EDR deployed on 100% of corporate endpoints
Demonstrate that EDR agents are installed, operational, and reporting telemetry on 100% of in-scope corporate endpoints with no coverage gaps.
Description
What this control does
Endpoint Detection and Response (EDR) solutions are deployed on all corporate-managed endpoints including workstations, laptops, and servers to provide continuous monitoring, threat detection, and incident response capabilities. These agents collect telemetry on process execution, network connections, file system changes, and registry modifications, transmitting this data to a centralized console for analysis and alerting. Full coverage ensures no gaps exist where adversaries could establish persistence or conduct lateral movement undetected, providing security teams with comprehensive visibility across the endpoint estate.
Control objective
What auditing this proves
Demonstrate that EDR agents are installed, operational, and reporting telemetry on 100% of in-scope corporate endpoints with no coverage gaps.
Associated risks
Risks this control addresses
- Unmonitored endpoints allow attackers to establish initial footholds without detection through phishing, drive-by downloads, or supply chain compromises
- Adversaries pivot through unprotected systems to move laterally across the network, bypassing detection on protected endpoints
- Ransomware executes and encrypts data on endpoints lacking EDR before security teams can isolate infected systems
- Insider threats exfiltrate sensitive data from endpoints outside EDR monitoring, leaving no forensic trail for investigation
- Advanced persistent threats maintain long-term persistence on unmonitored systems, conducting reconnaissance and data staging undetected
- Incident responders lack telemetry from incomplete endpoint coverage, preventing accurate scope determination and root cause analysis
- Compliance violations occur when sensitive data processing systems lack required monitoring and detection controls
Testing procedure
How an auditor verifies this control
- Obtain the complete inventory of corporate endpoints from asset management systems, including workstations, laptops, virtual desktops, and servers designated as in-scope
- Export the list of all endpoints reporting to the EDR management console within the last 24 hours, including agent version and last check-in timestamp
- Compare the asset inventory against the EDR reporting list to identify discrepancies, calculating the coverage percentage and listing any unprotected endpoints
- Select a representative sample of 25-30 endpoints across different locations, departments, and operating systems from the EDR console inventory
- Physically or remotely verify EDR agent presence on sampled endpoints by checking running processes, services, and agent status indicators in system trays or management tools
- Review EDR policy configurations to confirm real-time protection is enabled, agent tamper protection is active, and telemetry collection settings are properly configured
- Test agent communication by reviewing recent telemetry uploads, alert generation, and agent-to-console connectivity (check-in) logs for sampled endpoints in the EDR console
- Examine exception processes and waiver documentation for any endpoints identified as lacking EDR coverage, validating business justification and compensating controls
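The inventory-to-console reconciliation in the second and third steps above is the part of this procedure an auditor can script rather than eyeball. The following is an added example, not part of this control description or any vendor's tooling: it takes two CSV exports (one from the asset system, one from the EDR console), normalises hostnames so an FQDN and a short name compare equal, treats any agent that has not checked in within a 24-hour window as a gap, and returns the coverage percentage together with the three lists an auditor needs (in-scope hosts missing from the console, hosts whose agent has gone silent, and hosts the console knows about that the inventory does not). The hostnames, timestamps, column names and the 24-hour window are constructed assumptions for the example.

```python
"""Reconcile an asset-inventory export against an EDR console export.

Added example (not the control page's own tooling). Column names, hostnames,
timestamps and the 24-hour freshness window are constructed assumptions.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed asset-inventory export: hostname, asset type, in-scope flag.
INVENTORY_CSV = """hostname,asset_type,in_scope
WS-FIN-001.corp.example,workstation,yes
ws-fin-002.corp.example,workstation,yes
LT-HR-010,laptop,yes
SRV-DB-01.corp.example,server,yes
SRV-WEB-02,server,yes
VDI-POOL-07,virtual_desktop,yes
PRINTER-3F,printer,no
"""

# Constructed EDR console export: hostname, agent version, last check-in (UTC).
EDR_CSV = """hostname,agent_version,last_seen
ws-fin-001,7.12.3,2024-05-10T08:15:00Z
WS-FIN-002.corp.example,7.12.3,2024-05-10T07:40:00Z
lt-hr-010,7.11.0,2024-05-08T22:05:00Z
srv-db-01,7.12.3,2024-05-10T08:30:00Z
vdi-pool-07,7.12.3,2024-05-10T06:00:00Z
lab-test-99,7.12.3,2024-05-10T08:00:00Z
"""

# Assumed time at which the auditor pulled both exports.
AUDIT_TIME = datetime(2024, 5, 10, 9, 0, tzinfo=timezone.utc)
FRESHNESS = timedelta(hours=24)


def normalise(hostname: str) -> str:
    """Lower-case short name, so the asset system's FQDN and the console's
    short name refer to the same host."""
    return hostname.strip().lower().split(".")[0]


def read_rows(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def parse_utc(stamp: str) -> datetime:
    # datetime.fromisoformat only accepts a trailing "Z" from Python 3.11 on.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


@dataclass
class CoverageReport:
    in_scope: int
    covered: int
    missing: list = field(default_factory=list)   # in inventory, absent from EDR
    stale: list = field(default_factory=list)     # agent present but silent > window
    unknown: list = field(default_factory=list)   # in EDR, not in inventory

    @property
    def coverage_pct(self) -> float:
        return round(100.0 * self.covered / self.in_scope, 1) if self.in_scope else 0.0


def reconcile(inventory_csv: str, edr_csv: str, now: datetime,
              freshness: timedelta = FRESHNESS) -> CoverageReport:
    # Only in-scope assets count toward the denominator.
    inventory = {normalise(r["hostname"]) for r in read_rows(inventory_csv)
                 if r["in_scope"].strip().lower() == "yes"}
    # Keep the newest check-in if a host appears more than once in the export.
    last_seen: dict[str, datetime] = {}
    for r in read_rows(edr_csv):
        host, seen = normalise(r["hostname"]), parse_utc(r["last_seen"])
        if host not in last_seen or seen > last_seen[host]:
            last_seen[host] = seen
    cutoff = now - freshness
    missing = sorted(inventory - last_seen.keys())
    stale = sorted(h for h in inventory & last_seen.keys() if last_seen[h] < cutoff)
    unknown = sorted(last_seen.keys() - inventory)
    covered = len(inventory) - len(missing) - len(stale)
    return CoverageReport(len(inventory), covered, missing, stale, unknown)


if __name__ == "__main__":
    report = reconcile(INVENTORY_CSV, EDR_CSV, AUDIT_TIME)
    print(f"EDR coverage: {report.coverage_pct}% ({report.covered}/{report.in_scope})")
    print("missing:", report.missing)
    print("stale:  ", report.stale)
    print("unknown:", report.unknown)
```

Two design points matter in practice: a host that is enrolled but has not checked in within the window is reported as stale rather than counted as covered, because an agent that is installed but silent gives the console nothing to alert on; and hosts present in the console but absent from the inventory are surfaced separately, since they usually indicate an asset-management gap rather than an EDR gap and should be fed back to whoever owns the inventory.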
Where this control is tested