Mitigation Strategy
|
Essential Eight Requirement
|
ISM Control
|
How Endpoint Central helps
|
|
Patch applications
|
An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.
|
ISM-1807
|
Endpoint Central uses its agents to fetch the complete details of the inventory present in your IT.
Refer to the types of Inventory scans leveraged by Endpoint Central for monitoring your IT.
Admins can configure Inventory alerts in case of any unauthorized changes taking place inside your IT network.
Endpoint Central provides comprehensive vulnerability management in terms of constant assessment and visibility of threats from a single console.
Apart from vulnerability assessment, it also provides built-in remediation of the vulnerabilities detected.
Endpoint Central integrates with Tenable for extensive vulnerability detection.
Endpoint Central has a vulnerability age matrix and vulnerability severity summary, which can provide rich insights about the impact of patch implementation. Besides, Endpoint Central also provides comprehensive reports on vulnerable systems and missing patches in your IT.
Endpoint Central provides comprehensive patch support for Windows, Linux, and macOSs and Windows Server OS. It also can patch 1,000+ third party applications, hardware drivers, and BIOS.
Endpoint Central's SLA for patches:
- Third-party updates are supported within 6-9 hours from vendor release.
- Security updates are supported within 12-18 hours from vendor release.
- Non-security updates are supported within 24 hours from vendor release.
Endpoint Central's comprehensive patching solution helps you to achieve high patch compliance.
Endpoint Central helps monitoring your network endpoints continuously and detect end of life softwares, peer to peer softwares and remote sharing tools present in them. It also presents the admins with details on the expiry date and the number of days before software in your network becomes end of life.
|
|
A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
|
ISM-1808
|
|
A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in online services.
|
ISM-1698
|
|
A vulnerability scanner is used at least weekly to identify missing patches or updates for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.
|
ISM-1699
|
|
A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.
|
ISM-1700
|
|
Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
|
ISM-1876
|
|
Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
|
ISM-1690
|
|
Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
|
ISM-1692
|
|
Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
|
ISM-1901
|
|
Patches, updates or other vendor mitigations for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within one month of release.
|
ISM-1693
|
|
Office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.
|
ISM-1704
|
|
Applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.
|
ISM-0304
|
|
Patch operating systems
|
An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.
|
ISM-1807
|
Endpoint Central uses its agents to fetch the complete details of the inventory present in your IT.
Refer to the types of Inventory scans leveraged by Endpoint Central for monitoring your IT.
Admins can configure Inventory Alerts in case of any unauthorized changes taking place inside your IT network.
Endpoint Central provides comprehensive vulnerability management in terms of constant assessment and visibility of threats from a single console.
Apart from vulnerability assessment, it also provides built-in remediation of the vulnerabilities detected.
Endpoint Central integrates with Tenable for extensive vulnerability detection.
Endpoint Central has a vulnerability age matrix and vulnerability severity summary, which can provide rich insights about the impact of patch implementation. Besides, Endpoint Central also provides comprehensive reports on vulnerable systems and missing patches in your IT.
For updating patches and detecting vulnerabilities in non-internet facing servers and network devices, Endpoint Central's DMZ architecture can be leveraged.
Endpoint Central provides comprehensive patch support for Windows, Linux, and macOSs and Windows Server OS. It also can patch 1,000+ third party applications, hardware drivers, and BIOS.
Endpoint Central's SLA for patches:
- Third-party updates are supported within 6-9 hours from vendor release.
- Security updates are supported within 12-18 hours from vendor release.
- Non-security updates are supported within 24 hours from vendor release.
Endpoint Central's comprehensive patching solution helps you to achieve high patch compliance.
Endpoint Central's OS Deployment feature help you upgrade your OS from older version to the latest version.
(OS Deployment Applicable for Windows and Windows Server OS)
Endpoint Central also provides a comprehensive view listing the computer hardware which are incompatible with Windows 11.
|
|
A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
|
ISM-1808
|
|
A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices.
|
ISM-1701
|
|
A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices.
|
ISM-1702
|
|
A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in drivers.
|
ISM-1703
|
|
A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in firmware.
|
ISM-1900
|
|
Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
|
ISM-1877
|
|
Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
|
ISM-1694
|
|
Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
|
ISM-1696
|
|
Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
|
ISM-1902
|
|
Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
|
ISM-1879
|
|
Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
|
ISM-1697
|
|
Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
|
ISM-1903
|
|
Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
|
ISM-1904
|
|
The latest release, or the previous release, of operating systems are used.
|
ISM-1407
|
|
Operating systems that are no longer supported by vendors are replaced.
|
ISM-1501
|
|
Multi Factor Authentication
|
Multi-factor authentication is used to authenticate privileged users of systems.
|
ISM-1173
|
Endpoint Central helps in leveraging Windows' Hello for Windows devices. Admins can also configure Two- Factor authentication for Windows end- users.
Endpoint Central console can be accessed using a two-factor authentication.
|
|
Restrict administrative privileges
|
Requests for privileged access to systems, applications and data repositories are validated when first requested.
|
ISM-1507
|
In the case of blocklisted or greylisted applications, Endpoint Central can admins provide temporary, on-demand access to users. Hence the end-users requestes are validated.
Endpoint Central also has a Permission management configuration (for Windows) through which the admins can restrict the users from accessing a particular file or folder or registry key.
Endpoint Central leverages the principle of least privilege and has a robust endpoint privilege management capability, providing for application specific privilege management and just-in-time access to the end users.
The privilege management can be revisited periodically by the admins
Endpoint Central can help in removing unnecessary local admins.
Endpoint Central's Custom Group feature allows the admins to logically segregate systems of their convenience so that they can manage and secure them effectively.
Admins could create different static or dynamic groups for different operating environments based on their requirements.
Endpoint Central has Secure Gateway server preventing the exposure of Endpoint Central Server directly to the internet
|
|
Privileged access to systems, applications and data repositories is disabled after 12 months unless revalidated.
|
ISM-1647
|
|
Privileged access to systems and applications is disabled after 45 days of inactivity.
|
ISM-1648
|
|
Privileged users are assigned a dedicated privileged user account to be used solely for duties requiring privileged access.
|
ISM-0445
|
|
Privileged access to systems, applications and data repositories is limited to only what is required for users and services to undertake their duties.
|
ISM-1508
|
|
Privileged user accounts (excluding those explicitly authorised to access online services) are prevented from accessing the internet, email and web services.
|
ISM-1175
|
|
Privileged user accounts explicitly authorised to access online services are strictly limited to only what is required for users and services to undertake their duties.
|
ISM-1883
|
|
Secure Admin Workstations are used in the performance of administrative activities.
|
ISM-1898
|
|
Privileged users use separate privileged and unprivileged operating environments.
|
ISM-1380
|
|
Privileged operating environments are not virtualised within unprivileged operating environments.
|
ISM-1687
|
|
Unprivileged user accounts cannot logon to privileged operating environments.
|
ISM-1688
|
|
Privileged user accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.
|
ISM-1689
|
|
Just-in-time administration is used for administering systems and applications.
|
ISM-1649
|
|
Administrative activities are conducted through jump servers.
|
ISM-1387
|
|
Application control
|
Application control is implemented on workstations.
|
ISM-0843
|
Endpoint Central leverages the principle of least privilege and has a robust endpoint privilege management capability, providing for application specific privilege management and just-in-time access to the end users.
It has conditional access policies to validate authorized users to access business critical systems and data.
Endpoint Central's Application Control module allows the admins to allowlist/ blocklist software applications in critical endpoints.
Endpoint Central also can block executables feature, preventing the files from automatically getting executed.
Endpoint Central also empowers admins to control the Child processes arising out of other applications.
All applications present in the allowlist and the unmanaged applications will be allowed to run smoothly in audit mode, and log collection will be enabled. The admin can monitor logs for as long as needed as a reference to know when to shift applications from the unmanaged application list to the allowlist, depending on the frequency and legitimacy of their use.
|
|
Application control is implemented on internet-facing servers.
|
ISM-1490
|
|
Application control is implemented on non-internet-facing servers.
|
ISM-1656
|
|
Application control is applied to user profiles and temporary folders used by operating systems, web browsers and email clients.
|
ISM-1870
|
|
Application control is applied to all locations other than user profiles and temporary folders used by operating systems, web browsers and email clients.
|
ISM-1871
|
|
Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set.
|
ISM-1657
|
|
Application control restricts the execution of drivers to an organisation-approved set.
|
ISM-1658
|
|
Microsoft’s recommended application blocklist is implemented.
|
ISM-1544
|
|
Microsoft’s vulnerable driver blocklist is implemented.
|
ISM-1659
|
|
Application control rulesets are validated on an annual or more frequent basis.
|
ISM-1582
|
|
Restrict Microsoft Office macros
|
Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.
|
ISM-1671
|
Endpont Central leverages custom script configuration feature to ensure that macros are disabled for users who do not have business requirement.
Endpoint Central's Custom Group feature allows the admins to logically segregate systems of their convenience so that they can deploy macros to only to a select group of computers.
After deploying the Macros as a custom script , leveraging Endpoint Central, admins could use Collection Configuration feature. This means after the script is deployed, admins could launch the antivirus application (Scheduler configuration) so that the macros are scanned thoroughly.
|
|
Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location or that are digitally signed by a trusted publisher are allowed to execute.
|
ISM-1674
|
|
Microsoft Office macros are checked to ensure they are free of malicious code before being digitally signed or placed within Trusted Locations.
|
ISM-1890
|
|
Only privileged users responsible for checking that Microsoft Office macros are free of malicious code can write to and modify content within Trusted Locations.
|
ISM-1487
|
|
Microsoft Office macros digitally signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage View.
|
ISM-1675
|
|
Microsoft Office macros digitally signed by signatures other than V3 signatures cannot be enabled via the Message Bar or Backstage View.
|
ISM-1891
|
|
Microsoft Office’s list of trusted publishers is validated on an annual or more frequent basis.
|
ISM-1676
|
|
Microsoft Office macros in files originating from the internet are blocked.
|
ISM-1488
|
|
Microsoft Office macro antivirus scanning is enabled.
|
ISM-1672
|
|
Microsoft Office macros are blocked from making Win32 API calls.
|
ISM-1673
|
|
Microsoft Office macro security settings cannot be changed by users.
|
ISM-1489
|
|
User application hardening
|
Internet Explorer 11 is disabled or removed.
|
ISM-1654
|
Endpoint Central's Browser Restriction policy can enable admins restrict the end-users fro using Internet Explorer.
Endpoint Central's Browser Customization Configurations can help admins prevent javascript from running in the browsers.
Using Endpoint Central, admins can block websites with excessive ads to prevent users from accessing websites that display an excessive amount of advertising.
Endpoint Central's comprehenisve Browser Security feature enables admins to harden the browsers.
Endpoint Central can ensure that the browser security settings deployed by admins cannot be tampered by the end-users.
Endpoint Central also empowers admins to control the Child processes arising out of other applications.
Endpoint Central provides patching for third party applications like Adobe.
|
|
Web browsers do not process Java from the internet.
|
ISM-1486
|
|
Web browsers do not process web advertisements from the internet.
|
ISM-1485
|
|
Web browsers are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.
|
ISM-1412
|
|
Web browser security settings cannot be changed by users.
|
ISM-1585
|
|
Microsoft Office is blocked from creating child processes.
|
ISM-1667
|
|
Microsoft Office is blocked from creating executable content.
|
ISM-1668
|
|
Microsoft Office is blocked from injecting code into other processes.
|
ISM-1669
|
|
Microsoft Office is configured to prevent activation of Object Linking and Embedding packages.
|
ISM-1542
|
|
Office productivity suites are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.
|
ISM-1859
|
|
Office productivity suite security settings cannot be changed by users.
|
ISM-1823
|
|
PDF software is blocked from creating child processes.
|
ISM-1670
|
|
PDF software is hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.
|
ISM-1860
|
|
PDF software security settings cannot be changed by users.
|
ISM-1824
|
|
.NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed.
|
ISM-1655
|
|
Windows PowerShell 2.0 is disabled or removed.
|
ISM-1621
|
|
Regular backups
|
Backups of data, applications and settings are performed and retained in accordance with business criticality and business continuity requirements.
|
ISM-1511
|
Endpoint Central also provides instant, non-erasable backup of the files in your network every three hours by leveraging Microsoft's volume shadow copy service.
If a file is infected with ransomware, it can be restored with the most recent backup copy of the file.
|
|
Backups of data, applications and settings are synchronised to enable restoration to a common point in time.
|
ISM-1810
|
|
Backups of data, applications and settings are retained in a secure and resilient manner.
|
ISM-1811
|
|
Restoration of data, applications and settings from backups to a common point in time is tested as part of disaster recovery exercises.
|
ISM-1515
|
