Sophos supplements their Intercept X Advanced deep learning offering with EDR investigation and response capability, designed to save larger companies with SOCs time with EDR that is relatively easy to use, while giving partners downmarket access to the technology, particularly through MSPs. It is now in the early access stage.
Security software vendor Sophos has announced that a SKU with Endpoint Detection and Response [EDR] is now available for their Intercept X endpoint protection portfolio through a global early access program. It adds an investigation and response capability to Intercept X’s deep learning neural network. It’s a capability which has been limited until very recently to large enterprises with SOCs, and Sophos says that the ‘threat hunter’ offerings which have begun to hit the market are still too difficult to use, which opens up a market opportunity for them, and which isn’t just limited to large organizations.
“This new EDR capability leverages the threat intelligence feeds of Sophos Labs, which tracks and analyzes 400,000 unique and previously unseen malware attacks every day, where our data scientists develop algorithms that allow our deep learning neural networking to assess the DNA of suspicious files against the hundreds of millions of known convicted files,” said Dan Schiappa, general manager and senior vice president of the Sophos Endpoint and Network Security Group.
Endpoint detection and response is the search for threats which have already been able to get inside the network, which some vendors call threat hunting – a term that Schiappa doesn’t care for.
“Threat hunting is a great buzzword, but with this technology, most of the time is spent investigating an incident to understand what files were touched, what was done, and the implications for regulatory filings,” he said. “It typically involves the investigation of something suspicious, such as a processor running at high capacity, to determine if something should be manually blocked or not. The threat hunting component comes if you see something in one place, such as a specific kind of payload, and you look to see if it is happening somewhere else.”
Schiappa said that while there is no substitution for the best protection, the main problem with EDR products is that they are too complex.
“As a result, we decided to enter the market and bring our AI, threat intelligence and ability to make things intuitive to this space,” he said. “We have learned a lot from Sophos Labs about how attackers have moved from spray and pray tactics to custom, polymorphic malware designed for specific targets, which is well suited for this kind of solution.”
The market for EDR is typically very large enterprises – while most Sophos customers are SMB and midmarket. Schiappa said that this EDR capability is designed to both be helpful to large enterprises, and be something that some types of smaller companies can use, and can get value from.
“For a larger organization that has SOC analysts, this gives them information that allows them to prioritize, and so replaces part of the EDR process for these large customers with SOCs,” he indicated.” Even large SOCs can get overwhelmed. It is especially valuable for less experienced SOC analysts by showing what to investigate, by providing a visualization of a suspicious file, compared with a convicted file and benign files. It takes something that could be hours of investigation and reduces it to minutes.”
Schiappa said that this offering can be a good fit for some customers downmarket.
“We have built a product that can cover all ends of the spectrum, but this is really where the channel comes in,” he said. “The AI capability can help companies of any size do things that they could not do otherwise. It’s really up to a channel partner to determine if a customer is a good fit for this, and if it’s something that could help them. The major play downmarket is likely to be with companies which may not be large, but which have regulatory obligations. We also think that this is something that our MSP partners will want to have available as an offering.”
Schiappa emphasized that the channel was a key driver in getting this product created, and that initial response has been strong.
“The channel was key in pushing us into this focus area,” he said. “They told us that the EDR market was ripe for Sophos because it is too complex. They had a huge hand in setting up key value drivers, and the partner advisory councils have given valuable feedback. We just finished an event for partners in central and eastern Europe, the Middle East and Africa, and when we discussed this, it was standing room only. The feedback has been really, really positive.”
Sophos is also fully investing in educating the channel about the product, and arming them to sell it, Schiappa said.
Sophos will offer a separate SKU of EDR for Intercept X Advanced, as well as Intercept X Advanced without the EDR SKU. The EDR SKU is now available in a global early access program.