Kofola has cybersecurity under control

Thanks to a solution designed by autocont specialists, kofola now has the tools for early threat detection, advanced incident analysis and rapid response.

Realization 2022

aricoma avatar
00:00 00:00

Customer Profile

Kofola ČeskoSlovensko belongs to the Kofola Group, a leading producer and distributor of soft drinks in Central and Eastern Europe. It is the market leader in the Czech and Slovak markets and is also active in other European countries. The Group produces its well-known beverages in eleven main plants. Among the most famous are Kofola and Vinea drinks, Radenska, Studenac, Rajec, Ondrášovka and Korunní waters, Jupí syrup, Jupík children's drinks, Semtex energy drinks and UGO fresh juices and salads.

As the frequency of cyber-attacks continues to rise, a renewed security philosophy was needed. AUTOCONT came up with a solution to ensure automatic data collection and advanced data analysis. We are thus able to detect threats early, all in an admin-friendly environment.

Roman Birtek


Baseline and project objectives

Prior to deploying the solution, stations and servers were protected by a standard anti-malware solution with an on-premise admin console. Due to the increasing number of cyber attacks and their increasing complexity, it was necessary to change the security protection philosophy and deploy an EDR/XDR security solution. This will allow the IT department to perform advanced event analysis and respond quickly to detected threats, even when the compromised environment is no longer fully available. 

The goal of the project was to provide automated data collection from endpoints with the possibility of future extension to third party sources. At the same time, it was a requirement to find an administrator-friendly solution that would not burden the administrator unnecessarily thanks to the abundance of pre-prepared or easily completed analytical queries.


  • Fully cloud-based solution
  • Does not require hardware and admin server management time
  • Advanced incident analysis
  • Needed information can be retrieved directly from endpoints
  • Event collection from third party products (Firewalls, Email Gateway)
  • Pre-defined queries for XDR database
  • Possibility to connect to AUTOCONT Security Operation Center
  • Cloud Sandbox, Zero-day protection
  • Live Response - remote investment tool including Powershell usage
  • XDR Sensor can also be operated with AV product from another manufacturer


The Sophos InterceptX Advanced with XDR solution proved to be the most suitable for the situation. It is based on two components, the Sophos Central cloud console for managing the entire solution and the Sophos Endpoint Agent. A single multi-platform agent on the endpoint not only protects and detects, but also sends suspicious files to the cloud sandbox or useful, telemetry data to Sophos Central, where it is stored in a single "DataLake" repository.

This includes information about user password changes, successful or unsuccessful logins, information about network communication of unusual processes, newly created services or commands and parameters in CMD, etc. Before storage, the data can be enriched with additional information from services such as VirusTotal or Whois, or geolocation data. 

DataLake allows SophosLabs' team of specialists to perform advanced analysis on such consolidated data, making it easier to detect the initial stages of an attack. For example, based on user permission changes, suspicious communications to malicious IP addresses, attempted script execution or newly scheduled tasks in the Task Scheduler.

Used technologies

  • Sophos InterceptX Advanced with XDR
  • Sophos Central
  • Sophos Endpoint Agent
  • Sophos Datalake
  • Sophos Intelix Cloud Sandbox 


Are you interested in more information or an offer for your specific situation?

By submitting the form, I declare that I have familiarized myself with the information on the processing of personal data in ARICOMA.