Sophos is moving aggressively to put more “X” in its eXtended Detection and Response solution.
Unveiled in May, Sophos XDR is designed to provide a more complete view of threat activity by consolidating and cross-referencing input from endpoint, email, network, cloud, and mobile security products. Two acquisitions this month, the vendor says, augment that vision by adding more information from more sources to the analytical picture.
The first of those transactions, announced three weeks ago, involved Capsule8, a maker of detection and response software for Linux servers and containers. Sophos plans to use Capsule8 technology to buttress existing Linux defenses in its Intercept X endpoint protection solution at a time when exploits specifically aimed at Linux-based infrastructure are mounting.
“Windows has historically always been lower hanging fruit for an attacker because it was relatively easier for them to compromise Windows machines,” observes Sophos CTO Joe Levy, noting that Sophos and other vendors have long devoted the bulk of their attention to Windows servers as a result. “Attackers are beginning to realize that due to the relative negligence of Linux, there might actually be a better opportunity for them to go after those targets.”
With businesses rapidly migrating workloads into Linux-based cloud environments, moreover, there are many more such targets to pursue. “Every business is just running more Linux now,” Levy says. “We felt that it was a good time for us to make a commensurate kind of an investment in being able to defend Linux as we have Windows.”
To add further firepower to its XDR arsenal, Sophos last week announced the acquisition of network detection and response vendor Braintrace. According to Levy, that company’s Dragonfly virtual appliance will give the company a rich new stream of network traffic data.
“They’ve built a set of flow analyzers that operate on a series of [machine learning] models that are just really good at detecting malicious traffic inside flows, even if the flow is encrypted,” he says. Braintrace software is also good at discovering and mapping previously overlooked devices, he adds.
“Something that we see commonly is that customers don’t always know how many assets they have,” Levy says, noting that unknown assets are unmanaged as well and often poorly protected as a result.
“Attackers are really, really good at finding this when it happens, and they will invariably go for the weakest link,” he observes. “Then they will use that as a point from which they can launch an attack on the rest of the network.”
Dragonfly will play a critical role in the Adaptive Cybersecurity Ecosystem (ACE) that Sophos introduced in May alongside its XDR system. Known during a multi-year gestation process internally at Sophos as “Project Darwin,” ACE is designed to help the company share data and coordinate response activity with third-party security solutions as well as its own.
“We know that any complete XDR offering needs to operate not just within its own vendor ecosystem, but broadly across everything that customers have deployed in their IT environments,” Levy says. When fully integrated with Sophos XDR sometime next year, Dragonfly will not only scrutinize local network traffic but collect telemetry from ACE-compatible solutions and upload it into the Sophos threat intelligence “data lake.”