Sophos enters XDR space with differentiated Sophos XDR offering

Sophos is entering the XDR space relatively late, but believes that their offering has multiple differentiating features, including the ability to work for both relatively sophisticated and unsophisticated customers, to stand out in the market.

Dan Schiappa, Chief Product Officer, Sophos

Cybersecurity vendor Sophos has announced their entry into the XDR space with Sophos XDR. While XDR is frequently sold to enterprises, some midmarket firms, and organizations like MSSPs that have SOCs, Sophos also sees Sophos XDR as a strong play for SMBs as part of a bundle in their Sophos MTR service.

“This is a very big release for Sophos,” said Dan Schiappa, the company’s chief product officer. “These types of solutions tend to be very challenging for SMBs. Some of the tools are made for very large organizations. We try to go deeper and broader than anyone else. We will have integrations right out of the box for an SMB that uses Sophos products.”

Schiappa emphasized that one of the key attributes of the Sophos XDR design is that it has been constructed to work both for more complex and mature IT operations, as well as for comparatively simple ones.

“We don’t segment by size of business, but by the capabilities of the security operations, and have the appropriate tool for each,” Schiappa said. “We built Sophos XDR so it’s extremely powerful for very sophisticated operations, but also built it for early-on IT admins becoming security ops persons. Our very sophisticated query language makes this possible. It also allows the querying of endpoints and servers direct for real time information, and 90 days of historical operations. For larger organizations, we have an AI platform that lets us plug into third party platforms. For less experienced operators, we have canned queries. In addition, for the SMBs we also made this an IT operations tool, to detect unprotected devices in the environment, and added these raw IT admin capabilities in there as well.”

Schiappa said that the ability of Sophos XDR to be relevant to both sophisticated and less sophisticated analysts is an important element of differentiation against competitors who brought their XDR solutions to market earlier.

“We also have two types of data retention, with 90 days of on-device data, plus 30 days of cross-product data in our cloud data lake,” he added. “Our canned queries and new query pivots, which recommend a subquery to run off a query, mean that results will come back faster than with competitors. That in turn will make analyst live responses faster.”

Schiappa also emphasized the high level of synchronization across the Sophos products, which reduces the amount of work that human analysts have to do.

“Synchronization is the key, and others don’t synchronize the way we do,” he said. “We just added a new Search and Destroy capability to our email protection, which is part of that synchronization. We also have AI models that run on top that augment human analysts. We do a lot to filter out stuff before humans see it.”

Along with Sophos XDR, Sophos also released new public research, “Intervention halts a ProxyLogon-enabled attack,” detailing an attack against a large organization that began when the adversaries compromised an Exchange server using the recent ProxyLogon exploit.

“It talks about the attack on a customer site over a multi week period, using tactics which were both bold and stealthy,” Schiappa said. “They used nation state tactics, but also ‘live off the land’ tools. They would move from one machine to the other and conduct a long, relentless attack.” They stole account credentials, compromised domain controllers, deployed a commercial remote access tool to retain access to hacked machines, and delivered a number of malicious programs.

“What this shows is that you have to have an equivalent of what’s happening in the ecosystem,” Schiappa said. “You can’t just gobble up data like a SIEM. You have to present it to analysts so they can come to a decision quickly.

“I think a lot of the time the defensive companies don’t get as much credit for evolving as the adversaries do,” he added. “The tools and tactics the attackers use have forced this broader view. What we have done with XDR is bring it into a true ecosystem, not just be SIEM 2.0 where we only pull in data. We also have programmable sensors, which makes it all more dynamic.”

Schiappa added a final differentiation for the Sophos product.

“We also believe we have the best protection in the industry,” he said. “The more we can block with protection, the less we have to deal with in the XDR.”

Channel partners are Sophos’ entire route to market, and Schiappa expects that the way partners will sell Sophos XDR will vary.

“It depends on the circumstance,” he said. “When we launched our synchronized security, partners did a great job of cross-selling, and that will make customers prime candidates for XDR. We have our managed threat response [MTR] service that can be bundled with XDR, which will be similar to how EDR was sold. XDR and EDR were designed for mid-market and enterprise companies who have a SOC, but even SMBs can leverage something like our MTR service. We sell MTR as a bundle, and customers can get the EDR or XDR bundle.”

Today, Sophos is also releasing a new version of its Sophos EDR endpoint detection and response solution. It features some of the same advanced capabilities found in the new XDR product, such as new scheduled queries, customizable contextual pivoting, and access to seven days of cloud-hosted data (upgradeable to 30 days in the data lake) plus 90 days of on-device data.

“Every customer you have as a channel partner has to care about security,” Schiappa concluded. “Regardless of how small and less sophisticated they are, the adversaries are very sophisticated. So you have to be able to protect them, and we think we have balanced it for both very sophisticated and less sophisticated customers.”

Both Sophos XDR and the updated EDR capabilities for Intercept X Advanced with EDR and Intercept X Advanced for Server with EDR are available worldwide on May 19.