Sophos beefs up Intercept X zero-day malware solution with advanced machine learning

Technology from last year’s Invincea acquisition gives Intercept X massively scalable machine learning, which far exceeds the number of data sets machine learning has traditionally processed.


Security software vendor Sophos has strengthened its Intercept X solution, which was specifically designed to protect against zero-day malware and unknown exploits, as well as ransomware. The upgraded version adds what Sophos terms Advanced Deep Learning, next-generation machine learning with a massively scalable detection process that far exceeds the number of data sets that machine learning has been able to process previously. The enhanced solution also improves the anti-ransomware and exploit prevention, and adds active-hacker mitigations like credential theft protection.

Sophos accompanied its new release with results from its own State of Endpoint Security survey, which showed that ransomware in particular continues to do significant damage. The survey indicated that more than 50 per cent of organizations surveyed were hit by ransomware last year, and were struck twice on average. More than 75 per cent of these were running up-to-date endpoint protection when hit. However, more than 50 per cent did not have anti-exploit technology.

“I was shocked at how many people were successfully attacked by ransomware,” said Dan Schiappa, Sophos SVP & GM, Enduser and Network Security Group. “Most of these had up to date AV protection. Most people, however, really don’t understand what exploits are, and that AV doesn’t block them.”

Sophos acquired its anti-zero-day malware capability through the purchase of Dutch security firm SurfRight, and brought it to market in late 2016 to give itself a credible offering in this space. Market response since has been strong.

“It’s the fastest growing product in the company’s history,” Schiappa said. “We sell about 90 per cent of it alongside our traditional endpoint. However, we also had new customers who bought it and added it, and 10 per cent of customers bought Intercept X and ran it beside a competitive traditional endpoint solution.”

Intercept X doesn’t scan files like traditional anti-virus solutions. It looks at hacker techniques and uses signatureless anti-malware detection to block zero-day, unknown and memory resident attacks. The enhancements in this version include leveraging the machine learning capabilities of Invincea, which Sophos acquired last year.

“This machine learning technology brings a deep learning capability,” Schiappa said. “It uses a neural network rather than Bayesian learning. This gives us a very exacting capability to train it – on data sets that are in the hundreds of millions. Data sets in the tens of millions are more typical with Bayesian learning. This greater scale gives Intercept X a better predictive impact.”

Schiappa said that Sophos’ own capabilities have enabled it to make exceptional use of this deep learning capability.

“We couple it with what we can do in our lab infrastructure,” he said. “Many machine learning capabilities just grab. Our massive labs infrastructure allows us to pull this efficiently into training sets.”

This lab-backed training also gives Intercept X a relatively low false positive rate.

“We put a lot of emphasis into detecting false positives, because these are very problematic for the business continuity,” Schiappa said. “Machine learning has significantly higher false positive rates than traditional AV. However, with Intercept X, we get high detection rates from machine learning, combined with the lower false positive rates of traditional AV.”

Intercept X also has new protection against specific types of exploits. This includes credential theft protection – one of the most used exploits – to prevent the theft of authentication passwords and hash information from memory, registry, and persistent storage.

“This also protects against code caving, in which malicious code is buried inside legitimate code to fool traditional AV,” Schiappa said. “It also protects against an exploit in the Windows Kernel that let WannaCry move laterally very rapidly, which is how it was able to spread so fast.”

Finally, Sophos Clean, a further signatureless, on-demand malware scanner, has been equipped with a new engine.

“I’m really excited about all these protections we have added, in addition to the deep learning,” Schiappa said.

Sophos goes to market through its network of channel partners, and Schiappa said that the channel plays a key role in introducing newer technologies like Intercept X to customers.

“The channel is a driving factor for change, because they recommend to customers what they need,” he stated. “With 54 per cent of survey respondents attacked by ransomware, including many of them being attacked twice, this is a pain point that the channel can address.”