Sophos has shipped a major upgrade of its endpoint detection and response (EDR) platform that adds threat hunting and remediation capabilities to enhanced versions of the product’s machine learning-based threat identification and malware analysis functionality.
“This is the most significant upgrade of any product we’ve ever had. It’s really that significant,” says Dan Schiappa, chief product officer at Sophos.
Available now at no extra cost as a component of both Sophos Intercept X Advanced for endpoints and Intercept X Advanced for Server with EDR, the new system offers protection for Windows, macOS, and Linux devices. Sophos plans to add it to Cloud Optix, the cloud security solution it rolled out last year, before the end of the summer.
Users can employ the system’s new “Live Discover” threat hunting feature to query 90 days’ worth of data from thousands of endpoints and servers for indicators such as processes attempting network connections on non-standard ports, or devices with unauthorized browser extensions installed.
“It’s all real-time data, and that’s super critical when you’re in detect mode,” Schiappa says.
The tool employs the familiar SQL language and automatically suggests how to complete a query as you compose it. “We show you as you’re writing it what the next command could be, very similar to what you might see in Excel when you’re doing an Excel formula,” Schiappa says, noting that the system comes with a library of pre-written queries as well.
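As an added illustration of the two hunts mentioned above (this is example code written for this article, not Sophos code, and the `process_connections` and `browser_extensions` tables, their columns, and the allow-lists are hypothetical, not the real Live Discover schema), the following runs both queries with Python's built-in `sqlite3` over a small constructed telemetry set:

```python
import sqlite3

# Constructed sample telemetry, labelled as such: a hypothetical
# process_connections table and a hypothetical browser_extensions table,
# modelled on the kind of data an EDR agent could collect.
PROCESS_CONNECTIONS = [
    # (hostname, pid, process_name, remote_addr, remote_port)
    ("ws-01", 4120, "chrome.exe", "203.0.113.10", 443),
    ("ws-01", 4411, "svchost.exe", "198.51.100.7", 4444),
    ("srv-02", 880, "sshd", "192.0.2.55", 22),
    ("srv-02", 2201, "python3", "203.0.113.88", 8081),
    ("ws-03", 3002, "outlook.exe", "198.51.100.20", 993),
]

BROWSER_EXTENSIONS = [
    # (hostname, browser, extension_id, extension_name)
    ("ws-01", "chrome", "ext-approved-001", "Corporate SSO Helper"),
    ("ws-01", "chrome", "ext-unknown-777", "Free Coupon Finder"),
    ("ws-03", "chrome", "ext-approved-001", "Corporate SSO Helper"),
    ("ws-03", "firefox", "ext-unknown-999", "Video Downloader Pro"),
]

# Assumed allow-lists maintained by the defender; these are the tuning
# knobs that decide what the hunts report.
STANDARD_PORTS = {22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995}
APPROVED_EXTENSIONS = {"ext-approved-001"}


def build_db():
    """Load the constructed telemetry into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE process_connections ("
        "hostname TEXT, pid INTEGER, process_name TEXT, "
        "remote_addr TEXT, remote_port INTEGER)"
    )
    conn.executemany(
        "INSERT INTO process_connections VALUES (?, ?, ?, ?, ?)",
        PROCESS_CONNECTIONS,
    )
    conn.execute(
        "CREATE TABLE browser_extensions ("
        "hostname TEXT, browser TEXT, extension_id TEXT, extension_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO browser_extensions VALUES (?, ?, ?, ?)",
        BROWSER_EXTENSIONS,
    )
    return conn


def _placeholders(values):
    """Build a '?, ?, ?' list so allow-list values are bound, not interpolated."""
    return ", ".join("?" for _ in values)


def hunt_non_standard_ports(conn, standard_ports=STANDARD_PORTS):
    """Hunt 1: processes connecting to remote ports outside the allow-list."""
    ports = sorted(standard_ports)
    sql = (
        "SELECT hostname, pid, process_name, remote_addr, remote_port "
        "FROM process_connections "
        f"WHERE remote_port NOT IN ({_placeholders(ports)}) "
        "ORDER BY hostname, pid"
    )
    return conn.execute(sql, ports).fetchall()


def hunt_unauthorized_extensions(conn, approved=APPROVED_EXTENSIONS):
    """Hunt 2: browser extensions whose id is not on the approved list."""
    ids = sorted(approved)
    sql = (
        "SELECT hostname, browser, extension_id, extension_name "
        "FROM browser_extensions "
        f"WHERE extension_id NOT IN ({_placeholders(ids)}) "
        "ORDER BY hostname, extension_id"
    )
    return conn.execute(sql, ids).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("Connections on non-standard ports:")
    for row in hunt_non_standard_ports(db):
        print("  ", row)
    print("Unauthorized browser extensions:")
    for row in hunt_unauthorized_extensions(db):
        print("  ", row)
```

Both hunts return rows for review rather than verdicts: the `python3` process on `srv-02` talking to port 8081 may be a legitimate internal service, so the allow-lists are where an analyst tunes out known-good behaviour before treating a hit as a lead.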
Users can send a suspicious file identified during threat hunts to SophosLabs for deeper on-demand inspection. “We’ll do a machine learning scan on it, break it down for you, and give you some idea to help you decide whether it may be malicious or not,” Schiappa says. Companies can also pair the EDR solution with the Managed Threat Response service that Sophos introduced last October for assistance from live security experts.
Using the new system’s “Live Response” feature, technicians can mitigate threats found by Live Discover. Equipped with a command line interface and functionality normally found in remote monitoring and management (RMM) solutions, the tool lets administrators reboot devices, run scripts, terminate processes, install or remove applications, and more without switching to another application.
“You can actually jump on an endpoint or server and actually resolve the situation right from the console,” Schiappa notes.
The EDR solution’s mix of automated and hands-on capabilities is designed to make it suitable for a wide range of users, he continues. “We’ve taken a tool that can be very powerful in the hands of a very sophisticated analyst and also made it very powerful for somebody who’s not sophisticated.”
Sophos’s latest solution arrives at a time of continuously escalating and increasingly dangerous threat activity. Sophos researchers describe one example of that phenomenon in a report published today about the Kingminer botnet, which utilizes brute force techniques to acquire server credentials and then spreads malware with help from a toolkit that includes the EternalBlue exploit, which gained worldwide notoriety three years ago in connection with the WannaCry ransomware attack.