Sophos Endpoint Detection and Response (EDR)

Why Endpoint Detection and Response (EDR)?

For both Intercept X Advanced and Intercept X Advanced for Server, Sophos offers a more expensive variant with the suffix "EDR". Because we are very often asked during purchase consultations what exactly this "EDR" means and whether the surcharge is worth it at all, this article looks in more detail at the range of functions EDR provides and the benefits it brings.

The EDR functionality has been available for workstations as an add-on to Intercept X Advanced for some time. Since May 9th it has also been available for servers.

What EDR can help with

Put simply, Intercept X Advanced with EDR lets you get to the bottom of two essential questions: what exactly happened after an attack, and is there a risk that something else will happen in the near future?

1. What happened?

At first glance you don't necessarily need to pay extra for EDR to find out what happened after an attack. Sophos has long offered the Root Cause Analysis (RCA) feature, which is included in Intercept X. Upgrading to Intercept X Advanced with EDR, however, significantly extends your ability to analyze an attack.

With EDR, you can find out

  • what really happened after an attack,
  • whether or not a threat has spread,
  • what SophosLabs has collected from all Sophos customers about a particular piece of software,
  • whether there is still dormant malware in your organization, and
  • whether you can give your boss the good news that no data has been stolen.

With EDR you also get access to machine-learning analysis that examines a process or file in more detail. You can also temporarily isolate the affected computer from the network for the duration of the analysis, so that you have enough time without the threat spreading further.

2. Is anything else going to happen?

A common tactic of attackers is to place a small program somewhere on your computer which does nothing harmful for the time being and therefore does not look suspicious. This harmless behaviour lets it slip past certain security mechanisms at first. At some point, however, the program wakes up and causes damage.

The advanced search capabilities of Intercept X Advanced with EDR can be used to hunt for such "dormant threats" across the enterprise. Often such programs have already spread to several systems and hide behind false file names. With EDR, Sophos offers the useful function of searching all devices in the company for a given hash value, which matches the file contents regardless of what the file has been renamed to. This lets you quickly find out on which devices a program has already been seen and with which hosts it has communicated. In this way you can, for example, identify command-and-control servers or locate servers to which data may have been exfiltrated.
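The hash hunt described above, as an added example that is not Sophos code and does not use the Sophos Central API: a small Python script over a constructed fleet inventory (device names, file paths, file contents and connection records are all made up for the example) that shows why matching on a SHA-256 hash finds a renamed dropper where matching on a file name does not, and how the connection records of the matching files point at the remote endpoint they share.

```python
"""Fleet-wide hash hunt (added example, not Sophos tooling).

The FLEET structure stands in for EDR telemetry: per device, the files
seen on it and the remote endpoints each file's process connected to.
Everything in it is constructed sample data.
"""
import hashlib
from collections import defaultdict


def sha256(data: bytes) -> str:
    """SHA-256 hex digest of file contents."""
    return hashlib.sha256(data).hexdigest()


# Constructed samples: the same dropper bytes are stored under a different
# name on each infected host; LEGIT is an unrelated vendor updater.
DROPPER = b"MZ\x90\x00 constructed dormant dropper sample"
LEGIT = b"MZ\x90\x00 constructed legitimate vendor updater"

FLEET = {
    "WS-FINANCE-01": {
        "files": {r"C:\Users\anna\AppData\Local\Temp\update.exe": DROPPER},
        "connections": {
            r"C:\Users\anna\AppData\Local\Temp\update.exe": ["203.0.113.7:443"],
        },
    },
    "WS-SALES-07": {
        "files": {
            r"C:\ProgramData\svchost.exe": DROPPER,  # masquerading as a system binary
            r"C:\Program Files\Vendor\update.exe": LEGIT,
        },
        "connections": {
            r"C:\ProgramData\svchost.exe": ["203.0.113.7:443", "198.51.100.20:445"],
            r"C:\Program Files\Vendor\update.exe": ["vendor.example:443"],
        },
    },
    "SRV-FILE-02": {
        "files": {r"D:\Shares\Public\report.pdf.scr": DROPPER},
        "connections": {},  # dropped but never executed: a dormant copy
    },
    "WS-HR-03": {
        "files": {r"C:\Program Files\Vendor\update.exe": LEGIT},
        "connections": {r"C:\Program Files\Vendor\update.exe": ["vendor.example:443"]},
    },
}


def hunt_by_name(fleet, filename):
    """Naive hunt: list (device, path) pairs whose file name matches."""
    hits = []
    for device, data in fleet.items():
        for path in data["files"]:
            if path.rsplit("\\", 1)[-1].lower() == filename.lower():
                hits.append((device, path))
    return hits


def hunt_by_hash(fleet, ioc_hashes):
    """Hash hunt: map each device to the paths whose SHA-256 is in ioc_hashes."""
    wanted = {h.lower() for h in ioc_hashes}
    hits = defaultdict(list)
    for device, data in fleet.items():
        for path, content in data["files"].items():
            if sha256(content) in wanted:
                hits[device].append(path)
    return dict(hits)


def contacted_hosts(fleet, ioc_hashes):
    """Map each remote endpoint the matching files talked to -> sorted devices.

    An endpoint contacted from several devices by the same binary is a
    command-and-control or exfiltration candidate worth investigating.
    """
    hosts = defaultdict(set)
    for device, paths in hunt_by_hash(fleet, ioc_hashes).items():
        for path in paths:
            for remote in fleet[device]["connections"].get(path, []):
                hosts[remote].add(device)
    return {remote: sorted(devs) for remote, devs in hosts.items()}


if __name__ == "__main__":
    # In practice the indicator is the hash reported by the initial detection or RCA.
    ioc = [sha256(DROPPER)]
    print("By name 'update.exe':", hunt_by_name(FLEET, "update.exe"))
    print("By hash:", hunt_by_hash(FLEET, ioc))
    print("Remote endpoints:", contacted_hosts(FLEET, ioc))
```

Running it shows the difference: the name search for `update.exe` returns three devices, two of which only hold the legitimate updater, and misses the two renamed copies, while the hash search returns exactly the three devices holding the dropper, including the dormant copy on the file server that has never connected anywhere. The connection view then shows that both executed copies talked to the same endpoint, which is where you would start looking for a command-and-control server.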

Where does EDR add value?

When an attack takes place in an organization, you rely primarily on the protection provided by Sophos Intercept X Advanced. Afterwards you should take a closer look at the data collected during the attack and check whether any data has been stolen or the threat has spread to other systems. This would normally require a team of forensic analysts doing nothing all day but combing through logs and drawing conclusions. Sophos, on the other hand, uses machine learning in its EDR solution, so processes in the network are analyzed with machine learning and with the help of SophosLabs rather than purely by hand. This means that, in theory, the job can now be done by someone who is not an IT forensics specialist. 😎

Do I need EDR or not?

The answer to the question whether you should pay the additional price for EDR or not depends on two factors:

Factor 1: Interest

Are you among those who are satisfied when Intercept X Advanced writes to the log after an attack that the threat was stopped and everything was cleaned up? Then you don't need EDR.

But would you like to take a closer look at the attack and analyze what happened? Would you like to know whether there are any more malicious programs lying around on computers or servers in your company that simply haven't been noticed yet? Then I would say you should consider the surcharge for EDR.

Factor 2: Compliance requirements

EDR tools are needed at the latest when a company has to prove after an attack that no data has been stolen. We are talking about compliance requirements that must be met in certain sectors, such as PCI (Payment Card Industry) or healthcare. This also includes the GDPR (General Data Protection Regulation), which requires data worthy of protection to be secured in accordance with the state of the art.

Such a law naturally also makes a company vulnerable in a new way. Instead of demanding a ransom to decrypt company data, as in a ransomware attack, attackers can now blackmail companies for even larger sums with the threat of a GDPR or compliance breach.

Sophos's EDR capabilities can help you meet compliance requirements and prove whether or not data has been stolen. If you think such a tool makes sense for your business, then investing in Sophos Intercept X Advanced with EDR would certainly not be out of place.

Try Sophos Intercept X Advanced with EDR

If you don't have a Sophos Central account yet, you can create one on the Sophos website and test all features, including "Sophos Intercept X Advanced with EDR" for computers and servers, free of charge for 30 days.

If you already have a Sophos Central account and the 30-day trial period has expired, you can order a license for "Sophos Intercept X Advanced with EDR" in our store:
