Security Control V2: Endpoint Security

Note

The most up-to-date Azure Security Benchmark is available here.

Endpoint Security covers controls in endpoint detection and response. This includes use of endpoint detection and response (EDR) and anti-malware service for endpoints in Azure environments.

To see the applicable built-in Azure Policy, see Details of the Azure Security Benchmark Regulatory Compliance built-in initiative: Endpoint Security

ES-1: Use Endpoint Detection and Response (EDR)

Azure ID: ES-1
CIS Controls v7.1 ID(s): 8.1
NIST SP 800-53 r4 ID(s): SI-2, SI-3, SC-3

Enable Endpoint Detection and Response (EDR) capabilities for servers and clients and integrate with SIEM and Security Operations processes.

Microsoft Defender for Endpoint provides EDR capability as part of an enterprise endpoint security platform to prevent, detect, investigate, and respond to advanced threats.

Responsibility: Customer

Customer Security Stakeholders (Learn more):

ES-2: Use centrally managed modern anti-malware software

Azure ID: ES-2
CIS Controls v7.1 ID(s): 8.1
NIST SP 800-53 r4 ID(s): SI-2, SI-3, SC-3

Use a centrally managed endpoint anti-malware solution capable of real-time and periodic scanning.

Azure Security Center can automatically identify a number of popular anti-malware solutions running on your virtual machines, report their endpoint protection status, and make recommendations.

Microsoft Antimalware for Azure Cloud Services is the default anti-malware for Windows virtual machines (VMs). For Linux VMs, use a third-party anti-malware solution. You can also use Azure Defender for Storage to detect malware uploaded to Azure Storage accounts.

Responsibility: Customer

Customer Security Stakeholders (Learn more):

ES-3: Ensure anti-malware software and signatures are updated

Azure ID: ES-3
CIS Controls v7.1 ID(s): 8.2
NIST SP 800-53 r4 ID(s): SI-2, SI-3

Ensure anti-malware signatures are updated rapidly and consistently.

Follow the recommendations in Azure Security Center to ensure all endpoints are up to date with the latest signatures. Microsoft Antimalware automatically installs the latest signature and engine updates by default. For Linux, ensure the signatures are updated in the third-party anti-malware solution.
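The following PowerShell script is an added example; it is not part of the Azure Security Benchmark and not a Microsoft-supplied tool. It audits Windows endpoints against the ES-2 and ES-3 conditions above (anti-malware service and real-time protection enabled, a recent periodic scan, and fresh signatures) using the Microsoft Defender Antivirus cmdlets Get-MpComputerStatus and Update-MpSignature. It assumes the targets run Microsoft Defender Antivirus or Microsoft Antimalware with that PowerShell module present, that WinRM is available for remote targets, and the thresholds (1 day for signature age, 7 days since the last quick scan) are values chosen for this example, not values the benchmark specifies.

```powershell
# Added example (not from the Azure Security Benchmark): audit Windows endpoints for
# ES-2 (anti-malware running, real-time + periodic scanning) and ES-3 (fresh signatures).
# Assumptions: targets expose Get-MpComputerStatus / Update-MpSignature (Defender module),
# WinRM is reachable for remote names, and the thresholds below are policy choices made here.
param(
    [string[]]$ComputerName = @('localhost'),
    [int]$MaxSignatureAgeDays = 1,   # ES-3: how stale signatures may be before flagging
    [int]$MaxScanAgeDays = 7,        # ES-2: how long since the last quick scan before flagging
    [switch]$Remediate               # if set, trigger Update-MpSignature on stale hosts
)

# Evaluate one Get-MpComputerStatus result against the control thresholds.
function Test-EndpointAntimalwareState {
    param(
        [Parameter(Mandatory)] $Status,
        [Parameter(Mandatory)] [string]$Computer,
        [int]$MaxSigAge,
        [int]$MaxScanAge
    )
    $findings = @()
    if (-not $Status.AMServiceEnabled) {
        $findings += 'ES-2: anti-malware service is not running'
    }
    if (-not $Status.RealTimeProtectionEnabled) {
        $findings += 'ES-2: real-time protection is disabled'
    }
    if ($Status.QuickScanAge -gt $MaxScanAge) {
        $findings += "ES-2: last quick scan was $($Status.QuickScanAge) days ago (limit $MaxScanAge)"
    }
    if ($Status.AntivirusSignatureAge -gt $MaxSigAge) {
        $findings += "ES-3: signatures are $($Status.AntivirusSignatureAge) days old (limit $MaxSigAge)"
    }
    [pscustomobject]@{
        Computer         = $Computer
        Compliant        = ($findings.Count -eq 0)
        SignatureVersion = $Status.AntivirusSignatureVersion
        SignatureUpdated = $Status.AntivirusSignatureLastUpdated
        Findings         = ($findings -join '; ')
    }
}

# Run Get-MpComputerStatus locally or over WinRM, depending on the target name.
function Get-EndpointStatus {
    param([Parameter(Mandatory)] [string]$Computer)
    if ($Computer -in @('localhost', $env:COMPUTERNAME)) {
        return Get-MpComputerStatus
    }
    return Invoke-Command -ComputerName $Computer -ScriptBlock { Get-MpComputerStatus } -ErrorAction Stop
}

$results = foreach ($c in $ComputerName) {
    try {
        $status = Get-EndpointStatus -Computer $c
        $result = Test-EndpointAntimalwareState -Status $status -Computer $c `
                      -MaxSigAge $MaxSignatureAgeDays -MaxScanAge $MaxScanAgeDays
        # Optional remediation for the ES-3 finding only: pull the latest signatures now.
        if ($Remediate -and $result.Findings -match 'ES-3') {
            if ($c -in @('localhost', $env:COMPUTERNAME)) {
                Update-MpSignature
            } else {
                Invoke-Command -ComputerName $c -ScriptBlock { Update-MpSignature } -ErrorAction Stop
            }
            $result.Findings += ' (signature update triggered)'
        }
        $result
    } catch {
        # An unreachable host is reported as non-compliant so it is not silently skipped.
        [pscustomobject]@{
            Computer = $c; Compliant = $false; SignatureVersion = $null
            SignatureUpdated = $null; Findings = "unreachable: $($_.Exception.Message)"
        }
    }
}

$results | Format-Table Computer, Compliant, SignatureVersion, SignatureUpdated, Findings -AutoSize
# Non-zero exit code lets a scheduled job or pipeline fail on any non-compliant endpoint.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it as `.\Test-EndpointProtection.ps1 -ComputerName web01, web02 -Remediate` from a host with WinRM access; the exit code makes it usable as a scheduled compliance check whose failures can be forwarded to the SIEM process referenced under ES-1. The script only reads status and, when asked, requests a signature update; it does not change protection settings, which should stay under the central management the control calls for.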

Responsibility: Customer

Customer Security Stakeholders (Learn more):