compliance controls are associated with this Policy definition '[Deprecated]: Monitor missing Endpoint Protection in Azure Security Center' (af6cd1bd-1635-48cb-bde7-5b15693900b9)

| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| Azure_Security_Benchmark_v2.0 | ES-2 | Azure_Security_Benchmark_v2.0_ES-2 | Azure Security Benchmark ES-2 | Endpoint Security | Use centrally managed modern anti-malware software | Customer | Use a centrally managed endpoint anti-malware solution capable of real time and periodic scanning<br>Azure Security Center can automatically identify the use of a number of popular anti-malware solutions for your virtual machines and report the endpoint protection running status and make recommendations.<br>Microsoft Antimalware for Azure Cloud Services is the default anti-malware for Windows virtual machines (VMs). For Linux VMs, use third-party antimalware solution. Also, you can use Azure Security Center's Threat detection for data services to detect malware uploaded to Azure Storage accounts.<br>How to configure Microsoft Antimalware for Cloud Services and Virtual Machines: https://docs.microsoft.com/azure/security/fundamentals/antimalware<br>Supported endpoint protection solutions: https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions- | n/a | link | 3 |
| Azure_Security_Benchmark_v2.0 | ES-3 | Azure_Security_Benchmark_v2.0_ES-3 | Azure Security Benchmark ES-3 | Endpoint Security | Ensure anti-malware software and signatures are updated | Customer | Ensure anti-malware signatures are updated rapidly and consistently.<br>Follow recommendations in Azure Security Center: "Compute & Apps" to ensure all endpoints are up to date with the latest signatures. Microsoft Antimalware will automatically install the latest signatures and engine updates by default. For Linux, use third-party antimalware solution.<br>How to deploy Microsoft Antimalware for Azure Cloud Services and Virtual Machines: https://docs.microsoft.com/azure/security/fundamentals/antimalware<br>Endpoint protection assessment and recommendations in Azure Security Center: https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection | n/a | link | 2 |
| CIS_Azure_1.3.0 | 7.6 | CIS_Azure_1.3.0_7.6 | CIS Microsoft Azure Foundations Benchmark recommendation 7.6 | 7 Virtual Machines | Ensure that the endpoint protection for all Virtual Machines is installed | Shared | The customer is responsible for implementing this recommendation. | Install endpoint protection for all virtual machines. | link | 11 |
| New_Zealand_ISM | 14.1.9.C.01 | New_Zealand_ISM_14.1.9.C.01 | New_Zealand_ISM_14.1.9.C.01 | 14. Software security | 14.1.9.C.01 Maintaining hardened SOEs | | n/a | Agencies MUST ensure that for all servers and workstations: a technical specification is agreed for each platform with specified controls; a standard configuration created and updated for each operating system type and version; system users do not have the ability to install or disable software without approval; and installed software and operating system patching is up to date. | | 20 |
| NL_BIO_Cloud_Theme | C.04.3(2) | NL_BIO_Cloud_Theme_C.04.3(2) | NL_BIO_Cloud_Theme_C.04.3(2) | C.04 Technical Vulnerability Management | Technical vulnerabilities | | n/a | The malware protection is carried out on various environments, such as on mail servers, (desktop) computers and when accessing the organization's network. The scan for malware includes: all files received over networks or through any form of storage medium, even before use; all attachments and downloads even before use; virtual machines; network traffic. | | 22 |
| NL_BIO_Cloud_Theme | C.04.6(2) | NL_BIO_Cloud_Theme_C.04.6(2) | NL_BIO_Cloud_Theme_C.04.6(2) | C.04 Technical Vulnerability Management | Technical vulnerabilities | | n/a | Technical weaknesses can be remedied by performing patch management in a timely manner, which includes: identifying, registering and acquiring patches; the decision-making around the use of patches; testing patches; performing patches; registering implemented patches. | | 22 |
| NL_BIO_Cloud_Theme | C.04.7(2) | NL_BIO_Cloud_Theme_C.04.7(2) | NL_BIO_Cloud_Theme_C.04.7(2) | C.04 Technical Vulnerability Management | Evaluated | | n/a | Evaluations of technical vulnerabilities are recorded and reported. | | 43 |
| NL_BIO_Cloud_Theme | C.04.8(2) | NL_BIO_Cloud_Theme_C.04.8(2) | NL_BIO_Cloud_Theme_C.04.8(2) | C.04 Technical Vulnerability Management | Evaluated | | n/a | The evaluation reports contain suggestions for improvement and are communicated with managers/owners of ICT components in which vulnerabilities and weaknesses have been found. | | 4 |
| NL_BIO_Cloud_Theme | U.09.3(2) | NL_BIO_Cloud_Theme_U.09.3(2) | NL_BIO_Cloud_Theme_U.09.3(2) | U.09 Malware Protection | Detection, prevention and recovery | | n/a | The malware protection is carried out on various environments, such as on mail servers, (desktop) computers and when accessing the organization's network. The scan for malware includes: all files received over networks or through any form of storage medium, even before use; all attachments and downloads even before use; virtual machines; network traffic. | | 27 |