Sophos Endpoint Detection & Response (EDR)

Today’s EDR tools are used alongside endpoint security for increased detection, investigation, and response capabilities. However, many EDR solutions deliver little value to businesses because they are difficult to use, lack sufficient protection, and are resource intensive.

History of EDR

EDR was developed to fill the gap left by endpoint protection, which was great at blocking everyday malware but missed sophisticated attacks such as zero-days, fileless malware and active hacking attempts. The goal is to detect activity that was being missed and respond quickly in order to avoid damage.

Early EDR, such as Carbon Black, pulled large amounts of data from endpoint protection software and sent it to security analysts, who would apply threat intelligence to sort through the events. The most important ones were flagged and a response plan was formed for each threat.

Challenges security analysts face are:

  • Visibility and Detection – blind spots make it hard to understand what’s happening
  • Analysis & Investigation – teams suffer from a lack of data or are overwhelmed by data
  • Incident Response – teams need more talent and time to respond to all incidents

Some alarming business statistics:

  • Businesses spend an average of 48 days per year investigating incidents
  • 54% of EDR users aren’t getting full value from it due to a lack of expertise
  • 80% of businesses want better expertise to detect, investigate and respond to incidents

Sophos Changes the Game

The first EDR designed for security analysts and IT admins

Intercept X Advanced with EDR allows you to ask any question about what happened in the past and what is currently happening on your endpoints. Hunt threats to detect active adversaries, or leverage it for IT operations to maintain IT security hygiene. When an issue is found, you can respond remotely with precision. By starting with the strongest protection, Intercept X stops breaches before they start, cutting down on investigations and saving time.

You get access to powerful, out-of-the-box, customizable SQL queries that access up to 90 days of endpoint and server data, allowing you to make informed decisions. Example questions and actions you can now answer with Sophos EDR are:

IT Operations

  • Why is a machine running slowly?
  • Is it pending a reboot?
  • Which devices have known vulnerabilities, unknown services, or unauthorized browser extensions?
  • Are there programs running that should be removed?
  • Is remote sharing enabled?
  • Are unencrypted SSH keys on the device?
  • Are guest accounts allowed?
  • Does the device have a copy of a particular file?

Threat Hunting

  • What processes are trying to make a network connection on non-standard ports?
  • List detected IoCs mapped to the MITRE ATT&CK framework
  • Show processes that have recently modified files or registry keys
  • Search details about PowerShell extensions
  • Identify processes disguised as services.exe
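Two of the threat-hunting questions above, worked as queries. This is an added example, not a query shipped with Sophos EDR; it assumes osquery-style `processes` and `process_open_sockets` tables, and the table and column names are assumptions that may differ from the product's own schema.

```sql
-- Question 1: which processes hold outbound connections on non-standard ports?
-- The allow-list of "standard" ports is a constructed starting point; tune it
-- to what is normal in your environment and review anything that remains.
SELECT p.pid,
       p.name,
       p.path,
       s.remote_address,
       s.remote_port
FROM process_open_sockets AS s
JOIN processes AS p ON p.pid = s.pid
WHERE s.remote_port > 0                                  -- skip listening/unconnected sockets
  AND s.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0', '::')
  AND s.remote_port NOT IN (22, 25, 53, 80, 123, 443, 587, 993, 995)
ORDER BY s.remote_port, p.name;

-- Question 2: which processes are disguised as services.exe?
-- The genuine services.exe lives in C:\Windows\System32 and is started by
-- wininit.exe; anything named services.exe that breaks either rule is suspect.
SELECT p.pid,
       p.name,
       p.path,
       p.parent,
       pp.name AS parent_name,
       pp.path AS parent_path
FROM processes AS p
LEFT JOIN processes AS pp ON pp.pid = p.parent
WHERE LOWER(p.name) = 'services.exe'
  AND (
        LOWER(p.path) != 'c:\windows\system32\services.exe'
     OR LOWER(COALESCE(pp.name, '')) != 'wininit.exe'
  );
```

An empty result for the second query is the expected state on a healthy host; any row returned is worth pivoting on by pid and path before deciding whether to terminate the process.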

Intercept X Advanced with EDR

Other EDR tools are weak at protection, forcing users to waste time on incidents that should have been stopped in the first place. Sophos approaches EDR differently, by combining it with the best endpoint and server protection. Used together, they block the vast majority of threats before they need investigation. This reduces workload and noise, allowing you to focus on the greatest potential threats.

Respond Remotely and With Precision

Using a command line tool you are able to reboot devices, terminate active processes, run scripts or programs, edit config files, install/uninstall software, and run forensic tools, all from the same cloud management console.

Intercept X Advanced with EDR vs Intercept X Advanced for Server with EDR

Below you can see a top-level overview of the different functions between the two:

Download the Intercept X Advanced with EDR datasheet for technical specifications.