Why Endpoint Detection and Response (EDR)?
Sophos offers a more expensive variant with the addition “EDR” for both Intercept X Advanced and Intercept X Advanced for Server. Since we are very frequently asked in purchasing consultations what exactly this “EDR” means and whether the surcharge is even worthwhile, I would like to go into more detail about the functionality of EDR and its benefits in this article.
Intercept X Advanced with EDR has been available for workstations for some time. Since May 9, it is also available for servers.
How EDR can help
Put simply, Intercept X Advanced with EDR lets you answer two essential questions: What exactly happened during an attack, and is there a risk that something else could happen in the near future?
1. What happened?
To find out what happened after an attack, you don’t necessarily have to pay the extra charge for EDR at first glance. Sophos has long offered you the Root Cause Analysis (RCA) function, which is included in the scope of Intercept X. However, the possibilities for analyzing an attack are decisively expanded by an upgrade to Intercept X Advanced with EDR.
With EDR you can find out:
- what really happened after an attack
- whether a threat has spread
- what insights SophosLabs has gathered about a specific program from all Sophos customers
- whether there is still dormant malware in your company
- whether you can give your boss the all-clear that no data has been stolen
With EDR, you gain access to machine-learning analysis that examines a process or file in more detail than the standard detection does. You can also isolate the affected computer from the network for the duration of the analysis: this stops further spread and command-and-control traffic while keeping the machine and its evidence intact for investigation.
2. Will anything else happen?
A common tactic of attackers is to place a small program somewhere on your computer that initially does nothing malicious and therefore does not appear suspicious. Because there is no harmful behaviour to act on, such a program can initially slip past behaviour-based protection. At some point, however, it wakes up and causes damage.
With the extended search capabilities of Intercept X Advanced with EDR, such “dormant threats” can be searched for company-wide. Often, such programs have already spread to numerous systems and hide behind innocuous or legitimate-looking filenames, which is why the search is done by hash value rather than by name. EDR lets you search all devices in the company for a given hash, so you can quickly find out on which devices a program has already been seen and with whom it has communicated. In this way you can, for example, identify command-and-control servers or locate servers from which data may have been exfiltrated. Bear in mind that a hash search only finds exact copies of a file: a recompiled or slightly modified variant has a different hash, so a negative result is not proof that a family of malware is absent.
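As an added illustration of the company-wide hash search and the follow-up question “with whom did it talk?”, here is a small hunt written for this article. It is not Sophos code and does not use the Sophos Central API; the telemetry records, device names, hashes and IP addresses are constructed, and the field names are assumptions about what an EDR agent reports. The same binary appears under three different filenames on three hosts, which a name-based search would miss, and joining the process records with the connection records exposes a shared destination (a C2 candidate) and one large outbound transfer (an exfiltration candidate).

```python
"""Hash-based hunt over constructed endpoint telemetry.

Added example for this article, not Sophos code. Record layout, device
names, hashes and IPs are assumptions; the IPs are documentation ranges.
"""
from collections import defaultdict

# Constructed process-start records. One binary (same SHA-256, "aa"*32)
# runs under three different filenames; a different benign binary runs on WS-03.
PROCESS_EVENTS = [
    {"device": "WS-01", "pid": 4120, "sha256": "aa" * 32,
     "image": r"C:\Users\anna\AppData\Local\Temp\svch0st.exe"},
    {"device": "WS-07", "pid": 2204, "sha256": "aa" * 32,
     "image": r"C:\ProgramData\update\winlogin.exe"},
    {"device": "SRV-FILE01", "pid": 988, "sha256": "aa" * 32,
     "image": r"D:\tools\backup.exe"},
    {"device": "WS-03", "pid": 3300, "sha256": "bb" * 32,
     "image": r"C:\Windows\System32\svchost.exe"},
]

# Constructed outbound-connection records, keyed to the process by (device, pid).
NET_EVENTS = [
    {"device": "WS-01", "pid": 4120, "remote": "198.51.100.23", "port": 443, "bytes_out": 12_000},
    {"device": "WS-07", "pid": 2204, "remote": "198.51.100.23", "port": 443, "bytes_out": 9_500},
    {"device": "SRV-FILE01", "pid": 988, "remote": "198.51.100.23", "port": 443, "bytes_out": 7_000},
    {"device": "SRV-FILE01", "pid": 988, "remote": "203.0.113.9", "port": 22, "bytes_out": 4_800_000_000},
    {"device": "WS-03", "pid": 3300, "remote": "10.0.0.5", "port": 445, "bytes_out": 2_000},
]


def devices_with_hash(process_events, sha256):
    """Return {device: [filenames]} for every device that executed this hash.

    Matching on the hash rather than the image path is the whole point:
    the filename differs per host, the hash does not.
    """
    hits = defaultdict(set)
    wanted = sha256.lower()
    for ev in process_events:
        if ev["sha256"].lower() == wanted:
            hits[ev["device"]].add(ev["image"])
    return {device: sorted(names) for device, names in hits.items()}


def connections_for_hash(process_events, net_events, sha256):
    """Join process and network telemetry: where did instances of this hash talk to?

    Returns {"ip:port": {"devices": set(...), "bytes_out": int}}.
    Note: joining on (device, pid) assumes the records come from the same
    process lifetime; PIDs are reused, so a real agent uses a process GUID.
    """
    wanted = sha256.lower()
    keys = {(ev["device"], ev["pid"]) for ev in process_events
            if ev["sha256"].lower() == wanted}
    per_dest = defaultdict(lambda: {"devices": set(), "bytes_out": 0})
    for ev in net_events:
        if (ev["device"], ev["pid"]) in keys:
            dest = f'{ev["remote"]}:{ev["port"]}'
            per_dest[dest]["devices"].add(ev["device"])
            per_dest[dest]["bytes_out"] += ev["bytes_out"]
    return dict(per_dest)


def candidate_c2(conn_summary, min_devices=2):
    """A destination the same binary contacts from several hosts is a C2 candidate."""
    return sorted(dest for dest, s in conn_summary.items()
                  if len(s["devices"]) >= min_devices)


def candidate_exfil(conn_summary, threshold_bytes=100_000_000):
    """A destination that received an unusually large volume is an exfiltration candidate."""
    return sorted(dest for dest, s in conn_summary.items()
                  if s["bytes_out"] >= threshold_bytes)


if __name__ == "__main__":
    ioc = "aa" * 32  # hash taken from the RCA of the first infected machine (constructed)
    for device, names in sorted(devices_with_hash(PROCESS_EVENTS, ioc).items()):
        print(f"{device}: {', '.join(names)}")
    summary = connections_for_hash(PROCESS_EVENTS, NET_EVENTS, ioc)
    print("C2 candidates:", candidate_c2(summary))
    print("Exfiltration candidates:", candidate_exfil(summary))
```

The thresholds (two devices, 100 MB) are starting points for triage, not verdicts: a software update server is also contacted by the same binary from many hosts, so every candidate still has to be checked against what is normal for that environment.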
What is the added value of EDR?
If an attack occurs in a company, the first line of defence is the protection mechanisms of Sophos Intercept X Advanced. Afterwards, however, one should take a closer look at the data collected during the attack and find out whether any data has been stolen or whether the threat has, for example, spread to other systems. Done by hand, this would require a team of forensic experts who do nothing but search logs all day to draw conclusions from them. Sophos instead relies on machine learning and SophosLabs intelligence for its EDR solution, so that the correlation of process and network activity is done by the product rather than by hand. In practice this means the first pass at such an investigation can be made by an administrator who does not have to be an IT forensics specialist. 😎
Do I need EDR now or not?
The answer to the question of whether you should pay the extra charge for EDR or not depends on two factors:
Factor 1: Interest
Are you one of those people for whom it is enough if Intercept X Advanced writes in the log after an attack that the threat was contained and cleaned up? Then you probably don’t need EDR.
However, would you like to take a closer look at the attack and analyze the process in more detail? Do you want to know if there are still more malicious programs lurking on computers or servers in the company that have simply not yet made themselves known? Then I would say that you should consider the extra charge for EDR.
Factor 2: Compliance requirements
EDR tools are needed at the latest when a company has to demonstrate after an attack whether or not data has been stolen. We are talking about compliance requirements that apply in certain areas, such as PCI (Payment Card Industry) or healthcare. The GDPR (General Data Protection Regulation) also falls into this category: it requires that personal data entrusted to you be protected with measures appropriate to the state of the art (Art. 32 GDPR), and that a personal data breach be reported to the supervisory authority within 72 hours, which is difficult to do if you cannot tell which data were affected.
Such a law also creates leverage for attackers. Instead of only demanding ransom for the decryption of company data, as in a classic ransomware attack, they threaten to publish the stolen data, so that the company faces the extortion demand and the regulatory penalties for a GDPR or compliance violation at the same time.
Sophos’ EDR functions help you to meet such requirements and, in an emergency, to establish from the recorded telemetry whether data has left the company or not. Keep in mind that this evidence is only as good as the telemetry and its retention period: a host that was not covered, or activity older than the retained history, cannot be ruled out by the tool. If you consider such a tool to be useful for your company, then the investment in Sophos Intercept X Advanced with EDR would definitely not be out of place here.
Test Sophos Intercept X Advanced with EDR
If you don’t have a Sophos Central account yet, you can create one on the Sophos website and test all functions, including “Sophos Intercept X Advanced with EDR” for computers and servers, for free for 30 days.
If you already have a Sophos Central account and the 30-day trial period has expired, you can order a license for “Sophos Intercept X Advanced with EDR” in our shop:
