Security vendor Sophos Ltd. has shipped a major new update of its Intercept X product with neural networking-based deep learning capabilities and enhanced exploit protections.
Introduced in September 2016, Intercept X is a next-generation endpoint security solution equipped with anti-ransomware and anti-exploit features that are designed to block never-before-seen attacks before they execute. The original edition, which has been available in a subscription-priced version targeted at MSPs since November 2016, also included root cause analysis functionality that helps companies diagnose successful breaches and a module called Sophos Clean that hunts down and eliminates spyware and other forms of deeply embedded malware.
The new edition adds malware detection functionality powered by a deep learning engine armed with neural networking technology. While machine learning systems can study tens of millions of virus samples, according to Sophos, Intercept X’s deep learning component can process hundreds of millions.
That makes the new feature, which takes up just 20 MB of storage space, a good counterpart to the malware sample repository maintained by the Sophos Labs research unit, which contains hundreds of millions of files and gains roughly 300,000 more every day.
In testing Sophos conducted over a six-week period, Intercept X was 150 to 400 percent better on a week-over-week basis at detecting previously unidentified strains of malware than traditional endpoint security solutions, and 10 to 60 percent better than competing systems with built-in machine learning. The system was no more likely than its competitors to produce false positive readings.
“If you are having too many false positives, IT administrators are running around whitelisting stuff and employees are not as productive because something that they’re using for their job has now been triggered as malicious,” observes Dan Schiappa, senior vice president and general manager of products at Sophos. “It just becomes a lot of noise in the system.”
New exploit protections in the updated edition of Intercept X include active adversary mitigations that guard against credential theft; “code cave” attacks, in which malicious code hides inside a legitimate program; and application procedure calls of the sort used recently in the WannaCry and NotPetya viruses.
Other enhancements include protections against process privilege escalation and remote reflective DLL injection, a technique attackers can use to move between processes. New application lockdown functionality isolates software acting in unusual ways, such as a browser attempting to execute a Microsoft PowerShell script.
“We’re able to understand the typical behaviors of an application and ensure that it doesn’t operate outside those behaviors,” Schiappa says.
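As an added illustration of the behaviour-based application lockdown described above (this is example code written for this article, not Sophos code; the per-application baseline and the process-creation events are constructed), a per-application allowlist of child processes applied to sample events, flagging a browser that spawns PowerShell:

```python
import ntpath

# Constructed process-creation events (parent image, child image, command line),
# loosely modelled on what an endpoint sensor records. Not real host data.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "child": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": "firefox.exe -contentproc"},
    {"parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "child": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File update.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "child": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "child": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c echo hello"},
]

# Hypothetical baseline of the child processes each locked-down application
# normally spawns. A product would learn this from observed behaviour;
# here it is hand-written for the example.
BASELINE = {
    "firefox.exe": {"firefox.exe", "plugin-container.exe"},
    "chrome.exe": {"chrome.exe"},
    "winword.exe": {"splwow64.exe"},
}


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def evaluate(event, baseline=BASELINE):
    """Return 'allow', 'block' or 'unknown' for one process-creation event.

    'unknown' means the parent is not an application under lockdown, so the
    rule has no opinion; 'block' means the child is outside the parent's
    known-normal behaviour (e.g. a browser launching PowerShell).
    """
    parent, child = basename(event["parent"]), basename(event["child"])
    if parent not in baseline:
        return "unknown"
    return "allow" if child in baseline[parent] else "block"


def lockdown_verdicts(events, baseline=BASELINE):
    """Evaluate every event; returns (parent, child, verdict) tuples."""
    return [(basename(e["parent"]), basename(e["child"]), evaluate(e, baseline))
            for e in events]
```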
Also new to Intercept X in the latest edition is “synchronized application control” functionality that allows endpoints to collaborate with the Sophos XG Firewall on preventing software from evading firewall-level security policies. Companies with a signature-based policy against use of unauthorized video chat software, for example, could employ that feature to block a system trying to slip past the firewall undetected by disguising itself as something else.
“Because there’s a tight connection between the two [products], we can accurately tell the firewall specifically what that app is,” Schiappa states. Sophos last updated XG Firewall in October.