Posture and Vulnerability Management

Posture and vulnerability management enables organizations to systematically identify, assess, prioritize, and remediate security weaknesses before exploitation. Unlike traditional periodic scanning, modern cloud environments require continuous assessment, risk-based prioritization, and automated remediation to address rapid provisioning, configuration drift, and dynamic attack surfaces spanning infrastructure-as-code, containers, and serverless functions. Organizations implementing these capabilities maintain secure-by-default environments while rapidly remediating critical exposures, while those neglecting these controls face undetected weaknesses and prolonged exposure windows.

Here are the four core pillars of the Posture and Vulnerability Management security domain.

Establish secure baselines: Define and implement security configuration baselines across all cloud resources ensuring environments are secure by default through configuration management tools, policy enforcement, and infrastructure-as-code approaches that establish consistent security configurations aligned with industry standards and organizational requirements.

Related controls:

PV-1: Define and establish secure configurations
PV-3: Define and establish secure configurations for compute resources

Monitor and enforce compliance: Continuously audit and enforce secure configurations detecting and remediating configuration drift through automated monitoring and remediation capabilities. Maintain comprehensive visibility into attack surfaces through continuous asset discovery and vulnerability assessments across infrastructure, platforms, applications, and operating systems identifying security weaknesses requiring attention.

Related controls:

PV-2: Audit and enforce secure configurations
PV-4: Audit and enforce secure configurations for compute resources
PV-5: Perform vulnerability assessments

Remediate using risk-based prioritization: Focus remediation efforts on vulnerabilities posing genuine threats through risk-based prioritization combining exploit likelihood assessment, active exploitation tracking, asset criticality, and exposure context. Implement automated patching and vulnerability remediation processes prioritizing critical exposures while minimizing operational disruption and validating security effectiveness through advanced testing techniques.

Related controls:

PV-5: Perform vulnerability assessments
PV-6: Rapidly and automatically remediate vulnerabilities
PV-7: Conduct regular red team operations

Integrate development security: Prevent vulnerabilities before production deployment through security validation integrated early in development processes and software supply chain protection. Implement pre-deployment security scanning, dependency vulnerability assessment, and supply chain risk management preventing security weaknesses from reaching production environments.

For comprehensive guidance on shift-left security practices and supply chain security controls including CI/CD pipeline integration, SBOM management, artifact signing, dependency scanning, and developer security workflows, refer to the DevOps Security (DS) section of this benchmark.

PV-1: Define and establish secure configurations

Security principle

Define security configuration baselines for different resource types in the cloud using configuration management tools to establish compliant environments by default. Leverage industry standards, vendor recommendations, and organizational requirements to create comprehensive baselines that can be automatically applied during resource deployment.

Risk to mitigate

Without standardized security configuration baselines, cloud environments suffer from inconsistent security postures that create exploitable weaknesses. Absence of secure configuration standards leads to:

Configuration drift vulnerabilities: Resources deployed without security baselines introduce misconfigurations including open firewall rules, weak authentication settings, excessive permissions, and disabled security logging-creating entry points for attackers.
Inconsistent security postures: Different teams deploying resources with varying security configurations create an unpredictable attack surface where some environments have strong protections while others remain vulnerable.
Compliance violations: Regulatory frameworks (PCI-DSS, HIPAA, SOC 2) mandate specific security configurations-absent baselines result in non-compliant deployments and audit failures.
Default configuration exploitation: Cloud services often ship with default configurations optimized for functionality rather than security-unmodified defaults frequently contain security weaknesses that attackers routinely exploit.
Manual configuration errors: Teams manually configuring security settings introduce human errors including typos, omitted settings, and misunderstood requirements that weaken overall security posture.
Scale amplification of weaknesses: In cloud environments, configuration weaknesses replicate across hundreds or thousands of resources through automation-a single baseline flaw impacts the entire environment.

Without secure configuration baselines, organizations operate reactive security where weaknesses are discovered only after exploitation rather than prevented through proactive standards.

MITRE ATT&CK

Initial Access (TA0001): exploit public-facing application (T1190) leveraging misconfigured services with default credentials or excessive network exposure.
Persistence (TA0003): create account (T1136) exploiting weak account policies or administrative access controls in baseline configurations.
Defense Evasion (TA0005): impair defenses (T1562) disabling security controls that were not properly configured or enforced in baseline deployments.
Discovery (TA0007): cloud infrastructure discovery (T1580) enumerating misconfigured resources to map attack paths and identify high-value targets.

PV-1.1: Establish security configuration baselines

Organizations lacking standardized security configurations deploy resources with inconsistent security postures, creating vulnerabilities across environments while consuming significant operational effort manually configuring each deployment. Configuration baselines establish repeatable security standards that prevent configuration drift and ensure consistent protection across all cloud resources. Standardized security configurations accelerate secure deployment while reducing configuration-related security incidents and compliance violations.

Establish consistent security configurations through standardized baselines:

Define security configuration baselines: Use Microsoft Cloud Security Benchmark and service-specific security recommendations to establish configuration standards for each Azure service.
Implement Azure landing zones: Use Azure landing zones to accelerate workload deployment with pre-configured security settings and governance controls.
Use infrastructure-as-code templates: Codify and deploy consistent security configurations using Bicep templates and Template Specs for repeatable deployments.
Reference architectural guidance: Follow Azure Well-Architected Framework security pillar for architectural configuration guidance and best practices.

Implementation example

A financial services organization established comprehensive security configuration baselines across their cloud infrastructure supporting online banking applications and customer data processing systems serving 2.5 million customers.

Challenge: Financial services organization lacked standardized security configurations across cloud infrastructure, resulting in inconsistent security postures across 500+ Azure resources with configuration-related security incidents and prolonged environment deployment times due to manual security configuration processes.

Solution approach:

Define comprehensive security baselines:

Create Template Specs containing security configuration standards for common resource types:
- Virtual networks with network security groups configured for least-privilege access
- Storage accounts with encryption at rest enabled, public access disabled, and logging configured
- Key vaults with access policies restricting secret access to authorized applications only
- App Services with HTTPS enforcement, identity integration, and security headers configured
- SQL databases with transparent data encryption, auditing enabled, and firewall rules configured
Establish compute resource baselines using Azure Machine Configuration:
- Windows Server baseline configurations using Azure Machine Configuration for CIS compliance
- Linux hardening baselines deployed through Azure Automanage machine best practices
- Container image security scanning integrated with Microsoft Defender for Containers in Azure Container Registry
- Azure Kubernetes Service security baselines enforcing Azure Policy add-on with built-in security policies

Implement infrastructure-as-code deployment:

Deploy Bicep templates with Azure Policy integration ensuring compliance at deployment:
- Bicep modules with built-in security parameters (minimumTlsVersion, supportsHttpsTrafficOnly properties)
- Azure Policy deployIfNotExists effects automatically enabling diagnostic settings and encryption
- Template specs versioned and stored in Azure for centralized baseline management
Use Azure DevOps pipelines with Azure Resource Manager deployment tasks and policy compliance checks
Implement Azure Repos branch policies requiring security team code review before merging baseline changes

Outcome: The organization achieved strong compliance with security configuration standards, establishing consistent security postures across all cloud infrastructure. Configuration-related security incidents decreased substantially, demonstrating the effectiveness of standardized security configurations in preventing common gaps and misconfigurations.

Criticality level

Must have.

Control mapping

NIST SP 800-53 Rev.5: CM-2, CM-6, CM-6(1)
PCI-DSS v4: 2.2.1, 12.3.1
CIS Controls v8.1: 4.1, 4.2
NIST CSF v2.0: PR.IP-1, PR.DS-6
ISO 27001:2022: A.8.9, A.5.37
SOC 2: CC6.1, CC6.6

PV-2: Audit and enforce secure configurations

Azure Policy: See Azure built-in policy definitions: PV-2.

Security principle

Continuously monitor and alert on deviations from defined configuration baselines. Enforce desired configurations through automated remediation that denies non-compliant configurations or automatically deploys corrective configurations to maintain security posture.

Risk to mitigate

Configuration drift from established security baselines introduces vulnerabilities that accumulate over time, creating an expanding attack surface. Without continuous monitoring and enforcement:

Silent configuration drift: Manual changes, emergency modifications, and incremental updates gradually weaken security configurations without triggering alerts-resulting in environments that appear secure but contain exploitable gaps.
Compliance degradation: Systems initially deployed with compliant configurations drift away from regulatory requirements through normal operational changes, creating audit findings and certification risks.
Inconsistent enforcement: Different teams applying security configurations manually introduce variations and omissions that create security weak points throughout the environment.
Emergency change exceptions: High-pressure situations lead to security bypasses and temporary configurations that become permanent, eroding overall security posture.
Scale amplification of drift: In cloud environments, configuration changes replicate across multiple resources through automation-a single drift event can weaken hundreds of resources simultaneously.
Undetected misconfigurations: Without automated monitoring, security misconfigurations remain undetected for extended periods, providing persistent opportunities for attacker exploitation.

Configuration drift transforms initially secure environments into vulnerable infrastructure that fails to meet security and compliance requirements.

MITRE ATT&CK

Defense Evasion (TA0005): impair defenses (T1562) exploiting configuration drift to disable or weaken security controls.
Persistence (TA0003): modify authentication process (T1556) leveraging weakened authentication configurations that drifted from secure baselines.
Discovery (TA0007): cloud infrastructure discovery (T1580) identifying misconfigured resources through systematic enumeration of configuration weaknesses.

PV-2.1: Implement continuous configuration monitoring

Configuration drift occurs gradually as manual changes, emergency fixes, and unauthorized modifications deviate resources from security baselines, creating security gaps that traditional periodic audits detect too late to prevent exploitation. Continuous configuration monitoring provides real-time visibility into configuration state and automated detection of security control degradation. Automated enforcement prevents configuration drift while maintaining security posture consistency across all cloud resources.

Maintain security baseline compliance through continuous monitoring and enforcement:

Configure continuous configuration assessment: Use Microsoft Defender for Cloud to continuously assess resource configurations against security recommendations and identify deviations from baselines.
Implement policy-based monitoring: Deploy Azure Policy with audit and enforcement effects to monitor and control resource configurations across all subscriptions.
Create configuration deviation alerts: Use Azure Monitor to create alerts when configuration deviations are detected, triggering investigation and remediation workflows.
Deploy preventive controls: Implement Azure Policy deny effects to prevent deployment of non-compliant configurations at resource creation time.
Automate configuration remediation: Use Azure Policy deployIfNotExists effects to automatically remediate configuration drift without manual intervention.

Implementation example

A healthcare technology company implemented comprehensive configuration monitoring across cloud infrastructure supporting electronic health record (EHR) systems and patient data analytics platforms serving 150+ hospitals.

Challenge: Healthcare technology company experienced configuration drift incidents that created HIPAA compliance risks, with configuration changes going undetected for weeks and manual remediation processes taking days to correct security configuration violations across 150+ hospital environments.

Solution approach:

Deploy continuous monitoring infrastructure:

Enable Microsoft Defender for Cloud across all subscriptions with security policies configured to assess:
- Storage account encryption and access configurations
- Network security group rules and network exposure
- Identity and access management configuration compliance
- Database security configurations and access controls
- Virtual machine security baseline compliance
Configure Azure Monitor Log Analytics with KQL queries detecting configuration changes:
- AzureActivity queries monitoring NetworkSecurityGroupRuleOperations for firewall rule modifications
- AzureDiagnostics queries detecting StorageAccountEncryptionDisabled events
- AuditLogs queries tracking Microsoft Entra PIM role assignments and privilege escalations
- PolicyEvents queries monitoring policy exemption requests and compliance state changes

Implement policy-driven enforcement:

Deploy Azure Policy built-in initiatives for HIPAA HITRUST 9.2 compliance:
- Audit effect policies using Microsoft.Compute, Microsoft.Storage, Microsoft.Network resource providers
- Deny effect policies enforcing allowedLocations, allowedVirtualMachineSkus, deniedResourceTypes
- DeployIfNotExists effect policies deploying Microsoft Defender for Cloud, diagnostic settings, encryption
Configure Azure Policy remediation tasks with managed identity assignments:
- Automated remediation tasks using system-assigned managed identities for policy compliance
- Azure Automation runbooks triggered by policy compliance state changes
- Azure Logic Apps workflows for complex remediation requiring multi-step orchestration

Establish alerting and response workflows:

Create Azure Monitor alert rules for critical configuration changes:
- Immediate alerts for security control disabling or policy exemptions
- Daily summaries of configuration compliance status across environments
- Weekly trend analysis identifying systemic configuration management issues
Integrate alerts with Azure DevOps for tracking and resolution:
- Automatic work item creation for critical security configuration violations
- Assignment to appropriate teams based on resource type and severity
- SLA tracking ensuring timely resolution of configuration drift

Outcome: The organization's configuration monitoring detected and remediated configuration drift incidents that could have led to HIPAA compliance violations, preventing regulatory penalties and protecting patient data. Automated enforcement prevented non-compliant resource deployments before reaching production, ensuring security configurations remained consistent throughout the resource lifecycle.

Criticality level

Must have.

Control mapping

NIST SP 800-53 Rev.5: CM-2, CM-3, CM-6, CM-7, CM-7(1)
PCI-DSS v4: 2.2.2, 2.2.7, 11.5.1
CIS Controls v8.1: 4.1, 4.2, 4.7
NIST CSF v2.0: DE.CM-7, PR.IP-1
ISO 27001:2022: A.8.9, A.8.34
SOC 2: CC6.1, CC6.6, CC7.1

PV-3: Define and establish secure configurations for compute resources

Security principle

Define secure configuration baselines for compute resources including Virtual Machines (VMs) and containers. Use configuration management tools and pre-configured images to establish compliant compute environments by default, ensuring security hardening is applied consistently across all compute deployments.

Risk to mitigate

Compute resources including virtual machines and containers often deploy with insecure default configurations that expose organizations to compromise. Without secure compute baselines:

Operating system vulnerabilities: Default OS installations contain unnecessary services, weak authentication settings, and missing security patches that provide attack vectors for privilege escalation and lateral movement.
Container security gaps: Container images built without security hardening contain vulnerable base layers, excessive privileges, and insecure runtime configurations that enable container escape and host compromise.
Service configuration weaknesses: Applications and services deployed with default configurations often enable unnecessary features, use weak credentials, and lack proper access controls.
Persistent access opportunities: Compute resources with weak security baselines provide attackers with stable footholds for maintaining long-term access and conducting reconnaissance.
Scale amplification: Cloud auto-scaling and orchestration systems replicate insecure compute configurations across hundreds of instances, amplifying the impact of baseline security weaknesses.
Compliance violations: Regulatory standards require specific security configurations for compute resources-insecure baselines create demonstrable compliance gaps.

Insecure compute configurations provide attackers with numerous pathways for initial access, privilege escalation, and persistent presence within cloud environments.

MITRE ATT&CK

Initial Access (TA0001): exploit public-facing application (T1190) targeting services running on insecurely configured compute resources.
Execution (TA0002): command and scripting interpreter (T1059) leveraging weak compute security to execute malicious code.
Persistence (TA0003): create or modify system process (T1543) exploiting weak compute baselines to establish persistent access.
Defense Evasion (TA0005): impair defenses (T1562) disabling security controls on weakly configured compute resources.

PV-3.1: Establish compute security baselines

Compute resources deployed with default configurations contain known security weaknesses and unnecessary services that attackers exploit for initial access and privilege escalation, with operating system vulnerabilities remaining primary attack vectors in cloud environments. Security hardening reduces attack surface by disabling unnecessary services, applying security configurations, and enforcing least-privilege principles at the operating system level. Hardened compute baselines prevent common exploitation techniques while ensuring consistent security posture across all compute resources.

Implement compute security hardening through standardized baselines:

Apply operating system security baselines: Use Azure security baselines for Windows and Linux operating systems to enforce CIS benchmarks and Microsoft security recommendations.
Create hardened virtual machine images: Use Azure Image Builder to create hardened VM images with security configurations pre-applied before deployment.
Establish container security baselines: Apply container security standards using Microsoft Defender for Containers recommendations for image hardening and runtime protection.

Implementation example

A manufacturing company established secure compute baselines across industrial IoT infrastructure and enterprise applications supporting 50+ production facilities and supply chain management systems.

Challenge: Manufacturing company faced security incidents involving compute resources with critical vulnerabilities, lengthy compliance audit preparation due to inconsistent security configurations, and slow VM deployment processes that delayed production facility expansions across 50+ locations.

Solution approach:

Establish VM security baselines:

Create hardened VM images using Azure Image Builder with Azure Compute Gallery:
- Windows Server 2022 images with Azure Image Builder customizations applying CIS benchmarks
- Ubuntu 22.04 LTS images using Azure Image Builder runScripts for security hardening
- Microsoft Defender for Endpoint onboarding automated through Image Builder build scripts
- Azure Compute Gallery versioning with replication across regions for baseline distribution
Configure Azure Machine Configuration for OS-level compliance:
- Azure Machine Configuration packages deploying DSC configurations to Windows VMs
- Azure Machine Configuration custom policies enforcing Linux security baselines
- Azure Disk Encryption enablement enforced through Azure Policy deployIfNotExists
- Secure Boot and vTPM requirements enforced through VM creation policies

Deploy container security baselines:

Configure Azure Container Registry with Microsoft Defender for Containers:
- Microsoft Defender for Containers vulnerability scanning using integrated Trivy scanner for ACR images
- ACR quarantine pattern using repository permissions blocking vulnerable image pulls
- Container build optimization using minimal base images and multi-stage builds
- Azure DevOps pipeline gates failing builds on critical/high CVEs detected by Defender
Implement Azure Kubernetes Service security baselines:
- Azure Policy for AKS enforcing pod security baseline using built-in policy definitions
- Azure CNI with Calico network policies for namespace-level network isolation
- Azure Kubernetes Fleet Manager distributing secure configurations across clusters
- AKS Image Cleaner automatically removing old images based on retention policies

Establish image governance with Azure Policy:

Deploy Azure Policy for container image compliance:
- Azure Policy ensuring only ACR-sourced images deploy to AKS clusters
- Container image tagging requirements enforced through Azure Policy audit effects
- Automated image refresh workflows using Azure Container Registry Tasks scheduled runs
- Azure Compute Gallery integration for approved VM and container base image distribution

Outcome: The organization's secure compute baselines substantially reduced security incidents involving compute resources, demonstrating the effectiveness of standardized security configurations. Vulnerability assessment results showed significant reduction in critical and high-severity findings, reducing attack surface and compliance risks across production facilities.

Criticality level

Must have.

Control mapping

NIST SP 800-53 Rev.5: CM-2, CM-6, SC-28, SC-28(1)
PCI-DSS v4: 2.2.1, 2.2.4, 2.2.5
CIS Controls v8.1: 4.1, 4.8, 18.3
NIST CSF v2.0: PR.IP-1, PR.DS-6, PR.PT-3
ISO 27001:2022: A.8.1, A.8.9, A.8.19
SOC 2: CC6.1, CC6.6, CC6.7

PV-4: Audit and enforce secure configurations for compute resources

Azure Policy: See Azure built-in policy definitions: PV-4.

Security principle

Continuously monitor and alert on configuration deviations from defined baselines in compute resources. Enforce desired configurations through automated remediation that prevents non-compliant configurations or automatically applies corrective measures to maintain security posture.

Risk to mitigate

Compute resource configurations drift from security baselines through normal operations, creating vulnerabilities that accumulate over time. Without continuous monitoring and enforcement:

Configuration drift on critical systems: Production systems gradually deviate from secure baselines through legitimate changes, emergency modifications, and incremental updates-weakening security posture without triggering alerts.
Patch management gaps: Missing security updates leave compute resources vulnerable to known exploits while organizations believe systems are current.
Service sprawl vulnerabilities: New services and applications installed on compute resources introduce security weaknesses that bypass baseline security controls.
Container runtime security drift: Container orchestration platforms allow runtime modifications that can weaken security policies and expose underlying infrastructure.
Compliance verification gaps: Without continuous monitoring, compute resources fall out of compliance with regulatory requirements between periodic audits.

Configuration drift in compute resources provides attackers with evolving opportunities for exploitation as security controls weaken over time.

MITRE ATT&CK

Privilege Escalation (TA0004): exploitation for privilege escalation (T1068) targeting systems with configuration drift allowing elevated access.
Defense Evasion (TA0005): impair defenses (T1562) leveraging configuration changes that weakened security controls.
Persistence (TA0003): modify authentication process (T1556) exploiting authentication configuration drift to maintain persistent access.
Discovery (TA0007): system information discovery (T1082) gathering information from misconfigured systems to identify attack opportunities.

PV-4.1: Implement compute configuration monitoring

Compute resource configurations change frequently through patch installations, application updates, and administrative modifications, creating opportunities for security control degradation that attackers exploit to establish footholds in cloud environments. Continuous compute configuration monitoring detects security weaknesses and unauthorized changes before adversaries can exploit misconfigurations for privilege escalation or lateral movement. Automated configuration assessment and remediation maintains compute security posture while preventing configuration drift across virtual machine and container deployments.

Maintain compute security through continuous configuration assessment and enforcement:

Continuously assess compute security configurations: Use Microsoft Defender for Cloud to continuously assess compute resource security configurations against industry benchmarks and best practices.
Implement ongoing compliance monitoring: Deploy Azure Machine Configuration for ongoing compliance monitoring and automated remediation of configuration drift.
Maintain desired configuration state: Use Azure Automation State Configuration to maintain desired configuration state across compute resources with automated correction capabilities.
Monitor configuration changes: Implement Change Tracking and Inventory to monitor configuration changes across compute resources and detect unauthorized modifications.
Enable container security posture monitoring: Deploy Microsoft Defender for Containers for container security posture monitoring across AKS clusters and container registries.

Implementation example

A financial technology company implemented comprehensive compute configuration monitoring across trading systems and customer-facing applications supporting real-time financial transactions and sensitive financial data processing.

Challenge: Financial technology company experienced configuration drift incidents affecting trading systems, with detection taking days and manual remediation taking hours, creating compliance risks and potential security compromises in systems processing real-time financial transactions for millions of customers.

Solution approach:

Deploy comprehensive configuration monitoring:

Enable Microsoft Defender for Cloud across all compute resources:
- Continuous assessment of VM security configurations against CIS benchmarks
- Container security posture evaluation for Kubernetes clusters
- Security recommendation prioritization based on risk assessment
- Integration with Microsoft Sentinel for centralized security monitoring
Implement Azure Machine Configuration:
- Windows and Linux baseline compliance monitoring for 500+ VMs
- Custom policies enforcing financial services security requirements
- Automated remediation of common configuration drift scenarios
- Compliance reporting for regulatory audit preparation

Establish automated remediation workflows:

Configure Azure Automation State Configuration:
- PowerShell DSC configurations maintaining trading system security requirements
- Automated correction of security-related configuration drift within 5 minutes
- Exception handling for legitimate configuration variations during maintenance
- Compliance validation ensuring remediation actions complete successfully
Deploy Change Tracking and Inventory monitoring:
- Real-time detection of unauthorized software installations
- Monitoring of security-critical file and registry changes
- Alert generation for configuration changes outside maintenance windows
- Integration with change management processes for approved modifications

Implement container security monitoring:

Enable Microsoft Defender for Containers across AKS clusters:
- Runtime security monitoring detecting suspicious container behavior
- Image vulnerability assessment for all deployed container images
- Kubernetes cluster configuration assessment against security best practices
- Network traffic analysis identifying unusual communication patterns
Enforce AKS security policies through Azure Policy for Kubernetes:
- Azure Policy built-in definitions enforcing pod security baseline (no privileged containers)
- Azure Policy add-on for AKS using Gatekeeper v3 OPA constraint framework
- Azure CNI with Calico network policies for namespace-level network isolation
- Azure Policy initiative deploying container CPU/memory limits via LimitRange objects

Establish governance and reporting:

Create compliance dashboards and reporting:
- Real-time visibility into compute resource compliance status
- Trend analysis identifying systematic configuration management issues
- Executive reporting on security posture and improvement metrics
- Integration with risk management frameworks for risk quantification
Implement automated incident response:
- Immediate alerts for critical security configuration violations
- Automated isolation of non-compliant resources pending remediation
- Integration with Azure DevOps for work item tracking and resolution
- Post-incident analysis and baseline improvement recommendations

Outcome: The organization's configuration monitoring detected and remediated configuration drift incidents that could have led to security compromises, preventing financial losses and data breaches. Automated enforcement prevented dangerous configuration changes before impacting production systems, ensuring trading platform stability throughout business growth.

Criticality level

Must have.

Control mapping

NIST SP 800-53 Rev.5: CM-3, CM-6, CM-6(1), SI-2, SI-2(2)
PCI-DSS v4: 2.2.2, 2.2.7, 11.3.1, 11.3.2
CIS Controls v8.1: 4.1, 4.2, 4.7, 18.5
NIST CSF v2.0: DE.CM-7, DE.CM-8, PR.IP-1
ISO 27001:2022: A.8.9, A.8.19, A.8.34
SOC 2: CC6.1, CC6.6, CC7.1, CC7.2

PV-5: Perform vulnerability assessments

Azure Policy: See Azure built-in policy definitions: PV-5.

Security principle

Perform comprehensive vulnerability assessments across all cloud resources on a scheduled basis and on-demand. Track and compare scan results to verify remediation effectiveness. Include assessment of infrastructure vulnerabilities, application weaknesses, configuration issues, and network exposures while securing administrative access used for scanning activities.

Risk to mitigate

Unidentified vulnerabilities across cloud infrastructure provide attackers with numerous exploitation opportunities. Without comprehensive vulnerability assessment:

Unknown vulnerability exposure: Systems contain security weaknesses that remain undetected until exploited-providing attackers with established footholds that bypass security controls.
Outdated vulnerability databases: Security teams lack current knowledge of emerging threats and newly discovered vulnerabilities affecting their infrastructure.
Multi-layer blind spots: Traditional network-focused scanning misses vulnerabilities in cloud services, container images, serverless functions, and managed services.
Configuration-based vulnerabilities: Misconfigurations and policy weaknesses escape detection by traditional vulnerability scanners focused on software flaws.
Privileged access risks: Administrative accounts used for vulnerability scanning create additional attack vectors if not properly secured and monitored.
Assessment coverage gaps: Incomplete scanning leaves portions of infrastructure unassessed, creating safe havens for attacker operations.
Remediation tracking failures: Without systematic vulnerability tracking, organizations lose visibility into which vulnerabilities have been addressed and which remain outstanding.

Inadequate vulnerability assessment transforms unknown weaknesses into successful attack vectors that enable initial access, privilege escalation, and lateral movement.

MITRE ATT&CK

Initial Access (TA0001): exploit public-facing application (T1190) leveraging unpatched vulnerabilities in web applications and services.
Privilege Escalation (TA0004): exploitation for privilege escalation (T1068) targeting known vulnerabilities in operating systems and applications.
Lateral Movement (TA0008): exploitation of remote services (T1021) using vulnerabilities to move between systems and networks.
Defense Evasion (TA0005): exploitation for defense evasion (T1562) leveraging vulnerabilities to disable or bypass security controls.

PV-5.1: Implement comprehensive vulnerability assessment

Organizations lacking comprehensive vulnerability visibility operate with unknown security weaknesses that attackers identify and exploit before security teams discover them, with critical vulnerabilities remaining undetected across compute resources, containers, and databases. Continuous vulnerability assessment provides complete visibility into security weaknesses across all cloud resources, enabling proactive remediation before adversaries exploit vulnerabilities for initial access or privilege escalation. Multi-layered scanning combined with exposure management delivers risk-based prioritization that focuses remediation efforts on vulnerabilities most likely to enable successful attacks.

Identify and prioritize security weaknesses through comprehensive vulnerability assessment:

Enable comprehensive vulnerability assessment: Deploy Microsoft Defender for Cloud vulnerability assessment for virtual machines, containers, and SQL databases to identify security weaknesses across all resource types.
Use integrated vulnerability scanning: Implement built-in vulnerability scanner for comprehensive VM assessment without requiring additional agent deployment or licensing.
Integrate exposure management: Use Microsoft Security Exposure Management to identify attack paths and prioritize vulnerabilities based on asset criticality and potential blast radius for risk-based remediation.
Implement database vulnerability assessment: Deploy SQL vulnerability assessment for database security evaluation and configuration weakness identification.
Configure vulnerability tracking: Enable continuous export for tracking and trending analysis to measure remediation progress over time.

Implementation example

A healthcare services company implemented comprehensive vulnerability assessment across cloud infrastructure supporting patient care systems, medical device integration, and health information exchanges serving 500+ healthcare facilities.

Challenge: Healthcare services company lacked comprehensive vulnerability assessment capabilities, with critical vulnerabilities remaining undetected for weeks and manual vulnerability management processes resulting in low remediation rates that created compliance risks across 500+ healthcare facilities processing sensitive patient data.

Solution approach:

Deploy integrated vulnerability scanning:

Enable Microsoft Defender for Cloud integrated vulnerability scanning:
- Agentless scanning for Azure VMs using Microsoft Defender for Cloud with integrated Qualys scanner
- Microsoft Defender for Containers vulnerability scanning using Trivy for 300+ Azure Container Registry images
- Microsoft Defender for SQL vulnerability assessment with automatic baseline creation
- Azure Monitor Log Analytics integration exporting SecurityAssessment table to Microsoft Sentinel

Implement Microsoft Defender for Cloud continuous assessment:

Configure automated vulnerability detection and prioritization:
- Risk-based vulnerability prioritization considering asset criticality and exposure
- Integration with Exploit Prediction Scoring System (EPSS) natively available in Microsoft Defender Vulnerability Management for exploit likelihood data
- Correlation with threat intelligence feeds to identify actively exploited vulnerabilities (using Microsoft Defender Threat Intelligence priority scoring and exploit tracking)
- Integration with asset inventory for context-aware vulnerability assessment
- Real-time attack campaign context through Microsoft Defender Threat Intelligence articles and breach insights
- Business impact assessment for vulnerabilities affecting patient care systems

Establish vulnerability management workflows:

Automate vulnerability remediation workflows with Azure Logic Apps:
- Azure DevOps REST API integration creating work items from SecurityAssessment KQL queries
- Azure Automation runbooks triggering Azure Update Manager patch deployments for critical CVEs
- Microsoft Defender for Cloud workflow automation sending vulnerability data to Azure DevOps
- Azure Policy remediation tasks deploying security configurations addressing misconfigurations
Implement governance with Microsoft Defender for Cloud secure score:
- Azure Monitor workbooks visualizing vulnerability trends from SecurityAssessment table
- Power BI dashboards displaying secure score metrics and vulnerability remediation KPIs
- Microsoft Defender for Cloud regulatory compliance dashboard for HIPAA/HITRUST tracking
- Microsoft Sentinel workbook templates for vulnerability management program analytics

Outcome: The organization's comprehensive vulnerability assessment identified and facilitated remediation of vulnerabilities that could have compromised patient data systems, preventing HIPAA breaches. Critical vulnerability detection time improved substantially through automated continuous scanning and integrated threat intelligence, enabling rapid response to emerging threats.

Criticality level

Should have.

Control mapping

NIST SP 800-53 Rev.5: RA-3, RA-5, RA-5(1), RA-5(2), RA-5(5)
PCI-DSS v4: 6.3.1, 6.3.2, 11.3.1, 11.3.2
CIS Controls v8.1: 7.1, 7.2, 7.5, 7.7
NIST CSF v2.0: DE.CM-8, ID.RA-1
ISO 27001:2022: A.5.14, A.8.8
SOC 2: CC7.1, CC7.2

PV-6: Rapidly and automatically remediate vulnerabilities

Azure Policy: See Azure built-in policy definitions: PV-6.

Security principle

Rapidly and automatically deploy patches and updates to remediate vulnerabilities using risk-based prioritization that addresses the most severe vulnerabilities in highest-value assets first. Implement automated patching capabilities that balance security requirements with operational stability.

Risk to mitigate

Slow vulnerability remediation extends the window of exposure, allowing attackers to exploit known weaknesses before patches are applied. Without rapid remediation capabilities:

Extended exposure windows: Critical vulnerabilities remain exploitable for days or weeks while manual patching processes progress-providing ample time for attackers to develop and deploy exploits.
Patch management delays: Complex approval workflows and testing requirements delay security updates, leaving systems vulnerable during extended remediation cycles.
Scale amplification: Cloud environments with hundreds or thousands of resources require automated patching to achieve timely remediation-manual processes cannot scale effectively.
Business disruption risks: Fear of system downtime delays patching decisions, leaving vulnerabilities unaddressed while organizations debate operational impact.
Third-party software gaps: Applications and middleware not covered by operating system patching remain vulnerable longer due to complex update procedures.
Inconsistent prioritization: Without risk-based remediation prioritization, critical vulnerabilities affecting high-value assets may not receive appropriate attention.
Remediation verification gaps: Lack of post-patch validation leaves uncertainty about whether vulnerabilities were successfully addressed.

Delayed vulnerability remediation transforms discovered weaknesses into successful attack vectors before organizations can apply necessary fixes.

MITRE ATT&CK

Initial Access (TA0001): exploit public-facing application (T1190) targeting known vulnerabilities during extended remediation windows.
Privilege Escalation (TA0004): exploitation for privilege escalation (T1068) leveraging unpatched local vulnerabilities.
Lateral Movement (TA0008): exploitation of remote services (T1021) using known vulnerabilities to spread between systems.

PV-6.1: Implement automated vulnerability remediation

Manual patch management creates lengthy vulnerability exposure windows during which attackers exploit known vulnerabilities before security teams complete remediation processes across large-scale environments. Automated vulnerability remediation reduces mean time to patch from weeks to hours, preventing adversaries from exploiting publicly disclosed vulnerabilities during extended exposure periods. Risk-based prioritization ensures critical vulnerabilities receive immediate attention while automated patching maintains consistent security hygiene across all compute resources.

Accelerate vulnerability remediation through automation and risk-based prioritization:

Implement automated patch management: Deploy Azure Update Manager for automated patching of Windows and Linux virtual machines across Azure VMs and Arc-enabled servers with centralized management capabilities.
Configure maintenance windows: Set up update settings with maintenance windows aligned to business requirements to minimize impact on production workloads.
Enable zero-downtime patching: Use Hotpatching for Windows Server 2025 to install security updates without requiring system reboots, reducing downtime and exposure windows.
Establish risk-based prioritization: Prioritize vulnerability remediation considering vulnerability severity, asset criticality, and exposure level to focus on highest-risk issues first.

Implementation example

A global e-commerce platform implemented automated vulnerability remediation across cloud infrastructure supporting online retail operations and customer data processing serving 10+ million customers worldwide.

Challenge: Global e-commerce platform experienced lengthy mean time to patch (14 days for critical vulnerabilities), high security incident volume related to unpatched vulnerabilities, and compliance audit findings related to inadequate patch management processes across 2,000+ VMs supporting online retail operations.

Solution approach:

Deploy automated patch management infrastructure:

Deploy Azure Update Manager with automatic VM assessment and patching:
- Azure Update Manager periodic assessment enabled on 2,000+ Azure VMs and Arc-enabled servers
- Maintenance configurations with dynamic scoping using Azure Resource Graph queries
- Pre/post-patching Azure Automation runbooks for application stop/start orchestration
- Azure Policy deployIfNotExists enforcing update assessments across all subscriptions
Configure EPSS-based prioritization using Microsoft Defender Vulnerability Management:
- KQL queries joining SecurityAssessment and SecurityRecommendation tables for vulnerability-to-patch correlation
- Azure Monitor alert rules triggering on critical CVEs with EPSS scores > 0.7
- Azure Update Manager scheduled patching with priority classifications (Critical/Important/Moderate)
- Azure Resource Graph queries identifying internet-facing VMs for expedited patching

Establish automated remediation workflows:

Automate remediation with Azure Logic Apps and Microsoft Defender integration:
- Azure Logic Apps workflows triggered by Microsoft Defender for Cloud vulnerability alerts
- Microsoft Graph Security API queries correlating CVEs with Azure Update Manager KB articles
- Azure Automation runbooks invoking Install-AzUpdateManagerUpdate for emergency patching
- Microsoft Defender Vulnerability Management threat and vulnerability management API for exposure scoring

Implement compensating controls for delayed patching:

Deploy temporary protective measures for systems requiring extended patching timelines:
- Azure Application Gateway WAF custom rules blocking known exploit attempts for specific vulnerabilities
- Network Security Group restrictions limiting network access to vulnerable systems until patched
- Enhanced monitoring and alerting through Microsoft Defender for Endpoint detecting suspicious behavior on unpatched assets
- Just-in-time (JIT) VM access controls reducing exposure window for vulnerable administrative interfaces
- Microsoft Defender for Endpoint attack surface reduction rules mitigating exploitation techniques
Track compensating controls in Microsoft Defender for Cloud:
- Azure Policy exemptions with structured exemption metadata documenting compensating controls
- Microsoft Defender for Cloud secure score custom recommendations for exempted vulnerabilities
- Azure Monitor workbooks visualizing active compensating controls with expiration tracking
- Microsoft Sentinel watchlists maintaining compensating control inventory with automatic alerts

Implement governance with Azure Monitor and Power BI:

Deploy comprehensive monitoring and reporting dashboards:
- Azure Monitor workbooks querying Update table for patch compliance across all VMs
- Power BI reports using Azure Resource Graph REST API for real-time vulnerability exposure
- Microsoft Defender for Cloud secure score API integration for executive reporting
- Azure DevOps Boards integration tracking patch exceptions with automatic SLA escalation
Automate emergency patching with Microsoft Defender Vulnerability Management:
- Microsoft Defender Vulnerability Management CISA KEV catalog integration for zero-day prioritization
- Azure Automation runbooks with Azure Update Manager InstallUpdates operation for emergency deployments
- Azure Monitor action groups triggering SMS/email alerts for exploited vulnerabilities
- Microsoft Defender for Cloud workflow automation creating high-priority incidents for active exploits

Outcome: The organization's automated vulnerability remediation substantially reduced time to patch critical vulnerabilities, reducing exposure windows and preventing security compromises. Security incident volume related to unpatched vulnerabilities decreased significantly through systematic patch management and EPSS-based prioritization.

Criticality level

Should have.

Control mapping

NIST SP 800-53 Rev.5: SI-2, SI-2(1), SI-2(2), SI-2(5), RA-5
PCI-DSS v4: 6.3.3, 6.4.3, 11.3.1
CIS Controls v8.1: 7.2, 7.3, 7.4, 7.5, 7.7
NIST CSF v2.0: PR.IP-12, RS.MI-3
ISO 27001:2022: A.8.8, A.5.14
SOC 2: CC7.1, CC7.2, CC8.1

PV-7: Conduct regular red team operations

Security principle

Simulate real-world attacks through red team operations and penetration testing to provide comprehensive security validation. Follow industry best practices to design, prepare, and conduct testing safely while ensuring comprehensive scope and stakeholder coordination.

Risk to mitigate

Traditional vulnerability assessment and penetration testing may miss sophisticated attack techniques and complex attack chains that real adversaries employ. Without comprehensive adversarial testing:

Blind spots in security controls: Automated security tools and standard penetration tests fail to identify weaknesses that skilled attackers exploit through creative combinations of legitimate features and minor vulnerabilities.
False security confidence: Organizations believing their security posture is strong based on compliance checkboxes and standard testing may be vulnerable to advanced persistent threats and targeted attacks.
Human factor vulnerabilities: Security awareness training and technical controls may be insufficient against sophisticated social engineering and human manipulation techniques.
Complex attack chain gaps: Multi-stage attacks combining physical access, social engineering, technical exploitation, and persistence techniques escape detection by siloed security testing.
Incident response weaknesses: Security teams may lack experience detecting and responding to sophisticated attacks, leading to delayed discovery and inadequate containment.
Purple team collaboration gaps: Disconnection between offensive (red team) and defensive (blue team) security operations limits knowledge transfer and improvement opportunities.

Without realistic adversarial testing, organizations operate with unvalidated security assumptions that fail when confronted with skilled, motivated attackers.

MITRE ATT&CK

Reconnaissance (TA0043): active scanning (T1595) and gathering victim information (T1589) to identify attack opportunities and plan targeted operations.
Initial Access (TA0001): phishing (T1566) and exploit public-facing application (T1190) testing organizational susceptibility to social engineering and technical exploitation.
Persistence (TA0003): valid accounts (T1078) and create account (T1136) simulating adversary establishment of long-term access.
Lateral Movement (TA0008): remote services (T1021) and internal spearphishing (T1534) testing detection of adversary movement across environment.

PV-7.1: Implement comprehensive adversarial testing

Organizations relying solely on automated vulnerability scanning and compliance assessments fail to validate whether security controls prevent sophisticated adversary techniques used in real-world attacks. Adversarial testing simulates actual attack scenarios to identify security control gaps, detection blind spots, and incident response weaknesses that automated tools cannot discover. Regular red team operations provide realistic security validation while ensuring security investments effectively prevent, detect, and respond to advanced persistent threats.

Validate security effectiveness through realistic adversarial testing:

Follow Microsoft penetration testing rules: Adhere to Microsoft Cloud Penetration Testing Rules of Engagement for cloud-based testing activities to ensure authorized and safe testing procedures.
Reference Azure testing guidance: Follow Azure penetration testing guidance for authorized testing procedures and coordination requirements with Microsoft.
Use Microsoft red teaming methodology: Apply Microsoft Cloud Red Teaming methodology for comprehensive attack simulation aligned with real-world adversary techniques.
Coordinate testing scope: Establish testing scope and constraints with relevant stakeholders and resource owners to ensure business continuity and minimize unintended impacts.

Implementation example

A financial services organization implemented comprehensive red team operations across cloud infrastructure supporting investment banking, trading systems, and customer wealth management platforms processing billions in daily transactions.

Challenge: Financial services organization lacked realistic security testing capabilities with automated tools missing critical security gaps, limited visibility into sophisticated attack detection capabilities, and difficulty demonstrating security validation effectiveness to regulators examining investment banking and wealth management security controls.

Solution approach:

Establish Microsoft-aligned red team testing program:

Implement testing following Microsoft Cloud Red Teaming methodology:
- Quarterly exercises using Microsoft Enterprise Cloud Red Teaming attack simulation framework
- Annual assessments leveraging Microsoft Entra attack simulation tools and Microsoft Sentinel analytics
- Threat intelligence from Microsoft Defender Threat Intelligence informing attack scenarios
- Purple team exercises using Microsoft Defender for Cloud attack path analysis findings
Configure testing environment with Azure safeguards:
- Azure Resource Manager locks preventing production resource deletion during testing
- Azure Policy deny effects blocking deployment of dangerous configurations in production
- Microsoft Defender for Cloud just-in-time VM access limiting red team lateral movement scope
- Azure Monitor action groups providing real-time alerts on testing activities exceeding boundaries

Execute Azure-focused attack simulation:

Simulate cloud-specific attack scenarios:
- Microsoft 365 phishing attack simulation using Microsoft Defender for Office 365 campaigns
- Azure App Service exploitation testing web application firewall effectiveness
- Azure Resource Manager API abuse testing Azure Policy and RBAC controls
- Azure DevOps pipeline compromise simulating supply chain attacks on CI/CD infrastructure
Test Microsoft Entra ID and identity security controls:
- Microsoft Entra Privileged Identity Management (PIM) elevation path exploitation
- Microsoft Entra Conditional Access policy bypass attempts using device compliance gaps
- Microsoft Entra authentication protocols testing for MFA bypass and token theft
- Azure Key Vault secret exfiltration attempts validating access policies and logging

Validate Microsoft security detection and response:

Test Microsoft Sentinel detection and response capabilities:
- Microsoft Sentinel analytics rules effectiveness measuring detection of red team MITRE ATT&CK techniques
- Microsoft Defender for Cloud alerts validation testing runtime threat protection accuracy
- Microsoft Defender for Endpoint EDR telemetry coverage measuring behavioral detection rates
- Azure Monitor Log Analytics query performance testing incident investigation workflows
Evaluate security orchestration and automation:
- Microsoft Sentinel automation rules testing automatic incident response playbook execution
- Azure Logic Apps workflows validating integration with Microsoft Teams for incident notifications
- Microsoft Defender for Cloud workflow automation testing remediation action effectiveness
- Azure Automation runbooks evaluating automated containment and isolation procedures

Leverage Microsoft tools for continuous improvement:

Document findings using Microsoft security platforms:
- Microsoft Defender for Cloud attack path analysis documenting multi-step attack chains
- Azure Resource Graph queries identifying similar attack surfaces across cloud environment
- Microsoft Sentinel workbooks visualizing attack techniques mapped to MITRE ATT&CK framework
- Azure DevOps Boards tracking remediation actions with priority based on exploitability
Enhance detection capabilities using red team findings:
- Microsoft Sentinel custom analytics rules based on red team techniques and indicators
- Microsoft Defender for Endpoint custom detection rules for identified living-off-the-land techniques
- Azure Monitor Log Analytics saved searches accelerating future incident investigations
- Microsoft Defender Threat Intelligence integration enriching alerts with red team attack context

Outcome: The organization identified and remediated critical security gaps that automated tools had missed, including authentication bypass techniques and privilege escalation paths. Enhanced monitoring and response procedures informed by realistic attack simulations enabled security teams to identify and respond to advanced persistent threats more effectively.

Criticality level

Nice to have.

Control mapping

NIST SP 800-53 Rev.5: CA-8, CA-8(1), CA-8(2)
PCI-DSS v4: 11.4.1, 11.4.2, 11.4.6
CIS Controls v8.1: 15.1, 18.1, 18.2, 18.3, 18.5
NIST CSF v2.0: DE.DP-4, ID.RA-10
ISO 27001:2022: A.5.7, A.8.29
SOC 2: CC7.3, CC7.4

Feedback

Was this page helpful?

Last updated on 2025-11-12

Share via

Posture and Vulnerability Management

PV-1: Define and establish secure configurations

Security principle

Risk to mitigate

MITRE ATT&CK

PV-1.1: Establish security configuration baselines

Implementation example

Criticality level

Control mapping

PV-2: Audit and enforce secure configurations

Security principle

Risk to mitigate

MITRE ATT&CK

PV-2.1: Implement continuous configuration monitoring

Implementation example

Criticality level

Control mapping

PV-3: Define and establish secure configurations for compute resources

Security principle

Risk to mitigate

MITRE ATT&CK

PV-3.1: Establish compute security baselines

Implementation example

Criticality level

Control mapping

PV-4: Audit and enforce secure configurations for compute resources

Security principle

Risk to mitigate

MITRE ATT&CK

PV-4.1: Implement compute configuration monitoring

Implementation example

Criticality level

Control mapping

PV-5: Perform vulnerability assessments

Security principle

Risk to mitigate

MITRE ATT&CK

PV-5.1: Implement comprehensive vulnerability assessment

Implementation example

Criticality level

Control mapping

PV-6: Rapidly and automatically remediate vulnerabilities

Security principle

Risk to mitigate

MITRE ATT&CK

PV-6.1: Implement automated vulnerability remediation

Implementation example

Criticality level

Control mapping

PV-7: Conduct regular red team operations

Security principle

Risk to mitigate

MITRE ATT&CK

PV-7.1: Implement comprehensive adversarial testing

Implementation example

Criticality level

Control mapping

Feedback

Additional resources