Mapped controls: CIS Controls v8 10.1 / 10.5, NIST SP 800-53 SI-3

Do you run an EDR / next-gen AV on every endpoint and server (CrowdStrike, SentinelOne, Defender for Endpoint, etc.)?

Description

What this control does

This control requires deployment of Endpoint Detection and Response (EDR) or next-generation antivirus software on all endpoints (workstations, laptops, mobile devices) and servers. Where traditional antivirus matches files against known signatures, EDR platforms continuously collect process, file, network, and registry telemetry from each host and evaluate it for suspicious behavior, which is what lets them catch fileless malware, living-off-the-land techniques, ransomware, and previously unseen exploits that have no signature. They also provide centralized threat hunting over that telemetry, automated response actions such as host isolation and process termination, and the forensic record needed to reconstruct an attack chain after an incident.

Control objective

What auditing this proves

Demonstrate that EDR or next-generation antivirus software is deployed, actively running, and properly configured on all in-scope endpoints and servers with centralized monitoring and management.

Associated risks

Risks this control addresses

  • Undetected malware execution on endpoints leading to data exfiltration or lateral movement
  • Ransomware deployment and encryption of critical business data before detection
  • Fileless malware and living-off-the-land attacks bypassing signature-based detection
  • Privilege escalation and credential theft exploiting unmonitored endpoint vulnerabilities
  • Lack of forensic visibility into attack chains following security incidents
  • Non-compliant or outdated agents failing to report telemetry to central management console
  • Gaps in coverage creating safe havens for adversaries on unprotected systems

Testing procedure

How an auditor verifies this control

  1. Obtain a complete inventory of all endpoints and servers in scope from asset management systems or network discovery tools.
  2. Request from IT or security operations a list of all devices with active EDR/next-gen AV agents from the management console.
  3. Compare the asset inventory against the agent deployment list to identify systems without EDR coverage.
  4. Select a representative sample of endpoints and servers across operating systems, business units, and locations (minimum 15-20 systems).
  5. Remotely verify or physically inspect sampled systems to confirm the EDR agent is installed, running, and reporting to the management console.
  6. Review the EDR management console configuration to verify agent policies include real-time protection, behavioral monitoring, script control, and ransomware prevention.
  7. Examine telemetry logs or console dashboards to confirm sampled systems have checked in (heartbeat) within the past 24-48 hours. Do not expect detection events on a healthy host; use the last check-in time, last scan, or sensor telemetry volume as the liveness indicator. A host that still appears in the console but shows an old last-seen timestamp may have a stopped, crashed, or tampered agent.
  8. Test a dedicated, isolated test endpoint (never a production system) by introducing a benign trigger, such as the EICAR test file or a safe attack-simulation tool, to validate detection and alerting end to end. Note that EICAR only exercises the file-scanning engine; to exercise the behavioral detection this control actually relies on, use a simulation tool that executes benign versions of attacker techniques, and confirm the resulting alert reaches the console and any downstream SIEM or ticketing integration.
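Steps 1-3 and 7 above amount to a reconciliation: the asset inventory is the authoritative list of what should be protected, the EDR console export is the list of what is protected, and the gaps, stale check-ins, and disabled protection modules are the findings. The following script is an added example written for this page, not a tool supplied by any EDR vendor. It assumes both exports are CSV files and assumes the column names shown in the two constructed sample exports (hostname, last_seen_utc, real_time_protection, behavioral_monitoring); real consoles use different column names, so adjust them to match your export.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample exports for illustration only (not real hosts).
# The column names are an assumption; map them to your own export.
ASSET_INVENTORY_CSV = """hostname,os,owner
WS-0101,Windows 11,Finance
WS-0102,Windows 11,Finance
SRV-DB01,Windows Server 2022,IT
SRV-WEB01,Ubuntu 22.04,IT
LT-0203,macOS 14,Sales
"""

EDR_CONSOLE_CSV = """hostname,agent_version,last_seen_utc,policy,real_time_protection,behavioral_monitoring
WS-0101,7.12.1,2024-05-20T09:15:00Z,Workstation-Default,true,true
WS-0102,7.12.1,2024-05-14T22:40:00Z,Workstation-Default,true,true
SRV-DB01,7.11.0,2024-05-20T08:02:00Z,Server-Default,false,true
SRV-WEB01,7.12.1,2024-05-20T07:55:00Z,Server-Default,true,true
OLD-HOST9,7.9.3,2024-05-19T10:00:00Z,Workstation-Default,true,true
"""

# Pass criteria from this control: agent must have checked in within 48 hours
# and both of these protection modules must be enabled.
MAX_CHECKIN_AGE = timedelta(hours=48)
REQUIRED_MODULES = ("real_time_protection", "behavioral_monitoring")

# Fixed audit time so the constructed sample yields the same findings on every run.
AUDIT_TIME = datetime(2024, 5, 20, 12, 0, tzinfo=timezone.utc)


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def normalize(hostname):
    # Inventory and console often disagree on case and domain suffix; compare short names.
    return hostname.strip().lower().split(".")[0]


def reconcile(inventory_rows, edr_rows, now):
    inventory = {normalize(r["hostname"]): r for r in inventory_rows}
    edr = {normalize(r["hostname"]): r for r in edr_rows}

    findings = {
        # In inventory but unknown to the console: no agent at all (step 3).
        "no_agent": sorted(inventory.keys() - edr.keys()),
        # Agent exists but has not checked in within the window (step 7).
        "stale_checkin": [],
        # Agent checks in but a required protection module is off (step 6).
        "misconfigured": [],
        # Known to the console but not in inventory: an inventory gap, not a pass/fail item.
        "not_in_inventory": sorted(edr.keys() - inventory.keys()),
    }
    for host in sorted(inventory.keys() & edr.keys()):
        row = edr[host]
        last_seen = datetime.strptime(row["last_seen_utc"], "%Y-%m-%dT%H:%M:%SZ")
        last_seen = last_seen.replace(tzinfo=timezone.utc)
        if now - last_seen > MAX_CHECKIN_AGE:
            findings["stale_checkin"].append(host)
        disabled = [m for m in REQUIRED_MODULES if row[m].strip().lower() != "true"]
        if disabled:
            findings["misconfigured"].append((host, disabled))
    return findings


def passes(findings):
    # The control passes only when every in-scope host has an agent, a recent
    # check-in, and all required modules enabled. Unknown hosts in the console
    # are reported for follow-up but do not by themselves fail this control.
    return not (findings["no_agent"] or findings["stale_checkin"] or findings["misconfigured"])


def run_audit(now=AUDIT_TIME):
    return reconcile(parse_csv(ASSET_INVENTORY_CSV), parse_csv(EDR_CONSOLE_CSV), now)


if __name__ == "__main__":
    result = run_audit()
    for key, value in result.items():
        print(f"{key}: {value}")
    print("PASS" if passes(result) else "FAIL")
```

Run against the constructed sample, the script reports LT-0203 as having no agent, WS-0102 as stale (last seen more than 48 hours before the audit time), SRV-DB01 as misconfigured (real-time protection disabled), and OLD-HOST9 as present in the console but missing from the inventory, so the control fails. The last category is worth following up even though it does not fail the control: an agent reporting from a host the inventory does not know about usually means the inventory (step 1), not the EDR deployment, is incomplete.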
Evidence required

Collect screenshots or exports from the EDR management console showing the count of protected endpoints and servers with agent status. Obtain configuration policy exports demonstrating enabled protection modules and detection settings. Capture log excerpts or console reports from sampled systems confirming agent heartbeat, version, and recent detection or scanning activity.

Pass criteria

All in-scope endpoints and servers have an EDR or next-generation antivirus agent actively installed, running, reporting to the centralized management console within the last 48 hours, and configured with real-time protection and behavioral detection enabled.