Industrial Software Insider

CISA Urges Cross-Sector Endpoint Hardening After Stryker IT/OT Breach

CISA urged organizations to harden IT and OT endpoints after the March 2026 Stryker breach, recommending zero trust, EDR, MFA and multi-admin approval policies.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory after the March 11, 2026, cyberattack on U.S.-based medical technology firm Stryker Corporation. CISA urged organizations to strengthen endpoint security in both information technology (IT) and operational technology (OT) environments. The agency pointed to weaknesses in how endpoint management systems are configured and administered, rather than to a flaw in the software itself, and recommended measures including zero trust architectures, consistent patch management, endpoint detection and response (EDR), and multi-factor authentication (MFA).

Background

The advisory followed an incident in which threat actors abused Microsoft Intune, Microsoft's cloud endpoint management service, to issue remote wipe commands to Stryker devices. The breach highlighted the risk posed by privileged-access misconfigurations in enterprise environments: an account holding an Intune administrative role can wipe any enrolled device, so the controls around that role matter as much as the patch level of the endpoints themselves. CISA is collaborating with the Federal Bureau of Investigation (FBI) to evaluate the threat activity and support mitigation efforts. The agency noted that endpoint management platforms are increasingly targeted by threat actors across industries.

Details

CISA reported that the Stryker breach resulted from weaknesses in endpoint configuration. The agency advised administrators to adopt least-privilege access using role-based access control (RBAC), enforce MFA, and maintain privileged-access hygiene through Microsoft Entra Conditional Access policies that act on risk-based signals such as sign-in risk. The advisory emphasized requiring approval from more than one administrator (Intune's multi-admin approval access policies) for high-impact actions, including device wipes and RBAC modifications, aligning with Microsoft's guidance on protected administration models.
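The Conditional Access checks described above, as an added example that is not code from the CISA advisory or from Microsoft. The audit works over policy objects in the JSON shape returned by Microsoft Graph (`GET /identity/conditionalAccess/policies`); the role template IDs are the fixed built-in Entra values, while the three policies, their display names and the excluded application ID are constructed to show a weak configuration beside a corrected one. The function names (`covers_role`, `blocks_high_sign_in_risk`, `audit`) are this example's own.

```python
"""Audit Entra Conditional Access policies for privileged-role MFA coverage.

Added example, not from the CISA advisory or Microsoft. Policies use the
Graph conditionalAccessPolicy field names; the sample policies are constructed.
"""

# Built-in Entra directory role template IDs (fixed across tenants).
PRIVILEGED_ROLES = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "3a2c62db-5318-420d-8d74-23affee5d9d5": "Intune Administrator",
}


def requires_mfa(policy: dict) -> bool:
    """Grant requires MFA or an authentication strength (phishing-resistant MFA)."""
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    return "mfa" in controls or grant.get("authenticationStrength") is not None


def covers_role(policy: dict, role_id: str) -> bool:
    """True if the policy is enforced, targets role_id on every app, and requires MFA.

    Report-only or disabled state, an application exclusion, or a role exclusion
    each count as no coverage: every one is a path a stolen admin credential can use.
    """
    if policy.get("state") != "enabled":
        return False
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    in_scope = (role_id in (users.get("includeRoles") or [])
                or "All" in (users.get("includeUsers") or []))
    excluded = role_id in (users.get("excludeRoles") or [])
    all_apps = ("All" in (apps.get("includeApplications") or [])
                and not apps.get("excludeApplications"))
    return requires_mfa(policy) and in_scope and not excluded and all_apps


def blocks_high_sign_in_risk(policy: dict) -> bool:
    """Enforced policy that blocks sign-ins Entra ID Protection rates as high risk."""
    if policy.get("state") != "enabled":
        return False
    risk = (policy.get("conditions") or {}).get("signInRiskLevels") or []
    controls = set((policy.get("grantControls") or {}).get("builtInControls") or [])
    return "high" in risk and "block" in controls


def audit(policies: list) -> dict:
    """Per privileged role, list the enforced policies covering it; report gaps and the risk block."""
    coverage = {
        name: [p["displayName"] for p in policies if covers_role(p, role_id)]
        for role_id, name in PRIVILEGED_ROLES.items()
    }
    return {
        "mfa_coverage": coverage,
        "gaps": [name for name, hits in coverage.items() if not hits],
        "high_risk_blocked": any(blocks_high_sign_in_risk(p) for p in policies),
    }


# Constructed policies. WEAK_POLICY is report-only, names only Global Administrator
# and exempts one application (placeholder ID), so it enforces nothing useful.
WEAK_POLICY = {
    "displayName": "MFA for admins (report-only)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeRoles": ["62e90394-69f5-4237-9190-012177145e10"]},
        "applications": {"includeApplications": ["All"],
                         "excludeApplications": ["00000000-0000-0000-0000-0000deadbeef"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

CORRECTED_POLICY = {
    "displayName": "Require MFA for privileged roles",
    "state": "enabled",
    "conditions": {
        "users": {"includeRoles": list(PRIVILEGED_ROLES)},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

RISK_BLOCK_POLICY = {
    "displayName": "Block high sign-in risk",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "signInRiskLevels": ["high"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

if __name__ == "__main__":
    print("weak tenant:", audit([WEAK_POLICY]))
    print("corrected tenant:", audit([WEAK_POLICY, CORRECTED_POLICY, RISK_BLOCK_POLICY]))
```

Against a live tenant, feed the `value` array of the Graph response to `audit()`; a non-empty `gaps` list or a `False` for `high_risk_blocked` is the finding. Note that the weak policy still lists `mfa` as a grant control, which is why checking the control alone is not enough: state and scope decide whether anything is enforced.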

CISA recommended unified hardening playbooks that address both IT and OT environments. Strategies include:

  • Establishing comprehensive asset visibility
  • Deploying zero trust network segmentation
  • Integrating EDR solutions across domains
  • Enforcing regular patch management
  • Implementing automated monitoring and containment tools

The agency stated that unified security baselines support improved detection, containment, and response across legacy and modern systems.
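Detection logic of the kind the monitoring and containment bullet calls for, as an added example that is not from the CISA advisory or from Microsoft: a sliding-window detector that flags an administrator or application issuing remote wipes to many distinct devices in a short time, the pattern a mass-wipe attack through Intune produces. Events follow the field names of Microsoft Graph `deviceManagement/auditEvents` (`displayName`, `actor`, `activityDateTime`, `activityOperationType`, `resources`); the sample events, actor names, device IDs and timestamps are constructed, and `detect_wipe_bursts` and its thresholds are this example's own choices.

```python
"""Flag bursts of remote-wipe actions in Intune audit events.

Added example, not from the CISA advisory or Microsoft. Field names follow
Graph deviceManagement/auditEvents; all events below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=15)   # sliding window per actor
THRESHOLD = 5                    # distinct devices wiped inside the window


def parse_time(value: str) -> datetime:
    """Graph emits ISO 8601 with a trailing Z; return a timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_wipe(event: dict) -> bool:
    """A remote wipe is an Action whose displayName mentions wipe."""
    return (event.get("activityOperationType") == "Action"
            and "wipe" in (event.get("displayName") or "").lower())


def actor_name(event: dict) -> str:
    """Attribute the action to the user, or to the app when a service principal acted."""
    actor = event.get("actor") or {}
    return actor.get("userPrincipalName") or actor.get("applicationDisplayName") or "unknown"


def detect_wipe_bursts(events, window=WINDOW, threshold=THRESHOLD) -> dict:
    """Return {actor: alert} for actors that wiped >= threshold distinct devices within window."""
    wipes = sorted((e for e in events if is_wipe(e)),
                   key=lambda e: parse_time(e["activityDateTime"]))
    recent = defaultdict(deque)   # actor -> (time, device) pairs still inside the window
    alerts = {}
    for ev in wipes:
        who = actor_name(ev)
        when = parse_time(ev["activityDateTime"])
        device = (ev.get("resources") or [{}])[0].get("resourceId", "?")
        q = recent[who]
        q.append((when, device))
        while q and when - q[0][0] > window:
            q.popleft()
        devices = {d for _, d in q}
        if len(devices) >= threshold:
            alert = alerts.setdefault(who, {"first": q[0][0], "devices": set()})
            alert["devices"] |= devices          # keep every device seen in the burst
            alert["last"] = when
            alert["count"] = len(alert["devices"])
    return alerts


# Constructed sample data: a neutral date, invented actors and device IDs.
T0 = datetime(2026, 1, 1, 2, 0, tzinfo=timezone.utc)


def _event(actor: str, minute: int, device: str, name="wipe ManagedDevice",
           op="Action", app=False) -> dict:
    """Build one constructed Intune-style audit event at T0 + minute."""
    stamp = (T0 + timedelta(minutes=minute)).strftime("%Y-%m-%dT%H:%M:%SZ")
    actor_field = {"applicationDisplayName": actor} if app else {"userPrincipalName": actor}
    return {"displayName": name, "activityOperationType": op, "activityDateTime": stamp,
            "actor": actor_field, "resources": [{"displayName": device, "resourceId": device}]}


SAMPLE_EVENTS = (
    [_event("alice@example.com", 0, "dev-001")]                       # one routine wipe
    + [_event("alice@example.com", 1, "dev-002", name="syncDevice ManagedDevice")]
    + [_event("bob@example.com", m, f"dev-1{m:02d}") for m in (0, 60, 120)]  # spread out
    + [_event("intune-automation", 30 + i, f"dev-9{i:02d}", app=True) for i in range(6)]
    + [_event("bob@example.com", 5, "cfg-7", name="Patch DeviceConfiguration", op="Patch")]
)

if __name__ == "__main__":
    for who, alert in detect_wipe_bursts(SAMPLE_EVENTS).items():
        print(f"{who}: {alert['count']} devices wiped between {alert['first']} and {alert['last']}")
```

With the defaults only the application principal fires (six wipes in six minutes); Bob's three wipes two hours apart stay below the window. The threshold and window are tuning knobs, and a containment step would use the returned device set and actor to disable the principal and open a ticket rather than act inside the detector.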

CISA acknowledged that OT environments pose additional challenges due to legacy systems with limited patch support and strict availability requirements. The advisory recommended close coordination between IT and OT teams, prioritization of critical assets, and the adoption of scalable automation that preserves safety and reliability. CISA urged organizations to adopt its Cybersecurity Performance Goals and use standardized cross-sector guidance to measure security improvements and streamline incident response.

Outlook

Organizations are expected to review and harden endpoint management configurations in the coming weeks, with a focus on collaboration between IT and OT teams. CISA's guidance may inform future regulatory requirements surrounding endpoint security and resilience for critical infrastructure sectors.