EDR on all endpoints + servers
Demonstrate that EDR solutions are deployed and operational on all in-scope endpoints and servers with adequate coverage, appropriate detection policies, and functional alerting mechanisms.
Description
What this control does
Endpoint Detection and Response (EDR) software is deployed on all workstations, laptops, and servers to provide continuous monitoring, threat detection, and automated response capabilities. EDR agents collect telemetry including process execution, network connections, file modifications, and registry changes, then correlate this data using behavioral analytics and threat intelligence to identify malicious activity. This control enables rapid detection of advanced threats that evade traditional antivirus, provides forensic capabilities for incident investigation, and supports containment actions such as process termination or network isolation.
Control objective
What auditing this proves
Demonstrate that EDR solutions are deployed and operational on all in-scope endpoints and servers with adequate coverage, appropriate detection policies, and functional alerting mechanisms.
Associated risks
Risks this control addresses
- Advanced persistent threats (APTs) execute undetected on endpoints due to lack of behavioral monitoring and evade signature-based antivirus
- Ransomware encrypts critical data before detection because traditional antivirus cannot identify novel or polymorphic variants
- Lateral movement by attackers across the network goes unnoticed due to insufficient visibility into process-to-process communication and credential usage
- Insider threats exfiltrate sensitive data without triggering alerts because file access and network egress patterns are not monitored
- Compromised servers remain active for extended dwell times because malicious processes blend with normal activity without behavioral analysis
- Incident response is delayed or incomplete due to lack of forensic telemetry for root cause analysis and scope determination
- Zero-day exploits successfully compromise endpoints because heuristic and machine learning detection capabilities are absent
Testing procedure
How an auditor verifies this control
- Obtain a complete inventory of all endpoints (workstations, laptops) and servers from asset management systems or network discovery tools
- Export the list of all devices with active EDR agents from the EDR management console, including device names, installation dates, and agent versions
- Compare the asset inventory against the EDR agent deployment list to identify any devices without EDR coverage
- Select a representative sample of endpoints and servers (minimum 10-15 across different segments) and verify EDR agent operational status through the management console
- Review EDR detection policy configurations to confirm behavioral analytics, threat intelligence feeds, and automated response actions are enabled
- Examine alert logs from the past 90 days to verify that the EDR platform is generating and escalating security alerts appropriately
- Validate that EDR agents are configured to maintain persistence through reboots and have tamper protection enabled to prevent unauthorized uninstallation
- Test EDR response capabilities by reviewing evidence of at least one recent incident where the EDR system detected and contained a threat or triggered an alert for investigation
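As an added illustration of the inventory-reconciliation steps above (example code written for this page, not part of the control text or of any EDR vendor's tooling), the following Python script matches an asset inventory export against an EDR console export and reports devices without an agent, agents that have stopped reporting, and agents with tamper protection off. The CSV column names, the 7-day stale threshold, and the sample rows are all constructed assumptions; real exports will need their columns mapped accordingly.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample exports (hypothetical hosts, not real data).
ASSET_INVENTORY_CSV = """hostname,type,segment
WS-FIN-001,workstation,finance
ws-fin-002.corp.example,workstation,finance
SRV-DB-01,server,datacenter
SRV-WEB-02,server,dmz
LT-SALES-007,laptop,sales
"""

EDR_EXPORT_CSV = """device_name,agent_version,last_seen,tamper_protection
ws-fin-001,7.2.1,2024-05-01T09:12:00,enabled
SRV-DB-01.corp.example,7.2.1,2024-04-02T03:00:00,enabled
srv-web-02,7.1.0,2024-05-01T10:40:00,disabled
"""


def normalize(name):
    """Fold case and strip any domain suffix so FQDNs and short names match."""
    return name.strip().lower().split(".")[0]


def reconcile(inventory_csv, edr_csv, as_of, stale_days=7):
    """Return (coverage percent, findings dict) for an inventory vs. EDR export."""
    assets = {normalize(r["hostname"]): r for r in csv.DictReader(io.StringIO(inventory_csv))}
    agents = {normalize(r["device_name"]): r for r in csv.DictReader(io.StringIO(edr_csv))}
    findings = {"uncovered": [], "stale": [], "tamper_off": [], "orphan_agents": []}
    for host in assets:
        agent = agents.get(host)
        if agent is None:                      # in inventory, no EDR agent at all
            findings["uncovered"].append(host)
            continue
        if as_of - datetime.fromisoformat(agent["last_seen"]) > timedelta(days=stale_days):
            findings["stale"].append(host)      # installed but not checking in
        if agent["tamper_protection"].lower() != "enabled":
            findings["tamper_off"].append(host)
    # Agents the console knows about that the asset inventory does not: inventory gap.
    findings["orphan_agents"] = sorted(set(agents) - set(assets))
    coverage = 100.0 * (len(assets) - len(findings["uncovered"])) / len(assets)
    return coverage, findings


def run_sample():
    """Run the reconciliation on the constructed data as of a fixed audit date."""
    return reconcile(ASSET_INVENTORY_CSV, EDR_EXPORT_CSV, datetime(2024, 5, 2))


if __name__ == "__main__":
    pct, result = run_sample()
    print(f"EDR coverage: {pct:.1f}%")
    for category, hosts in result.items():
        print(f"{category}: {', '.join(hosts) or 'none'}")
```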
Where this control is tested