Endpoint & Device Security
The condition, posture, and configuration of user devices, including desktops, laptops, and peripherals.
Indicators
An observed identity operates on a platform that no longer receives vendor patches. Unsupported OS versions are high‑value targets for exploit kits and enable persistent attacker footholds.
An observed identity turns off core protections like antivirus, EDR, or firewalls. With safeguards disabled, malicious code can execute or persist with limited chance of detection.
An observed identity uses a device where storage is left unencrypted. Loss or theft of the hardware would expose local data to unauthorized access.
An observed identity repeatedly postpones OS or application updates. Delayed patching keeps known vulnerabilities exploitable well beyond their disclosure.
An observed identity works with local administrator rights as a norm. Elevated privileges amplify the blast radius of malware and increase risk of unintended system changes.
An observed identity installs applications linked to security weaknesses (e.g., P2P clients, outdated utilities). Such software expands attack surface and undermines enterprise hardening standards.
An observed identity’s endpoint generates multiple malware hits over time. Recurring detections indicate unsafe habits, targeted campaigns, or ineffective remediation.
An observed identity launches executables directly from removable media with unclear origin. This behavior bypasses normal vetting and is a common malware entry path.
An observed identity’s device exchanges traffic with infrastructure associated with threat actors. Command‑and‑control communication typically reflects active compromise and remote tasking.
An observed identity obtains and runs files verified as malicious by threat intelligence. Executing known bad artifacts presents immediate compromise risk and possible spread to peers.
An observed identity’s endpoint initiates unusual connections to internal systems. Such patterns are consistent with post‑exploitation movement to broaden access and locate valuable data.
An observed identity operates a device missing critical security patches past service windows. Unpatched systems are susceptible to commodity exploits and automated scanning attacks.
An observed identity relies on enterprise applications that no longer receive fixes. Legacy software preserves known defects and creates long‑term maintenance liabilities.
An observed identity defers required restarts after applying updates. Until the device is rebooted, the patched code is not loaded, so exposure persists even though the update shows as installed.
An observed identity installs software that has not been sanctioned by IT. Unsanctioned tools evade governance, may contain unwanted components, and complicate incident response.
An observed identity executes portable binaries from external media to sidestep installation rules. This technique can evade monitoring and introduce unvetted code.
An observed identity connects to corporate resources from personal hardware outside device management controls. Non‑enrolled devices lack assurance of patching, encryption, and endpoint protection.
An observed identity attaches unfamiliar USB storage or input devices. Unknown peripherals can deliver malware, implant firmware, or exfiltrate data.
An observed identity initiates boot from external media. Doing so can defeat OS‑level controls and enable installation of unauthorized systems.
An observed identity charges equipment via untrusted USB power sources such as kiosks. Such connections risk juice‑jacking and malicious firmware exposure.
An observed identity keeps regulated or sensitive files on local storage without protection. Lack of encryption and access controls increases theft and insider misuse risk.
An observed identity moves confidential content onto removable storage. External media create shadow data channels that are difficult to monitor or recall.
An observed identity copies sensitive information between systems using the clipboard. Clipboard buffers can be harvested by other applications or synced to unintended destinations.
An observed identity demonstrates repeated browsing to malicious or high‑risk categories. Frequent exposure raises the likelihood of drive‑by downloads and phishing success.
An observed identity disables automatic locking on their device. Unattended sessions become accessible to anyone with physical proximity.
An observed identity leaves endpoints unlocked in public or shared areas. This invites opportunistic access to data and credentials.
An observed identity connects modified mobile devices that bypass platform protections. Jailbroken or rooted endpoints are easier to compromise and harder to trust.
An observed identity installs remote control utilities without authorization. Unapproved remote access creates potential backdoors and increases takeover risk.
An observed identity runs browser games or crypto‑mining scripts on corporate hardware. These workloads degrade performance, attract malware, and violate acceptable‑use policies.
An observed identity uses aging hardware that no longer receives firmware or driver updates. Unsupported devices accumulate unpatched flaws and operational risk.
An observed identity applies patches promptly after release. Rapid updating shortens the window during which new vulnerabilities can be exploited.
An observed identity consistently locks screens when stepping away. Enforcing idle protection reduces physical and shoulder‑surfing exposure.
An observed identity quickly disconnects or isolates a suspected‑compromised machine. Early containment limits spread and accelerates incident handling.
An observed identity removes unnecessary or risky applications proactively. Continuous pruning shrinks attack surface and improves device hygiene.
An observed identity maintains encryption enabled across assigned endpoints. Persistent full‑disk protection mitigates data loss from theft or decommissioning.
An observed identity uses only organization‑approved USB media. Trustworthy devices reduce malware introduction and uncontrolled data movement.
An observed identity acts on EDR alerts without waiting for IT. Timely self‑remediation curtails dwell time and demonstrates security awareness.
An observed identity avoids executing unsigned or untrusted programs. Exercising caution with binaries reduces the risk of installing malware.
An observed identity preserves default security baselines such as firewall and UAC settings. Maintaining hardened configurations sustains intended control efficacy.
An observed identity willingly participates in posture scans and health checks. Proactive engagement supports continuous compliance and hardening.
Relevance
Endpoints are frequent attack targets, and their security posture directly impacts enterprise resilience. Monitoring patching, malware detections, and device settings reveals both vulnerabilities and compliance gaps.
Why this matters
Insecure devices are often exploited as entry points for lateral movement. Ensuring device integrity helps organizations prevent compromise and sustain a secure baseline.
Consequences of neglect
Unaddressed weaknesses in endpoint security leave enterprises exposed to ransomware, malware persistence, and data theft, often leading to widespread operational disruption.