A few weeks ago, we published a brief overview of XDR. To summarize, XDR—short for extended detection and response (or sometimes x-product detection and response)—can be defined as:
An approach that unifies information from multiple security products to automate and accelerate threat detection, investigation, and response in ways that isolated point solutions cannot.
With the recent release of our early access program for Sophos XDR, we thought it a good time to take a closer look at how we got here, what exactly XDR is and does, and what we at Sophos are doing to deliver XDR to our customers.
The role of threat detection and response in security
There’s a classic saying in infosec: Prevention is ideal, but detection is a must.
Most in the field are familiar with the saying, but it’s often later in an organization’s security maturation that something gets done about it. Eventually, a CISO or security director or IT leader realizes that preventive controls like endpoint protection and next-gen firewall, while essential, just aren’t enough. The question turns from “What can we block?” to “What are we missing?”
Threat detection and response, to quote my colleagues, is “a methodology that enables security operators to detect attacks and neutralize them before they cause disruption or become a breach.” In other words: What are we missing, and what do we do about it?
Like any technology solution, this methodology has to be underpinned by tools and by people who know how to use them.
Endpoint detection and response
In the past five years, endpoint detection and response (EDR) has emerged as a tool of choice for security teams.
Unlike a SIEM, which collects and attempts to correlate event logs from disparate products, EDR is a purpose-built tool. Its endpoint agent collects exactly the kinds of data that are most helpful in detecting and investigating threats. The console understands the data, enriching it, connecting activities together, enabling response actions (which are executed by the agent), and simplifying investigations.
As powerful as EDR tools are, though, they are limited to detection and response on endpoints. This isn’t entirely a bad thing; if you had to choose one place to focus your detection and response efforts, endpoints would be a good choice. They’re a rich source of data, they’re the primary point of interaction for your users, and they’re an effective control point for stopping threats. Focusing on only endpoints also constrains the data and the user interface, making for a more streamlined tool.
Still, there are things you just can’t do by working with endpoints in isolation. After all, your IT environment is an interconnected web of networks, communication tools, mobile devices, cloud applications, and more. To defend your IT infrastructure more comprehensively, it would help to have an integrated detection and response system. Enter XDR.
Extended detection and response
XDR takes the idea of EDR and, well, extends it. Instead of focusing only on the endpoint, it incorporates data from other security tools, such as firewalls, email gateways, public cloud tools, and mobile threat management products.
Since XDR is still an emerging technology, the exact implementation varies from vendor to vendor, but some typical components include:
- Sensors that provide telemetry from different aspects of the IT infrastructure. These can be existing products, such as endpoint protection or a firewall, or supplemental components, like a virtual appliance you deploy in your datacenter.
- Enforcement points that allow you to take action, such as quarantining a compromised endpoint, blocking network traffic, or removing malware. Often, the sensors also function as enforcement points.
- An analytics and management platform, usually cloud-based. Ideally, the platform is powered by automation and data enrichment that streamline detection, investigation, and response.
- APIs that allow integration into existing systems and workflows.
While all these components could be stitched together manually, a proper XDR solution is designed to work together as a system. The components are aware of each other and interoperate to streamline threat detection and response workflows.
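As an added illustration of what the components above do together (this is constructed example code, not Sophos code, and the event schema, device names, IP addresses and verdict strings are all assumptions), the following joins endpoint telemetry with firewall telemetry so that two weak signals become one detection with a coordinated response:

```python
"""Cross-product correlation in the spirit of the XDR components above.

Constructed sample data: an endpoint sensor and a firewall sensor each see
part of the same activity. Joining the two feeds on device and destination
within a short time window yields a detection that neither feed supports
alone, plus the actions an enforcement point would take. Hypothetical
schema; not Sophos Central's data model."""
from datetime import datetime, timedelta

# Constructed endpoint telemetry: parent/child process starts with outbound peer.
ENDPOINT_EVENTS = [
    {"device": "ws-17", "ts": "2021-04-01T10:00:05", "process": "winword.exe",
     "child": "powershell.exe", "dest_ip": "203.0.113.9"},
    {"device": "ws-17", "ts": "2021-04-01T10:30:00", "process": "chrome.exe",
     "child": "chrome.exe", "dest_ip": "198.51.100.20"},
    {"device": "srv-02", "ts": "2021-04-01T11:00:00", "process": "svchost.exe",
     "child": "svchost.exe", "dest_ip": "203.0.113.9"},
]

# Constructed firewall telemetry: web-category verdicts on the same flows.
FIREWALL_EVENTS = [
    {"device": "ws-17", "ts": "2021-04-01T10:00:07", "dest_ip": "203.0.113.9",
     "verdict": "suspicious-category"},
    {"device": "srv-02", "ts": "2021-04-01T11:00:02", "dest_ip": "203.0.113.9",
     "verdict": "suspicious-category"},
    {"device": "ws-17", "ts": "2021-04-01T10:30:01", "dest_ip": "198.51.100.20",
     "verdict": "allowed"},
]

# An Office app spawning a shell is only a weak signal; so is one flow to a
# suspicious category. Seen together within the window, they merit a response.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
WINDOW = timedelta(seconds=30)


def correlate(endpoint_events, firewall_events, window=WINDOW):
    """Join both feeds on (device, dest_ip) within `window`; return detections
    with the response actions an XDR enforcement point would carry out."""
    detections = []
    for ep in endpoint_events:
        if ep["process"] not in OFFICE_PARENTS:
            continue
        ep_ts = datetime.fromisoformat(ep["ts"])
        for fw in firewall_events:
            if fw["device"] != ep["device"] or fw["dest_ip"] != ep["dest_ip"]:
                continue
            if fw["verdict"] == "allowed":
                continue
            if abs(datetime.fromisoformat(fw["ts"]) - ep_ts) <= window:
                detections.append({
                    "device": ep["device"], "dest_ip": ep["dest_ip"],
                    "reason": f'{ep["process"]} spawned {ep["child"]} to a {fw["verdict"]} host',
                    "actions": ["isolate_endpoint", "block_dest_ip"]})
    return detections
```

Run against the constructed feeds, `correlate(ENDPOINT_EVENTS, FIREWALL_EVENTS)` flags only ws-17: the srv-02 flow to the same host lacks the endpoint-side signal, and the chrome.exe flow was allowed by the firewall.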
Ultimately, these workflows will be driven by people. The best XDR systems enhance the effectiveness of any IT or security professional, providing intuitive tools to the novice and granular control to the expert security analyst.
Organizations with the necessary resources—which often include round-the-clock staffing by highly trained analysts—may choose to do all the operational work themselves. Others will enlist a managed detection and response (MDR) service to supplement or fully outsource their security operations.
Either way, an XDR platform serves as a foundational next-generation tool for enabling organization-wide threat detection and response.
Sophos and XDR
XDR is a new term for an emerging product category, but Sophos has been thinking about this concept for a long time. You can see this reflected in the products we’ve brought to market and the thought leadership we’ve demonstrated over the past several years.
First, there’s Sophos Central, our unified cloud-native management and reporting platform for all our next-gen products. We were one of the first security vendors to recognize the importance of bringing security management together in the cloud, and to this day we offer the broadest portfolio of security products within a single pane of glass.
Then there’s Synchronized Security, which we introduced back in 2015. Anticipating the need for an interconnected system, Sophos enabled two-way communication between products, such as our endpoint protection and our next-gen firewall. The added visibility and automated response enabled by Synchronized Security are steps toward the cross-product analytics and coordinated response required of an XDR solution.
EDR, of course, is also a stepping stone to XDR. Sophos offers a powerful EDR solution built atop the world’s best endpoint protection, Intercept X. Core elements of our EDR, like flexible SQL-based queries and auditable Live Response consoles, are foundational to delivering XDR.
For customers that can use a little (or a lot) of help with security operations, Sophos Managed Threat Response (MTR) delivers XDR as a managed service. MTR offers machine-accelerated human response that leverages our EDR and other Sophos Central products, like XG Firewall and Cloud Optix.
All of this has been building toward our vision of a fully interconnected XDR system. This incorporates all the above elements, but it goes further with a central data repository, cross-product search, adaptive analytics, programmable sensors, coordinated response, and APIs for extensibility.
Our recently announced early access program for Sophos XDR is a sneak peek into our first manifestation of this. Give it a try to see how we’re preparing to empower our customers, our MTR service, and our managed service provider partners to deliver more effective, accessible, and comprehensive threat detection and response.
XDR and you
If your organization is ready to move beyond basic IT security hygiene, then implementing an XDR-powered detection and response operation—in-house, managed, or hybrid—may be a logical next step to protect you from hidden threats.
If you already have a threat detection and response operation, then you may want to consider an XDR solution to consolidate vendors, improve your efficiency, and increase your organization’s security posture.
To learn more about how Sophos can help you provide comprehensive threat detection and response, please enroll in the Sophos XDR early access program or contact your Sophos partner.
Threat indicators highlight suspicious files that Sophos hasn’t blocked but that you may want to investigate.
You can review threat indicators and take action as follows:
- Go to Overview > Threat Analysis Center and click Threat Indicators.
- On the Suspicious items tab, you see a list of files. For each file, the list shows:
  - Suspicion level: The probability that the file is malicious.
  - Executed: Whether the file has been executed.
  - Devices affected: The number of devices where the file has been seen.
- For more details of a file, click View details (on the right of the table). You can also:
  - Click the file's SHA-256 hash to search for more instances of the file on your network.
  - Click Generate threat case to do a more in-depth analysis of the file's history.
- In the details pane, to make sure you have the latest analysis from Sophos, click Request latest intelligence. This sends the file to Sophos for analysis. If we have new information about the file's reputation and prevalence, you’ll see it here in a few minutes.
- When you have finished your analysis, you can take action:
  - If you believe the file is malicious, click Clean and block.
  - If you don't believe the file is malicious and don't want to take further action, click Dismiss. The file no longer shows in the threat indicators list.
Clean and block prevents the suspicious application from being accessed or run on your devices. The file is added to the Blocked Items list (in your Global Settings).