cc6-8 High priority Security / Logical and Physical Access

Controls protect against malicious software

Malware, including ransomware, trojans, and spyware, is a persistent threat to systems and data, and endpoint compromise is one of the most common initial access vectors in security incidents. This criterion requires that systems be protected against malicious software through endpoint protection, regular scanning, and controls that prevent malware from being introduced into the environment.

Complete first: cc6-1

Implementation steps

  1. Deploy endpoint detection and response (EDR) on all managed devices

     Install EDR software on all company-issued laptops and workstations. The software should provide real-time malware detection, behavioral monitoring, and automated response to threats. Ensure all devices are enrolled and reporting. Unmanaged or personal devices should not have access to production systems or sensitive data.

     Tools: crowdstrike, sentinelone, microsoft-defender, jamf
  2. Restrict software installation and execution on endpoints

     Prevent users from installing unauthorized software on company devices. Use MDM policies to enforce application allowlisting or restrict admin privileges. This reduces the risk of malware being introduced through user-installed software, browser extensions, or downloads.

     Tools: jamf, microsoft-intune, kandji
  3. Scan container images and dependencies for malware and vulnerabilities

     Integrate security scanning into your CI/CD pipeline to detect malicious packages and known vulnerabilities before they reach production. Scan container images with a tool like Trivy or Snyk. Enable dependency scanning on your repositories. Block deployments that include critical vulnerabilities.

     Tools: snyk, trivy, dependabot, github-advanced-security
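A pipeline gate of the kind step 3 describes, as an added example that is not part of this control page or of Trivy itself: it reads a Trivy JSON report (the sample below is constructed inline in the shape of `trivy image --format json` output, with placeholder CVE ids) and decides whether the deployment must be blocked. It assumes the report's `Results` / `Vulnerabilities` / `Severity` / `FixedVersion` fields, and handles the case where Trivy omits `Vulnerabilities` for a clean target.

```python
"""Deployment gate over a Trivy JSON report (added example, not the page's own code)."""
import json

# Severity labels as Trivy emits them, ranked for threshold comparison.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report; the CVE ids are placeholders, not real identifiers.
SAMPLE_REPORT = json.loads("""
{
  "ArtifactName": "registry.example/app:1.2.3",
  "Results": [
    {"Target": "registry.example/app:1.2.3 (debian 12)",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-XXXX-0001", "PkgName": "libexample",
        "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
       {"VulnerabilityID": "CVE-XXXX-0002", "PkgName": "libother",
        "InstalledVersion": "2.0", "FixedVersion": "", "Severity": "HIGH"}
     ]},
    {"Target": "app/requirements.txt", "Type": "pip"}
  ]
}
""")


def findings_at_or_above(report, threshold="CRITICAL", ignore_unfixed=False):
    """Return (target, id, package, severity) tuples that meet the threshold.

    A clean target carries no "Vulnerabilities" key at all, so the lookup
    defaults to an empty list instead of raising KeyError mid-pipeline.
    """
    floor = SEVERITY_RANK[threshold]
    hits = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < floor:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # no patched version yet: report it, do not block on it
            hits.append((result["Target"], vuln["VulnerabilityID"],
                         vuln["PkgName"], vuln["Severity"]))
    return hits


def should_block(report, threshold="CRITICAL", ignore_unfixed=False):
    """True when the pipeline must refuse to promote this image to production."""
    return bool(findings_at_or_above(report, threshold, ignore_unfixed))


if __name__ == "__main__":
    for hit in findings_at_or_above(SAMPLE_REPORT, "HIGH"):
        print("BLOCKING:", *hit)
    raise SystemExit(1 if should_block(SAMPLE_REPORT) else 0)
```

The non-zero exit status is what a CI step keys on; Trivy's own `--exit-code` and `--severity` flags give the same effect without the parsing when you only need the pass/fail result.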

Evidence required

Endpoint protection enrollment

Evidence that EDR or anti-malware is deployed on all managed devices.

  • EDR console showing enrolled device count vs. total devices
  • MDM policy configuration showing software restrictions
  • Endpoint protection policy document

Malware detection and scanning records

Evidence that systems are actively scanned for malicious software.

  • EDR scan report or dashboard
  • CI/CD pipeline with container image scanning step
  • Dependency vulnerability scan results from Snyk or Dependabot

Related controls