
MCSB v2 - Endpoint Security

Each control below is listed with the fields the benchmark table provides for it: Control ID, Implementation ID, Control Name, Control Type, Core Pillar, Azure Policy, Security Principle, Risk to mitigate, MITRE ATT&CK, Implementation example, Criticality, and the mappings to NIST SP 800-53 Rev.5, PCI-DSS v4, CIS Controls v8.1, NIST CSF v2.0, ISO 27001:2022 and SOC 2. Fields the benchmark leaves empty are omitted.
ES-1: Use Endpoint Detection and Response (EDR)
Control Type: Parent
Core Pillar: Cloud endpoint threat protection
Azure Policy: Azure Defender for servers should be enabled
Security Principle: Implement comprehensive endpoint detection and response capabilities providing real-time visibility into endpoint activities, behavioral analytics, and automated threat response. Enable security organizations to detect advanced threats, investigate incidents, and respond rapidly to contain and remediate endpoint compromises across the environment.
Risk to mitigate: Organizations operating without comprehensive endpoint detection and response capabilities face significant risks from advanced threats that bypass traditional preventive controls. Without EDR:
- Undetected advanced threats: Sophisticated attacks including fileless malware, living-off-the-land techniques, and zero-day exploits evade signature-based detection, operating undetected for extended periods.
- Delayed incident response: Lack of real-time visibility into endpoint activities prevents rapid threat detection and response, allowing attackers time to establish persistence and exfiltrate data.
- Limited threat visibility: Security teams cannot identify attack patterns, lateral movement, or command-and-control communications without comprehensive endpoint telemetry and behavioral analytics.
- Ineffective threat containment: Manual investigation and remediation processes allow threats to spread across endpoints during response activities, creating wider organizational impact.
- Missing forensic capabilities: Absence of historical endpoint activity data prevents root cause analysis, attack reconstruction, and lessons learned from security incidents.
- Blind spots in security posture: Unmonitored endpoint ac
MITRE ATT&CK:
- Initial Access (TA0001): phishing (T1566) and exploit public-facing application (T1190) gaining an initial foothold on endpoints without detection.
- Execution (TA0002): command and scripting interpreter (T1059) executing malicious code on endpoints, bypassing preventive controls.
- Persistence (TA0003): create or modify system process (T1543) establishing persistent access mechanisms undetected by traditional anti-malware.
- Defense Evasion (TA0005): impair defenses (T1562) disabling security tools, and obfuscated files or information (T1027) evading detection capabilities.
- Credential Access (TA0006): OS credential dumping (T1003) harvesting credentials from endpoint memory for privilege escalation and lateral movement.
Implementation example: A financial services organization operating cloud-hosted trading platforms discovered, during forensic investigation, advanced persistent threats that had operated undetected for weeks, compromising customer account data.
Challenge: Traditional antivirus on cloud VMs provided only signature-based detection, missing fileless attacks and lateral movement. The security team lacked visibility into attack timelines and struggled with manual investigation across distributed cloud infrastructure.
Solution approach:
- Comprehensive EDR deployment: Enabled Microsoft Defender for Endpoint through Microsoft Defender for Cloud integration, with automatic provisioning across Windows/Linux VMs and Azure Virtual Desktop session hosts using Azure Policy.
- Automated threat response: Configured automated remediation for cryptocurrency miners, web shells, and unauthorized software. Deployed response playbooks isolating compromised VMs through Network Security Group updates and triggering forensic snapshots.
- XDR integration: Deployed Microsoft Defender XDR correlating VM telemetry with Microsoft Entra ID authentication signals and Azure infrastructure changes, creating unified incident context.
- Proactive threat hunting: Established a threat hunting program using advanced hunting queries focused on lateral movement patterns across Azure virtual networks.
Outcome: Dramatically reduced threat detection time from weeks to hours. Automated response contained the majority of threats without manual intervention. The unified incident view significantly reduced investigation time.
Criticality: Must have
NIST SP 800-53 Rev.5: SI-4(1), SI-4(2), SI-4(5), SI-4(12), SI-4(16), IR-4(1), IR-4(4)
PCI-DSS v4: 5.3.2, 5.3.4, 10.2.1, 11.5.1
CIS Controls v8.1: 8.5, 8.11, 13.2, 13.10
ISO 27001:2022: A.8.16, A.5.24, A.5.26
SOC 2: CC7.2, CC7.3
ES-1.1: Deploy endpoint detection and response solution
Control ID: ES-1, Implementation ID: ES-1.1
Control Type: Child
Core Pillar: Cloud endpoint threat protection
Azure Policy: Azure Defender for servers should be enabled
Security Principle: (same as ES-1)
Implementation example: Traditional antivirus signature detection misses modern threats that use fileless techniques, living-off-the-land binaries, and sophisticated obfuscation to evade static analysis, leaving endpoints vulnerable to zero-day exploits and advanced persistent threats. Endpoint detection and response provides behavioral monitoring and machine learning that identifies malicious activities regardless of signature availability, detecting anomalous process execution, credential access attempts, and lateral movement patterns. Comprehensive telemetry collection enables forensic investigation and threat hunting that reconstructs attack timelines and identifies compromise indicators missed during initial detection.
Establish behavioral threat detection through these EDR capabilities: Deploy Microsoft Defender for Endpoint on Microsoft Defender for Cloud-protected Azure Virtual Machines, virtual machine scale sets, and Azure Virtual Desktop instances to provide comprehensive threat detection, investigation, and response capabilities for cloud workloads.
EDR configuration best practices:
- Enable behavioral detection: Configure behavioral analytics to monitor process execution patterns, file system changes, network connections, and registry modifications, focusing on high-value Azure VMs hosting sensitive workloads.
- Tune detection sensitivity: Adjust threat detection sensitivity based on workload criticality, balancing false positive rates with detection coverage for fileless malware, LOLBins (living-off
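The following script is an added example and is not code from the benchmark or from Microsoft. It shows the two halves of ES-1.1 in Az PowerShell: at the subscription level it sets the Defender for Servers plan (the plan behind the "Azure Defender for servers should be enabled" policy) and the Defender for Endpoint integration setting, and at the guest level it verifies that the Defender for Endpoint sensor is actually onboarded and that behavioral monitoring is on. The subscription id, resource group and VM name are placeholders; the `Set-AzSecuritySetting` call for the `WDATP` integration is an assumption about the Az.Security module and should be checked against the Defender for Cloud integration page for your module version.

```powershell
# Added example (not MCSB or Microsoft code). Requires Az.Accounts and Az.Security and a
# signed-in session (Connect-AzAccount) with Security Admin rights on the subscription.
#Requires -Modules Az.Accounts, Az.Security

function Enable-DefenderForServersPlan {
    param(
        [string]$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
    )
    Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

    # 'Standard' is the paid Defender for Servers tier that provisions Defender for Endpoint
    # through Defender for Cloud; 'Free' is what makes the Azure Policy report non-compliant.
    $plan = Get-AzSecurityPricing -Name 'VirtualMachines'
    if ($plan.PricingTier -ne 'Standard') {
        Set-AzSecurityPricing -Name 'VirtualMachines' -PricingTier 'Standard' | Out-Null
    }

    # Assumption: the MDE integration toggle is the 'WDATP' setting of kind DataExportSettings.
    Set-AzSecuritySetting -SettingName 'WDATP' -SettingKind 'DataExportSettings' -Enabled $true | Out-Null

    Get-AzSecurityPricing -Name 'VirtualMachines' | Select-Object Name, PricingTier
}

function Test-MdeSensor {
    # Run on the Windows VM itself (for example delivered with Invoke-AzVMRunCommand
    # -CommandId RunPowerShellScript). Auto-provisioning can succeed at the plan level
    # while an individual VM is still not onboarded, so check the guest as well.
    $sense  = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $onb    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
                -ErrorAction SilentlyContinue
    $mp     = Get-MpComputerStatus -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        SenseServiceRunning    = ($sense.Status -eq 'Running')
        OnboardingState        = $onb.OnboardingState            # 1 = onboarded to MDE
        BehaviorMonitorEnabled = $mp.BehaviorMonitorEnabled      # the behavioral layer ES-1.1 calls for
        RealTimeProtection     = $mp.RealTimeProtectionEnabled
        TamperProtected        = $mp.IsTamperProtected
        Healthy                = ($sense.Status -eq 'Running') -and ($onb.OnboardingState -eq 1) -and $mp.BehaviorMonitorEnabled
    }
}

# Usage (placeholders):
# Enable-DefenderForServersPlan -SubscriptionId '<subscription-id>'
# Test-MdeSensor   # on each VM; treat Healthy -eq $false as a gap to remediate
```

A practical way to use `Test-MdeSensor` at scale is to run it through Azure Automation or a run command against every VM in scope and alert on any object whose `Healthy` field is false; that catches VMs where the plan is enabled but the sensor never finished onboarding.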
ES-1.2: Integrate EDR with extended detection and response (XDR)
Control ID: ES-1, Implementation ID: ES-1.2
Control Type: Child
Core Pillar: Cloud endpoint threat protection
Azure Policy: Azure Defender for servers should be enabled
Security Principle: (same as ES-1)
Implementation example: Isolated endpoint detection generates disconnected alerts that miss sophisticated attack chains spanning identity compromise, lateral movement, and data exfiltration across multiple systems and services. Extended detection and response correlates telemetry from endpoints, identity providers, cloud infrastructure, and network traffic to reveal complete attack narratives that single-signal detection cannot identify. Unified incident context enables security teams to understand the full attack scope and implement coordinated containment across all affected systems simultaneously, rather than responding to each alert independently.
Correlate cross-platform threats through these XDR integration capabilities: Integrate endpoint detection and response with Microsoft Defender XDR to correlate security telemetry across identity, email, applications, and cloud infrastructure, enabling unified threat detection and coordinated response across the environment.
XDR integration best practices:
- Enable cross-signal correlation: Activate Microsoft Defender XDR integration to correlate cloud VM events with Azure Activity logs, Microsoft Entra ID authentication signals, and Azure Network Watcher traffic analysis, creating unified incident context.
- Configure incident grouping: Define correlation rules grouping related alerts from cloud VMs, identity systems, and infrastructure changes into single incidents, reducing investigation overhead and improving mean time to detect (MTTD).
- Design response playbooks: Create
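As an added example (not part of the benchmark and not Microsoft's code), the script below runs one cross-signal correlation of the kind ES-1.2 describes through the Microsoft Defender XDR advanced hunting API: it takes every device that appears as evidence in an alert over the last N hours and joins it with successful network or remote-interactive logons that originated from that device, so that a single alert on one VM is shown together with the hosts it subsequently reached. It assumes the Microsoft.Graph.Authentication module, a `Connect-MgGraph` session holding the `ThreatHunting.Read.All` permission, and the standard `AlertInfo`, `AlertEvidence` and `DeviceLogonEvents` tables; the `-Hours` parameter and function name are this example's own.

```powershell
# Added example (not MCSB or Microsoft code). Requires Microsoft.Graph.Authentication and
# an existing Connect-MgGraph -Scopes 'ThreatHunting.Read.All' session.
#Requires -Modules Microsoft.Graph.Authentication

function Get-LateralMovementFromAlertedHosts {
    param([int]$Hours = 24)

    # KQL: alerted devices joined to the successful remote logons they initiated afterwards.
    $query = @"
let window = ${Hours}h;
let alertedHosts = AlertEvidence
  | where Timestamp > ago(window) and EntityType == "Machine" and isnotempty(DeviceName)
  | join kind=inner (AlertInfo | project AlertId, Title, Severity) on AlertId
  | project AlertId, Title, Severity, AlertTime = Timestamp,
            SourceHost = tolower(tostring(split(DeviceName, ".")[0]));
DeviceLogonEvents
| where Timestamp > ago(window)
| where ActionType == "LogonSuccess" and LogonType in ("Network", "RemoteInteractive")
| where isnotempty(RemoteDeviceName)
| extend SourceHost = tolower(tostring(split(RemoteDeviceName, ".")[0]))
| join kind=inner alertedHosts on SourceHost
| where Timestamp >= AlertTime
| summarize FirstHop = min(Timestamp), LastHop = max(Timestamp),
            Targets = make_set(DeviceName), Accounts = make_set(AccountName)
    by SourceHost, AlertId, Title, Severity
| order by Severity asc, FirstHop asc
"@

    $body = @{ Query = $query } | ConvertTo-Json -Compress
    $resp = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
        -Body $body -ContentType 'application/json'

    # Each result row becomes one object; Targets/Accounts are arrays from make_set.
    foreach ($row in $resp.results) {
        [pscustomobject]@{
            SourceHost = $row.SourceHost
            AlertId    = $row.AlertId
            Title      = $row.Title
            Severity   = $row.Severity
            FirstHop   = $row.FirstHop
            LastHop    = $row.LastHop
            Targets    = @($row.Targets)
            Accounts   = @($row.Accounts)
        }
    }
}

# Usage:
# Connect-MgGraph -Scopes 'ThreatHunting.Read.All'
# Get-LateralMovementFromAlertedHosts -Hours 48 | Format-Table SourceHost, Severity, Title, Targets
```

Each returned row is the unit the guidance calls an incident: one alerted source host, the alert that fired on it, and the set of VMs and accounts it touched afterwards. The same query can be saved as a custom detection in Defender XDR so that new hops on an already-alerted host are grouped into the existing incident instead of raising a separate alert.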
ES-1.3: Enable EDR automation and integration
Control ID: ES-1, Implementation ID: ES-1.3
Control Type: Child
Core Pillar: Cloud endpoint threat protection
Azure Policy: Azure Defender for servers should be enabled
Security Principle: (same as ES-1)
Implementation example: Manual investigation and response to high-volume security alerts creates an unsustainable analyst workload while introducing response delays that allow threats to progress from initial compromise to data exfiltration. Automated investigation analyzes alert context, performs forensic analysis, and determines remediation actions within seconds rather than hours of manual analysis. Security orchestration integrates EDR telemetry with cloud infrastructure controls and identity management, enabling coordinated automated response that isolates compromised systems, revokes credentials, and preserves forensic evidence simultaneously.
Accelerate threat response through these automation capabilities: Implement automated investigation, remediation, and security operations integration, reducing mean time to respond (MTTR) and enabling unified threat detection across security platforms.
Automated investigation and remediation:
- Enable automated investigations: Activate automatic investigation for medium and high-severity alerts on non-production VMs to build an investigation baseline, while requiring manual approval for production workloads.
- Define approval workflows: Establish approval gates for automated remediation actions on production VMs, requiring security architect review for changes impacting business operations.
- Configure automated remediation: Enable automated malware removal, persistence elimination, VM network isolation through Azure Network Security Group updates, and security configuration
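The playbook below is an added example, not benchmark or Microsoft code, of the two remediation steps ES-1.3 (and the ES-1 case study) name for a compromised VM: network isolation through a Network Security Group update, followed by a forensic snapshot of the OS disk, with an approval gate for production workloads. It assumes the Az.Accounts, Az.Compute and Az.Network modules, a signed-in session with Network Contributor and Disk rights on the resource group, that the VM's NIC has an NSG attached directly (subnet-only NSGs would need the same rules applied there), and that production VMs carry an `Environment=Production` tag; the function name, tag, incident id and `-Approved` switch are this example's own conventions.

```powershell
# Added example (not MCSB or Microsoft code). Requires Az.Accounts, Az.Compute, Az.Network
# and a signed-in session with rights on the VM's resource group.
#Requires -Modules Az.Accounts, Az.Compute, Az.Network

function Invoke-VmIsolation {
    param(
        [Parameter(Mandatory)][string]$ResourceGroup,
        [Parameter(Mandatory)][string]$VmName,
        [string]$IncidentId = 'INC-PLACEHOLDER',     # placeholder; use the real incident number
        [switch]$Approved                            # approval gate for production workloads
    )

    $vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName

    # Approval gate: production VMs are only isolated after security architect sign-off,
    # expressed here as the -Approved switch passed by the approving operator.
    if ($vm.Tags['Environment'] -eq 'Production' -and -not $Approved) {
        throw "VM '$VmName' is tagged Production; isolation requires approval (-Approved)."
    }

    # 1. Deny all inbound and outbound traffic on the NIC-level NSG. Priority 100 is the lowest
    #    allowed value, so these rules take precedence over every existing allow rule; if a rule
    #    already occupies 100 in that direction the Set call fails and nothing is changed.
    $nicId  = $vm.NetworkProfile.NetworkInterfaces[0].Id
    $nic    = Get-AzNetworkInterface -ResourceId $nicId
    if (-not $nic.NetworkSecurityGroup) { throw "NIC of '$VmName' has no NSG attached; apply the deny rules on the subnet NSG instead." }
    $parts  = $nic.NetworkSecurityGroup.Id -split '/'
    $nsg    = Get-AzNetworkSecurityGroup -ResourceGroupName $parts[4] -Name $parts[-1]

    foreach ($dir in 'Inbound', 'Outbound') {
        $nsg | Add-AzNetworkSecurityRuleConfig -Name "isolate-$IncidentId-$dir" `
            -Description "Incident $IncidentId containment" `
            -Direction $dir -Access Deny -Priority 100 -Protocol '*' `
            -SourceAddressPrefix '*' -SourcePortRange '*' `
            -DestinationAddressPrefix '*' -DestinationPortRange '*' | Out-Null
    }
    $nsg = $nsg | Set-AzNetworkSecurityGroup

    # 2. Forensic snapshot of the OS managed disk, taken after isolation so the evidence
    #    reflects the state at containment and the attacker can no longer alter it remotely.
    $diskId = $vm.StorageProfile.OsDisk.ManagedDisk.Id
    $cfg    = New-AzSnapshotConfig -SourceUri $diskId -Location $vm.Location -CreateOption Copy `
                -Tag @{ Incident = $IncidentId; Purpose = 'forensics' }
    $snap   = New-AzSnapshot -ResourceGroupName $ResourceGroup `
                -SnapshotName "snap-$VmName-$IncidentId" -Snapshot $cfg

    [pscustomobject]@{
        Vm         = $VmName
        Nsg        = $nsg.Name
        Snapshot   = $snap.Name
        IsolatedAt = (Get-Date).ToUniversalTime().ToString('o')
    }
}

# Usage (placeholders):
# Invoke-VmIsolation -ResourceGroup 'rg-trading-prod' -VmName 'vm-trade-01' -IncidentId 'INC-1234' -Approved
```

The order matters: the deny rules go in before the snapshot so the disk image is captured after the machine loses network access. Removing the two `isolate-*` rules with `Remove-AzNetworkSecurityRuleConfig` and `Set-AzNetworkSecurityGroup` is the corresponding release step once the investigation is closed.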
ES-2: Use modern anti-malware software
Control Type: Parent
Core Pillar: Cloud endpoint threat protection
Azure Policy: Windows Defender Exploit Guard should be enabled on your machines
Security Principle: Deploy modern anti-malware solutions combining signature-based detection with behavioral analytics, machine learning, cloud-delivered intelligence, and exploit prevention to protect against known and unknown threats. Ensure comprehensive malware protection across all endpoint platforms with minimal performance impact and centralized management.
Risk to mitigate: Organizations relying on outdated or signature-only anti-malware solutions face increasing risk from modern threats that evade traditional detection methods. Without modern anti-malware capabilities:
- Zero-day exploit vulnerability: Signature-based detection cannot identify new malware variants and zero-day exploits before signatures are created and distributed.
- Polymorphic malware evasion: Advanced malware using polymorphic code, encryption, and obfuscation techniques bypasses signature matching and static analysis.
- Fileless attack execution: Memory-resident attacks executing entirely in RAM without touching disk evade traditional file-based scanning mechanisms.
- Ransomware encryption: Modern ransomware variants execute encryption rapidly, before signature-based detection can identify and block malicious processes.
- Script-based attack delivery: PowerShell, JavaScript, and other scripting attacks leverage trusted system tools, evading application-based anti-malware controls.
- Performance degradation: Legacy anti-malware solutions consuming excessive system resources impact endpoint performance and user productivity.
Traditional signature-based anti-malware provides insufficient protection against mo
MITRE ATT&CK:
- Execution (TA0002): malicious file (T1204.002) executing malware payloads delivered through phishing, downloads, or removable media.
- Defense Evasion (TA0005): obfuscated files or information (T1027) and virtualization/sandbox evasion (T1497) bypassing signature-based detection.
- Impact (TA0040): data encrypted for impact (T1486) deploying ransomware that encrypts organizational data before detection occurs.
Implementation example: A healthcare organization suffered a ransomware attack encrypting patient records on Azure Virtual Desktop infrastructure. Traditional antivirus failed to detect memory-resident malware delivered through weaponized medical imaging files.
Challenge: Legacy signature-based protection couldn't detect fileless attacks or script-based ransomware. Clinicians needed uninterrupted access to medical applications while maintaining HIPAA security controls. Ransomware encrypted patient records before detection.
Solution approach:
- Behavioral detection: Deployed Microsoft Defender Antivirus with cloud-delivered protection and behavioral analysis, detecting fileless malware and script-based attacks on medical application VMs.
- Attack surface reduction: Configured ASR rules blocking PowerShell execution from untrusted sources and preventing credential dumping on application servers hosting electronic health records.
- Ransomware protection: Implemented controlled folder access on Azure Virtual Desktop, protecting patient data directories from unauthorized modification and blocking ransomware encryption attempts.
- Exploit prevention: Enabled exploit protection for web browsers and medical imaging viewers, preventing initial compromise vectors.
Outcome: Detected and blocked subsequent ransomware attempts within seconds, before encryption. Substantially reduced false positives through behavioral analytics. Maintained HIPAA compliance with comprehensive protection coverage.
Criticality: Must have
NIST SP 800-53 Rev.5: SI-3(1), SI-3(2), SI-3(4), SI-3(7), SI-3(8)
PCI-DSS v4: 5.1.1, 5.2.1, 5.2.2, 5.2.3, 5.3.1, 5.3.2
CIS Controls v8.1: 10.1, 10.2, 10.5, 10.7
NIST CSF v2.0: DE.CM-4, PR.DS-6
ISO 27001:2022: A.8.7
SOC 2: CC6.1, CC7.2
ES-2.1: Deploy next-generation anti-malware solution
Control ID: ES-2, Implementation ID: ES-2.1
Control Type: Child
Core Pillar: Cloud endpoint threat protection
Azure Policy: Windows Defender Exploit Guard should be enabled on your machines
Security Principle: (same as ES-2)
Implementation example: Signature-based anti-malware provides essential baseline protection against known threats, but modern malware employs polymorphism, packing, and encryption to evade traditional detection, requiring behavioral analysis and machine learning classification. Multi-layered protection combines static signatures for known threats with dynamic behavior monitoring and cloud-powered intelligence to detect emerging malware variants and zero-day exploits. Centralized management ensures consistent protection baselines across all endpoints, while tamper protection prevents adversaries from disabling security controls after gaining initial access.
Deploy comprehensive malware protection through these defense layers: Implement Microsoft Defender Antivirus on Azure Virtual Machines, providing multi-layered protection including signature-based detection, behavioral analysis, machine learning classification, and exploit prevention capabilities for cloud workloads.
Anti-malware configuration best practices:
- Configure protection layers: Enable all protection layers (signature-based, heuristic, behavioral, cloud-powered ML) by default, allowing selective disabling only when specific workload requirements are documented and approved by the security team.
- Enable cloud-delivered protection: Activate cloud protection with automatic sample submission for unknown files, except for VMs processing highly sensitive data that require air-gapped protection models.
- Configure exclusion management: Establish formal exception process
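The script below is an added example rather than benchmark or Microsoft code. It applies the ES-2.1 layer baseline to Microsoft Defender Antivirus on a Windows VM with the `Set-MpPreference` cmdlets, keeps the cloud-lookup layer while turning off sample submission for the highly sensitive workloads the guidance exempts, records every path exclusion against a change ticket so exclusions remain an audited exception rather than a quiet configuration drift, and reports which layers are active. It assumes an elevated PowerShell session on the VM; the exclusion register path and the function names are placeholders of this example. Tamper protection is reported but not set, because it cannot be enabled through `Set-MpPreference` and is managed centrally (Intune or Defender for Cloud).

```powershell
# Added example (not MCSB or Microsoft code). Run elevated on the Windows VM.

function Set-DefenderAvBaseline {
    param(
        # For VMs processing highly sensitive data: keep cloud verdict lookups, never upload samples.
        [switch]$NoSampleSubmission
    )
    Set-MpPreference -DisableRealtimeMonitoring $false   # signature + heuristic real-time scanning
    Set-MpPreference -DisableBehaviorMonitoring $false   # behavioral analysis layer
    Set-MpPreference -DisableScriptScanning $false       # AMSI-backed scanning of PowerShell/JScript/VBScript
    Set-MpPreference -DisableIOAVProtection $false       # scan downloaded files and attachments
    Set-MpPreference -PUAProtection Enabled              # potentially unwanted applications
    Set-MpPreference -MAPSReporting Advanced             # cloud-delivered protection
    Set-MpPreference -CloudBlockLevel High               # stricter cloud ML verdicts
    Set-MpPreference -CloudExtendedTimeout 50            # seconds to hold an unknown file for a cloud verdict

    $consent = if ($NoSampleSubmission) { 'NeverSend' } else { 'SendAllSamples' }
    Set-MpPreference -SubmitSamplesConsent $consent
}

function Add-DefenderExclusion {
    # Exclusions are the layer most often weakened by accident; require a ticket and a
    # justification, refuse whole-drive exclusions, and append every change to a register.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ChangeTicket,
        [Parameter(Mandatory)][string]$Justification,
        [string]$RegisterPath = 'C:\ProgramData\SecOps\defender-exclusions.csv'   # placeholder
    )
    if ($Path -eq '*' -or $Path -match '^[A-Za-z]:\\?$') {
        throw "Refusing to exclude an entire drive or wildcard ($Path)."
    }
    Add-MpPreference -ExclusionPath $Path
    New-Item -ItemType Directory -Path (Split-Path $RegisterPath) -Force | Out-Null
    [pscustomobject]@{
        When          = (Get-Date).ToUniversalTime().ToString('o')
        Path          = $Path
        Ticket        = $ChangeTicket
        Justification = $Justification
    } | Export-Csv -Path $RegisterPath -Append -NoTypeInformation
}

function Get-DefenderLayerStatus {
    $s = Get-MpComputerStatus
    $p = Get-MpPreference
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        RealTimeProtection = $s.RealTimeProtectionEnabled
        BehaviorMonitoring = $s.BehaviorMonitorEnabled
        IoavProtection     = $s.IoavProtectionEnabled
        ScriptScanning     = -not $p.DisableScriptScanning
        CloudProtection    = $p.MAPSReporting          # 2 = Advanced
        SampleSubmission   = $p.SubmitSamplesConsent   # 2 = NeverSend, 3 = SendAllSamples
        TamperProtected    = $s.IsTamperProtected      # reported only; set centrally
        ExclusionCount     = @($p.ExclusionPath).Count
    }
}

# Usage:
# Set-DefenderAvBaseline                      # standard VM
# Set-DefenderAvBaseline -NoSampleSubmission  # VM handling highly sensitive data
# Add-DefenderExclusion -Path 'D:\App\cache' -ChangeTicket 'CHG-0001' -Justification 'placeholder: vendor-documented I/O conflict'
# Get-DefenderLayerStatus
```

`Get-DefenderLayerStatus` is the part worth scheduling: a VM whose `TamperProtected` is false or whose `ExclusionCount` grows without a matching register entry is exactly the drift the "selective disabling only when documented and approved" practice is meant to catch.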
ES-2.2: Enable advanced threat protection features
Control ID: ES-2, Implementation ID: ES-2.2
Control Type: Child
Core Pillar: Cloud endpoint threat protection
Azure Policy: Windows Defender Exploit Guard should be enabled on your machines
Security Principle: (same as ES-2)
Implementation example: Malware detection alone provides insufficient protection when adversaries exploit memory corruption vulnerabilities, abuse legitimate system features, and encrypt data before traditional signatures detect their presence. Exploit protection mitigations (DEP, ASLR, Control Flow Guard) block memory-based attacks regardless of malware signatures, preventing exploitation of application vulnerabilities. Attack surface reduction rules constrain adversary techniques by blocking script execution from untrusted sources, limiting credential access, and protecting critical data folders before ransomware encryption occurs.
Prevent exploitation techniques through these advanced protections: Configure advanced protection features including exploit protection, attack surface reduction, controlled folder access, and network protection to prevent exploit techniques and reduce the attack surface.
Exploit protection configuration:
- Enable memory protections: Activate Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG) on all Azure VMs, testing application compatibility in development environments before production deployment.
- Configure application-specific protections: Apply targeted exploit protections to high-risk applications (browsers, Office apps, PDF readers), with exceptions documented and reviewed quarterly.
- Test mitigation effectiveness: Conduct controlled exploit simulation testing validating protection against common techniques (heap spraying, ROP,
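The script below is an added example, not benchmark or Microsoft code, and covers both the ES-2 case study's attack surface reduction and controlled folder access measures and the ES-2.2 exploit protection guidance. It enables a small set of ASR rules, controlled folder access, network protection, and system-wide and per-application exploit mitigations on a Windows VM, starting everything in audit mode so compatibility can be checked in a development environment before the switch to block mode, and it reads back the ASR audit/block events so the "test mitigation effectiveness" step has something to inspect. It assumes an elevated session on the VM. The ASR rule GUIDs are the ones Microsoft publishes for the named rules and should be checked against the current ASR rules reference before deployment; the protected folder, the application list and the function names are this example's placeholders.

```powershell
# Added example (not MCSB or Microsoft code). Run elevated on the Windows VM.

function Set-DefenderAttackSurfaceBaseline {
    param(
        # Start in AuditMode in dev/test; switch to Enabled once the audit events show no
        # legitimate workload being hit.
        [ValidateSet('Enabled', 'AuditMode')][string]$Mode = 'AuditMode',
        [string[]]$ProtectedFolders = @('D:\PatientData'),                  # placeholder data directory
        [string[]]$AllowedApps      = @(),                                   # apps allowed to write there
        [string[]]$HighRiskApps     = @('AcroRd32.exe', 'WINWORD.EXE', 'EXCEL.EXE')  # placeholder list
    )

    # ASR rules mapped to the techniques the benchmark names. GUIDs per Microsoft's ASR
    # rules reference; verify before use.
    $asrRules = @{
        '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS (T1003)'
        '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts (T1027)'
        'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
        'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware (T1486)'
        'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    }
    foreach ($id in $asrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }

    # Controlled folder access: only allowed apps may modify the protected directories.
    Set-MpPreference -EnableControlledFolderAccess $Mode
    foreach ($f in $ProtectedFolders) { Add-MpPreference -ControlledFolderAccessProtectedFolders $f }
    foreach ($a in $AllowedApps)      { Add-MpPreference -ControlledFolderAccessAllowedApplications $a }

    # Network protection (web/IP reputation blocking for any process).
    Set-MpPreference -EnableNetworkProtection $Mode

    # System-wide exploit protection: DEP, bottom-up/high-entropy ASLR, CFG, SEHOP.
    Set-ProcessMitigation -System -Enable DEP, BottomUp, HighEntropy, CFG, SEHOP

    # Per-application hardening for the high-risk apps: mandatory ASLR for images that
    # were not built with it, plus dynamic-code blocking. These are the ones most likely
    # to need a documented exception, hence the dev/test requirement in the guidance.
    foreach ($app in $HighRiskApps) {
        Set-ProcessMitigation -Name $app -Enable DEP, ForceRelocateImages, BlockDynamicCode
    }
}

function Get-AsrRuleEvents {
    # Event 1121 = ASR rule blocked an action, 1122 = rule would have blocked (audit mode).
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Mode'; e = { if ($_.Id -eq 1121) { 'Block' } else { 'Audit' } } }, Message
}

function Get-AttackSurfaceStatus {
    $p = Get-MpPreference
    [pscustomobject]@{
        AsrRules              = @($p.AttackSurfaceReductionRules_Ids).Count
        AsrActions            = $p.AttackSurfaceReductionRules_Actions    # 1 = Enabled, 2 = AuditMode
        ControlledFolderAccess = $p.EnableControlledFolderAccess           # 1 = Enabled, 2 = AuditMode
        NetworkProtection     = $p.EnableNetworkProtection
        SystemMitigations     = (Get-ProcessMitigation -System)
    }
}

# Usage:
# Set-DefenderAttackSurfaceBaseline -Mode AuditMode          # dev/test first
# Get-AsrRuleEvents -Hours 72 | Format-Table                  # review what would have been blocked
# Set-DefenderAttackSurfaceBaseline -Mode Enabled             # then enforce
```

The audit-first sequence is the practical answer to the "testing application compatibility in development environments" requirement: a week of 1122 events with no legitimate application in them is the evidence to attach to the change record before switching to block mode, and any 1122 hit on a business application becomes a documented, quarterly-reviewed exception rather than a silent disablement of the rule.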
ES-3: Ensure anti-malware software and signatures are updated
Control Type: Parent
Core Pillar: Cloud endpoint security configuration
Azure Policy: No Azure Policy available
Security Principle: Maintain current anti-malware protection through automated signature updates, software version management, and update compliance monitoring. Ensure all endpoints receive timely protection updates, minimizing vulnerability windows and maintaining effective threat detection capabilities.
Risk to mitigate: Outdated anti-malware signatures and software versions leave endpoints vulnerable to known threats that could be prevented with current protection. Without timely updates:
- Known malware detection failure: Outdated signatures cannot detect new malware variants, exploits, and threat campaigns identified after the last update.
- Protection bypass: Attackers specifically target endpoints with outdated protection, knowing signature gaps allow malware execution.
- Exploit vulnerability: Unpatched anti-malware software contains vulnerabilities that attackers exploit to disable protection or escalate privileges.
- Compliance violations: Regulatory frameworks require current anti-malware protection, with audit failures resulting from outdated signatures or software versions.
- Incident response gaps: Outdated protection prevents detection during initial attack phases, allowing threats to establish persistence before updates enable detection.
Organizations maintaining current anti-malware updates significantly reduce malware infection rates and improve overall security posture.
MITRE ATT&CK:
- Defense Evasion (TA0005): impair defenses (T1562) exploiting outdated anti-malware to avoid detection.
- Execution (TA0002): exploitation for client execution (T1203) leveraging known exploits that current signatures would detect.
Implementation example: An organization with global operations suffered a malware outbreak affecting critical business systems when outdated antivirus signatures failed to detect a known malware variant, exposing sensitive data and disrupting operations.
Challenge: Global operations across multiple time zones made coordinated updates difficult. Regional bandwidth constraints delayed signature distribution. Manual update processes created gaps where endpoints ran outdated protection during peak operational periods.
Solution approach:
- Automated update cadence: Configured cloud-delivered updates checking every 2 hours, ensuring rapid threat intelligence deployment and removing the dependency on manual update processes.
- Compliance enforcement: Implemented Azure Policy monitoring alerting when signatures exceed 7 days old. Integrated with network access control denying access to non-compliant endpoints.
- Phased rollout strategy: Configured phased deployment testing major versions with a small pilot group before full rollout, preventing operational disruption while maintaining protection currency.
Outcome: Dramatically reduced average signature age from weeks to hours. Achieved high compliance, with no malware incidents related to outdated signatures in the subsequent period.
Criticality: Must have
NIST SP 800-53 Rev.5: SI-3(2), SI-2(2), SI-2(5)
PCI-DSS v4: 5.3.3, 6.3.3
CIS Controls v8.1: 10.3, 7.2
NIST CSF v2.0: DE.CM-4, PR.IP-1
ISO 27001:2022: A.8.7, A.8.8
SOC 2: CC8.1
ES-3.1: Configure and enforce automated updates
Control ID: ES-3, Implementation ID: ES-3.1
Control Type: Child
Core Pillar: Cloud endpoint security configuration
Azure Policy: No Azure Policy available
Security Principle: (same as ES-3)
Implementation example: Anti-malware protection degrades rapidly as threat signatures age and detection engines become outdated, with new malware variants emerging continuously that evade older detection capabilities. Automated update mechanisms ensure endpoints maintain current threat intelligence and detection algorithms without relying on manual processes that introduce delays and coverage gaps. Compliance monitoring identifies endpoints with outdated protection that represent high-risk vulnerabilities in the security perimeter, enabling targeted remediation before adversaries exploit protection gaps.
Maintain current anti-malware effectiveness through these update processes: Implement automated anti-malware signature and software update processes with compliance monitoring and enforcement, ensuring endpoints maintain current protection without manual intervention.
Automated update configuration:
- Enable automatic signature updates: Configure automatic signature update checks multiple times daily, ensuring rapid deployment of new threat intelligence addressing emerging threats.
- Enable automatic engine updates: Configure automated detection engine and platform updates, ensuring endpoints receive enhanced detection capabilities and critical security improvements.
- Configure reliable update sources: Establish primary cloud-delivered updates with failover mechanisms, ensuring consistent update delivery and protecting against update service disruptions.
- Validate update integrity: Enable automated validation of signatu
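As an added example that is not benchmark or Microsoft code, the script below implements ES-3.1 (and the ES-3 case study's settings) on a Windows VM running Microsoft Defender Antivirus: a 2-hour signature check interval, a cloud-first update source with Microsoft Update fallback, a staged platform update channel for the pilot group versus the broad channel for production, and a compliance check that flags any endpoint whose signatures are older than 7 days and optionally forces an update. It assumes an elevated session on the VM; the `-Pilot` switch, the function names and the 7-day default are this example's own conventions, chosen to match the thresholds the benchmark text mentions.

```powershell
# Added example (not MCSB or Microsoft code). Run elevated on the Windows VM.

function Set-DefenderUpdateCadence {
    param(
        # Pilot VMs take platform/engine updates earlier so a bad release is caught before
        # the broad production ring receives it.
        [switch]$Pilot
    )
    Set-MpPreference -SignatureUpdateInterval 2                               # check every 2 hours
    Set-MpPreference -SignatureScheduleDay Everyday
    Set-MpPreference -SignatureFallbackOrder 'MicrosoftUpdateServer|MMPC'    # cloud first, MMPC fallback
    Set-MpPreference -CheckForSignaturesBeforeRunningScan $true
    Set-MpPreference -SignatureUpdateCatchupInterval 1                        # catch up after 1 missed day

    $channel = if ($Pilot) { 'Staged' } else { 'Broad' }
    Set-MpPreference -PlatformUpdatesChannel $channel
    Set-MpPreference -EngineUpdatesChannel   $channel
}

function Test-DefenderUpdateCompliance {
    param(
        [int]$MaxSignatureAgeDays = 7,   # matches the 7-day alert threshold in the ES-3 case study
        [switch]$Remediate               # force an update when out of compliance
    )
    $s = Get-MpComputerStatus
    $compliant = $s.AMServiceEnabled -and ($s.AntivirusSignatureAge -le $MaxSignatureAgeDays)

    if (-not $compliant -and $Remediate) {
        Update-MpSignature -UpdateSource MicrosoftUpdateServer
        $s = Get-MpComputerStatus
        $compliant = $s.AMServiceEnabled -and ($s.AntivirusSignatureAge -le $MaxSignatureAgeDays)
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        CheckedAt        = (Get-Date).ToUniversalTime().ToString('o')
        SignatureVersion = $s.AntivirusSignatureVersion
        SignatureAgeDays = $s.AntivirusSignatureAge
        LastUpdated      = $s.AntivirusSignatureLastUpdated
        EngineVersion    = $s.AMEngineVersion
        PlatformVersion  = $s.AMProductVersion
        ServiceEnabled   = $s.AMServiceEnabled
        Compliant        = $compliant
    }
}

# Usage:
# Set-DefenderUpdateCadence              # production ring
# Set-DefenderUpdateCadence -Pilot       # pilot ring
# Test-DefenderUpdateCompliance -Remediate | ConvertTo-Json
```

The JSON object `Test-DefenderUpdateCompliance` emits is what feeds the compliance layer the guidance describes: collected from every VM on a schedule (for example through a run command or Azure Automation) and written to a Log Analytics workspace, a `Compliant == false` row is the trigger for the alert and for the network access control decision, and `SignatureAgeDays` trended over time is the metric the ES-3 outcome ("from weeks to hours") is measured against.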