---
name: endpoint-security-management
description: Manage endpoint security across all corporate devices including EDR (Endpoint Detection and Response), antivirus, device compliance, patch management, application whitelisting, and endpoint forensics. Use when deploying EDR solutions, managing endpoint compliance, responding to endpoint threats, configuring device security policies, conducting endpoint forensics, managing mobile device security, or enforcing endpoint security baselines. Triggers on phrases like "endpoint security", "EDR", "endpoint detection", "antivirus management", "device compliance", "endpoint forensics", "application whitelisting", "device lockdown", "endpoint hardening", "MDM security".
---

# Endpoint Security Management

Secure all corporate endpoints (laptops, desktops, mobile devices, servers) with EDR, compliance, and threat response.

## Workflow

1. Inventory all endpoints: devices, operating systems, users, locations, risk classification.
2. Deploy endpoint security agents: EDR, antivirus, firewall, DLP on all managed devices.
3. Define and enforce security baselines: CIS benchmarks, patch levels, application allow/deny lists.
4. Monitor endpoint threats in real-time: malware, ransomware, lateral movement, data exfiltration.
5. Automate threat response: isolate devices, quarantine files, kill processes, block indicators.
6. Manage device compliance: OS version, encryption status, password policy, MDM enrollment.
7. Conduct endpoint forensics: memory dumps, disk imaging, process trees, network connections.
8. Report endpoint security posture: compliance scores, threat detection rates, response times.
9. Patch and harden endpoints: automated patch deployment, configuration enforcement, vulnerability remediation.
10. Review and improve: monthly security review, baseline updates, policy refinement, incident lessons learned.

## Endpoint Security Architecture

```
ENDPOINT SECURITY LAYERS
==========================

Layer 1: Prevention (block threats before execution)

  Antivirus / Anti-malware:
    - Signature-based detection (known malware patterns)
    - Heuristic analysis (suspicious behavior patterns)
    - Cloud-based scanning (threat intelligence from millions of endpoints)
    - Scheduled scans: full scan weekly, quick scan daily
    - On-access scanning: real-time file access monitoring
    - Coverage target: 100% of managed endpoints
    - False positive rate target: < 0.1%

  Application Allowlisting / Control:
    - Only approved applications can execute
    - Approve by: file hash, path, publisher certificate, file signature
    - Block: unsigned scripts, portable executables, unknown publishers
    - Exemptions: approved developer tools, testing environments
    - Audit log: all blocked execution attempts logged
    - Enforcement mode: audit (monitor only) → enforce (block) over 30-day transition

  Email Security (endpoint component):
    - Attachment sandboxing (open in isolated VM before delivery)
    - URL rewriting (click-time verification against threat feeds)
    - Anti-phishing: impersonation detection, BEC protection
    - Integration with EDR: quarantine files flagged by email security

  Browser Security:
    - Browser isolation (render pages in cloud sandbox)
    - Extension management (only approved browser extensions)
    - Auto-update enforcement (always latest browser version)
    - Cookie and tracking protection
    - Enterprise content filtering (block malicious/unsafe websites)

Layer 2: Detection (identify threats that bypass prevention)

  Endpoint Detection and Response (EDR):
    - Continuous monitoring of: processes, files, registry, network, memory
    - Behavioral analysis: detect anomalous behavior vs. baseline
    - Machine learning: identify unknown threats (zero-day)
    - Threat hunting: proactive search for indicators of compromise
    - Investigation: timeline reconstruction, process tree analysis
    - Top vendors: CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Carbon Black

  Endpoint telemetry collection:

    Process monitoring:
      - Process creation/termination (executable, command line, parent process)
      - Process injection (code injection into running processes)
      - Token manipulation (privilege escalation)
      - Suspicious processes: PowerShell, cmd.exe, wmic, certutil (living off the land)

    File monitoring:
      - File creation/modification/deletion
      - File type changes (extension change, polyglot files)
      - Mass file encryption (ransomware indicator)
      - Sensitive file access (PII, financial data, source code)

    Network monitoring:
      - Outbound connections (destination IP, port, protocol)
      - DNS queries (suspicious domains, DGA detection)
      - Network shares access (lateral movement indicator)
      - Data transfer volume (exfiltration detection)

    Registry monitoring (Windows):
      - Persistence mechanisms (run keys, services, scheduled tasks)
      - Security policy changes (disable antivirus, modify firewall)
      - User account changes (new admin, disabled accounts)

  User and Entity Behavior Analytics (UEBA):
    - Baseline normal user behavior (login times, accessed resources, data patterns)
    - Detect anomalies: unusual login location, after-hours access, data volume spike
    - Risk scoring: assign risk score to each user session
    - Integration with SIEM: correlate endpoint events with network and identity events

Layer 3: Response (contain and remediate threats)

  Automated response actions:
    - Isolate device from network (block all traffic except management channel)
    - Kill malicious process and child processes
    - Quarantine malicious file (move to isolated container)
    - Block malicious IP/domain at endpoint firewall
    - Disable compromised user account
    - Capture forensic data (memory dump, disk snapshot)

  Manual response workflows:
    - Triage alert: verify true positive vs. false positive
    - Investigate scope: affected files, processes, network connections
    - Contain: isolate affected systems, block IoCs
    - Eradicate: remove malware, close backdoors, reset credentials
    - Recover: restore from clean backup, verify system health
    - Document: incident report, timeline, lessons learned

  Response time targets:
    - Detection to alert: < 60 seconds
    - Alert to acknowledgment: < 5 minutes
    - Acknowledgment to containment: < 30 minutes
    - Containment to eradication: < 4 hours
    - Total mean time to respond (MTTR): < 8 hours for P1 endpoint incidents
```

## Endpoint Compliance Management

```
ENDPOINT COMPLIANCE FRAMEWORK
===============================

Compliance checks (continuous monitoring):

  Operating System Compliance:
    - OS version: must be supported version (Windows 10 21H2+, macOS 13+, Ubuntu 22.04+)
    - Patch level: security patches applied within 14 days of release
    - Update status: automatic updates enabled and verified
    - Compliance: 95%+ of endpoints on supported OS versions

  Encryption Compliance:
    - Full disk encryption enabled (BitLocker, FileVault, LUKS)
    - Encryption key stored securely (TPM, iCloud, recovery key vault)
    - Recovery key access: IT helpdesk can unlock with approval
    - Compliance: 100% of endpoints encrypted (zero tolerance)

  Password Policy Compliance:
    - Minimum length: 12 characters
    - Complexity: uppercase, lowercase, numbers, special characters
    - Expiration: 90 days (or passwordless authentication)
    - History: cannot reuse last 12 passwords
    - Lockout: 5 failed attempts → 30-minute lockout
    - Multi-factor authentication: enabled for all remote access

  Firewall Compliance:
    - Host firewall enabled on all endpoints
    - Inbound: block all except approved services
    - Outbound: allow with monitoring (or restrict to approved destinations)
    - Exception: development/testing environments with documented approval

  Antivirus/EDR Compliance:
    - Agent installed and running on 100% of endpoints
    - Definitions up to date (within 4 hours of release)
    - Scan schedule configured and executing
    - Tamper protection enabled (prevent user from disabling)
    - Cloud connectivity active (threat intelligence feed)

  Application Compliance:
    - No unapproved software installed (software allowlist enforcement)
    - Required applications installed (antivirus, VPN, MDM agent)
    - Browsers updated to latest version
    - Java/Adobe Flash disabled or removed (end-of-life technologies)

  Browser and Plugin Compliance:
    - Approved browsers only (Chrome, Edge, Firefox enterprise)
    - Browser extensions: approved list only
    - NPAPI plugins blocked
    - JavaScript enabled (required) but with tracking protection

Compliance scoring:

  Per-device compliance score (0-100):

    Category                Weight    Score (0-100)    Weighted
    ──────────────────────  ────────  ─────────────    ─────────
    OS patching             25%       [score]          [score × 0.25]
    Encryption              20%       [score]          [score × 0.20]
    Antivirus/EDR           20%       [score]          [score × 0.20]
    Firewall                10%       [score]          [score × 0.10]
    Password policy         10%       [score]          [score × 0.10]
    Application compliance  10%       [score]          [score × 0.10]
    ────────────────────────────────────────────────────────────────
    TOTAL                                            [sum]

  Compliance levels and actions:

    90-100: Compliant — standard monitoring
    70-89:  Warning — automated remediation attempts; alert user to take action
    50-69:  Non-compliant — restrict network access; require remediation within 48 hours
    0-49:   Critical — block network access; IT must remediate before reconnection
    0 (agent offline > 7 days): Lost/Stolen — initiate device recovery or wipe

Non-compliance remediation workflow:

  1. Detection: compliance check fails (automated, continuous)
  2. Grace period: 24 hours for user to self-remediate (notification sent)
  3. Auto-remediation: IT system attempts to fix (install patch, enable encryption)
  4. Network restriction: if unresolved after 48 hours, restrict to remediation VLAN
  5. IT intervention: helpdesk contacts user or remotely remediates
  6. Escalation: if unresolved after 72 hours, escalate to manager
  7. Device wipe: if device cannot be remediated, perform factory reset and redeploy
```

## EDR Threat Response

```
EDR THREAT RESPONSE PLAYBOOK
==============================

Common endpoint threat scenarios and response:

  Scenario 1: Ransomware Detection
    Indicators: mass file encryption, .locked/.encrypted extensions, ransom note
    Immediate actions:
      1. Isolate affected endpoint from network (block all traffic)
      2. Identify ransomware variant (file extension, ransom note content)
      3. Check for lateral movement (other affected endpoints)
      4. Isolate all potentially affected endpoints
      5. Identify entry point (phishing email, RDP, vulnerability)
    Eradication:
      1. Do NOT pay ransom (FBI and CISA recommendation)
      2. Restore from last known clean backup
      3. Reset all credentials that were accessible from affected endpoint
      4. Patch exploited vulnerability
      5. Scan all endpoints for persistence mechanisms
    Recovery time: 4-24 hours (depends on backup availability and scope)

  Scenario 2: Phishing / Credential Theft
    Indicators: user reports phishing, suspicious login from new location, impossible travel
    Immediate actions:
      1. Force password reset for affected user
      2. Revoke all active sessions and tokens
      3. Check for new devices/apps authorized by user
      4. Review user's email for forwarded rules or suspicious sent items
    Eradication:
      1. Enable MFA if not already active
      2. Block malicious URLs and sender addresses
      3. Scan user's endpoint for malware
      4. Monitor for 7 days for follow-on activity
    Recovery time: 1-4 hours

  Scenario 3: Lateral Movement Detection
    Indicators: multiple endpoints accessed from single source, SMB/RDP to unusual targets, Pass-the-Hash
    Immediate actions:
      1. Isolate source endpoint
      2. Identify all accessed endpoints and data
      3. Check for credential dumping (Mimikatz indicators)
      4. Block internal SMB/RDP between non-server endpoints
    Eradication:
      1. Reset credentials for all affected accounts
      2. Enable network segmentation (micro-segmentation)
      3. Deploy LAPS (Local Administrator Password Solution)
      4. Enable Credential Guard / LSA protection
    Recovery time: 4-12 hours

  Scenario 4: Data Exfiltration
    Indicators: large outbound data transfer, connections to unusual IPs, DNS tunneling
    Immediate actions:
      1. Block outbound connections to suspicious destinations
      2. Isolate affected endpoint
      3. Identify what data was accessed/transferred
      4. Determine if data is sensitive (PII, IP, financial)
    Eradication:
      1. Remove unauthorized applications
      2. Block identified exfiltration channels
      3. Review and restrict USB/external device access
      4. Deploy DLP policies on endpoint
    Recovery time: 2-8 hours; legal notification if regulated data involved

  Scenario 5: Living-off-the-Land (LotL) Attacks
    Indicators: suspicious PowerShell commands, WMI abuse, certutil downloading files, mshta execution
    Immediate actions:
      1. Block suspicious command patterns at EDR
      2. Isolate affected endpoint
      3. Review PowerShell execution policy and logging
      4. Check AppLocker/WDAC policy enforcement
    Eradication:
      1. Enable PowerShell constrained language mode
      2. Implement Application Control (AppLocker, WDAC, or EDR allowlisting)
      3. Enable PowerShell script block logging
      4. Restrict WMI access via Group Policy
    Recovery time: 2-6 hours

EDR investigation techniques:

  Process tree analysis:
    - View parent-child process relationships
    - Identify suspicious chains: explorer.exe → cmd.exe → powershell.exe → malware.exe
    - Check for process hollowing (legitimate process replaced with malicious code)
    - Look for unusual parent processes (outlook.exe spawning cmd.exe)

  File timeline:
    - Sort file operations by timestamp
    - Identify rapid file creation/modification (ransomware indicator)
    - Check for dropped files in temp directories
    - Look for persistence files (scheduled tasks, startup folder, registry run keys)

  Network connection analysis:
    - List all outbound connections from affected endpoint
    - Check connections to known malicious IPs/domains (threat intelligence)
    - Identify C2 communication patterns (beaconing — regular interval connections)
    - Analyze DNS queries for DGA (Domain Generation Algorithm) patterns

  Memory forensics:
    - Capture memory dump from affected endpoint (EDR feature)
    - Analyze for injected code, loaded modules, hidden processes
    - Extract network connections, passwords, encryption keys
    - Tools: Volatility Framework, Rekall
```
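Two of the investigation techniques above, process tree analysis (a living-off-the-land binary under an unusual parent such as outlook.exe spawning cmd.exe) and beaconing detection (regular-interval connections to one destination), as an added example run over constructed telemetry. This is not output from or code for any EDR vendor: the process events and connection records are made up, the destination addresses are documentation ranges, and the list of "unusual parents" and the jitter threshold for beaconing are assumptions an analyst would tune for their environment.

```python
"""EDR investigation helpers over constructed telemetry.

1. suspicious_chains(): walk a process tree and flag LOLBins whose
   ancestry contains a parent that should not normally spawn a shell.
2. beaconing_destinations(): flag destinations contacted at regular
   intervals (low jitter between connections), a C2 beaconing indicator.
All sample data below is constructed for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Living-off-the-land binaries named in the playbook.
LOLBINS = {"powershell.exe", "cmd.exe", "wmic.exe", "certutil.exe", "mshta.exe"}
# Assumed list: mail and Office processes rarely have a legitimate reason to spawn a shell.
UNUSUAL_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}


def build_tree(events):
    """events: iterable of (pid, ppid, image). Returns pid -> (ppid, image)."""
    return {pid: (ppid, image.lower()) for pid, ppid, image in events}


def ancestry(tree, pid):
    """Images from the root ancestor down to pid, e.g. ['explorer.exe', 'cmd.exe'].

    Stops at a pid not in the tree (parent exited or outside the capture)
    and guards against pid-reuse cycles.
    """
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        ppid, image = tree[pid]
        chain.append(image)
        pid = ppid
    return list(reversed(chain))


def suspicious_chains(events):
    """Chains (root -> ... -> LOLBin) where any ancestor is an unusual parent."""
    tree = build_tree(events)
    hits = []
    for pid, (_ppid, image) in tree.items():
        if image in LOLBINS:
            chain = ancestry(tree, pid)
            if any(a in UNUSUAL_PARENTS for a in chain[:-1]):
                hits.append(" -> ".join(chain))
    return hits


def beaconing_destinations(connections, min_connections=6, max_jitter=0.2):
    """connections: iterable of (timestamp_seconds, destination).

    A destination is flagged when it was contacted at least min_connections
    times and the coefficient of variation of the gaps between contacts is
    at most max_jitter (assumed threshold). Returns destination -> mean gap.
    """
    by_dest = defaultdict(list)
    for ts, dest in connections:
        by_dest[dest].append(ts)
    flagged = {}
    for dest, times in by_dest.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_jitter:
            flagged[dest] = round(avg, 1)
    return flagged


# Constructed process events: (pid, ppid, image).
SAMPLE_PROCESSES = [
    (4, 1, "explorer.exe"),
    (10, 4, "outlook.exe"),
    (11, 10, "cmd.exe"),          # shell spawned by the mail client
    (12, 11, "powershell.exe"),   # and a PowerShell under it
    (20, 4, "chrome.exe"),
    (30, 4, "cmd.exe"),           # user-launched shell: explorer parent, not flagged
]

# Constructed connection log: (timestamp_seconds, destination).
# 203.0.113.5 is contacted roughly every 60 s; 198.51.100.20 is ordinary browsing.
SAMPLE_CONNECTIONS = (
    [(t, "203.0.113.5") for t in (0, 61, 119, 181, 240, 302, 359)]
    + [(t, "198.51.100.20") for t in (5, 7, 40, 41, 300, 305, 900)]
)


if __name__ == "__main__":
    for chain in suspicious_chains(SAMPLE_PROCESSES):
        print("suspicious chain:", chain)
    for dest, gap in beaconing_destinations(SAMPLE_CONNECTIONS).items():
        print(f"possible beacon: {dest} every ~{gap}s")
```

The beaconing check deliberately uses the coefficient of variation rather than an absolute interval, so it catches 30-second and 6-hour beacons alike; in practice an analyst raises `max_jitter` to catch implants that add random sleep, at the cost of more false positives from polling software, and pairs the result with the threat-intelligence lookup step above.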

## Mobile Device Security

```
MOBILE DEVICE SECURITY FRAMEWORK
===================================

MDM (Mobile Device Management) platforms:

  Enterprise MDM options:
    Microsoft Intune: $6–$12 per user/month; deep M365 integration; Windows + mobile
    Jamf Pro: $49–$89 per device/year; Apple-focused; comprehensive iOS/macOS management
    VMware Workspace ONE: $6–$15 per user/month; cross-platform; UEM (unified endpoint management)
    Cisco Meraki Systems Manager: $6–$12 per device/year; cloud-based; simple deployment
    IBM MaaS360: $5–$15 per user/month; cross-platform; strong security features

  MDM enrollment types:
    Corporate-owned, business-only (COBO): full device control; company manages everything
    Corporate-owned, personally usable (COPE): managed apps + some personal use
    Personally-owned, corporate-enabled (BYOD): managed container only; personal data separate
    Bring-your-own-device with managed app config: app-level management only

Mobile security policies:

  iOS:
    - Passcode: minimum 6-digit numeric or alphanumeric
    - Auto-lock: 5 minutes maximum
    - Data protection: enabled by default (full disk encryption)
    - Jailbreak detection: block or restrict jailbroken devices
    - App management: only approved apps from App Store or enterprise catalog
    - Content restriction: block camera, Siri, app installation as needed
    - Remote wipe: capability to erase device if lost/stolen

  Android:
    - Screen lock: minimum PIN (6-digit) or pattern (complex)
    - Work profile: separate managed workspace (Android Enterprise)
    - Root detection: block or restrict rooted devices
    - Play Protect: enabled for malware scanning
    - Kiosk mode: single-app mode for dedicated devices
    - Remote wipe: selective wipe (work data only) or full wipe

  Mobile application security:
    - Only approved apps (whitelist)
    - No sideloading (unofficial app installation)
    - App wrapping for additional security (encryption, jailbreak detection)
    - Mobile SSO (single sign-on) with MFA
    - Containerized apps (data separated from personal apps)

  Data protection:
    - Full device encryption (standard on modern devices)
    - Secure enclave/key storage for encryption keys
    - VPN enforcement for all corporate data access
    - DLP: prevent copy/paste between managed and personal apps
    - Screen capture blocking in managed apps
    - Cut and paste restrictions between containers

Mobile compliance monitoring:

  Check every 4 hours (continuous compliance):
    - Device enrolled in MDM
    - OS version meets minimum requirement
    - Passcode set and meets policy
    - Encryption enabled
    - Jailbreak/root status
    - Antivirus/EDR agent installed (Android)
    - Managed browser configured
    - VPN configured and connected (when accessing corporate resources)
```

## Integration Points

- **CrowdStrike Falcon**: EDR platform; real-time threat detection; automated response; threat intelligence; cloud-native; < 100MB agent
- **SentinelOne**: EDR/autopilot; AI-based detection; automated remediation; ransomware protection; lightweight agent
- **Microsoft Defender for Endpoint**: native Windows EDR; integrates with M365; attack surface reduction; device management; included in E5 license
- **Carbon Black (VMware)**: EDR; cloud workload protection; application control; threat intelligence; enterprise-scale
- **Trend Micro Vision One**: XDR (extended detection and response); endpoint + cloud + email; automated investigation
- **Microsoft Intune**: MDM/UEM; Windows/macOS/iOS/Android; conditional access; app management; compliance policies
- **Jamf Pro**: Apple device management; MDM; application deployment; patch management; compliance reporting
- **Qualys Endpoint Security**: unified agent for vulnerability management + EDR + patch management
- **Tanium**: real-time endpoint visibility; patch management; vulnerability assessment; response; extremely fast query capability

## Edge Cases

- **BYOD security** (personal devices accessing corporate resources): Balance security with employee privacy; use managed container/app-level controls only; never access personal data; clear acceptable use policy; remote wipe limited to corporate container; legal agreement required before enrollment
  - App-level MDM: manage only corporate apps; personal data untouched
  - Conditional access: require compliant device for corporate email/apps
  - Data separation: clipboard blocking, no file sharing between containers
  - Offboarding: corporate container wiped; personal data preserved

- **IoT/OT endpoint security** (industrial control systems, medical devices, smart devices): Cannot install traditional EDR agents; use network-based monitoring instead; segment IoT devices on separate VLANs; implement micro-segmentation; monitor for anomalous network behavior; maintain IoT device inventory
  - Network segmentation: IoT VLAN isolated from corporate network
  - Allowlist-based firewall: only permit