Sophos continues to build out Adaptive Cybersecurity Ecosystem with Braintrace acquisition to add innovative network detection and response technology

The deal comes on the heels of the Capsule8 acquisition earlier this month, which also further built out Sophos’ ACE technology.

Joe Levy, Sophos’ CTO

Cybersecurity vendor Sophos has announced the acquisition of Braintrace, a Utah-based MSP that has developed Network Detection and Response [NDR] technology providing deep visibility into network traffic patterns without requiring a separate decryption step to perform the inspection. The technology will further enhance the Sophos Adaptive Cybersecurity Ecosystem [ACE].

Sophos ACE, formerly Project Darwin, is a long-time Sophos project that was formally unveiled this spring.

“We have been working on it for three years,” said Joe Levy, Sophos’ CTO. “We have been modernizing our entire data platform, and it has become the basis of our XDR, the delivery for MTR, and the platform for the integration of the two acquisitions, Braintrace and Capsule8. It’s a data ingest pipeline with embedded analytics and sensors to collect that data – a full loop multi-iteration platform for all the current Sophos products.”

The Braintrace technology has been on Sophos’ radar for years.

“About four years ago, we decided to get into the MDR [Managed Detection and Response] business, and I scoured the earth looking for good technology to help us bootstrap that,” Levy noted. “In 2019, we acquired DarkBytes for our operations platform for MDR, and acquired Rook for security operation teams. We then processed and launched our MTR [Managed Threat Response] solution later that year, and we now have over 5000 MTR customers.”

It was during that search process, Levy said, that he first encountered Braintrace.

“They had been licensing some tech from a third party which was acquired, so they decided to build their own,” he indicated. “I really believe in practitioner-led security, where they have a stake from having skin in the game. The result of this was their Dragonfly network traffic analyzer.”

Levy said that Dragonfly is differentiated from other solutions in the market that aim to do the same thing.

“They use a different packet and flow analysis technique to extract features that go into machine learning modules that they created themselves,” he said. “This allows them to do an unparalleled job at detection of malware in encrypted flows without having to do decryption for inspection.”

This kind of encrypted-traffic analysis has attracted investment in recent years, particularly in startups, but Levy said Braintrace’s approach was more effective than any of the others Sophos evaluated.

“We looked at similar claims from others, but this just worked better,” he stated. “They also do general session risk analysis, and do domain analysis for DNS. They will give us much better insight into the unmanaged asset problem. As an industry, we do well at protecting assets we know about. We do less well when we don’t know the assets. This gives a 50,000-foot view of everything that is happening.”

Levy stressed that this technology also represents a ‘shift left’ capability in the detection process.

“We want detections to occur as early as possible in the lifecycle to reduce the cost of an event with early detection,” he said. “We can make better security predictions and make them earlier, and thus lower the cost of security operations. Partners will also like this because it becomes an enabler for superior MDR service, so end customers are more secure and with fewer incidents.”

Sophos will deploy Braintrace’s NDR technology as a virtual machine, fed from traditional observability points such as a Switched Port Analyzer (SPAN) port or a network Test Access Point (TAP), so that it can inspect both north-south traffic at network boundaries and east-west traffic within networks.
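The passive model described above, as an added illustration that is not Braintrace or Sophos code: packet records mirrored from a SPAN/TAP are grouped into bidirectional flows, per-flow metadata features are computed without reading any payload, and each flow is labelled north-south or east-west by RFC 1918 address membership. The packet dictionaries, the feature set and the sample traffic are all constructed for this example; Dragonfly’s actual features and models are not described on this page.

```python
# Added example: flow-level features from mirrored packet metadata only.
import ipaddress
from collections import defaultdict
from statistics import mean

# RFC 1918 ranges are used to decide "inside the network" (assumption for this example).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def flow_key(pkt):
    # Canonical bidirectional key: order the two endpoints so both directions
    # of one conversation land in the same bucket.
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (pkt["proto"],) + (a + b if a <= b else b + a)

def build_flows(packets):
    flows = defaultdict(list)
    for p in sorted(packets, key=lambda p: p["ts"]):
        flows[flow_key(p)].append(p)
    return flows

def flow_features(pkts):
    # Only sizes, timing and direction are used; payload bytes are never touched,
    # so this works identically for TLS and for cleartext traffic.
    sizes = [p["len"] for p in pkts]
    ts = [p["ts"] for p in pkts]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    initiator, responder = pkts[0]["src"], pkts[0]["dst"]
    fwd = sum(p["len"] for p in pkts if p["src"] == initiator)
    rev = sum(sizes) - fwd
    return {
        "packets": len(pkts),
        "bytes": sum(sizes),
        "mean_len": mean(sizes),
        "mean_gap": mean(gaps) if gaps else 0.0,
        "byte_ratio": fwd / (rev or 1),
        "direction": "east-west" if is_internal(initiator) and is_internal(responder) else "north-south",
    }

def summarise(packets):
    return {key: flow_features(pkts) for key, pkts in build_flows(packets).items()}

# Constructed sample: an internal host talking to an external TLS server, and two internal hosts exchanging SMB-like traffic.
SAMPLE = [
    {"ts": 0.00, "src": "10.0.0.5", "sport": 51000, "dst": "203.0.113.9", "dport": 443, "proto": "tcp", "len": 517},
    {"ts": 0.05, "src": "203.0.113.9", "sport": 443, "dst": "10.0.0.5", "dport": 51000, "proto": "tcp", "len": 1460},
    {"ts": 0.07, "src": "10.0.0.5", "sport": 51000, "dst": "203.0.113.9", "dport": 443, "proto": "tcp", "len": 126},
    {"ts": 0.10, "src": "10.0.0.5", "sport": 52000, "dst": "10.0.0.7", "dport": 445, "proto": "tcp", "len": 200},
    {"ts": 0.30, "src": "10.0.0.7", "sport": 445, "dst": "10.0.0.5", "dport": 52000, "proto": "tcp", "len": 300},
]
```

In a real deployment the same feature rows would be fed to a classifier; here they simply show what a sensor can learn from an encrypted session without a decryption step.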

“The overall architecture of ACE uses this common model where everything operates as a sensor, and based on inferences from those analytics, there’s a set of responses that can be taken,” Levy said. “This becomes a new sensor.”

Braintrace’s MSP business will be integrated into the Sophos business.

“Their NDR customers will become our MTR customers,” Levy said. “They had some other business relationships, which we will farm out to our current channel partner community.”

The plan is to have Braintrace’s NDR technology for MTR and XDR fully integrated and available in the first half of 2022.

The technology from Sophos’ acquisition of Capsule8 earlier this month is also being integrated into ACE. Capsule8 provides Linux server and cloud container security, with runtime visibility, detection and response for Linux production servers and containers.

“We have always had tooling and protection available for the Linux platform, but it was never as well developed as Windows, which has been our primary concern as a threat target,” Levy said. “As Linux increasingly becomes a target, we wanted to make sure we had good representation there, especially as more workloads switch to containerized techs. So with this, we got our Linux caught up to our capabilities around Windows.”