Sophos Managed Threat Response: An evolved approach to proactive security protection

In its 2019 market guide for managed detection and response (MDR) services, Gartner forecasted that by 2024, 25% of organizations will be using MDR services, up from less than 5% today.

Sophos Managed Threat Response

While the percentage might not end up as high as that, there’s no doubt that the demand for these services will increase rapidly, fueled by organizations’ inability to acquire, train and retain cybersecurity talent and to keep pace with the rising sophistication and complexity of cyber threats.

What, exactly, is MDR?

MDR often gets confused with managed security services (MSS).

The difference is that while an MSS provider oversees and manages the client’s network and information system security (through device security management, vulnerability scanning, patch management, log monitoring, management of intrusion detection systems and firewalls, and so on), an MDR provider is focused on threat management, i.e. discovering attacks that have bypassed existing protections, threat validation, and providing actionable containment and remediation advice.

But some clients want more: they want somebody to help them solve their problems, not just point them out. Enter Sophos.

With the recent acquisitions of DarkBytes and Rook Security, the British security company has rounded off the technology and service stack needed to deliver Sophos Managed Threat Response (MTR), a new fully managed threat hunting, detection and response service that provides organizations with a dedicated 24/7 security team to not only detect, but also neutralize the most sophisticated and complex threats.

Notification as a starting point

Unlike most of its competitors in the MDR market, Sophos doesn’t stop at providing notification and remediation guidance.

“Many vendors claim to offer response capabilities, but in reality, few take the actions needed to eliminate threats as part of their core MDR offerings,” 451 Research Information Security Senior Analyst Aaron Sherrill notes. “Sophos MTR combines Sophos’ consistently top-rated endpoint protection with human expertise and troves of threat intelligence collected from SophosLabs to create an entirely new offering that meets a mounting market need.”

After testing Sophos Managed Threat Response in an early access program that went through every possible use case one could come up with, Sophos has made the offering available to organizations of all sizes and maturity levels.

Sophos Senior Director of Managed Threat Response J.J. Thompson says that the program showed them that customers are tired of investing in managed services that don’t actually respond to threats and take that action off their plate.

“That said, they don’t necessarily want to go directly from zero to somebody taking all the actions on their behalf. They want us to do the work, but they want to be in control – they want to own the decisions,” he says.

“And so we’ve set up incident response modes that let them stay in control: whether they want us only to notify them and offer recommendations for response actions, collaborate with them, or whether they want to go ahead and authorize us to actively neutralize those threats on their behalf.”

Customizable service

Clients can also choose between two service tiers: Standard and advanced.

The former provides 24/7 lead-driven threat hunting, detection of malicious processes that might appear legitimate to monitoring tools, security health checks and recommendations, and activity reports.

The latter includes all of those features, as well as:

  • 24/7 leadless threat hunting
  • Use of telemetry from a variety of Sophos products to aid in threat investigations
  • Direct call-in access to Sophos’ SOC and a dedicated threat response lead
  • Asset discovery
  • Proactive security posture improvement through prescriptive guidance

No matter which service tier they select, customers can opt for any of the three response modes (notify, collaborate or authorize).

“The notify mode is where people who aren’t yet sure how much they want us to do on their behalf can start. Later they can ‘graduate’ to collaborate mode,” Thompson explains.

“In the collaborate mode we are working with them to get authorization to take needed actions ad hoc. As we go through collaborate, there will be more and more decisions that they’re authorizing us to go ahead and take actions on their behalf. Then, in the authorize mode, Sophos handles containment and neutralization actions and then informs the partner or the customer of the action that was taken.”

Their goal, he says, is to provide customizable and highly effective specialized service delivery for organizations of all sizes and maturity levels. “As one of our ‘smaller’ EAP participants appropriately pointed out, the size of an organization shouldn’t dictate the quality of the service it receives,” he notes.

Building on solid foundations

Another notable difference between MSS and MDR services is that the latter are delivered using the provider’s own tools and technologies.

Sophos Managed Threat Response relies on the company’s:

  • Intercept X Advanced with EDR technology (a malware detection and exploit protection agent installed on endpoints and servers)
  • Cloud Optix (a cloud security monitoring, governance, risk and compliance service)
  • Sophos Central (a unified console for managing Sophos products deployed in an organization)
  • A unified MDR platform to deliver SOC services and take required actions on the endpoint (obtained through the DarkBytes acquisition)
  • Forced technology workflow, case management investigation technology, and experienced cyberthreat hunters and incident response experts (gained through the Rook Security acquisition)

Sophos Managed Threat Response

“Analysts can operate with peak efficiency for every detection that comes through as a case and investigate that case with case enrichment data provided at the exact point-of-use. We can also track analysts’ work through the entire workflow management process, run that back with intelligence, optimize that in the future and propagate that as an automated capability throughout the Sophos ecosystem to proactively stop future attacks,” Thompson notes.

And while they’re thrilled with the entire technology stack they get to operate off of, he points to Intercept X as the component that’s crucial to providing high-quality service.

“Best-in-class prevention is the starting point of it all. Thanks to Intercept X, which uses advanced machine learning to identify and block threats, we get to spend extra time proactively threat hunting for emerging threats, specifically on priority assets containing sensitive data in the customer’s environment,” he explains.

Jeremy Weiss, cybersecurity practice lead at CDW and Sophos partner agrees. “The only way to protect against today’s advanced threats is to combine the best tools with the brightest human minds. Sophos Managed Threat Response is a game changer, combining machine learning with human analysis for an evolved approach to proactive security protection. The customizable offering strengthens our existing threat hunting capabilities and helps us better protect our customers.”

As an added bonus, Thompson boasts that they don’t have any trouble recruiting, training and retaining the needed cybersecurity talent: while the industry average for a job opening is over eight months, theirs is under two weeks.

Fast and secure deployment

Whether the customer is a net new client, has already deployed some of Sophos’ solutions, or gets onboarded through Sophos’ channel partners or partner MSPs, the technology deployment process is always easy and fast.

“A net new customer will use their software deployment and management tools to push out Intercept X with EDR to their endpoints. The agent activates automatically, and the endpoints roll into out MTR operational view. Then our team goes through, does a health check of the environment, provides feedback on advanced configuration and makes sure that good telemetry is sent back to them. And that’s it: we are in business,” he says.

Clients that are already customers simply access their Sophos Central console, click a few buttons and automatically roll out Intercept X to all of their endpoints. And, finally, if customers go through a channel partner or Sophos’ partner MSPs, those do all that work for them.


Subscribe to the Help Net Security breaking news e-mail alerts:


Don't miss