How do you secure a device according to Zero Trust principles? Part 2

Managing security and risk with respect to endpoints requires an overview and insight. Overview and insight are gained by connecting endpoints to an Identity Provider (IdP) - with the most prominent IdP being Microsoft Azure Active Directory - so that they become trusted identities. Once this required foundation is in place, mitigation measures can be established and built upon on the basis of Zero Trust principles. Moreover, this foundation is also one of the required prerequisites for using Microsoft Intune and setting up Conditional Access policies.

The combination between management and compliance status of an endpoint managed by Microsoft Intune, allows further fine-tuning of Conditional Access policies. A setup in this way ensures that endpoints must remain continuously compliant to maintain access to applications and services important to business operations. The endpoint owner retains access to, for example, the Dynamics 365 ERP application only when the device is considered 'compliant' and cannot access the application once the status is set to 'not-compliant. Thus, an endpoint retains the minimum permissions for accessing a particular application even when the device's 'health' is perfectly fine. This encourages the organization, IT department and end user to keep endpoints continuously compliant and secures access to applications.

Nowadays the question is not whether or not there will ever be an intrusion, but when it will happen and how damaging it will be. Take one's own body as an example. Occasionally getting sick is inevitable, so we need to make sure we live healthy lives, mitigate health risks, limit any damage and get fit again quickly when sick.

How is that tackled when we look at securing endpoints? First, the advice is to structurally force install Windows operating system updates via one or more Intune update ring policies and oversee this with compliance policies. Installing Windows updates ensures that security issues are fixed and threats are less likely to do damage.

This remains the best remedy for keeping endpoints secure. In addition to the operating system, it is increasingly important to update non-Microsoft applications structurally, although this requires more time and effort for both the end user and the IT department.

Microsoft Defender for Endpoint also provides insight into vulnerabilities in non-Microsoft applications residing on endpoints. The list of supported applications is growing by the day. In addition, the advice is to keep the attack surface on endpoints as small as possible. Reducing the attack surface has to do with protecting an endpoint's operating system, giving attackers fewer ways to launch attacks.

It is also important to gain insight into exactly what is happening on an endpoint. Microsoft Defender for Endpoint can be used for this. Security Information and Event Management (SIEM) and eXtended Detection and Response (XDR) help increase efficiency and effectiveness with respect to security measures, obtain new analytics and protect the overall IT environment.

The data this generates directly forms the basis for Endpoint Detection and Response (EDR). EDR is a form of endpoint security that combines real-time monitoring and collection of endpoint data with rule-based, automated response and analysis capabilities. Suspicious activity on hosts and endpoints can be detected and investigated, thus using a high degree of automation to quickly identify and respond to threats.