Why Endpoint Detection and Response (EDR)?

David - 17 June 2019

Sophos offers a more expensive version of Intercept X Advanced as well as Intercept X Advanced for Server with the addition "EDR". Since we are frequently asked during purchase consultations what this "EDR" means and whether the surcharge is worth it at all, I would like to go into more detail in this article about the functional scope of EDR and the benefits.

The EDR functionality has been available as an add-on to Intercept X Advanced for workstations for some time. Since May 9th the product is also available for servers.

What EDR can help with

Put simply, Intercept X Advanced with EDR lets you get to the bottom of two essential questions in more detail: What exactly happened after an attack, and is there a danger that something else could happen in the near future?

1. What happened?

At first glance, you don't necessarily have to pay extra for EDR to find out what happened after an attack. Sophos has long offered the Root Cause Analysis (RCA) feature, which is included in Intercept X. However, upgrading to Intercept X Advanced with EDR significantly enhances your ability to analyze an attack.

With EDR, you can figure out:

  • what really happened after an attack
  • whether or not a threat has spread
  • what SophosLabs has collected from all Sophos customers about a particular piece of software
  • whether there is still dormant malware in your organization
  • whether you can give your boss the good news that no data has been stolen

With EDR you also get access to artificial-intelligence methods that analyze a process or file with machine learning even more precisely. You can also temporarily isolate the affected computer during an analysis to give yourself enough time.

2. Is anything else going to happen?

A common tactic of attackers is to place a small program somewhere on your computer which does nothing harmful for the time being and therefore does not appear suspicious. This harmless behavior lets it slip past certain security mechanisms at first. At some point, however, the program wakes up and causes damage.

The advanced search capabilities of Intercept X Advanced with EDR make it possible to search for such "sleeping threats" company-wide. Often such programs have already spread to several systems and hide behind false file names. With EDR, Sophos offers the helpful feature of searching all devices in the company for hash values. This lets you quickly find out on which devices a program has already been seen and with whom it has communicated. In this way you can, for example, detect command-and-control servers or locate servers from which data may have leaked.
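To illustrate why a hash-based sweep finds a program regardless of the file name it hides behind, here is a small added example (not Sophos code and not part of the original article) that walks a constructed directory tree standing in for two hosts, hashes every file, and reports both matches against a list of known-bad SHA-256 values and any single binary that appears under more than one name. The IoC hash, the host layout and the payload bytes are all constructed for the demo.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of_file(path):
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_sweep(root, ioc_hashes):
    """Hash every file under `root` and return (matches, duplicates):
    matches    -> {ioc_hash: [paths]} for files on the known-bad list
    duplicates -> {hash: [paths]} for any content seen under more than one name,
                  which is how a renamed copy of the same program shows up."""
    seen = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            seen[sha256_of_file(path)].append(path)
    matches = {h: p for h, p in seen.items() if h in ioc_hashes}
    duplicates = {h: p for h, p in seen.items() if len(p) > 1}
    return matches, duplicates


def build_demo_tree():
    """Constructed sample: one dormant payload copied under three different
    names across two hosts, plus two benign files. Returns (root, payload hash)."""
    root = tempfile.mkdtemp()
    payload = b"CONSTRUCTED DORMANT PAYLOAD v1"  # stand-in for a real binary
    layout = {
        "host1/Users/Public/updater.exe": payload,
        "host1/Windows/Temp/svchost32.exe": payload,
        "host2/ProgramData/report.tmp": payload,
        "host1/Users/alice/notes.txt": b"meeting notes",
        "host2/Users/bob/readme.txt": b"hello",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root, hashlib.sha256(payload).hexdigest()
```

Run `build_demo_tree()` and pass the returned hash to `hash_sweep()`; the three differently named copies are reported together under one hash, which is the property the company-wide hash search relies on.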

Where does EDR add value?

When an attack takes place in an organization, you rely primarily on the protection provided by Sophos Intercept X Advanced. Afterwards you should take a closer look at the data collected about the attack and check whether any data has been stolen or the threat has spread to other systems. Normally this would require a team of forensic analysts doing nothing all day but searching logs and drawing conclusions. Sophos, on the other hand, uses artificial intelligence in its EDR solution: processes in the network are analyzed with machine learning and the help of SophosLabs, not by people. This means that, in theory, the job can now be done by someone who is not an IT forensic specialist. 😎

Do I need EDR or not?

Whether you should pay the additional price for EDR depends on two factors:

Factor 1: Interest

Are you among those who are satisfied when Intercept X Advanced writes to the log after an attack that the threat was stopped and everything was cleaned up? Then you don't need EDR.

But would you like to take a closer look at the attack and analyze how it unfolded? Would you like to know whether there are any more malicious programs lying around on computers or servers in your company that simply haven't been noticed yet? Then I would say you should consider the surcharge for EDR.

Factor 2: Compliance requirements

EDR tools become necessary at the latest when a company has to prove after an attack that no data has been stolen. We're talking about compliance requirements that must be met in certain sectors, such as PCI (Payment Card Industry) or healthcare. This also includes the GDPR (General Data Protection Regulation), which requires that data in need of protection be safeguarded in line with the state of the art.

Such a law naturally also makes a company exposed in a new way. Instead of demanding a ransom to decrypt company data, as in a ransomware attack, attackers can now blackmail companies for even larger sums over a breach of the GDPR or compliance requirements.

Sophos's EDR capabilities can help you meet compliance requirements and prove whether data has been stolen or not. If you think such a tool makes sense for your business, then investing in Sophos Intercept X Advanced with EDR would definitely not be out of place.

Try Sophos Intercept X Advanced with EDR

If you do not yet have a Sophos Central account, you can create one on the Sophos website and try all the features, including Sophos Intercept X Advanced with EDR for computers and servers free for 30 days.

If you already have a Sophos Central account and the 30-day trial period has expired, you can order a license for "Sophos Intercept X Advanced with EDR" from our shop:
