CIS Control 13.7: Deploy a Host-Based Intrusion Prevention Solution
Host-based intrusion prevention is your last line of defense against threats that bypass perimeter controls. CIS Control 13.7 requires deploying endpoint detection and response (EDR) or intrusion prevention clients on enterprise assets to detect and stop attacks in real time. This control directly reduces your breach dwell time and minimizes attacker persistence.
What this means
Host-based intrusion prevention solutions monitor endpoint behavior from inside your assets rather than relying solely on network-level detection. These solutions—typically implemented as EDR clients—analyze process execution, file activity, network connections, and system calls to identify malicious behavior patterns. The control requires deploying these tools on enterprise assets where technically appropriate and supported, creating a distributed detection layer across your organization's critical infrastructure.
How to comply
- 1.Inventory all enterprise assets and identify which support host-based intrusion prevention solutions
- 2.Select an EDR or host-based intrusion prevention platform that fits your environment and budget
- 3.Deploy client software across all eligible endpoints, starting with high-value targets (servers, workstations with sensitive data access)
- 4.Configure detection rules and behavioral analytics to match your threat model and reduce false positives
- 5.Establish alert escalation procedures and response workflows for detected intrusions
- 6.Document deployment architecture, policies, and exception procedures for non-supported assets
- 7.Conduct quarterly reviews of detection coverage and EDR performance metrics
Evidence auditors look for
- EDR software deployment inventory showing asset names, deployment dates, and agent status
- EDR console screenshots demonstrating active monitoring across endpoints
- Detection tuning documentation and rule configuration records
- Incident response logs showing EDR-triggered alerts and remediation actions
- Asset-to-EDR coverage reports identifying which systems are protected
- Exception justification documents for assets where host-based solutions are unsupported
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically tracks EDR deployment status across your asset inventory, maintains audit evidence from your EDR console, and flags coverage gaps so you can prove continuous compliance with CIS 13.7 without manual spreadsheet work.
See how GRCWatch handles this control automatically
Start free trial