Vol. 01 · Story 20 · Domain 2

SIX WEEKS TO BASELINE.

Endpoint Security

Thornbridge Pharma, Slough · 7 min read

Rachel Osei has a six-week window to deploy CrowdStrike Falcon across 2,500 endpoints, tighten MDM on a BYOD sales fleet, and convince the manufacturing director that monitoring the production PLCs will not halt a batch run worth £400,000.


The CISO has given Rachel a deadline. The manufacturing director has given her a hard limit: nothing on the floor that can generate a stop signal. She has six weeks to reconcile both demands without compromising either.

Rachel Osei spent eight years in IT operations at an NHS trust before moving into security. She joined Thornbridge Pharma — 2,500 staff, sites in Slough and Swindon, a mixed fleet of corporate Windows laptops and shared Mac workstations in the R&D labs, and a BYOD programme for sixty sales reps — as IT Security Lead eighteen months ago. Month seven: the CISO told her the board had approved the CrowdStrike Falcon rollout. She had until end of Q2.

The starting point for any endpoint rollout is not the tooling. It is the inventory. An endpoint is any device that connects to a network and represents a point where data can enter or leave. At Thornbridge that definition had three tiers: the corporate Windows and Mac fleet managed through Intune and Jamf Pro; sixty personal phones on the BYOD sales programme; and 112 assets on the Swindon manufacturing floor running Windows 7 Embedded, proprietary RTOS, or embedded firmware — none managed by corporate IT, none formally inventoried before Rachel arrived.

The manufacturing director, Barry Calloway, attended the first steering group meeting to make one point: "Nothing you put on the floor generates a stop signal. A batch abort on Line 4 costs us four hundred thousand pounds and a GMP deviation report."

Rachel noted the constraint and started where she could: a hardening baseline audit of the manufacturing network. A hardening baseline is a documented standard for how a system should be configured — services running, ports open, accounts present, software installed. The industry reference is the CIS Benchmarks; the US federal equivalent is the STIG (Security Technical Implementation Guide), relevant because Thornbridge had a US government-funded clinical trial in progress. The audit found default credentials on six HMI panels, SMBv1 enabled on four Windows 7 Embedded hosts, and three machines with no patch history since 2021. Classic OT estate: high availability, low hygiene.
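The audit described above reduces to a mechanical comparison: observed state of each asset against a documented baseline, one finding per deviation, severity-ranked. Below is an added Python example of that comparison, not a tool from the page or from CIS/DISA; the asset records, the 90-day patch threshold and the per-role expected-port lists are constructed assumptions standing in for the relevant benchmark items.

```python
"""Hardening-baseline audit over a constructed OT asset inventory (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Illustrative thresholds and per-role expected listening ports. These are
# assumptions that stand in for the relevant CIS Benchmark / STIG items.
MAX_PATCH_AGE_DAYS = 90
EXPECTED_PORTS = {
    "hmi": frozenset({502}),               # Modbus/TCP towards the PLCs
    "engineering-ws": frozenset({3389}),   # RDP, reachable only from the OT jump host
    "historian": frozenset({443, 1433}),
}


@dataclass(frozen=True)
class Asset:
    name: str
    role: str                       # key into EXPECTED_PORTS
    default_credentials: bool       # audit flag: vendor default login still accepted
    smbv1_enabled: bool
    last_patch: Optional[date]      # None = no patch history on record
    listening_ports: frozenset = frozenset()


@dataclass(frozen=True)
class Finding:
    asset: str
    control: str
    severity: str
    detail: str


def audit_asset(asset: Asset, today: date) -> list[Finding]:
    """Compare one asset's observed state against the baseline; one finding per deviation."""
    findings: list[Finding] = []
    if asset.default_credentials:
        findings.append(Finding(asset.name, "default-credentials", "high",
                                "vendor default login still accepted"))
    if asset.smbv1_enabled:
        findings.append(Finding(asset.name, "smbv1-enabled", "high",
                                "SMBv1 enabled; baseline requires it disabled"))
    if asset.last_patch is None:
        findings.append(Finding(asset.name, "patch-age", "medium",
                                "no patch history on record"))
    else:
        age = (today - asset.last_patch).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(Finding(asset.name, "patch-age", "medium",
                                    f"last patched {age} days ago"))
    unexpected = asset.listening_ports - EXPECTED_PORTS.get(asset.role, frozenset())
    for port in sorted(unexpected):
        findings.append(Finding(asset.name, "unexpected-service", "low",
                                f"port {port} listening but not in baseline"))
    return findings


def audit_estate(assets, today: date):
    """Audit every asset; return all findings plus a count per severity."""
    findings = [f for a in assets for f in audit_asset(a, today)]
    summary: dict[str, int] = {}
    for f in findings:
        summary[f.severity] = summary.get(f.severity, 0) + 1
    return findings, summary


# Constructed sample inventory and audit date (not Thornbridge's real assets).
AUDIT_DATE = date(2024, 3, 1)
SAMPLE_ASSETS = [
    Asset("HMI-L3-01", "hmi", True, False, date(2023, 11, 2), frozenset({502, 5900})),
    Asset("HMI-L4-02", "hmi", True, False, date(2024, 1, 15), frozenset({502})),
    Asset("ENG-WS-01", "engineering-ws", False, True, None, frozenset({3389, 445})),
    Asset("HIST-01", "historian", False, False, date(2024, 2, 20), frozenset({443, 1433})),
]

if __name__ == "__main__":
    all_findings, by_severity = audit_estate(SAMPLE_ASSETS, AUDIT_DATE)
    for f in all_findings:
        print(f"{f.severity:6} {f.asset:10} {f.control:20} {f.detail}")
    print(by_severity)
```

The output is the remediation backlog the story ends with: a list of findings that can be sorted by severity and assigned review dates, rather than a pass/fail per host.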

You can't lock a door that doesn't have a lock socket. What you can do is move the door into a corridor where nobody who shouldn't be there can reach it.

The corporate fleet rollout was the tractable part. CrowdStrike Falcon's Prevent and Insight modules were deployed via Intune as a managed package to all 1,840 Windows endpoints in a phased ring model — IT department first, then R&D, then administrative, then sales — with a two-week monitoring window at each ring before the next wave. The Mac workstations received the Falcon sensor through Jamf Pro policies, deployed as a PKG with a LaunchDaemon configuration profile. By week three, corporate fleet coverage was 94 percent. The remaining six percent were endpoints that were offline, in repair, or held by staff on extended leave. These were tracked in a remediation register with a hard deadline for agent installation before network access would be suspended.

The Falcon deployment gave Rachel something antivirus alone never had: behavioural telemetry. Legacy antivirus compares file hashes against a list of known-malicious signatures — reactive by definition. EDR instruments the OS at kernel level: it watches process creation chains, registry modifications, and network connections opened by processes. When a Word document spawns a PowerShell process that connects to an external IP, that behaviour chain is flagged regardless of payload signature. EDR catches fileless malware and living-off-the-land techniques that antivirus misses entirely.
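The Word-to-PowerShell chain is a process-ancestry question, not a file-hash question. The following added Python example shows the shape of such a behavioural rule over constructed process and network events; it is not Falcon's detection logic, and the process images, the script-host and Office lists, and the RFC 1918 internal ranges are assumptions made for the illustration.

```python
"""Behaviour-chain detection over constructed endpoint telemetry (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed categories; a real EDR rule set is far larger than this.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str


@dataclass(frozen=True)
class NetworkEvent:
    pid: int
    dest_ip: str
    dest_port: int


@dataclass(frozen=True)
class Alert:
    rule: str
    chain: tuple        # images from the root of the tree down to the connecting process
    destination: str


def is_external(ip: str) -> bool:
    """True when the address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def ancestry(procs: dict[int, ProcessEvent], pid: int) -> list[ProcessEvent]:
    """Walk ppid links from pid towards the root; stops on unknown or cyclic pids."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def detect_office_to_script_beacon(process_events, network_events) -> list[Alert]:
    """Flag a script host with an Office ancestor that opens an external connection."""
    procs = {p.pid: p for p in process_events}
    alerts = []
    for net in network_events:
        if not is_external(net.dest_ip):
            continue
        chain = ancestry(procs, net.pid)
        if not chain or chain[0].image.lower() not in SCRIPT_HOSTS:
            continue
        if any(p.image.lower() in OFFICE_APPS for p in chain[1:]):
            alerts.append(Alert(
                rule="office-spawns-script-host-with-external-connection",
                chain=tuple(p.image for p in reversed(chain)),
                destination=f"{net.dest_ip}:{net.dest_port}",
            ))
    return alerts


# Constructed telemetry: one suspicious chain among benign activity.
PROCESS_EVENTS = [
    ProcessEvent(100, 1, "explorer.exe"),
    ProcessEvent(200, 100, "WINWORD.EXE"),
    ProcessEvent(300, 200, "powershell.exe"),   # spawned by the document
    ProcessEvent(400, 100, "powershell.exe"),   # user opened a shell from explorer
    ProcessEvent(500, 100, "chrome.exe"),
]
NETWORK_EVENTS = [
    NetworkEvent(300, "203.0.113.7", 443),   # document-spawned shell -> external
    NetworkEvent(400, "10.0.5.2", 445),      # admin shell -> internal file server
    NetworkEvent(400, "203.0.113.9", 443),   # admin shell -> external, no Office parent
    NetworkEvent(500, "198.51.100.9", 443),  # browser, not a script host
]

if __name__ == "__main__":
    for a in detect_office_to_script_beacon(PROCESS_EVENTS, NETWORK_EVENTS):
        print(a.rule, " > ".join(a.chain), a.destination)
```

Note that the same binary, powershell.exe, appears twice: the rule fires only on the instance whose ancestry passes through an Office application, which is why the payload's signature never enters into it.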

XDR — Extended Detection and Response — correlates telemetry across endpoints, network, email, and cloud into one unified platform. An EDR alert tells you a process on a single machine behaved suspiciously. An XDR alert adds that the same process contacted an IP that also received a phishing email to five staff members in the past hour. Context is what separates an alert from an investigation. Thornbridge also subscribed to CrowdStrike's MDR tier for out-of-hours coverage: a third-party SOC team monitoring Falcon telemetry and responding on their behalf. EDR is a tool, XDR is a correlated-data platform, MDR is the service wrapper that provides the human analyst layer when an internal SOC does not exist around the clock.

The BYOD cohort was a separate problem. The existing Intune compliance policy required a PIN and iOS 15 or later — nothing else. Rachel's audit found eleven devices on hardware that could run iOS 17 but hadn't been updated, three Android phones with patches over a year old, and two with no screen lock at all.

MDM — Mobile Device Management — is the centralised control plane for mobile endpoints. Rachel rebuilt the Intune policy from scratch: minimum iOS 17 and Android 13, mandatory device encryption, six-digit PIN with a thirty-second lock timeout, and remote wipe capability on every enrolled device. Remote wipe is the last resort: a command issued when a device is reported lost that deletes the corporate container on next network contact. For BYOD, Intune's selective wipe was configured — removing only the corporate data container, leaving personal data intact. That distinction matters legally: deleting personal data as a side effect on a personal device can become an employment tribunal claim.

The sales director pushed back on OS version enforcement. Four reps had older handsets that could not run iOS 17. Rachel gave them thirty days, requested a hardware refresh budget, and moved those four to read-only CRM access as a temporary compensating control.
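The rebuilt policy, the audit findings, and the compensating control for the four hardware-limited handsets are one decision procedure: evaluate each device against the policy, and route a failure to remediation or to a compensating control depending on whether the hardware can ever comply. The Python below is an added example of that procedure, not Intune's compliance engine or its schema; the device records, the `max_supported_os` field and the action strings are constructed assumptions.

```python
"""MDM compliance evaluation with a compensating-control path (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# The rebuilt policy from the story, encoded for this example (not Intune's format).
POLICY = {
    "min_os": {"ios": (17, 0), "android": (13, 0)},
    "require_encryption": True,
    "min_pin_length": 6,
    "max_lock_timeout_s": 30,
}


@dataclass(frozen=True)
class Device:
    device_id: str
    platform: str           # "ios" or "android"
    os_version: str         # e.g. "16.7.2"
    max_supported_os: str   # highest version the hardware can run (assumed vendor data)
    encrypted: bool
    pin_length: int         # 0 = no screen lock at all
    lock_timeout_s: int


@dataclass(frozen=True)
class Verdict:
    device_id: str
    compliant: bool
    reasons: tuple
    action: str


def parse_version(v: str) -> tuple:
    """'16.7.2' -> (16, 7, 2); tuples compare element-wise, so (16, 7, 2) < (17, 0)."""
    return tuple(int(x) for x in v.split("."))


def evaluate(device: Device, policy=POLICY) -> Verdict:
    reasons = []
    min_os = policy["min_os"][device.platform]
    if parse_version(device.os_version) < min_os:
        reasons.append("os-below-minimum")
    if policy["require_encryption"] and not device.encrypted:
        reasons.append("not-encrypted")
    if device.pin_length < policy["min_pin_length"]:
        reasons.append("no-screen-lock" if device.pin_length == 0 else "pin-too-short")
    if device.lock_timeout_s > policy["max_lock_timeout_s"]:
        reasons.append("lock-timeout-too-long")

    if not reasons:
        action = "grant-access"
    elif reasons == ["os-below-minimum"] and parse_version(device.max_supported_os) < min_os:
        # Hardware can never reach the minimum: compensating control, not a block.
        action = "read-only-crm; hardware refresh within 30 days"
    else:
        action = "block-until-remediated"
    return Verdict(device.device_id, not reasons, tuple(reasons), action)


def evaluate_fleet(devices, policy=POLICY) -> list[Verdict]:
    return [evaluate(d, policy) for d in devices]


# Constructed sample fleet mirroring the kinds of findings in the audit.
SAMPLE_FLEET = [
    Device("SALES-001", "ios", "16.7.2", "17.4", True, 6, 30),      # can update, hasn't
    Device("SALES-002", "ios", "15.8.3", "15.8.3", True, 6, 30),    # hardware capped
    Device("SALES-003", "android", "12.0", "13.0", True, 4, 300),   # old OS, weak lock
    Device("SALES-004", "ios", "17.4.1", "17.4.1", True, 0, 0),     # no screen lock
    Device("SALES-005", "android", "14.0", "14.0", True, 6, 30),    # compliant
]

if __name__ == "__main__":
    for v in evaluate_fleet(SAMPLE_FLEET):
        print(v.device_id, "OK" if v.compliant else ", ".join(v.reasons), "->", v.action)
```

The compensating-control branch is deliberately narrow: it applies only when the OS version is the sole failure and the hardware cannot reach the minimum. A device that is merely un-updated, or that also lacks a screen lock, is blocked until fixed.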

For corporate Windows endpoints, Rachel added three baseline-layer controls via Intune. Secure Boot ensures only cryptographically signed bootloader code executes during startup, defeating bootkits that load before the OS. The TPM chip stores the keys Secure Boot relies on and underpins Windows 11's device attestation model. Full disk encryption via BitLocker, with recovery keys escrowed to Azure AD, means a stolen laptop is recoverable by IT and inaccessible to the thief. A standardised host-based firewall profile completed the baseline: unlike a perimeter firewall, the host firewall travels with the device and is the only control layer when a sales rep connects from a hotel or a home broadband line.

The application allow list question came up in the R&D labs. A deny list blocks known-bad applications and permits everything else — reactive by definition. An allow list inverts the logic: only explicitly authorised applications execute; everything else is blocked by default. For the lab Macs, which run a stable and defined set of scientific software, Jamf Pro Application Blocking policies enforced allow-listing cleanly. For the corporate fleet, where software requirements change frequently, the maintenance overhead tips the balance toward deny-listing supplemented by Falcon's behavioural engine.

Week four was the manufacturing floor. Barry's constraint had not changed, but Rachel came to the second steering group meeting with a proposal that did not require installing agents on PLCs.

The fundamental problem with OT — operational technology, the hardware and software that controls physical industrial processes — is that the design assumptions are the opposite of corporate IT. Corporate IT assumes availability can be briefly sacrificed for integrity: you can reboot a machine, patch it, or isolate it from the network without catastrophic consequence. OT assumes the reverse. A PLC — programmable logic controller — managing a tablet press on a pharmaceutical production line cannot be rebooted mid-batch. It cannot run a software agent that consumes CPU cycles unpredictably. It cannot accept a patch without a validated change process that takes weeks and requires sign-off from the equipment manufacturer. In many cases it runs a proprietary RTOS that has no general-purpose execution environment at all. You cannot install EDR on it because there is no OS layer that would accept an agent.

The compensating control framework Rachel proposed used three layers. First, network segmentation: the OT environment moved to a dedicated VLAN with no direct routing to the corporate network, traffic permitted only on explicitly authorised telemetry paths. Second, a data diode at the OT/IT boundary: a hardware device that enforces one-directional data flow at the physical layer. Data can exit the OT network toward the corporate monitoring infrastructure; no inbound connection path exists. Unlike a firewall rule, which is software-enforced, a data diode is a hardware constraint — the physics do not permit return traffic. Third, Claroty deployed for agentless passive monitoring via SPAN port mirroring on the OT switches. Claroty inventories assets, baselines communication patterns, and flags anomalies without installing anything on the monitored devices. Barry got his guarantee: nothing on the floor generated a stop signal, because nothing was on the floor.

The Claroty deployment surfaced something within its first seventy-two hours of passive monitoring: one of the HMI panels on Line 3 was generating outbound DNS queries to a domain that resolved to a residential broadband address in the Netherlands. The queries had been happening for an estimated four months. No agent had caught it because no agent had been looking.
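What passive monitoring does with a SPAN feed, at its simplest, is learn which asset talks to which over which port, then flag any pair it has not seen, weighting flows that leave the OT VLAN outside the one permitted telemetry path most heavily. The Python below is an added example of that baseline-and-deviate logic covering both the compensating-control design and the Line 3 finding; it is not Claroty's engine, and the addressing (an assumed `10.50.0.0/16` OT VLAN, an assumed collector at `10.60.0.10`) and the flow records are constructed.

```python
"""Passive flow baselining for an OT segment (added example, constructed data)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing: the OT VLAN and the single permitted egress path
# (historian -> corporate collector, through the data diode).
OT_VLAN = ipaddress.ip_network("10.50.0.0/16")
PERMITTED_EGRESS = {("10.50.0.20", "10.60.0.10", 443)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Anomaly:
    flow: Flow
    severity: str
    reason: str


def flow_key(f: Flow) -> tuple:
    return (f.src, f.dst, f.dst_port, f.proto)


def learn_baseline(flows) -> set:
    """Learning window: every (src, dst, port, proto) seen is assumed legitimate."""
    return {flow_key(f) for f in flows}


def classify(flow: Flow, baseline: set) -> Optional[Anomaly]:
    if flow_key(flow) in baseline:
        return None
    leaves_vlan = ipaddress.ip_address(flow.dst) not in OT_VLAN
    if leaves_vlan and (flow.src, flow.dst, flow.dst_port) not in PERMITTED_EGRESS:
        return Anomaly(flow, "high",
                       "new flow leaving the OT VLAN outside the permitted telemetry path")
    return Anomaly(flow, "medium", "new communication pair not seen during baselining")


def detect(flows, baseline: set) -> list[Anomaly]:
    anomalies = []
    for f in flows:
        a = classify(f, baseline)
        if a is not None:
            anomalies.append(a)
    return anomalies


# Constructed learning-window traffic mirrored from the OT switches.
LEARNING_FLOWS = [
    Flow("10.50.1.3", "10.50.2.3", 502),        # HMI Line 3 -> PLC (Modbus/TCP)
    Flow("10.50.1.4", "10.50.2.4", 502),        # HMI Line 4 -> PLC
    Flow("10.50.3.1", "10.50.2.3", 502),        # engineering workstation -> PLC
    Flow("10.50.1.3", "10.50.0.20", 1433),      # HMI Line 3 -> historian
    Flow("10.50.0.20", "10.60.0.10", 443),      # historian -> collector (permitted egress)
]

# Constructed detection-window traffic: the baseline plus two new pairs.
DETECTION_FLOWS = LEARNING_FLOWS + [
    Flow("10.50.1.3", "203.0.113.53", 53, "udp"),   # HMI Line 3 -> external DNS
    Flow("10.50.3.1", "10.50.0.20", 1433),          # workstation -> historian, new but internal
]

if __name__ == "__main__":
    base = learn_baseline(LEARNING_FLOWS)
    for a in detect(DETECTION_FLOWS, base):
        print(a.severity, a.flow.src, "->", f"{a.flow.dst}:{a.flow.dst_port}/{a.flow.proto}", a.reason)
```

The high-severity result is the Line 3 pattern: a floor asset that has no business resolving names outside the plant. The medium one is the kind of change that usually turns out to be a maintenance activity, but it still gets a ticket, because a baseline only stays useful if every deviation is either added to it or explained.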

By week six, Rachel's status report to the board showed corporate fleet EDR coverage at 98.6 percent, BYOD MDM compliance at 100 percent of enrolled devices, OT network fully segmented with passive monitoring live across all 112 assets, and the CIS Benchmark hardening audit completed with a remediation backlog of thirty-one findings, prioritised by severity. The CISO signed the Q2 close. Barry Calloway sent a one-line email: "Line 3 is being investigated. You were right."

The lesson Rachel takes from the six weeks is not about any specific tool. CrowdStrike, Jamf, Intune, Claroty — these are choices, and choices change. The principle underneath them is stable: know what you have, apply the appropriate control to each class of asset, compensate where the primary control is impossible, and document every exception with a review date. The principle of least privilege — every user, application, and system operates with only the minimum permissions its function requires — runs through all of it. Least privilege on a corporate endpoint limits what an attacker can do with a compromised account. Least privilege in the OT VLAN's firewall policy limits what that compromised HMI can reach. The blast radius of any compromise is proportional to the permissions that were left in place when it happened.

// THE LOCK-IN

EDR watches behaviour, not signatures. XDR correlates across the whole estate. MDR is the service layer when you lack a 24-hour SOC. MDM enforces compliance and enables remote wipe on mobile — selective wipe for BYOD, full wipe for COPE/COBO. CIS Benchmarks and STIGs are the hardening vocabulary. Allow lists beat deny lists on high-risk endpoints. OT cannot run agents: segment it, add a data diode at the boundary, monitor passively. Least privilege limits the blast radius of everything.

Check Yourself · Question 20

A pharmaceutical company's manufacturing floor runs PLCs and HMI panels on a proprietary RTOS. The devices cannot be patched or have software agents installed. Which combination of controls BEST addresses the risk while preserving production availability?

Terminology · Story 20

The Napkin Glossary.

// Term · 01 / 07
EDR vs XDR vs MDR
// Definition
EDR (Endpoint Detection and Response) monitors individual endpoints for behavioural anomalies. XDR correlates across endpoints, network, cloud, and email into one platform. MDR is a managed service where a third-party SOC analyses your telemetry and responds on your behalf.

// Term · 02 / 07
MDM & Remote Wipe
// Definition
Mobile Device Management: centralised platform enforcing configuration profiles, OS version, encryption, and PIN policy. Remote wipe deletes corporate data (selective) or the entire device (full) on next network contact. Selective wipe is standard for BYOD to avoid removing personal data.

// Term · 03 / 07
BYOD / COPE / CYOD / COBO
// Definition
BYOD: personal device, least control. COPE: company-owned, personal use allowed. CYOD: employee picks from approved list, company manages. COBO: company-owned, business only, maximum control. Control level: COBO > COPE > CYOD > BYOD.

// Term · 04 / 07
Hardening Baseline
// Definition
A documented standard for how a system should be configured: services running, ports open, accounts present, software installed. CIS Benchmarks and STIGs are industry-standard baseline frameworks. Deviations from baseline trigger alerts and remediation.

// Term · 05 / 07
Allow List vs Deny List
// Definition
Deny list (block list): known-bad applications blocked; everything else permitted. Allow list: only explicitly authorised applications may execute; everything else blocked. Allow lists are more secure but require higher maintenance. Use allow lists on high-sensitivity or stable-use endpoints.

// Term · 06 / 07
Data Diode
// Definition
A hardware device enforcing unidirectional data flow. Outbound telemetry exits the OT network; no inbound connection can be initiated from outside. Enforced at the physical layer, not software. Standard compensating control for ICS/SCADA at the IT/OT boundary.

// Term · 07 / 07
OT / ICS / PLC
// Definition
OT (Operational Technology): hardware and software controlling physical processes. ICS (Industrial Control Systems): the broader category. PLC (Programmable Logic Controller): the embedded computer executing control logic. Cannot run standard EDR agents. Compensate with segmentation, data diodes, and agentless monitoring.