ID: ES-1
Control domain: Endpoint security
CIS Controls v7.1 ID(s): 9.4 - Apply Host-Based Firewalls or Port Filtering
CIS Controls v8 ID(s): 13.7 - Deploy a Host-Based Intrusion Prevention Solution
NIST SP 800-53 r4 ID(s): SC-3: Security Function Isolation; SI-2: Flaw Remediation; SI-3: Malicious Code Protection; SI-16: Memory Protection
PCI-DSS v3.2.1 ID(s): 11.5

Recommendation: Use Endpoint Detection and Response (EDR)

Security principle: Enable Endpoint Detection and Response (EDR) capabilities for VMs and integrate with SIEM and security operations processes.

Azure guidance: Microsoft Defender for servers (with Microsoft Defender for Endpoint integrated) provides EDR capability to prevent, detect, investigate, and respond to advanced threats.

Use Microsoft Defender for Cloud to deploy Microsoft Defender for servers on your endpoints and integrate the alerts to your SIEM solution such as Microsoft Sentinel.

Azure implementation and additional context:
- Microsoft Defender for servers introduction: https://docs.microsoft.com/azure/security-center/defender-for-servers-introduction
- Microsoft Defender for Endpoint overview: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide
- Microsoft Defender for Cloud feature coverage for machines: https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows
- Connector for Defender for servers integration into SIEM: https://docs.microsoft.com/azure/security-center/security-center-wdatp?WT.mc_id=Portal-Microsoft_Azure_Security_CloudNativeCompute&tabs=windows

AWS guidance: Onboard your AWS account into Microsoft Defender for Cloud and deploy Microsoft Defender for servers (with Microsoft Defender for Endpoint integrated) on your EC2 instances to provide EDR capabilities to prevent, detect, investigate, and respond to advanced threats.

Alternatively, use Amazon GuardDuty's integrated threat intelligence capability to monitor and protect your EC2 instances. Amazon GuardDuty can detect anomalous activity indicating an instance compromise, such as cryptocurrency mining, malware using domain generation algorithms (DGAs), outbound denial of service activity, unusually high volume of network traffic, unusual network protocols, outbound instance communication with a known malicious IP, temporary Amazon EC2 credentials used by an external IP address, and data exfiltration using DNS.

AWS implementation and additional context:
- Protect your endpoints with Defender for Cloud's integrated EDR solution: https://docs.microsoft.com/en-us/azure/defender-for-cloud/integration-defender-for-endpoint?tabs=windows

Customer security stakeholders:
- Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security
- Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
- Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
- Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management

ID: ES-2
Control domain: Endpoint security
CIS Controls v7.1 ID(s): 8.1 - Utilize Centrally Managed Anti-malware Software
CIS Controls v8 ID(s): 10.1 - Deploy and Maintain Anti-Malware Software
NIST SP 800-53 r4 ID(s): SC-3: Security Function Isolation; SI-2: Flaw Remediation; SI-3: Malicious Code Protection; SI-16: Memory Protection
PCI-DSS v3.2.1 ID(s): 5.1

Recommendation: Use modern anti-malware software

Security principle: Use anti-malware solutions (also known as endpoint protection) capable of real-time protection and periodic scanning.

Azure guidance: Microsoft Defender for Cloud can automatically identify the use of a number of popular anti-malware solutions for your virtual machines and on-premises machines with Azure Arc configured, report the endpoint protection running status, and make recommendations.

Microsoft Defender Antivirus is the default anti-malware solution for Windows Server 2016 and above. For Windows Server 2012 R2, use the Microsoft Antimalware extension to enable SCEP (System Center Endpoint Protection). For Linux VMs, use Microsoft Defender for Endpoint on Linux for the endpoint protection feature.

For both Windows and Linux, you can use Microsoft Defender for Cloud to discover and assess the health status of the anti-malware solution.

Note: You can also use Microsoft Defender for Cloud's Defender for Storage to detect malware uploaded to Azure Storage accounts.

Azure implementation and additional context:
- Supported endpoint protection solutions: https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions-
- How to configure Microsoft Antimalware for Cloud Services and virtual machines: https://docs.microsoft.com/azure/security/fundamentals/antimalware
- Endpoint protection recommendations in Microsoft Defender for Cloud: https://docs.microsoft.com/en-us/azure/defender-for-cloud/endpoint-protection-recommendations-technical

AWS guidance: Onboard your AWS account into Microsoft Defender for Cloud to allow Microsoft Defender for Cloud to automatically identify the use of some popular anti-malware solutions for EC2 instances with Azure Arc configured, report the endpoint protection running status, and make recommendations.

Deploy Microsoft Defender Antivirus, which is the default anti-malware solution for Windows Server 2016 and above. For EC2 instances running Windows Server 2012 R2, use the Microsoft Antimalware extension to enable SCEP (System Center Endpoint Protection). For EC2 instances running Linux, use Microsoft Defender for Endpoint on Linux for the endpoint protection feature.

For both Windows and Linux, you can use Microsoft Defender for Cloud to discover and assess the health status of the anti-malware solution.

Note: Microsoft Defender for Cloud also supports certain third-party endpoint protection products for the discovery and health status assessment.

AWS implementation and additional context:
- Amazon GuardDuty EC2 finding types: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html
- Microsoft Defender supported endpoint protection solutions: https://docs.microsoft.com/en-us/azure/defender-for-cloud/supported-machines-endpoint-solutions-clouds-servers?tabs=features-windows#supported-endpoint-protection-solutions-

Customer security stakeholders:
- Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security
- Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
- Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
- Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management

ID: ES-3
Control domain: Endpoint security
CIS Controls v7.1 ID(s): 8.2 - Ensure Anti-Malware Software and Signatures are Updated
CIS Controls v8 ID(s): 10.2 - Configure Automatic Anti-Malware Signature Updates
NIST SP 800-53 r4 ID(s): SI-2: Flaw Remediation; SI-3: Malicious Code Protection
PCI-DSS v3.2.1 ID(s): 5.2; 5.3

Recommendation: Ensure anti-malware software and signatures are updated

Security principle: Ensure anti-malware signatures are updated rapidly and consistently for the anti-malware solution.

Azure guidance: Follow recommendations in Microsoft Defender for Cloud to keep all endpoints up to date with the latest signatures. Microsoft Antimalware (for Windows) and Microsoft Defender for Endpoint (for Linux) will automatically install the latest signatures and engine updates by default.

For third-party solutions, ensure the signatures are updated in the third-party anti-malware solution.

Azure implementation and additional context:
- How to deploy Microsoft Antimalware for Cloud Services and virtual machines: https://docs.microsoft.com/azure/security/fundamentals/antimalware
- Endpoint protection assessment and recommendations in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection

AWS guidance: With your AWS account onboarded into Microsoft Defender for Cloud, follow recommendations in Microsoft Defender for Cloud to keep all endpoints up to date with the latest signatures. Microsoft Antimalware (for Windows) and Microsoft Defender for Endpoint (for Linux) will automatically install the latest signatures and engine updates by default.

For third-party solutions, ensure the signatures are updated in the third-party anti-malware solution.

AWS implementation and additional context:
- Connect your AWS accounts to Microsoft Defender for Cloud: https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings

Customer security stakeholders:
- Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security
- Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
- Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
- Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management