EDR on every endpoint
Description
What this control does
Endpoint Detection and Response (EDR) software must be deployed on all workstations, servers, and mobile devices within the organization's asset inventory. EDR agents continuously monitor endpoint activity, detect suspicious behaviors using signature-based and behavioral analytics, provide forensic visibility into security incidents, and enable rapid containment through remote isolation or remediation actions. This control ensures that every managed endpoint has an active, up-to-date EDR sensor reporting to a centralized management console, eliminating blind spots where attackers could establish persistence undetected.
Control objective
What auditing this proves
Demonstrate that every in-scope endpoint has an operational EDR agent deployed, reporting telemetry, and receiving current detection signatures without gaps in coverage.
Associated risks
Risks this control addresses
- Unmonitored endpoints allow attackers to establish persistent footholds without detection, enabling lateral movement and data exfiltration
- Ransomware executes on unprotected systems without triggering alerts, leading to widespread encryption before response teams can intervene
- Insider threats or compromised credentials are used on endpoints lacking behavioral monitoring, preventing detection of abnormal activity patterns
- Post-compromise forensic investigations fail due to absence of endpoint telemetry logs, preventing root cause analysis and scope determination
- Zero-day malware bypasses perimeter defenses and operates freely on endpoints without behavioral detection capabilities
- Compliance violations occur when sensitive data is accessed or exfiltrated from endpoints outside the EDR monitoring scope
- Shadow IT devices connect to corporate networks without security instrumentation, creating unmanaged attack surfaces
Testing procedure
How an auditor verifies this control
- Obtain a complete inventory of all in-scope endpoints including workstations, servers, virtual machines, and mobile devices from asset management systems or CMDBs.
- Export the list of all devices with active EDR agents from the EDR management console, including agent version, last check-in timestamp, and operational status.
- Cross-reference the asset inventory against the EDR enrollment list to identify endpoints missing EDR agents or with agents in a disconnected state.
- Select a representative sample of endpoints (a minimum of 20 to 30, spread across OS types, business units, and locations) and remotely verify that the EDR agent on each is running and communicating with the management server.
- Review EDR agent configuration policies to confirm real-time protection is enabled, telemetry collection is active, and automatic updates are configured.
- Query EDR logs for the sample endpoints to confirm they are generating and transmitting security event data within the past 24 hours.
- Verify that documented exceptions for endpoints without EDR (air-gapped systems, legacy unsupported OS, etc.) have current risk acceptance approvals from appropriate management.
- Test EDR detection capability by executing a safe simulation (EICAR test file or EDR vendor's built-in test tool) on a sample endpoint and confirm the alert is generated and visible in the console.
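The reconciliation in steps 3, 6 and 7 above, as an added example that is not part of the original control page: a Python script that joins a CMDB asset export against an EDR console export and buckets each host as covered, missing an agent, stale (disconnected or no check-in within 24 hours), running an outdated agent, or covered by a documented exception (current or lapsed). The hostnames, versions, timestamps, field names and exception records are constructed assumptions, not any vendor's export format.

```python
from datetime import datetime, timedelta

# Constructed sample exports (not real data); timestamps are ISO 8601 UTC.
ASSET_INVENTORY = [  # CMDB export: hostname, OS, business unit
    {"host": "ws-fin-001", "os": "Windows 11", "unit": "Finance"},
    {"host": "ws-eng-014", "os": "macOS 14", "unit": "Engineering"},
    {"host": "srv-db-02", "os": "RHEL 9", "unit": "Platform"},
    {"host": "srv-legacy-01", "os": "Windows Server 2008", "unit": "Ops"},
    {"host": "vm-build-07", "os": "Ubuntu 22.04", "unit": "Engineering"},
]
EDR_ENROLLMENT = [  # EDR console export: hostname, agent version, last check-in, status
    {"host": "ws-fin-001", "version": "7.2.1", "last_seen": "2024-05-10T09:15:00Z", "status": "online"},
    {"host": "ws-eng-014", "version": "7.1.0", "last_seen": "2024-05-07T18:40:00Z", "status": "disconnected"},
    {"host": "srv-db-02", "version": "7.2.1", "last_seen": "2024-05-10T08:58:00Z", "status": "online"},
]
# Documented exceptions (step 7) with their risk-acceptance expiry; constructed.
EXCEPTIONS = {"srv-legacy-01": {"reason": "unsupported OS", "approved_until": "2024-12-31T00:00:00Z"}}
CURRENT_VERSION = "7.2.1"              # agent version the console currently reports as current
MAX_CHECKIN_AGE = timedelta(hours=24)  # step 6: telemetry expected within the past 24 hours

def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def reconcile(inventory, enrollment, exceptions, now, current_version=CURRENT_VERSION):
    # Returns {category: [hostnames]}; every inventory host lands in exactly one coverage bucket.
    enrolled = {e["host"]: e for e in enrollment}
    findings = {"missing": [], "stale": [], "outdated": [], "excepted": [], "expired_exception": [], "ok": []}
    for asset in inventory:
        host = asset["host"]
        if host not in enrolled:
            exc = exceptions.get(host)
            if exc is None:
                findings["missing"].append(host)            # coverage gap, no approval on file
            elif parse_ts(exc["approved_until"]) < now:
                findings["expired_exception"].append(host)  # approval lapsed, treat as a gap
            else:
                findings["excepted"].append(host)
            continue
        agent = enrolled[host]
        stale = agent["status"] != "online" or now - parse_ts(agent["last_seen"]) > MAX_CHECKIN_AGE
        outdated = agent["version"] != current_version
        if stale:
            findings["stale"].append(host)
        if outdated:
            findings["outdated"].append(host)
        if not (stale or outdated):
            findings["ok"].append(host)
    return findings

def coverage_gaps(findings):
    # Hosts an auditor would write up: no agent, lapsed approval, or agent not reporting.
    return sorted(findings["missing"] + findings["expired_exception"] + findings["stale"])
```

Running `reconcile` again with a `now` past an exception's approval date moves that host into `expired_exception`, which is how step 7's "current risk acceptance" check is enforced rather than just recorded.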