritize security operations team response.
  • Review attack path visualization: Regularly analyze XDR-generated attack paths identifying lateral movement opportunities and privileged access risks requiring architectural remediation.

XDR architecture components:

  • Identity signals: Integration with Microsoft Entra ID Protection correlating cloud VM activities with authentication anomalies, impossible travel, and credential compromise indicators for cloud-based identities.
  • Cloud infrastructure integration: Correlation of virtual machine malware detection with Azure Activity logs, resource deployment events, and infrastructure changes identifying supply chain and configuration-based attacks.
  • Cloud workload protection: Unified visibility across Azure Virtual Machines, container instances, and Microsoft Defender for Cloud protected resources detecting threats spanning cloud subscriptions and regions.
  • Network detection integration: Correlation of VM communications with Azure Network Watcher and virtual network traffic analysis identifying command-and-control traffic and lateral movement across cloud networks.

ES-1.3: Enable EDR automation and integration

Manual investigation and response to high-volume security alerts creates unsustainable analyst workload while introducing response delays that allow threats to progress from initial compromise to data exfiltration. Automated investigation analyzes alert context, performs forensic analysis, and determines remediation actions within seconds rather than hours of manual analysis. Security orchestration integrates EDR telemetry with cloud infrastructure controls and identity management, enabling coordinated automated response that isolates compromised systems, revokes credentials, and preserves forensic evidence simultaneously.

Accelerate threat response through these automation capabilities:

  • Implement automated investigation, remediation, and security operations integration reducing mean time to respond (MTTR) and enabling unified threat detection across security platforms.

Automated investigation and remediation:

  • Enable automated investigations: Activate automatic investigation for medium and high-severity alerts on non-production VMs to build investigation baseline while requiring manual approval for production workloads.
  • Define approval workflows: Establish approval gates for automated remediation actions on production VMs requiring security architect review for changes impacting business operations.
  • Configure automated remediation: Enable automated malware removal, persistence elimination, VM network isolation through Azure Network Security Group updates, and security configuration restoration.
  • Document escalation criteria: Define criteria for escalating automated investigations to human analysts when similarity analysis identifies coordinated campaigns or advanced persistent threats.

Security operations integration:

  • Integrate with SIEM: Stream EDR telemetry to Microsoft Sentinel enabling unified security monitoring and develop correlation rules combining EDR alerts with Azure Activity logs, resource changes, and identity signals.
  • Enable SOAR automation: Configure automated response playbooks coordinating EDR containment with Azure resource isolation, identity management, and virtual network security updates.
  • Retain historical data: Maintain historical EDR data for compliance requirements, threat hunting, and retrospective analysis enabling investigation of sophisticated threats.
  • Enrich threat intelligence: Implement automated threat intelligence lookups, file hash analysis, and Azure resource metadata gathering accelerating investigation and response decisions.

Implementation example

A financial services organization operating cloud-hosted trading platforms discovered advanced persistent threats during forensic investigation that had operated undetected for weeks, compromising customer account data.

Challenge: Traditional antivirus on cloud VMs provided only signature-based detection, missing fileless attacks and lateral movement. Security team lacked visibility into attack timelines and struggled with manual investigation across distributed cloud infrastructure.

Solution approach:

  • Comprehensive EDR deployment: Enabled Microsoft Defender for Endpoint through Microsoft Defender for Cloud integration with automatic provisioning across Windows/Linux VMs and Azure Virtual Desktop session hosts using Azure Policy.
  • Automated threat response: Configured automated remediation for cryptocurrency miners, web shells, and unauthorized software. Deployed response playbooks isolating compromised VMs through Network Security Group updates and triggering forensic snapshots.
  • XDR integration: Deployed Microsoft Defender XDR correlating VM telemetry with Microsoft Entra ID authentication signals and Azure infrastructure changes, creating unified incident context.
  • Proactive threat hunting: Established threat hunting program using advanced hunting queries focused on lateral movement patterns across Azure virtual networks.

Outcome: Dramatically reduced threat detection time from weeks to hours. Automated response contained majority of threats without manual intervention. Unified incident view significantly reduced investigation time.

Criticality level

Must have.

Control mapping

  • NIST SP 800-53 Rev.5: SI-4(1), SI-4(2), SI-4(5), SI-4(12), SI-4(16), IR-4(1), IR-4(4)
  • PCI-DSS v4: 5.3.2, 5.3.4, 10.2.1, 11.5.1
  • CIS Controls v8.1: 8.5, 8.11, 13.2, 13.10
  • NIST CSF v2.0: DE.CM-1, DE.CM-4, DE.CM-7, RS.AN-1
  • ISO 27001:2022: A.8.16, A.5.24, A.5.26
  • SOC 2: CC7.2, CC7.3

ES-2: Use modern anti-malware software

Azure Policy: See Azure built-in policy definitions: ES-2.

Security principle

Deploy modern anti-malware solutions combining signature-based detection with behavioral analytics, machine learning, cloud-delivered intelligence, and exploit prevention to protect against known and unknown threats. Ensure comprehensive malware protection across all endpoint platforms with minimal performance impact and centralized management.

Risk to mitigate

Organizations relying on outdated or signature-only anti-malware solutions face increasing risk from modern threats that evade traditional detection methods. Without modern anti-malware capabilities:

  • Zero-day exploit vulnerability: Signature-based detection cannot identify new malware variants and zero-day exploits before signatures are created and distributed.
  • Polymorphic malware evasion: Advanced malware using polymorphic code, encryption, and obfuscation techniques bypass signature matching and static analysis.
  • Fileless attack execution: Memory-resident attacks executing entirely in RAM without touching disk evade traditional file-based scanning mechanisms.
  • Ransomware encryption: Modern ransomware variants execute encryption rapidly before signature-based detection can identify and block malicious processes.
  • Script-based attack delivery: PowerShell, JavaScript, and other scripting attacks leverage trusted system tools evading application-based anti-malware controls.
  • Performance degradation: Legacy anti-malware solutions consuming excessive system resources impact endpoint performance and user productivity.

Traditional signature-based anti-malware provides insufficient protection against modern threat landscape requiring advanced behavioral detection and machine learning capabilities.

MITRE ATT&CK

  • Execution (TA0002): malicious file (T1204.002) executing malware payloads delivered through phishing, downloads, or removable media.
  • Defense Evasion (TA0005): obfuscated files or information (T1027) and virtualization/sandbox evasion (T1497) bypassing signature-based detection.
  • Impact (TA0040): data encrypted for impact (T1486) deploying ransomware encrypting organizational data before detection occurs.

ES-2.1: Deploy next-generation anti-malware solution

Signature-based anti-malware provides essential baseline protection against known threats, but modern malware employs polymorphism, packing, and encryption to evade traditional detection requiring behavioral analysis and machine learning classification. Multi-layered protection combines static signatures for known threats with dynamic behavior monitoring and cloud-powered intelligence to detect emerging malware variants and zero-day exploits. Centralized management ensures consistent protection baselines across all endpoints while tamper protection prevents adversaries from disabling security controls after gaining initial access.

Deploy comprehensive malware protection through these defense layers:

  • Implement Microsoft Defender Antivirus on Azure Virtual Machines providing multi-layered protection including signature-based detection, behavioral analysis, machine learning classification, and exploit prevention capabilities for cloud workloads.

Anti-malware configuration best practices:

  • Configure protection layers: Enable all protection layers (signature-based, heuristic, behavioral, cloud-powered ML) by default allowing selective disabling only when specific workload requirements documented and approved by security team.
  • Enable cloud-delivered protection: Activate cloud protection with automatic sample submission for unknown files except for VMs processing highly sensitive data requiring air-gapped protection models.
  • Configure exclusion management: Establish formal exception process requiring business justification, security review, and time-limited approvals for anti-malware exclusions minimizing attack surface exposure.
  • Test tamper protection: Enable tamper protection on all production VMs and validate effectiveness through controlled testing ensuring anti-malware remains operational during simulated attacks.
  • Establish centralized management: Implement centralized anti-malware management through Microsoft Defender for Cloud and Azure Policy defining organizational baseline configuration and governance workflows for configuration changes.

ES-2.2: Enable advanced threat protection features

Malware detection alone provides insufficient protection when adversaries exploit memory corruption vulnerabilities, abuse legitimate system features, and encrypt data before traditional signatures detect their presence. Exploit protection mitigations (DEP, ASLR, Control Flow Guard) block memory-based attacks regardless of malware signatures, preventing exploitation of application vulnerabilities. Attack surface reduction rules constrain adversary techniques by blocking script execution from untrusted sources, limiting credential access, and protecting critical data folders before ransomware encryption occurs.

Prevent exploitation techniques through these advanced protections:

  • Configure advanced protection features including exploit protection, attack surface reduction, controlled folder access, and network protection to prevent exploit techniques and reduce attack surface.

Exploit protection configuration:

  • Enable memory protections: Activate Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG) on all Azure VMs testing application compatibility in development environments before production deployment.
  • Configure application-specific protections: Apply targeted exploit protections to high-risk applications (browsers, Office apps, PDF readers) with exceptions documented and reviewed quarterly.
  • Test mitigation effectiveness: Conduct controlled exploit simulation testing validating protection against common techniques (heap spraying, ROP, SEH overwrites) adjusting configurations based on results.
  • Establish exception process: Define formal approval workflow for exploit protection exceptions requiring security architect review, business justification, and compensating controls.

Attack surface reduction configuration:

  • Deploy ASR rules progressively: Enable attack surface reduction rules in audit mode first analyzing impact for 30 days before switching to block mode starting with low-impact rules.
  • Configure script execution controls: Block obfuscated JavaScript/VBScript/PowerShell execution from untrusted sources while maintaining documented exceptions for legitimate automation scripts.
  • Enable ransomware protection: Configure controlled folder access protecting critical data folders with approved application list reviewed monthly.
  • Implement credential protection: Enable LSASS protection blocking credential stealing from Windows Local Security Authority Subsystem monitoring for false positives affecting legitimate security tools.
  • Monitor ASR rule effectiveness: Review ASR rule block events weekly identifying attack patterns and adjusting rule configurations optimizing security coverage.

Network protection:

  • Web threat protection: Blocking connections to malicious IP addresses, domains, and URLs preventing command-and-control communications and malicious downloads.
  • SmartScreen integration: Microsoft Defender SmartScreen real-time reputation checks for downloaded files and visited websites preventing access to known phishing and malware distribution sites.
  • Network intrusion prevention: Detection and blocking of network-based exploit attempts and lateral movement activities at the endpoint level.

Implementation example

A healthcare organization suffered ransomware attack encrypting patient records on Azure Virtual Desktop infrastructure. Traditional antivirus failed to detect memory-resident malware delivered through weaponized medical imaging files.

Challenge: Legacy signature-based protection couldn't detect fileless attacks or script-based ransomware. Clinicians needed uninterrupted access to medical applications while maintaining HIPAA security controls. Ransomware encrypted patient records before detection.

Solution approach:

  • Behavioral detection: Deployed Microsoft Defender Antivirus with cloud-delivered protection and behavioral analysis detecting fileless malware and script-based attacks on medical application VMs.
  • Attack surface reduction: Configured ASR rules blocking PowerShell execution from untrusted sources and preventing credential dumping on application servers hosting electronic health records.
  • Ransomware protection: Implemented controlled folder access on Azure Virtual Desktop protecting patient data directories from unauthorized modification, blocking ransomware encryption attempts.
  • Exploit prevention: Enabled exploit protection for web browsers and medical imaging viewers preventing initial compromise vectors.

Outcome: Detected and blocked subsequent ransomware attempts within seconds before encryption. Substantially reduced false positives through behavioral analytics. Maintained HIPAA compliance with comprehensive protection coverage.

Criticality level

Must have.

Control mapping

  • NIST SP 800-53 Rev.5: SI-3(1), SI-3(2), SI-3(4), SI-3(7), SI-3(8)
  • PCI-DSS v4: 5.1.1, 5.2.1, 5.2.2, 5.2.3, 5.3.1, 5.3.2
  • CIS Controls v8.1: 10.1, 10.2, 10.5, 10.7
  • NIST CSF v2.0: DE.CM-4, PR.DS-6
  • ISO 27001:2022: A.8.7
  • SOC 2: CC6.1, CC7.2

ES-3: Ensure anti-malware software and signatures are updated

Security principle

Maintain current anti-malware protection through automated signature updates, software version management, and update compliance monitoring. Ensure all endpoints receive timely protection updates minimizing vulnerability windows and maintaining effective threat detection capabilities.

Risk to mitigate

Outdated anti-malware signatures and software versions leave endpoints vulnerable to known threats that could be prevented with current protection. Without timely updates:

  • Known malware detection failure: Outdated signatures cannot detect new malware variants, exploits, and threat campaigns identified after last update.
  • Protection bypass: Attackers specifically target endpoints with outdated protection knowing signature gaps allow malware execution.
  • Exploit vulnerability: Unpatched anti-malware software contains vulnerabilities that attackers exploit to disable protection or escalate privileges.
  • Compliance violations: Regulatory frameworks require current anti-malware protection with audit failures resulting from outdated signatures or software versions.
  • Incident response gaps: Outdated protection prevents detection during initial attack phases allowing threats to establish persistence before updates enable detection.

Organizations maintaining current anti-malware updates significantly reduce malware infection rates and improve overall security posture.

MITRE ATT&CK

  • Defense Evasion (TA0005): impair defenses (T1562) exploiting outdated anti-malware to avoid detection.
  • Execution (TA0002): exploitation for client execution (T1203) leveraging known exploits that current signatures would detect.

ES-3.1: Configure and enforce automated updates

Anti-malware protection degrades rapidly as threat signatures age and detection engines become outdated, with new malware variants emerging continuously that evade older detection capabilities. Automated update mechanisms ensure endpoints maintain current threat intelligence and detection algorithms without relying on manual processes that introduce delays and coverage gaps. Compliance monitoring identifies endpoints with outdated protection that represent high-risk vulnerabilities in the security perimeter, enabling targeted remediation before adversaries exploit protection gaps.

Maintain current anti-malware effectiveness through these update processes:

  • Implement automated anti-malware signature and software update processes with compliance monitoring and enforcement ensuring endpoints maintain current protection without manual intervention.

Automated update configuration:

  • Enable automatic signature updates: Configure automatic signature update checks multiple times daily ensuring rapid deployment of new threat intelligence addressing emerging threats.
  • Enable automatic engine updates: Configure automated detection engine and platform updates ensuring endpoints receive enhanced detection capabilities and critical security improvements.
  • Configure reliable update sources: Establish primary cloud-delivered updates with failover mechanisms ensuring consistent update delivery protecting against update service disruptions.
  • Validate update integrity: Enable automated validation of signature and software updates before deployment preventing corrupted or malicious update packages from compromising endpoint protection.
  • Test critical updates: Validate major software version updates in non-production environments confirming compatibility and effectiveness before production deployment preventing operational disruptions.

Compliance monitoring and enforcement:

  • Monitor update compliance: Track signature age and software versions across endpoints identifying devices with outdated protection exceeding security policy thresholds.
  • Enforce automated remediation: Configure automated update enforcement for non-compliant endpoints ensuring timely protection updates without manual intervention.
  • Restrict non-compliant access: Integrate with network access control restricting access for endpoints with critically outdated protection until remediation completed.
  • Manage security exceptions: Establish formal exception process for endpoints requiring delayed updates with documented compensating controls and time-limited approvals.

Implementation example

An organization with global operations suffered malware outbreak affecting critical business systems when outdated antivirus signatures failed to detect known malware variant, exposing sensitive data and disrupting operations.

Challenge: Global operations across multiple time zones made coordinated updates difficult. Regional bandwidth constraints delayed signature distribution. Manual update processes created gaps where endpoints ran outdated protection during peak operational periods.

Solution approach:

  • Automated update cadence: Configured cloud-delivered updates checking every 2 hours ensuring rapid threat intelligence deployment. Removed dependency on manual update processes.
  • Compliance enforcement: Implemented Azure Policy monitoring alerting when signatures exceed 7 days old. Integrated with network access control denying access to non-compliant endpoints.
  • Phased rollout strategy: Configured phased deployment testing major versions with small pilot group before full rollout, preventing operational disruption while maintaining protection currency.

Outcome: Dramatically reduced average signature age from weeks to hours. Achieved high compliance with no malware incidents related to outdated signatures in subsequent period.

Criticality level

Must have.

Control mapping

  • NIST SP 800-53 Rev.5: SI-3(2), SI-2(2), SI-2(5)
  • PCI-DSS v4: 5.3.3, 6.3.3
  • CIS Controls v8.1: 10.3, 7.2
  • NIST CSF v2.0: DE.CM-4, PR.IP-1
  • ISO 27001:2022: A.8.7, A.8.8
  • SOC 2: CC8.1
  • Last updated on