
Endpoint Security

5 automated security scanners


Purpose: This scanner analyzes the endpoint detection and response (EDR) capabilities and maturity that are visible for a given domain. It identifies modern EDR solutions named in public sources, flags configurations where only legacy antivirus is mentioned, reviews job postings for relevant skills, collects documented security practices, and checks for partnerships with reputable EDR vendors. Because it works from public evidence rather than from the endpoints themselves, its findings describe what can and cannot be confirmed externally, not the true state of every device.

What It Detects:

  • EDR Vendors Identified: The scanner identifies whether a modern EDR solution, such as CrowdStrike Falcon or Microsoft Defender for Endpoint, is named in public sources. Note that a bare mention of “Microsoft Defender” may refer only to the built-in antivirus, not to the EDR product.
  • Legacy AV Only: It flags cases where only legacy, signature-based antivirus software is named, with no modern detection and response capability alongside it.
  • Job Postings: It looks for job postings that indicate in-house staff focused on threat hunting, SOC operations, and endpoint security.
  • Security Documentation: The scanner collects published evidence of endpoint detection and response practices, such as trust pages, security whitepapers, and compliance statements.
  • Partnerships with EDR Vendors: It checks for announced partnerships, case studies, or customer references involving reputable EDR vendors, which indicate a stronger commitment to endpoint security.

Inputs Required:

  • Domain Name: The domain for which the endpoint security assessment is required.

Business Impact: This scanner helps in understanding the current state of endpoint protection and in identifying gaps in the security infrastructure. Signature-based antivirus alone does not reliably catch fileless malware, living-off-the-land techniques, or hands-on-keyboard intrusions; a properly configured EDR solution records process, network, and file telemetry so that such activity can be detected, investigated, and contained. Organizations therefore need to confirm that their endpoint protection provides detection and response, not just prevention.

Risk Levels:

  • Critical: Public sources positively identify a legacy antivirus product as the only endpoint protection, with no evidence of EDR deployment. Endpoints are then highly exposed to advanced threats that bypass signature-based detection.
  • High: No modern EDR solution is named in any public source, regardless of whether other security measures are mentioned. This is absence of evidence rather than proof of absence, but it leaves the organization unable to demonstrate detection and response capability.
  • Medium: EDR vendors are identified, but there is no evidence of mature SOC operations or threat hunting, suggesting the tooling may be deployed without the operational capacity to act on its alerts.
  • Low: Modern EDR solutions are identified together with evidence of mature security operations and threat hunting, indicating strong endpoint detection and response capability.
  • Info: Informational findings that do not by themselves indicate a weakness but provide context on the organization’s endpoint protection practices.

Example Findings:

  1. Critical Finding: “Legacy AV-only deployment detected: McAfee” - A legacy antivirus product is the only endpoint protection named in public sources and no EDR solution is mentioned, so endpoints appear to rely on signature-based detection alone.
  2. High Finding: “No endpoint protection evidence found across public sources” - No endpoint security measures of any kind are visible externally. This does not prove that none are deployed, but the organization cannot be shown to have detection and response capability, which warrants verification.
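The tiering rules above are a precedence list: a positive sighting of legacy antivirus with no EDR outranks a simple lack of EDR evidence, and EDR without signs of a SOC sits between that and a fully evidenced program. The following Python is an added illustration of that logic, not the scanner's own code; its vendor keyword tables, the maturity regex, and the sample documents are constructed for the example. The same evidence-then-tier shape applies to the remote work, encryption, and privilege management scanners described further down.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Illustrative keyword tables (assumptions standing in for the scanner's own vendor lists).
EDR_PATTERNS = {
    "CrowdStrike Falcon": r"crowdstrike",
    "Microsoft Defender for Endpoint": r"defender for endpoint|\bmde\b",
    "SentinelOne": r"sentinelone",
}
LEGACY_AV_PATTERNS = {
    "McAfee VirusScan": r"mcafee|virusscan",
    "Symantec Endpoint Protection": r"symantec endpoint protection",
}
# Signals of mature security operations (threat hunting / SOC), typically from job postings.
MATURITY_PATTERN = r"threat hunt|soc analyst|security operations cent(?:er|re)|incident respon"


@dataclass
class EdrEvidence:
    edr_vendors: set[str] = field(default_factory=set)
    legacy_av: set[str] = field(default_factory=set)
    mature_ops: bool = False


def extract_evidence(documents: list[str]) -> EdrEvidence:
    """Scan public text (job postings, trust pages, press releases) for vendor and maturity signals."""
    ev = EdrEvidence()
    for doc in documents:
        text = doc.lower()
        for name, pattern in EDR_PATTERNS.items():
            if re.search(pattern, text):
                ev.edr_vendors.add(name)
        for name, pattern in LEGACY_AV_PATTERNS.items():
            if re.search(pattern, text):
                ev.legacy_av.add(name)
        if re.search(MATURITY_PATTERN, text):
            ev.mature_ops = True
    return ev


def risk_level(ev: EdrEvidence) -> str:
    """Apply the tiers in order of precedence; the first matching rule wins."""
    # Positive evidence of a legacy-only estate outranks mere absence of EDR evidence.
    if ev.legacy_av and not ev.edr_vendors:
        return "Critical"
    # No EDR named anywhere: absence of evidence, not proof that none is deployed.
    if not ev.edr_vendors:
        return "High"
    # EDR present but nothing suggests anyone is hunting or triaging its alerts.
    if not ev.mature_ops:
        return "Medium"
    return "Low"


def assess(documents: list[str]) -> tuple[str, EdrEvidence]:
    ev = extract_evidence(documents)
    return risk_level(ev), ev


# Constructed sample inputs (fictional organisations).
SAMPLE_MATURE = [
    "Hiring: SOC Analyst with CrowdStrike Falcon and threat hunting experience.",
    "Our trust page: endpoints are protected by CrowdStrike and monitored 24x7.",
]
SAMPLE_LEGACY = ["IT standard: all workstations run McAfee VirusScan Enterprise."]
SAMPLE_EDR_ONLY = ["We deploy SentinelOne to every laptop."]
SAMPLE_SILENT = ["We make excellent widgets and ship worldwide."]

if __name__ == "__main__":
    for name, docs in [("mature", SAMPLE_MATURE), ("legacy", SAMPLE_LEGACY),
                       ("edr-only", SAMPLE_EDR_ONLY), ("silent", SAMPLE_SILENT)]:
        level, ev = assess(docs)
        print(f"{name:9} -> {level:8} edr={sorted(ev.edr_vendors)} "
              f"legacy={sorted(ev.legacy_av)} mature={ev.mature_ops}")
```

Note that a domain mentioning both McAfee and an EDR vendor lands on Medium or Low, not Critical: the legacy product may be a remnant or a different business unit, so only a legacy-only sighting is treated as Critical. Real keyword lists need care with ambiguous names (Falcon, Defender, SEP), which is why the patterns above stay narrow.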


Purpose: This scanner analyzes the removable media controls that are documented for a given domain, including encryption requirements and data loss prevention (DLP) integration. It evaluates the evidence for USB device restrictions, mandatory encryption of removable drives, and DLP monitoring to identify potential gaps in data protection.

What It Detects:

  • USB Device Restrictions: Identifies whether policies exist to block or restrict the use of removable storage devices, for example read-only access or device allowlisting.
  • Mandatory Encryption: Checks for encryption requirements on all removable media, including BitLocker To Go enforcement and hardware-encryption-only settings.
  • DLP Integration: Evaluates whether DLP monitoring and content inspection are applied to data written to removable media.

Inputs Required:

  • Domain: The target domain to be scanned for endpoint security measures related to removable media.

Business Impact: Robust controls over removable media are crucial because USB storage is both an easy channel for data exfiltration and a common way to introduce malware into an environment. Unrestricted, unencrypted removable media can lead to unauthorized disclosure when a drive is lost or stolen, bulk data theft by insiders, and compromise of endpoints that mount untrusted devices.

Risk Levels:

  • Critical: No USB device restrictions are identified in any source, no encryption requirement for removable media is documented, and there is no evidence of DLP monitoring or content inspection for removable media.
  • High: USB device controls are present but encryption is not enforced. Allowing unencrypted removable media creates a data theft risk, and a lost or stolen drive exposes its contents.
  • Medium: Encryption is required but device controls are unclear; no USB allowlisting or DLP monitoring is documented, so an unmanaged device could be used where the encryption requirement is not technically enforced.
  • Low: Comprehensive removable media controls are identified: USB device restrictions with mandatory encryption enforced, plus DLP monitoring and audit logging.

Example Findings:

  • A critical finding is raised when no USB device restrictions are documented in any source, indicating that data could be copied to unauthorized devices without technical controls.
  • A high-risk finding is raised when unencrypted removable media appears to be allowed on endpoints, which poses a significant threat to sensitive information if a drive is lost or stolen.

Purpose: This scanner assesses the secure remote work controls documented for a given domain. It checks for VPN or ZTNA access with multi-factor authentication (MFA), endpoint security requirements for remote devices, documented remote work policies, approved collaboration tools, and job postings indicating remote work. The findings are used to rate the overall risk associated with the organization’s remote work practices.

What It Detects:

  • VPN/remote access controls: Whether a VPN or ZTNA service is required for remote workers, and whether multi-factor authentication (MFA) on that access path is documented or implemented.
  • Endpoint security measures: Whether encryption, endpoint detection and response (EDR), and BYOD requirements are enforced so that corporate resources are protected on both organization-issued and personally owned devices.
  • Documented remote work policies: Whether there are clear, documented policies covering home network requirements, physical security guidelines, acceptable use, and user responsibilities for remote access.
  • Approved collaboration tools: Whether approved video conferencing platforms and secure file sharing methods are defined, to keep staff off unauthorized or insecure communication channels.
  • Job postings indicating remote work capabilities: Whether job listings show that remote work is part of the employment model, which determines whether the controls above are in scope at all.

Inputs Required:

  • Domain: The target domain whose secure remote work controls are to be assessed.

Business Impact: The security and usability implications of remote work have significantly increased due to its widespread adoption during the COVID-19 pandemic. Effective remote work practices are crucial for maintaining both data privacy and operational continuity. This scanner helps organizations identify gaps in their remote access security measures, which could lead to unauthorized access, data breaches, or compliance issues.

Risk Levels:

  • Critical: Remote work is enabled but no secure access control (VPN or ZTNA) is documented at all, so remote users apparently reach corporate resources with nothing more than a password.
  • High: A VPN or ZTNA service is present, but MFA is not documented for it. A single phished or reused credential is then enough to gain remote access.
  • Medium: Secure access with MFA is in place, but endpoint protection requirements for remote devices are unclear, so a compromised or unmanaged device could still reach corporate resources through an authenticated session.
  • Low: Comprehensive remote work security is identified: VPN/ZTNA with MFA, documented policies and approved collaboration tools, and clear endpoint security requirements.

Example Findings:

  1. “Remote work enabled but no secure access controls documented” - A critical finding: remote work is evidenced, but no VPN or ZTNA configuration with MFA is documented to protect the access path.
  2. “Missing VPN or ZTNA requirements for remote workers” - A high-risk finding: the organization does not document a requirement for remote workers to use a VPN or ZTNA service, so the secure access path cannot be confirmed and data is exposed to theft over unprotected connections.


Purpose: This scanner is designed to analyze endpoint encryption deployment for a given domain. It checks for full disk encryption (FDE) deployments across various platforms, mobile device encryption enforcement, controls over removable media, key management practices, and compliance with relevant data protection regulations. The findings are used to assess the overall security posture of endpoints in relation to encryption and to identify potential vulnerabilities that could lead to unauthorized access or data loss.

What It Detects:

  • Full Disk Encryption (FDE) Deployment: Detection of FDE across BitLocker (Windows), FileVault (macOS), LUKS (Linux), and self-encrypting drives, plus any documented enterprise management tooling used to enforce it.
  • Mobile Device Encryption: Enforcement of encryption on iOS and Android devices, and whether a BYOD policy exists without adequate encryption requirements.
  • Removable Media Controls: Documented controls over removable media, such as USB encryption and blocking policies, to prevent data exfiltration through unencrypted devices.
  • Key Management Practices: Centralized escrow or recovery procedures for encryption keys, which are essential for recovering data when a key, password, or TPM is lost.
  • Compliance with Data Protection Regulations: Evidence that encryption practices meet GDPR, HIPAA, and PCI DSS expectations.

Inputs Required:

  • Domain: The target domain to be analyzed for endpoint encryption deployment.

Business Impact: Endpoint encryption is critical for protecting sensitive data from unauthorized access. Inadequate or missing encryption can lead to significant risks such as data breaches, regulatory fines, and reputational damage. This scanner helps organizations ensure that their endpoints are adequately protected against these threats by identifying gaps in encryption practices and providing actionable insights for remediation.

Risk Levels:

  • Critical: No evidence of endpoint encryption is found in any source. Without documented full disk encryption, data on a lost or stolen device must be assumed exposed.
  • High: Endpoint encryption is deployed but key management procedures are unclear or missing. Without central key escrow and recovery, lost keys mean lost data, and undocumented recovery paths can themselves expose keys.
  • Medium: Desktop encryption is present but mobile device encryption is unclear, or a BYOD policy exists without documented encryption requirements, leaving some classes of device potentially unencrypted.
  • Low: Comprehensive endpoint encryption is identified, with adequate key management and controls over mobile devices and removable media.

Example Findings:

  1. No evidence of full disk encryption on any platform, and no documented enterprise management tooling for encryption. This is a critical finding because data at rest on any lost or stolen endpoint is unprotected.
  2. BitLocker and FileVault are detected, but there is no evidence of Linux FDE (LUKS) or self-encrypting drives. This is only a gap if the organization actually runs Linux endpoints (for example, as indicated by job postings); where it does, those devices are exposed to the same lost-or-stolen-device risk that FDE addresses on the other platforms.
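The second finding above only holds when a platform is both in use and uncovered, which is a coverage question rather than a keyword count. The Python below is an added example of that check, not the scanner's own code: it infers the platforms in use from public text, maps each to the FDE technology that would cover it, and reports the uncovered ones before applying the risk tiers. The platform hints, the mobile-encryption pattern, and the sample documents are assumptions constructed for this illustration.

```python
from __future__ import annotations

import re

# Fingerprints for the platforms an organisation runs (illustrative patterns, an assumption).
PLATFORM_HINTS = {
    "windows": r"\bwindows\b|bitlocker|intune",
    "macos": r"\bmacos\b|macbook|jamf|filevault",
    "linux": r"\blinux\b|ubuntu|fedora|\bluks\b",
    "mobile": r"\bios\b|android|mobile device",
}
# The FDE technology that covers each platform: BitLocker/Windows, FileVault/macOS and LUKS/Linux
# are the standard pairings; the mobile pattern is a stand-in for MDM enforcement language.
FDE_COVERAGE = {
    "windows": r"bitlocker",
    "macos": r"filevault",
    "linux": r"\bluks\b|dm-crypt",
    "mobile": r"(?:ios|android|mobile)[^.]{0,40}encrypt|encrypt[^.]{0,40}(?:ios|android|mobile)",
}
KEY_ESCROW = r"recovery key|key escrow|escrow"


def fde_evidence(documents: list[str]) -> dict:
    """Collect platform, coverage and key-management evidence from public text."""
    text = " ".join(documents).lower()
    in_use = {p for p, pat in PLATFORM_HINTS.items() if re.search(pat, text)}
    covered = {p for p, pat in FDE_COVERAGE.items() if re.search(pat, text)}
    return {
        "platforms_in_use": in_use,
        "platforms_with_fde": covered,
        # A missing technology is only a gap when the platform it protects is actually in use.
        "uncovered_platforms": in_use - covered,
        "key_escrow_documented": bool(re.search(KEY_ESCROW, text)),
    }


def fde_risk(ev: dict) -> str:
    """Apply the encryption scanner's tiers in order of precedence."""
    if not ev["platforms_with_fde"]:
        return "Critical"          # no FDE evidence at all
    if not ev["key_escrow_documented"]:
        return "High"              # encrypted, but no documented key recovery
    if ev["uncovered_platforms"]:
        return "Medium"            # some platforms in use have no FDE evidence
    return "Low"


# Constructed sample inputs (fictional organisations).
SAMPLE_MIXED = [
    "Windows laptops use BitLocker managed through Intune; MacBooks use FileVault via Jamf. "
    "Recovery keys are escrowed centrally.",
    "Job posting: Linux platform engineer (Ubuntu) to join our infrastructure team.",
]
SAMPLE_WINDOWS_ONLY = ["All company laptops run BitLocker."]
SAMPLE_NONE = ["We sell widgets."]

if __name__ == "__main__":
    for name, docs in [("mixed", SAMPLE_MIXED), ("windows-only", SAMPLE_WINDOWS_ONLY),
                       ("none", SAMPLE_NONE)]:
        ev = fde_evidence(docs)
        print(f"{name:13} -> {fde_risk(ev):8} uncovered={sorted(ev['uncovered_platforms'])}")
```

In the mixed sample the job posting is what turns a missing LUKS mention into a Medium finding; the same two desktop technologies with no Linux signal would rate Low, which is the distinction the second example finding above depends on.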


Purpose: This scanner analyzes endpoint privilege management for a given domain by checking various configurations and controls related to least privilege, Privileged Access Management (PAM), application control, local administrator management, and monitoring. It aims to identify the presence of effective privilege management practices and any gaps that could lead to security vulnerabilities.

What It Detects:

  • Least Privilege Policy Documentation: Checks for a documented policy that standard users and roles operate without administrative rights by default.
  • PAM Solution Deployment: Identifies evidence of a Privileged Access Management solution, such as credential vaulting, session recording, or approval workflows for privileged access.
  • Application Control: Evaluates the presence of application control mechanisms such as allowlisting (whitelisting) policies and software installation restrictions.
  • Local Administrator Management: Assesses how local administrator accounts are handled, for example Just-In-Time (JIT) elevation and unique, regularly rotated local administrator passwords per device rather than a shared password across the fleet.
  • Privilege Monitoring: Verifies evidence of privileged activity logging, privilege escalation detection, and regular audit review.

Inputs Required:

  • Domain Name: The target domain for the assessment to analyze its endpoint privilege management practices.

Business Impact: Ensuring that users operate with least privileges by default and having mechanisms in place to manage and monitor privileged access is crucial for reducing the risk of unauthorized actions, data breaches, and system vulnerabilities.

Risk Levels:

  • Critical: No privilege management controls identified; Missing least privilege policy documentation; No PAM solution or application control evidence; Critical privilege escalation and lateral movement risk.
  • High: Least privilege policy exists but enforcement mechanisms unclear; No PAM solution identified for privileged account management; Local administrator password management not documented; Privilege abuse detection and response capabilities uncertain.
  • Medium: PAM solution deployed but monitoring capabilities unclear; No privileged activity logging or escalation detection documented; Potential blind spots in privilege abuse detection.
  • Low: Least privilege enforced but application control unclear; No software whitelisting or installation restrictions documented; Users may install unauthorized or malicious software.
  • Info: Comprehensive privilege management program identified; PAM solution deployed with monitoring and auditing; Application control and least privilege enforced.

Example Findings:

  1. The domain lacks a documented policy for enforcing least privileges, which could lead to users having more access than necessary.
  2. While a PAM solution is detected, there are no clear indications of session monitoring or workflow approval features that would ensure the right level of privileged access.