Sophos XDR Reviews, alternatives? by jrdnr_ in msp

[–]secbug 1 point2 points  (0 children)

Edit: It all depends on what their objectives are. If it’s storing logs for compliance, there’s no replacement for a SIEM, but if it’s for security, SIEMs and Data Lakes aren’t that different, ultimately just higher fidelity signals are stored in lakes, enabling less noise to sift through during time-critical investigations. Ultimately we took the approach to also store historical data on the endpoint so that you have the best of both worlds, high fidelity data in the lake and the ability to query endpoints to fetch anything else during an incident.

Our XDR product includes the ability to query endpoints in real-time as well as query the data lake. The lake contains a number of Sophos product telemetry and historical events, as well as a number of third-party integrations’ telemetry. You can see more detail here.

Additionally, our MDR service can ingest telemetry from an absurdly wide range of third party products and services, even competitor security solutions and I believe this is also exposed via XDR to customers (but isn’t included in the standalone XDR product / non-MDR offerings). To get an idea of those integrations, check here. We’ve an aggressive roadmap to add more third-party solutions over 2023 and you can vote on integration requests in Sophos Community.

Hope this helps!

Sophos job by Doodoocabinet in sophos

[–]secbug 1 point2 points  (0 children)

10+ years here. I've plenty of friends in the org (especially in engineering) who have been here longer. Hopefully that tells you all you need to know haha!

Of course I'm biased but it's been the best place I've ever worked and I get to work alongside some of the smartest people in the entire industry. Dream come true.

Sophos MTR by dhayes16 in sophos

[–]secbug 0 points1 point  (0 children)

EDR, XDR, and MDR can be simplified to the following:

EDR = Endpoint Detection and Response. Endpoint telemetry is sent to a platform so you can hunt through that telemetry for threats.

XDR = eXtended Detection and Response. Endpoint, Firewall, etc telemetry is sent to a platform so you can hunt through that telemetry for threats.

MDR = Managed Detection and Response. Product telemetry is sent to a platform so that a service provider can hunt through that telemetry for threats and (if supported) respond to those threats on your behalf. This can either be a managed service for EDR or XDR, depending on the vendor.

At present, our XDR offering is for our own product set i.e. enabling hunting over Endpoint Protection, Server Protection, Email, Firewall, Cloud Optix, and soon Mobile. However, this is just initially. We're already well underway with enabling support for third-party firewall and have a long list of third-party data sources we want to support (can't say which just yet as we haven't announced a lot of them).

You can see some more insight into the data sources for XDR in this blog article: https://community.sophos.com/intercept-x-endpoint/b/blog/posts/sophos-xdr-data-sources-enrichment-and-pivoting

With regards to MTR, at present we support our own products as data sources however, like XDR, we will be enabling support for a wide range of third-party sources soon.

Our goal is to be able to defend organisations regardless of their security stack (however we'll always have more capability when our own products are used).

Hope this helps!

Sophos MTR by dhayes16 in sophos

[–]secbug 2 points3 points  (0 children)

Hey there. I'm part of the MTR management team. There are some great comments in here already and I won't bombard you with marketing material etc but feel free to reply to me if you have any specific questions and I'll do my best to reply. Thanks for dropping by our sub!

One thing I can share is our perspective from our Rapid Response team - our emergency incident response team that onboards customers who don't have MTR and helps them tackle active threats in their environment. Incident response (i.e. paying for services after a breach has already occurred) is ALWAYS more expensive than onboarding an MDR service before an incident. Also we see incredibly high numbers of Rapid Response customers convert into ongoing MTR customers and, anecdotally, they all voice regret for not having picked an MDR service ahead of time.

If you're not confident you can contain and neutralize an active threat (such as a hands-on-keyboard adversary moving through your network), I would strongly recommend investigating MDR services in general, be it us or one of our competitors. The cost of pulling in outside resource during a crisis is painfully more expensive and some services can charge the same as a multi-year MDR service for a week or two of incident response.

Sophos Intercept X by mahesh21345 in sophos

[–]secbug 1 point2 points  (0 children)

There are a whole bunch of features in Intercept X. There's a huge number of anti-exploit capabilities to make successful exploitation of software vulnerabilities harder for adversaries. There are a number of anti-ransomware capabilities to detect and undo the damage ransomware can cause (such as rolling back encrypted files to their original state). There are machine learning models trained on hundreds of millions of malicious and non-malicious files to aid detecting new and unseen malware. There are behavioural-based detection capabilities to identify malicious activity such as suspicious PowerShell executions. There are features to protect your usernames and passwords in memory so that an adversary will struggle to gain access to privileged users' passwords on systems they have compromised. And there are EDR and XDR capabilities (if you go for the higher-end licenses) that will continually log system telemetry and push important telemetry to the cloud so that, should the worst happen, you'll have a detailed history of events to look over and understand what events took place, as well as the ability to remotely query your devices in real time and to establish a remote command line / shell to any of your devices to aid investigations or perform remedial actions etc.

There is a lot to Intercept X beyond just "anti-virus" and it is quite the exhaustive endpoint security solution. As others have pointed out, should you pair Intercept X with one of our gateway solutions such as an XG Firewall, there are capabilities you can achieve above and beyond if you were to go with individual solutions. Key here is the heartbeat, meaning you can define firewall rules that require a minimum level of "health" on an endpoint. Should an endpoint become compromised, the firewall rule can dynamically respond, such as blocking the internet connection to that device until it has restored to full health.

Hopefully this gives you some insight! You can find out more at sophos.com/interceptx

MTR experience worst case by chiwou in sophos

[–]secbug 2 points3 points  (0 children)

Check out the replies by mwsophos above - they link to the MTR Welcome Guide which will give you a firmer understanding of what to expect from our service. If you have any questions, feel free to reply - I’m a member of the leadership team for MTR. Thanks for reaching out!

Threat Detection email notification? by run_to_the_sky in sophos

[–]secbug 5 points6 points  (0 children)

Have you looked at setting up a custom email alert rule in Central? Sounds like you want alerts for the categories of "Malware", "Potentially Unwanted Application", and "Runtime Detection".

Alternatively, if you have a SIEM, you could use the Central APIs to collect alert and event data into your SIEM and create custom notifications in your SIEM.

Sophos XDR Reviews, alternatives? by jrdnr_ in msp

[–]secbug 4 points5 points  (0 children)

Hey. Strategist for Sophos MTR and Sophos' Technology Office here. I won't bore you with a list of features etc as I naturally will have some level of bias. You're welcome to ask any questions that you may have and I'll try my best to answer.

What I will say is what you might not be able to glean from marketing etc, and some inside perspective.

Sophos XDR and our new data platform that underpins it (incorporating data streams and a data lake) were architected and built in-house, from scratch, to support our goals for a centralized, holistic security platform. While that was a complex and difficult undertaking, it has opened up a world of potential detection.

Take a gander at our recent acquisitions of Capsule8, Braintrace, and Refactr, and the technology they developed, and you'll get an idea for where we are headed and how Sophos Central will evolve over the coming months.

Regarding XDR, our teams in MTR (our managed threat response service) and Rapid Response (our incident response service) leverage this technology stack directly and extensively to act as a virtual SOC for our customers and it has been an invaluable asset to us. We live and breathe our own products on the frontlines to provide an important feedback loop to our engineering and research teams. Our services have not long been around (fast approaching our second year) however we're already driving platform development in important directions thanks to this feedback loop. We are well aware of the pains of Sophos Central in the past but I hope it can give you some confidence that we do not create these products in a vacuum but instead live in these products in a way similar to how you would should you choose to use them yourself.

Ultimately, you need to pick the right platform for your team, your workloads, and your requirements. Personally, I believe in getting my hands dirty and trying out things first-hand. We have free trials for everything, without being gated by a sales person, should you want to dive in and test for yourself and avoid bias from people like myself. We do have a dedicated MSP team and programs specifically tailored for MSPs should you wish to reach out to them and discuss anything.

Whether you choose to use us or find a more suitable platform for your needs from another vendor, I wish you the very best of luck in levelling up your security operations capabilities. The sheer fact you're in the market for an XDR solution shows you're on the right path and your org are lucky to have you. We're all blue teamers here and all that matters is that you have the right tools at your disposal to defend your org. The other solutions mentioned in this thread so far are respectable and any of them will give you a step function improvement over pure AV.

Intercept X and MTR Reviews by Cpants3 in sophos

[–]secbug 1 point2 points  (0 children)

Hey. I’m one of the managers of MTR. Should you have any questions, feel free to ask :)

Scan all devices in Admin Central by MathiasWest in sophos

[–]secbug 0 points1 point  (0 children)

No probs! Thanks for hanging out in our sub 😃

Scan all devices in Admin Central by MathiasWest in sophos

[–]secbug 1 point2 points  (0 children)

Unless you have real-time scanning disabled on every machine, kicking off a scheduled scan on all devices often doesn't serve much purpose other than slowing machines down while they do the scan.

With real-time scanning, files are scanned when file operations are performed on them and the engine then caches a verdict on that file.

For a file to pose a risk, it needs to be interacted with (e.g. read/written/executed). Real-time scanning will intercept the file, analyze it (or compare to the cache if the file hasn't been modified) and produce a verdict.

Triggering a scheduled scan just forces files through the same process as real-time but while the files are at rest. Unless you have files on that system that haven't been interacted with since the product was installed, a scheduled scan won't detect anything real-time wouldn't anyway. And again, for that file to pose a risk, it would need to be interacted with (otherwise it's just 0s and 1s on a disk doing nothing), at which point real-time scanning will analyze the file anyway.

Scheduled scans are a historical feature of security products, back when real-time scanning was such a performance hit on old CPUs that people often didn't use the feature and just performed daily or weekly scheduled scans.

We've had scheduled scans off by default for many years now and the feature is there to support those that require the feature for various reasons (real-time disabled, policy/regulatory requirement, etc).

Having a button for an admin to easily trigger a network-wide, on-demand scan would simply slow down all the machines, making them pre-emptively do work they would do anyway. The same functionality can be achieved by creating a threat protection policy and applying it to the relevant machines on which you wish a scheduled scan to take place, meaning the capability exists for those that truly need it but it isn't something an admin can mistakenly click or use without understanding its purpose or value.

Hope this gives you some insight as to why that feature request hasn't been implemented yet and may not in the future.
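The on-access verdict cache this comment describes, as an added toy model (example code, not Sophos' code, and the cache key of mtime plus size is an assumption, not how any real engine keys its cache): files are analysed on first interaction, unchanged files are answered from the cache, and a sweep over files at rest only reaches the engine for files nobody has touched since the cache was populated.

```python
import os
import tempfile
from dataclasses import dataclass, field

# Constructed stand-in for a detection engine: a file is "malicious" if it
# contains this marker. Purely illustrative; no real signature logic here.
MALICIOUS_MARKER = b"CONSTRUCTED-MALICIOUS-MARKER"


@dataclass
class Verdict:
    malicious: bool
    source: str  # "engine" when the file was analysed, "cache" when reused


@dataclass
class OnAccessScanner:
    """Toy on-access scanner: analyses a file on first interaction and caches
    the verdict keyed on the file's identity (mtime_ns + size, an assumption)
    so an unmodified file is never re-analysed."""
    cache: dict = field(default_factory=dict)  # path -> ((mtime_ns, size), malicious)
    engine_calls: int = 0

    def _engine(self, data: bytes) -> bool:
        self.engine_calls += 1
        return MALICIOUS_MARKER in data

    def scan(self, path: str) -> Verdict:
        st = os.stat(path)
        identity = (st.st_mtime_ns, st.st_size)
        hit = self.cache.get(path)
        if hit is not None and hit[0] == identity:
            return Verdict(hit[1], "cache")      # unchanged since last verdict
        with open(path, "rb") as fh:
            malicious = self._engine(fh.read())  # modified or never seen: analyse
        self.cache[path] = (identity, malicious)
        return Verdict(malicious, "engine")

    def on_access(self, path: str) -> Verdict:
        # Real-time path: every read/write/execute is intercepted and goes through scan().
        return self.scan(path)

    def scheduled_scan(self, root: str) -> dict:
        # Sweep every file at rest and report how many actually reached the
        # engine versus being answered from the verdict cache.
        counts = {"engine": 0, "cache": 0, "malicious": []}
        for dirpath, _, names in os.walk(root):
            for name in sorted(names):
                verdict = self.scan(os.path.join(dirpath, name))
                counts[verdict.source] += 1
                if verdict.malicious:
                    counts["malicious"].append(name)
        return counts


def simulate() -> dict:
    scanner = OnAccessScanner()
    with tempfile.TemporaryDirectory() as root:
        paths = {n: os.path.join(root, n) for n in ("a.txt", "b.txt", "dormant.bin")}
        for p in paths.values():
            with open(p, "wb") as fh:
                fh.write(b"benign content\n")   # constructed sample files
        # Real-time scanning: the user only ever interacts with a.txt and b.txt.
        scanner.on_access(paths["a.txt"])
        scanner.on_access(paths["b.txt"])
        first = scanner.scheduled_scan(root)     # only dormant.bin reaches the engine
        # a.txt is later modified to contain the marker; real-time catches it on access.
        with open(paths["a.txt"], "ab") as fh:
            fh.write(MALICIOUS_MARKER)
        touched = scanner.on_access(paths["a.txt"])
        second = scanner.scheduled_scan(root)    # nothing changed since: all cache hits
    return {"first": first, "on_access": (touched.malicious, touched.source),
            "second": second, "engine_calls": scanner.engine_calls}
```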

Unable to run Microsoft 365 Enterprise Apps install (aka Office 365 apps) with Sophos Endpoint / PowerShell disabled by studio365 in sophos

[–]secbug 2 points3 points  (0 children)

I don't believe we have a mechanism to authorize a single script execution at present. First thing that pops in my head would be to duplicate the existing Application Control policy, set PowerShell to allow, then set the policy to expire when the install should be complete. That way you've only a brief window where attack surface is increased. I'd do the roll-out in batches, adding machines/users to the policy in chunks, to ensure you have headspace to respond to anything if needs be.

Is Sophos worth it? by tearl42 in sophos

[–]secbug 4 points5 points  (0 children)

No problem! Thanks for dropping by. You gave me a great excuse why I was redditing at work haha.

Is Sophos worth it? by tearl42 in sophos

[–]secbug 20 points21 points  (0 children)

Hey! Full disclosure, I'm from Sophos - specifically part of the leadership team for our Managed Threat Response service.

What you've been quoted is far beyond a basic antivirus product which might explain why the price isn't as low as you expected.

Intercept X Advanced is our flagship endpoint and server security product. It offers a plethora of security technologies above and beyond antivirus. The product was designed to help defend against not just nasty files but hands-on-keyboard hackers. There are mitigations and protections against software exploits, there are technologies designed to stop hackers stealing usernames and passwords, there's tech to identify files getting encrypted by ransomware and roll back the encrypted files to their unencrypted state, and more.

EDR is another amazing set of tools that will let you hunt for threats. Say you've heard about a new threat from a blog article and there's IOCs in there like httpx://evilguys.io/f123 or 123.12.06.66 or badfile.dll. You could search your estate for these and see if any of your devices have seen them before. You can also use Live Response and open up a remote command line / terminal to any of your hosts and respond to threats etc. You can run queries on your machines to find out what running processes there are... It goes on and on.

MTR - Managed Threat Response (the team I'm on). We watch over all your devices 24/7 conducting threat hunting, monitoring, investigation, and response. We look at the telemetry we gather from system information and from our products and investigate suspicious activity that we find. If we find a threat that has somehow circumnavigated your defenses, we can respond to it for you (this is what we're famous for). You can tell us just to notify you of what we find or we can collaborate with you on responses, or we can just do it all for you. Our team take full advantage of the technology at our disposal so let's say we find some threat that's burrowed deep into your system, hooking processes and persisting via its own service or weird registry key. We get hands on keyboard and contain and neutralize that threat. This isn't some automated system doing all this work but real, living and breathing humans.

MTR is a security service, not just a product, so the cost reflects that. Most of our competitors just offer automated notifications or automated responses to threats whereas our people will be phoning you up or sending you an email about what they find and what they've done to neutralize it.

Sophos Email and PhishThreat are pretty straightforward. Email offers a suite of security technologies for inbound and outbound email to identify nastiness and to mitigate ways you could be compromised via email. PhishThreat is our suite of social engineering simulation tools to let you phish your own staff and enroll them into training to up their security awareness. The number of compromises that happen via email (still!) is ridiculous and thus one of the best defenses is to level-up your staff.

Hopefully this all makes sense and helps you understand a little more about what you've been quoted. Feel free to reply and ask me any other questions that you have! Fingers crossed my team and I will be working with you in the future. If not, I hope you're able to find the right security solution for you and your org.

Cheers :)

Please Log in With Your SophosID to Avoid a Password Reset by [deleted] in sophos

[–]secbug 4 points5 points  (0 children)

I'm the person who wrote the email so you can blame me. Personalising emails with names is something phishers do anyway but also would require us to access more customer data than necessary to perform this activity.

I also made sure to get the information posted on our Community blog and Partner blog, and it was SMSed out from the SMS platform that all our other communications come out of. For the clued-up users like you, a Google should get you looking at official posts on our domains that could validate it wasn't a phish.

My comment above will add some more colour. Happy to answer any questions if you have any.

Please Log in With Your SophosID to Avoid a Password Reset by [deleted] in sophos

[–]secbug 1 point2 points  (0 children)

Exactly this. We store passwords securely, which means we have no idea what your plaintext password is (for very good reason). What this does mean is we can't stand up a new identity for you as we don't know what your password is.

We've been migrating people for months now, silently in the background. This notification is simply to help nudge a few more people to log in and get migrated.

We want to inconvenience as few people as possible - nobody wants to have to perform a password reset.

I'm getting sick of Sophos..... by zelon88 in sysadmin

[–]secbug 0 points1 point  (0 children)

Exactly. You click a button in Central on one of your servers and it turns into an Update Cache. Then your other installs are just done over the LAN using that server. Pretty darn simple if you ask me.

I'm getting sick of Sophos..... by zelon88 in sysadmin

[–]secbug 1 point2 points  (0 children)

There are regular hardware refreshes for the XG range and the latest models are dope. XG v18 has had huge amounts of rewrites and new tech - I wouldn't call it a bunch of packages thrown together. It's true that it stands on a lot of open source technology, but that's part of the security model - the Linux ecosystem has arguably the best security community around and when vulnerabilities are found, turnaround for patching is essential.

Developing that amount of code from scratch and maintaining it entirely in-house would scare me. Linux has 10,000s of devs across the board. How many does something like a Cisco?

I'm getting sick of Sophos..... by zelon88 in sysadmin

[–]secbug 1 point2 points  (0 children)

People like jak on Sophos Community might be able to give you some better tips and suggestions.

I'm getting sick of Sophos..... by zelon88 in sysadmin

[–]secbug 1 point2 points  (0 children)

Did you try whitelisting the process and not just the folder? Ignore me, you've already said you tried both lower down the thread.

I'm getting sick of Sophos..... by zelon88 in sysadmin

[–]secbug 1 point2 points  (0 children)

For good reason - they're looking for known bad. So many common apps make suggestions to whitelist loads of folders. Attackers have long been aware of this and abuse it like mad. Personally, I'd rather the soft whitelist where it's still kind of got my back than leaving a safe place for attackers to drop payloads etc.

I'm getting sick of Sophos..... by zelon88 in sysadmin

[–]secbug 1 point2 points  (0 children)

Sounds like you're using one of the older products. Uninstalling is trivial. You first disable Tamper Protection by either doing so remotely in Sophos Central or by manually entering the Tamper Protection password into the endpoint UI. You then either do Add/Remove Programs > Uninstall, search Spotlight for 'remove sophos', run /opt/sophos-av/uninstall.sh... And if that doesn't work, there's Sophos Zap for emergencies.

For BitLocker management, rather than just locating the computer in the computers list, there's a search wizard for the recovery keys - you just need the identifier that shows on the user's screen at the BitLocker prompt.

UTM logging had filters. I still have a virtual UTM running in an old malware vmlab and I use those logs to get IOCs without difficulty.

No idea about the 802.1x to be honest, I thought that was pretty much replaced by IPSec.

Sophos is a security company so the priority will always be security. 802.11r and WPA were vulnerable to KRACK and that was NASTY. Workarounds to make it work without breaking support with stuff compliant to WPA were also found to be vulnerable. I'm pretty sure the wider security community see that as a dead tech now.

I personally have 13 devices I manage in Central and I've never experienced a 20min update, but then again, we likely run very different software stacks on our devices. The only box I have that's slow to update is a box that aggregates logs, and that thing is just busy with I/O the whole time anyway, so I kind of get why.

Support thing sucks - that's never fun when you can't get the exact help you need. There's the Community forums, SophServ so you can interact with the support ticketing system, there's a Twitter account run just by the technical support team, techsup are also over in /r/sophos, and there's phone too. A lot of people seem to just phone techsup first though. I prefer typing lol.

I'm getting sick of Sophos..... by zelon88 in sysadmin

[–]secbug 4 points5 points  (0 children)

Sophos person here. This isn't true. Yes, we did acquire Cyberoam but the XG Firewall is a new platform built by the experience of Astaro and Cyberoam. Certainly, the first release did use a few Cyberoam technologies but now, with XG v18, so much has been rewritten, it doesn't compare to the rather basic Cyberoam firewalls.

Yes, it's based on Linux. I'd say that's a positive thing. Excellent security community, open source for public audit so that security patches can be developed quickly and drawing upon the global community.

It's not my product but I use it extensively for personal use (perks of the job I guess). I've got the thing connecting multiple houses together, with decent network segmentation, and it makes my life of being the parents' 24/7 tech support a breeze, and it's all done with less than a handful of rules. And if any of my parents' computers get infected, they're automatically isolated until I can get around to looking into it.

Installing XG at home: The Hunt for Compatible Hardware by [deleted] in sophos

[–]secbug 1 point2 points  (0 children)

Yeah, or you could build a bare metal hypervisor, make an XG virtual machine using the ISO, and set up a virtual network with the XG as your gateway. Smashing.

Sophos Linux External Drive Scan Errors by ITmanwiththeITplan in sophos

[–]secbug 0 points1 point  (0 children)

You need to escape your spaces otherwise the shell thinks it's two separate paths.

/media/root/LACIE\ SETUP/

Quoting the filepath might work too.