Sophos XDR - a comprehensive and integrated threat detection and response system
May 19, 2021
Bastian Seibel
Sophos
Sophos introduced its new "Sophos XDR" solution on 15 May. It is the industry's only extended detection and response (XDR) solution that synchronises endpoint, server, firewall and email security. With this comprehensive and integrated approach, Sophos XDR provides a holistic view of an organisation's security environment, combined with an extensive data set and deep analytics capabilities to detect, investigate and respond to cyber threats. This allows even the most sophisticated attacks to be defended against - especially those that use multiple access points and initially move inconspicuously through the network to avoid detection.
Detailed threat analysis with extensive data set
At the heart of Sophos XDR is one of the industry's most comprehensive data sets: It stores up to 90 days of on-device data on the one hand, and up to 30 days of cross-product data in the cloud-based data lake on the other. The unique approach of combining on-device and data lake forensics provides comprehensive and contextual insights. These can be used by security analysts via Sophos Central and open application programming interfaces (APIs) to integrate with the following systems: Security Information and Event Management (SIEM), Security Orchestration, Automation and Response (SOAR), Professional Service Automation (PSA) and Remote Monitoring and Management (RMM).
The Data Lake contains key information from Intercept X, Intercept X for Servers, Sophos Firewall and Sophos Email. Sophos Cloud Optix and Sophos Mobile will also be added to the data lake later this year. This will enable security and IT teams to easily access this data to conduct cross-product threat investigations and quickly obtain granular details on past and current attack activity. The availability of offline access to historical data further protects against lost or compromised devices.
New EDR version
Further, Sophos has released a new version of its industry-leading endpoint detection and response solution, Sophos EDR. New scheduled queries and customisable contextual pivoting capabilities provide security analysts and IT administrators with fast and accurate identification and investigation of security issues for quick and targeted response. Through integration with the SophosLabs Intelix data science tool, the new version delivers pre-configured queries and powerful threat intelligence capabilities. Sophos EDR customers can access data hosted in the cloud for seven days (extendable to 30 days) in the data lake. For on-device data, this is possible for up to 90 days.
Sophos Adaptive Cybersecurity Ecosystem
Sophos XDR and EDR are part of the Sophos Adaptive Cybersecurity Ecosystem (ACE), a new open security architecture that optimises threat prevention, detection and response. Sophos ACE leverages automation and analytics, as well as the collective input of Sophos products, partners, customers, developers and other security vendors. As a result, this architecture creates protection that continuously improves; the system is constantly learning and evolving. Sophos ACE builds on extensive data collection and correlates actionable insights from Sophos solutions and services, as well as threat intelligence from SophosLabs, Sophos AI and the Sophos managed threat response team. Open application programming interfaces (APIs) enable customers, partners and developers to create tools and solutions that can interact with the system and take advantage of existing integrations. Sophos is leading the industry with this approach and is already working with many vendors.
The importance of having an IT security system that interacts and is based on as many data sets as possible is evident in the new Sophos study, "Intervention halts a ProxyLogon-enabled attack", which describes an attack on a large company. The attack began with the attackers compromising an Exchange server with the latest ProxyLogon exploit and moving through the network undetected. Over a period of two weeks, they were able to steal account credentials, compromise domain controllers and infiltrate several computers. In the process, they used a commercial remote access tool to maintain access to the hacked machines and distributed a number of malicious programs. The study shows that the attackers returned again and again. Sometimes they used the same tool, such as Cobalt Strike, but sometimes they used different tools on different computers. They used a commercial remote access tool rather than the more standard RDP that IT security specialists typically look for.
Dan Schiappa, chief product officer at Sophos: "The report highlights the complexity of cyberattacks carried out by humans, and how difficult it is for IT security teams to track and contain multi-vector incidents. Often, it is simply impossible to keep up with attack activity that has taken place across all parts of the organisation. According to the Sophos State of Ransomware report published at the end of April, this problem is widespread. More than 54 percent of IT managers surveyed said cyberattacks are too advanced for their IT teams to handle on their own. XDR is an important defence component here."