Sophos upgrades EDR solution with enhancements for both threat hunting and IT admins

Sophos says the new version of its EDR solution is the largest version-to-version enhancement it has ever made, and that it now gives the company the best EDR offering in the industry.

Today Sophos is announcing an enhanced version of its Sophos Endpoint Detection and Response (EDR) solution. The new version makes it considerably more effective as a threat hunting tool, while also making it accessible to IT admins who are not security specialists and improving their efficiency as well. It is available with both Sophos Intercept X Advanced with EDR and Intercept X Advanced for Server with EDR.

“This is a new version of our EDR, and the most significant version to version upgrade we have ever done,” said Dan Schiappa, Sophos’ EVP & Chief Product Officer. “Before it was focused on root cause analysis. This is much more proactive and focuses on threat hunting, and the investigation tool spans IT administration as well as security. There’s a lot of value just from an IT perspective.”

Sophos is touting this as the first EDR solution designed for both security analysts and IT admins.

“IT admins may read, for example, that there’s a vulnerable version of Adobe Acrobat, and want to see which machines haven’t been patched,” Schiappa said. “That’s an IT exercise, not threat hunting, but the same process lets you see how many people are running this, that lets you kill the processes in advanced threat mode. You can arm SOC analysts with this, and still give it to non-security experts and make it very valuable to them.”

The two major new capabilities in Sophos EDR are Live Discover and Live Response.

“The primary function of Live Discover is the ability to query endpoints and servers in real time and across a history of 90 days’ worth of data,” Schiappa said. “That’s very powerful because you can determine if something bad is running, not just if it ran.”

Schiappa emphasized the flexible and multi-faceted nature of the query engine.

“For building queries, there’s a tool similar to Excel,” he said. “We help you fill out the query, and we have a bunch of prebuilt queries. We have categorized them into popular categories. We can also push down queries from Sophos Labs if there are indicators of compromise.”

The other new capability, Live Response, allows remote response and access using a command line interface to perform further investigation and remediate issues.

“The purpose of Live Response is to give an easy way for admins to get on devices and respond to a particular threat,” Schiappa said. “If we find a device that’s unmanaged, we can push out an endpoint agent to that.”

Sophos is presenting the announcement in the context of its forthcoming research on the KingMiner botnet, which attempts to brute-force its way into servers and uses the EternalBlue exploit to spread malware. Sophos emphasizes that the new tools are effective against this particular attack, as well as against others, whether sophisticated or brute force in nature.

“While admins may block the ransomware, they want to respond quickly and that’s where these response tools come into play,” Schiappa said. “Our EDR now has all the pieces that make an EDR tool really shine.”

Schiappa also emphasized that the broad utility of these new tools is consistent with Sophos EDR’s traditional approach to serving a very broad range of the market.

“We are unlike many players in this space, because we have customers ranging from big defense contractors down to mom and pops,” he said. “We have combined capability with ease of use in order to serve both. This is a much-improved product which continued that approach. We now have the best endpoint protection product in the industry.”