Endpoint Detection and Response (EDR) is a core control for meeting NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 SI.L2-3.14.7 because it provides the telemetry and detection capability needed to identify unauthorized use of organizational systems—something every small organization protecting Controlled Unclassified Information (CUI) must do. This post gives a practical, step-by-step implementation plan, specific technical configurations, real-world small-business examples, and compliance-focused evidence you can present to assessors.
Why this control matters and what to aim for
The SI.L2-3.14.7 objective is to identify and report unauthorized use of organizational systems. For EDR that means collecting the right telemetry (process creation, logons, network connections, device events), establishing baseline behavior, creating detection rules for anomalous or policy-violating activity, triggering alerts, and retaining evidence for incident response and audits. Your measurable goals: detect unauthorized logins, unapproved device use (e.g., USB/external drives), unauthorized lateral movement, and use of non-corporate endpoints to access CUI.
Step-by-step implementation (practical)
Step 1 — Scope & Inventory: Create an asset inventory that identifies all endpoints in scope for CUI access (workstations, servers, contractor laptops). Tag assets with roles (e.g., finance, engineering) and risk level. This mapping is required by CMMC assessors to show you know which endpoints must be monitored.
Step 2 — Choose & deploy EDR with required telemetry: Select an EDR product that can capture full process creation (including command line), parent process, network connection events, file/registry changes, device attach/detach, and memory/process dumps on-demand. Example vendors: CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, VMware Carbon Black. Deploy agents via management system (SCCM, Intune, JAMF) with staged rollout and version control.
Step 3 — Configure data collection and log settings: For Windows endpoints enable collection of Event IDs and Sysmon events—specifically 4624 (logon), 4625 (logon failure), 4672 (privileged logon), 4688 (process creation), and Sysmon events 1 (process create), 3 (network connection), 11/12 (file create/modify) with full command-line capture enabled. For Linux, enable auditd rules (e.g., -a always,exit -F arch=b64 -S execve -k exec), collect bash history/command lines, and capture network connections (/proc/net/tcp or EDR network hooks). Set the agent to capture parent process GUIDs and to retain a 30–90 day rolling window of critical telemetry, depending on your retention policy.
Step 4 — Create detections and map to MITRE/CMMC: Build detection rules that map to likely unauthorized-use behaviors. Example rules:
- Alert on interactive logons (RDP/SSH) from countries/regions you don’t do business with.
- Alert on new device (USB) mounts followed by archive or exfiltration file operations.
- Alert when PowerShell (or suspicious scripting) spawns from non-admin user profiles with encoded commands (PowerShell -EncodedCommand).
- Alert on process creation of data-staging tools (7zip, WinRAR, scp) immediately after accessing CUI directories.
Tag each rule with MITRE ATT&CK techniques (T1078 Valid Accounts, T1140 Deobfuscate/Decode Files or Information) and link to SI.L2-3.14.7 in your control mapping document.
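As an added example (not from the original post and not any vendor's rule syntax), here is the encoded-PowerShell rule above implemented in Python over constructed Sysmon-style process-creation records: it recognises the -EncodedCommand flag and the short forms PowerShell accepts, decodes the UTF-16LE base64 payload so the triage note shows what was run, and alerts only when the launching account is not on an admin allow-list. The allow-list, host names, users and sample commands are assumptions.

```python
import base64

# Hypothetical allow-list of accounts expected to run scripted/encoded PowerShell.
ADMIN_ACCOUNTS = {"CORP\\itadmin"}

def encode_for_powershell(script):
    """-EncodedCommand takes base64 of the UTF-16LE script text (used here to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_powershell(b64):
    """Reverse the encoding for triage; tolerate stripped padding and odd bytes."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le", errors="replace")

def is_encoded_flag(token):
    """PowerShell accepts -EncodedCommand, any prefix beginning with -e, and the alias -ec."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name == "ec" or "encodedcommand".startswith(name)

def extract_encoded_payload(cmdline):
    """Return the base64 token following an encoded-command flag, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_flag(tok):
            return tokens[i + 1]
    return None

# Constructed Sysmon Event ID 1 style records; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS-FIN-02", "user": "CORP\\jdoe", "parent": "C:\\Windows\\explorer.exe",
     "cmd": "powershell.exe -NoP -W Hidden -enc " + encode_for_powershell("Write-Host 'hello'")},
    {"host": "SRV-MGMT-01", "user": "CORP\\itadmin", "parent": "C:\\Windows\\System32\\svchost.exe",
     "cmd": "powershell.exe -EncodedCommand " + encode_for_powershell("Get-Service")},
    {"host": "WS-FIN-02", "user": "CORP\\jdoe", "parent": "C:\\Windows\\explorer.exe",
     "cmd": "powershell.exe -File C:\\Scripts\\backup.ps1"},
]

def detect_encoded_powershell(events, admin_accounts=ADMIN_ACCOUNTS):
    """Flag encoded PowerShell launched by non-admin accounts; decoded text goes to the triage note."""
    findings = []
    for ev in events:
        if "powershell" not in ev["cmd"].lower():
            continue
        payload = extract_encoded_payload(ev["cmd"])
        if payload is None or ev["user"] in admin_accounts:
            continue
        findings.append({"host": ev["host"], "user": ev["user"], "parent": ev["parent"],
                         "decoded": decode_powershell(payload),
                         "technique": "T1140", "control": "SI.L2-3.14.7"})
    return findings
```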
Integration, alerting, and automation
Step 5 — Integrate EDR with your SIEM/log management: Forward EDR alerts and raw telemetry to your SIEM (Splunk, Elastic, Azure Sentinel). Create dashboards for unauthorized-use metrics (e.g., unauthorized device use, off-hours remote access). Implement alert routing to a designated incident response mailbox and to a ticketing system (Jira, ServiceNow) for traceability.
Step 6 — Build triage and response playbooks: For each detection create a triage playbook that lists immediate steps (isolate endpoint, collect forensic snapshot, block account, preserve logs) and evidence artifacts (process tree, network connections, file hashes, screenshots). For small businesses, implement a simplified playbook with roles: IT lead, data owner, compliance officer, and an external incident response vendor contact.
Step 7 — Tune, test, and document evidence for compliance: Run regular red-team or tabletop exercises and benign simulations (e.g., run encoded PowerShell with SafeMock) to verify detection. Tune rules to reduce false positives (most EDRs allow thresholds, lookback windows, allow-lists). Maintain a change log (who changed what rule and why). For an assessment you’ll present: agent deployment reports, detection rule list, alert history with triage notes, and retention/backup configuration.
Small business real-world scenarios
Scenario A — Contractor uses personal laptop: EDR detects a new device joining the corporate network, a corporate file is opened, and an external cloud client performs a large upload. Detection triggers an alert for data exfiltration originating from an untagged endpoint. Action: isolate session, verify contractor authorization, collect forensic evidence, and, where appropriate, revoke access. Document findings in an incident log to satisfy SI.L2-3.14.7 reporting.
Scenario B — Insider uses USB to copy CUI: EDR rules alert on USB mount + access to CUI folder + new file creation named *.zip within 5 minutes. Response playbook automatically disables user network access, notifies compliance, and the EDR locks or quarantines created archives. This demonstrates both detection and immediate mitigation for assessors.
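The Scenario B rule as an added Python example (not from the original post and not any EDR product's rule language): it correlates, per host and user, the chain USB mount, then CUI folder access, then *.zip creation within the 5-minute window over constructed sample events, and each finding carries the three events as the evidence artifacts the playbook asks for. The CUI path prefixes, host and user names are assumptions; the same sliding-window logic fits Scenario A with different event types.

```python
from datetime import datetime, timedelta

# Correlation window from the scenario: mount -> CUI access -> *.zip within 5 minutes.
WINDOW = timedelta(minutes=5)
# Hypothetical CUI locations; take the real ones from your asset inventory / data map.
CUI_PREFIXES = ("\\\\fileserver\\cui\\", "c:\\cui\\")

# Constructed, normalised EDR events (not real telemetry). Deliberately unsorted.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T14:01:10", "host": "WS-ENG-07", "user": "CORP\\asmith", "type": "usb_mount", "detail": "E:"},
    {"ts": "2024-03-04T14:04:05", "host": "WS-ENG-07", "user": "CORP\\asmith", "type": "file_create", "detail": "E:\\drawings.zip"},
    {"ts": "2024-03-04T14:02:30", "host": "WS-ENG-07", "user": "CORP\\asmith", "type": "file_access",
     "detail": "\\\\fileserver\\cui\\drawings\\part-1138.pdf"},
    # Benign: USB archive with no CUI access in between.
    {"ts": "2024-03-04T09:00:00", "host": "WS-FIN-02", "user": "CORP\\jdoe", "type": "usb_mount", "detail": "F:"},
    {"ts": "2024-03-04T09:01:00", "host": "WS-FIN-02", "user": "CORP\\jdoe", "type": "file_create", "detail": "F:\\photos.zip"},
    # Benign under this rule: CUI access and archive, but the archive lands 6.5 minutes after the mount.
    {"ts": "2024-03-04T16:00:00", "host": "WS-ENG-03", "user": "CORP\\bwu", "type": "usb_mount", "detail": "E:"},
    {"ts": "2024-03-04T16:01:00", "host": "WS-ENG-03", "user": "CORP\\bwu", "type": "file_access", "detail": "C:\\CUI\\specs\\spec.docx"},
    {"ts": "2024-03-04T16:06:30", "host": "WS-ENG-03", "user": "CORP\\bwu", "type": "file_create", "detail": "E:\\specs.zip"},
]

def _is_cui(path):
    return path.lower().startswith(CUI_PREFIXES)

def correlate_usb_exfil(events, window=WINDOW):
    """One finding per (host, user) chain: usb_mount -> CUI file_access -> .zip file_create within window."""
    findings = []
    state = {}  # (host, user) -> {"mount": event or None, "cui": event or None}
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        s = state.setdefault((ev["host"], ev["user"]), {"mount": None, "cui": None})
        t = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "usb_mount":
            s["mount"], s["cui"] = ev, None                     # a new mount starts a fresh chain
        elif s["mount"] is None:
            continue                                            # nothing mounted, nothing to correlate
        elif t - datetime.fromisoformat(s["mount"]["ts"]) > window:
            s["mount"], s["cui"] = None, None                   # chain expired outside the window
        elif ev["type"] == "file_access" and _is_cui(ev["detail"]):
            s["cui"] = ev
        elif ev["type"] == "file_create" and ev["detail"].lower().endswith(".zip") and s["cui"]:
            findings.append({"host": ev["host"], "user": ev["user"], "control": "SI.L2-3.14.7",
                             "technique": "T1052.001",          # Exfiltration over USB
                             "evidence": [s["mount"], s["cui"], ev]})
            s["mount"], s["cui"] = None, None                   # alert once per chain
    return findings
```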
Compliance tips and best practices
Map every EDR capability to a compliance artifact: agent deployment evidence, policy that authorizes monitoring, list of detection rules, incident response playbooks, and retention policies. Enforce least privilege on EDR management consoles, rotate API keys, and require MFA for console access. Maintain a POA&M for any gaps (e.g., unsupported OSes). Retain logs according to your information retention schedule—assessors expect at least 90 days for many incident traces unless you document a justified alternate.
Risk of not implementing this control
Without properly configured EDR you risk undetected credential misuse, silent exfiltration of CUI, prolonged dwell time for attackers, contract loss, and failure during CMMC/NIST audits. Small businesses are attractive targets because they often have fewer detection controls; a single unauthorized laptop or unchecked contractor account can lead to data breaches and reputational damage that are expensive and sometimes fatal to operations.
In summary, meet SI.L2-3.14.7 by deploying EDR agents to all in-scope systems, capturing detailed telemetry (process, logon, network, device), creating behavior-based detections, integrating with a SIEM, documenting responses and evidence, and validating detections through exercises. For small businesses the focus should be on targeted, high-fidelity rules (USB + CUI access, unusual logons, suspicious scripting), simple documented playbooks, and demonstrable logs and tuning history for assessors—this approach gives you both operational security and the compliance artifacts required for NIST SP 800-171 / CMMC 2.0 Level 2.