
Understanding Endpoint Detection and Response

Sophos EDR - The Must Have Tool

68% of organisations report being hit by a cyber-attack in the last year. 37% of attacks were discovered on servers and the most significant threats are in environments for an average of 13 hours before being detected.

Security Risks and Trends

According to Gartner's Top 9 Security and Risk Trends for 2020, three key emerging trends in cybersecurity are:

  • Extended detection and response capabilities are improving accuracy and productivity
  • Zero-trust network access technology is beginning to replace VPNs
  • Security processes are increasingly automated, eliminating repetitive tasks.

The Current Threat Landscape

Malware is increasing, and the rate of increase itself is also growing. Cybercriminals are getting more resourceful and there is also a significant shift in their aims and objectives. Cybercriminals are evolving their approach and looking to monetize their activities.

Crypto Ransomware

When crypto-ransomware first appeared, the victim would have to pay a ransom, hope they had a backup strategy in place, or accept the loss of their data.

The world moved on, and we saw cybercriminals blending network-based attacks with malware to deliver their ransomware payload, for example in the cases of WannaCry and Petya.

In the latest types of approach, advanced persistent malware, for example with Emotet and Ryuk, announce their presence by encrypting as much data as they can get hold of. They also hide out in the shadows, in corners of the network, so that once the Admin has cleaned up a network, they then spring back to life. It’s then necessary to go through the whole process again, so being able to find these hidden fragments is key.

Seven Uncomfortable Truths about Endpoint Security

Findings from a recent Sophos survey, Seven Uncomfortable Truths about Endpoint Security, reveal that:

  • 51% of organisations have been hit by ransomware
  • 73% of attacks successfully encrypted data
  • 9/10 had up to date endpoint protection that was properly configured
  • 20% were unable to pinpoint the source of the attack

Layered Defense

Sophos advocate having multiple layers of defence, so that we can interrupt what is referred to as ‘the Cyber Kill Chain’.

This describes the phased process that cyber criminals go through:

  • Reconnaissance
  • Development
  • Delivery
  • Exploitation
  • Install
  • C&C
  • Actions

Just like with any chain, if one link is broken, then the chain no longer functions. If we can break one of the links in the Cyber Kill Chain, then we can help to fend off a cyber-attack and keep ourselves safe.

Traditionally we’ve done this with reactive security, using anti-virus tools. However, as shown in our survey, 9/10 respondents who experienced ransomware were running anti-virus that was installed correctly and up to date, so why did they still get infected?

Why Do I Need Next-Gen Cybersecurity?

Sophos sees, on average, 450,000 new malware samples at the Sophos Labs every single day.

This means that the idea of reactive security just doesn't work anymore. We need to empower the endpoint to be able to work for itself, and recognise what is likely to be new malware when it comes across it.

This is where Sophos Intercept X comes into play. It’s a next-generation defence, and it is expanding how we can look at the threat chain and leveraging a lot of next generation techniques - anti-exploit techniques, machine learning and anti-ransomware capabilities.

This is what Sophos consider to be the basic level of protection that is now needed, empowering the endpoint to be able to work for itself and recognise threats on its own.

What Is Endpoint Detection and Response (EDR)

EDR is a set of tools that is becoming increasingly commonplace, allowing our network administrators to become Threat Hunters:

  • looking at their estate and recognising the tell-tale signs of malware that is or has been present on the network, or that is lying dormant on the network;
  • being able to expose exactly what that malware has done, what it interacted with, and how we can learn to defend ourselves better in the future.

According to Gartner:

‘Over the last 2 years the requirements for EDR use cases have become increasingly mainstream.

As a result the core functions of EDR solutions have been increasingly adopted by EPP (Endpoint Protection) vendors. Similarly, many of the EDR vendors have incorporated prevention techniques typically associated with EPP solutions, hoping to displace incumbent EPP vendors with their solutions.’

Intelligent EDR

EDR starts with the strongest protection, and allows you to add expertise, rather than headcount. It’s built for security analysts and also for IT administrators.

The Problems Facing IT and Security Teams

Lack of Time

  • 26% of IT teams’ time is spent managing security

Lack of resources

  • ⅔ say budget for people and technology is too low

Lack of visibility

  • 68% say data breaches take one month or longer to detect

Top 5 reasons you need EDR

  1. To confidently report on your security posture at any given moment
  2. To detect attacks that have gone unnoticed
  3. To respond faster to potential incidents
  4. To add expertise
  5. To understand how an attack happened and how to stop it from happening again

The Gap of Uncertainty

EDR helps us understand the ‘gap of uncertainty’. We have samples which we know are malicious; we have samples that we know are good processes, files, etc. There is always a grey area in the middle, and one of the key tricks is to make that grey area as small as it possibly can be.

Add Expertise, Not Headcount

Threat Hunting Powered by Artificial Intelligence

Sophos Intercept X automatically detects things that look a bit wrong or shaky and then, using artificial intelligence, prioritises them for Administrator attention.

The highly efficient dashboard is easy to navigate. It shows the top things that need to be looked at immediately, and it also helps identify how an attack took place.

Understand Your Security Posture with Guided Investigation

Guided investigation shows what happened, where an attack came from, what processes were involved, and also suggested next steps. This is curated intelligence, based on the exact outbreak.

On Demand Threat Intelligence curated by Sophos Labs

In real time you can click through and gain more information about a particular file or process; for example, its reputation (do we know if it's good or bad?), and we can also open up the world of machine learning. Sophos can help you make your own decisions by looking at the attributes and characteristics of files.

EDR Designed for Security Analysts and IT Administrators

EDR helps everyone to upskill. It turns IT operations staff into Security Analysts and turns Security Analysts into out-and-out Threat Hunters.

Answering the Tough Questions About an Incident

EDR helps us to identify the key factors in an attack, so that we can:

  • Understand the scope and impact of an outbreak
  • Detect attacks that may have gone unnoticed
  • Search for indicators of compromise across the network
  • Prioritise events for further investigation
  • Analyse files to determine if they are a threat or potentially unwanted
  • Confidently report on your security posture at any given moment

New Features of Sophos EDR

You can now search for anything, security-related or not:

Threat hunting examples

  • Query what processes are running on your network
  • Query what ports are being listened to
  • Look for indicators of compromise
  • See processes that have recently modified files or registry keys
  • Search details about PowerShell executions
  • Identify processes disguised as legitimate

IT Operations examples

  • Why is a machine slow? Is it pending a reboot?
  • Are critical services running (e.g. disk encryption, firewall)?
  • Find known vulnerabilities, out of date versions, bad certificates, unknown services, and unauthorised browser extensions
  • Check for security best practices (is remote sharing enabled? Are encrypted SSH keys on the device? Are guest accounts enabled?)
  • Are there programs running on the machine that should be removed?
  • Does the device have a copy of a file I am looking for?

Live Discover examples

This lets you ask any question about what happened in the past and what is happening now.

  • Rich Endpoint search capabilities
    • IT insight
    • Threat hunting
    • Look beyond malware
  • SQL queries
    • Out of the box queries
    • Easily customise
    • Access more via community
  • Up to 90 days of on-disk live and historic data
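The threat hunting examples above (processes disguised as legitimate, details of PowerShell executions) and the SQL-driven Live Discover search are illustrated here with an added example that is not Sophos' code or Sophos' query syntax: a constructed, osquery-style process inventory loaded into an in-memory SQLite table, with two hunt queries run over it. The table layout, the sample rows and the "suspicious" indicators (a system binary name running outside the Windows directory, PowerShell launched with an encoded command) are assumptions chosen for the demonstration.

```python
import sqlite3

# Constructed endpoint telemetry shaped loosely like an osquery-style
# "processes" table: (pid, name, path, cmdline, parent pid). Not real data;
# the encoded-command payload is a placeholder, not a real command.
SAMPLE_PROCESSES = [
    (1, "svchost.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs", 4),
    (2, "svchost.exe", r"C:\Users\Public\svchost.exe", "svchost.exe", 1),
    (3, "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -NoProfile -EncodedCommand QUJDREVG", 2),
    (4, "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -File C:\scripts\backup.ps1", 1),
    (5, "lsass.exe", r"C:\Windows\System32\lsass.exe", "lsass.exe", 4),
]

# Hunt 1: a process carrying the name of a core Windows binary but running
# from somewhere other than the Windows directory ("disguised as legitimate").
DISGUISED_SQL = r"""
SELECT pid, name, path FROM processes
WHERE LOWER(name) IN ('svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe')
  AND LOWER(path) NOT LIKE 'c:\windows\%'
"""

# Hunt 2: PowerShell started with an encoded command line, which hides the
# script body from casual review and is worth prioritising for a look.
ENCODED_PS_SQL = """
SELECT pid, cmdline FROM processes
WHERE LOWER(name) = 'powershell.exe'
  AND (LOWER(cmdline) LIKE '%-encodedcommand%' OR LOWER(cmdline) LIKE '%-enc %')
"""


def load_inventory(rows):
    """Load process rows into an in-memory SQLite table named 'processes'."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, "
                "cmdline TEXT, parent INTEGER)")
    con.executemany("INSERT INTO processes VALUES (?, ?, ?, ?, ?)", rows)
    return con


def hunt_all(rows=SAMPLE_PROCESSES):
    """Run both hunts over the inventory and return the matching rows by hunt."""
    con = load_inventory(rows)
    return {
        "disguised": con.execute(DISGUISED_SQL).fetchall(),
        "encoded_powershell": con.execute(ENCODED_PS_SQL).fetchall(),
    }


if __name__ == "__main__":
    for hunt, hits in hunt_all().items():
        print(hunt, hits)
```

On the sample data the first hunt flags only the svchost.exe copy in C:\Users\Public and the second flags only the encoded PowerShell launch; the scheduled backup script is left alone.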

Remotely Respond with Precision

This lets you remotely remediate managed devices with a command line interface, e.g.

  • Reboot the device
  • Terminate active processes
  • Run scripts or programs
  • Edit configuration files
  • Install/ uninstall software
  • Run forensic tools
  • Audit logs

Benefits of Sophos EDR

  • Work faster: EDR helps you work faster, right across your organisation
  • Do more with less: a single console lets you carry out a wide range of security tasks, from searching to removing malware, with just a few clicks
  • Stay ahead and stay on top of your security stance

Why is Sophos EDR different from the competition?

  • Built for IT generalists and security analysts
  • Out of the box, powerful, customisable searches
  • Built on the industry’s best protection

To view a demonstration of these functions and features, view our on-demand webinar:

Intercept X with EDR vs Managed Threat Response (MTR)

Intercept X with EDR

  • Threat hunting tools which enable searches to locate threat artifacts and undetonated malware
  • Still requires in-house resource.

Managed Threat Response

  • If you do not have the time to be investing in managing an EDR solution, then it may be worth considering a Managed Threat Response option.
  • This empowers Sophos specialists to be looking at your network 24/7, and to respond to issues that they see.

Next Steps

  1. Decide on Your Appetite for Risk.
    • Do you have the appropriate level of resources to invest in EDR, or would a Managed Threat Response Solution be more suitable?

Get in touch to take a deeper dive into the solutions, or to request pricing

  2. Request A Demo
    • If you would like to find out more about EDR, please request a demo. Our specialists at Chess will go through your individual requirements with you and help you understand how EDR can work for you in your specific environment.

Get in touch to request a demo.

  3. Begin a Customer Trial
    • Already a Sophos customer? If you’re running Intercept X, you can initiate a trial across your whole estate.

Get in touch to start a Customer Trial.

Chess is one of the UK’s leading independent and trusted technology service providers, employing 300 skilled people across the UK, supporting over 20,000 organisations.

By leveraging world-class technology, Chess helps you to connect your people, protect your data, grow your business, reduce your costs and work better together, which means your business, your people and your customers can thrive.

At Chess, we’re passionate about our unique culture and our continuous investment in our people to be industry experts. We’re extremely proud that our people voted us No.1 in ‘The Sunday Times 100 Best Companies to Work for’ list 2018, and we continue to celebrate more than ten years in the top 100.
