ds-4 High priority Device Security / Device Security

Endpoint detection and response (EDR) is deployed on all managed devices

Antivirus alone is no longer sufficient against modern threats. Endpoint Detection and Response (EDR) tools provide behavioral monitoring, threat hunting, and automated response capabilities that go far beyond signature-based detection. CISA recommends EDR as a baseline for all organizations because the threat landscape has evolved far past what traditional AV can address.

3h estimated effort

edr endpoint-protection malware detection

Complete first: ds-1

Implementation steps

1

Deploy EDR on all managed endpoints

Install an EDR agent on every company-issued laptop, workstation, and server. Ensure the management console shows 100% device coverage. Investigate any devices that are not reporting. Unmanaged or personal devices should not have access to production systems or sensitive data without going through a secure access proxy.

crowdstrike sentinelone microsoft-defender jamf
2

Configure EDR to alert on high-severity detections

Ensure EDR alerts route to a monitored channel where someone will act on them. High-severity detections: malware execution, credential dumping attempts, lateral movement indicators, and persistence mechanisms should generate immediate alerts. Low-severity detections can be reviewed in a daily digest.

crowdstrike sentinelone pagerduty slack
3

Review EDR coverage and detections regularly

At least monthly, review the EDR console for: devices that have dropped off coverage, any unresolved detections, and trends in threat activity. Ensure the EDR software itself is kept up to date. Document the review and any actions taken.

crowdstrike sentinelone microsoft-defender