EDR deployed on all servers
Demonstrate that EDR agents are installed, configured, and operationally active on 100% of in-scope servers with current signatures and connectivity to centralized management infrastructure.
Description
What this control does
Endpoint Detection and Response (EDR) software is deployed and actively running on all production, development, staging, and test servers across the organization. EDR agents continuously monitor system activity, process execution, network connections, file changes, and registry modifications to detect suspicious behavior indicative of malware, lateral movement, or advanced persistent threats. The solution provides real-time alerting, automated containment capabilities, and forensic data collection to enable rapid incident response and threat hunting on server infrastructure.
Control objective
What auditing this proves
Demonstrate that EDR agents are installed, configured, and operationally active on 100% of in-scope servers with current signatures and connectivity to centralized management infrastructure.
Associated risks
Risks this control addresses
- Undetected malware execution on servers leading to data exfiltration, ransomware deployment, or system compromise
- Lateral movement by threat actors across server infrastructure without triggering alerts or containment actions
- Insufficient forensic visibility following a security incident, resulting in inability to determine scope, timeline, or root cause
- Delayed detection of credential dumping, privilege escalation, or exploitation of unpatched vulnerabilities on server endpoints
- Non-compliant servers operating outside EDR coverage becoming entry points or persistence mechanisms for attackers
- Inability to correlate server-side threat indicators with network and endpoint telemetry during investigations
- Insider threats executing unauthorized commands or exfiltrating sensitive data from servers without detection
Testing procedure
How an auditor verifies this control
- Obtain a complete inventory of all in-scope servers including physical, virtual, and cloud-based instances from the IT asset management system or CMDB.
- Export the list of all servers with active EDR agents from the EDR management console showing hostname, IP address, agent version, and last check-in timestamp.
- Compare the asset inventory against the EDR deployment list to identify any servers without EDR coverage and document all discrepancies.
- Select a random sample of at least 15-20 servers across different environments, operating systems, and business units for detailed verification.
- Remotely connect to sampled servers or review agent logs to confirm EDR processes are running, services are enabled at startup, and agents are communicating with the management server.
- Review EDR console configuration to verify detection policies are enabled, signature updates are current within the last 24-48 hours, and alerting thresholds are appropriately configured.
- Test EDR responsiveness by reviewing recent detection events or alerts generated from sampled servers to confirm active monitoring and behavioral analysis capabilities.
- Validate that EDR deployment procedures include mechanisms for auto-deployment to newly provisioned servers and alerting when agents go offline for extended periods.
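As an added example (not part of this control's text or any EDR vendor's tooling), the reconciliation in the steps above can be scripted: normalise hostnames, list in-scope servers with no EDR record, flag agents whose last check-in is older than 48 hours, and report EDR hosts missing from the inventory. The CSV column names and sample rows are constructed assumptions.

```python
"""Reconcile a CMDB server inventory against an EDR console export.

Added example: both inputs are constructed sample CSV exports, and the
column names (hostname, environment, agent_version, last_checkin) are
assumptions, not any real product's export format."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample data: the CMDB export and the EDR console export.
CMDB_CSV = """hostname,environment,owner
web-01.example.internal,production,app-team
web-02.example.internal,production,app-team
db-01.example.internal,production,dba
build-07.example.internal,development,platform
"""
EDR_CSV = """hostname,agent_version,last_checkin
WEB-01,7.4.1,2024-05-10T09:15:00Z
web-02.example.internal,7.4.1,2024-05-01T02:00:00Z
build-07,7.3.9,2024-05-10T08:40:00Z
decom-old,7.2.0,2024-05-10T08:00:00Z
"""
# Fixed "now" so the stale-agent check is reproducible (constructed).
SAMPLE_NOW = datetime(2024, 5, 10, 10, 0, tzinfo=timezone.utc)

def normalise(hostname: str) -> str:
    """Lower-case and drop the DNS suffix so 'WEB-01' matches 'web-01.example.internal'."""
    return hostname.strip().lower().split(".")[0]

def reconcile(cmdb_csv: str, edr_csv: str, now: datetime,
              max_age: timedelta = timedelta(hours=48)) -> dict:
    """Return uncovered servers, stale agents, EDR hosts absent from the CMDB, and coverage %."""
    inventory = {normalise(r["hostname"]): r for r in csv.DictReader(io.StringIO(cmdb_csv))}
    agents = {normalise(r["hostname"]): r for r in csv.DictReader(io.StringIO(edr_csv))}
    missing = sorted(h for h in inventory if h not in agents)  # in scope, no agent at all
    stale = []  # agent registered but not checking in within max_age
    for host in sorted(set(inventory) & set(agents)):
        seen = datetime.fromisoformat(agents[host]["last_checkin"].replace("Z", "+00:00"))
        if now - seen > max_age:
            stale.append(host)
    unknown = sorted(h for h in agents if h not in inventory)  # possible CMDB gap or decommissioned box
    healthy = len(inventory) - len(missing) - len(stale)
    coverage = round(100.0 * healthy / len(inventory), 1) if inventory else 0.0
    return {"missing": missing, "stale": stale, "unknown": unknown, "coverage_pct": coverage}

if __name__ == "__main__":
    for key, value in reconcile(CMDB_CSV, EDR_CSV, now=SAMPLE_NOW).items():
        print(f"{key}: {value}")
```

Servers in the "missing" and "stale" lists are the discrepancies the auditor documents; "unknown" hosts point at inventory gaps the CMDB owner should explain.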
Where this control is tested