Sophos MDR – What is New?

Adam reviews Sophos MDR and compares it to its predecessor Sophos MTR. He covers:

• • Introducing Sophos Managed Detection and Response (MDR)

• • Sophos MTR vs Sophos MDR

• • What are the new features that MDR brings?

• • What are the differences between the 3 Sophos MDR Tiers?

• • How fast is MDR at stopping threats?

• • FAQs

Introducing Sophos Managed Detection and Response (MDR)

Sophos are about to launch the successor to their award-winning Managed Threat Response (MTR) service – Managed Detection and Response, MDR for short.

MDR has three service tiers, with features being added as you ascend through the tiers.

Sophos MTR vs Sophos MDR

MDR builds upon the MTR product but adds some key features illustrated by the graphic below. For existing MTR customers reading, you will automatically be migrated to the MDR Complete product at launch.

 

What are the new features that MDR brings?

The three key features in the previous graphic are somewhat of a simplification of the new capabilities.

• • Compatibility with non-Sophos security tools and data sources

Unquestionably this is a big one. It takes the Sophos MDR service from a single vendor ecosystem to one that embraces telemetry from other Cyber Security vendor technologies already used by customers.

In doing so, MDR is removing a significant management/monitoring overhead from internal IT teams and placing it firmly within the Sophos Threat Experts and Analyst teams (aka the Sophos SOC) area of responsibility.

These additional telemetry sources are used to expand visibility across the environment, generate new threat detections and improve the fidelity of existing threat detections, conduct threat hunts, and enable more response capabilities.

A number of integrations are included with each tier of MDR:

There are then API integrations available as add-ons to bring in telemetry from other security products:

 

• • Root cause analysis (Full environment detections and investigations)

Along with supplying proactive recommendations to improve your security posture, we perform root cause analysis to identify the underlying issues that led to an incident. We give you prescriptive guidance to address security weaknesses, so they cannot be exploited in the future.

This new feature has been added and closes the loop on one aspect of incident response that was not delivered by MTR previously. Root cause analysis is a critical function in responding to any Cyber incident. Not assessing the source of the incident potentially leaves the environment open to compromise again if the source is not isolated or eliminated.

• • Sophos MDR ThreatCast

Delivered by the Sophos MDR operations team, the “Sophos MDR ThreatCast” is a monthly briefing available exclusively to Sophos MDR customers. It provides insights into the latest threat intelligence and security best practices.

The ThreatCast is based not only on the threats that have been seen in the UK but globally. So sometimes, when we are trying to assess emerging threats, we are not looking far enough afield to get a full picture. ThreatCast offers an easy way to get that insight without having to do the legwork yourself.

• • One last thing…. Breach Protection Warranty

Another new addition to the MDR service that is well worth a mention, Sophos are so confident in their ability to prevent and worst -case, halt an attack before it becomes a breach, a $1,000,000 USD breach-protection warranty is offered as a feature of a fully deployed and configured MDR Complete across Windows and MacOS.

What are the differences between the 3 Sophos MDR Tiers?

The MDR tiers have been tailored to meet a variety of customer requirements.

In the graphic above Sophos define, in broad terms, what each tier does from the perspective of:

1. People – what function of manpower do you want to offload?

2. Process – what level of action do you want to be responsible for?

3. Technology – What products do you want MDR to work with?

On point 3, it’s worth noting that detection and response capabilities are possible even with non-Sophos products. Still, a small Sophos agent is required on the endpoints/servers to facilitate remote command line access – which is essential for interrupting attacks.

How fast is MDR at stopping threats?

Sophos are experts in threat hunting and remediation. They have been doing it for years, after all.

Since the speed at which an incident is closed down is directly proportional to the damage caused, it is essential to understand the time scales.

The graphic below serves to illustrate that and the differences in response times of MDR compared to that of internal SOC teams:

Since MDR takes a more focused view of the telemetry in an environment from dedicated cyber security sources and is not necessarily being swamped with information from dozens of other sources such as databases, syslog, etc, the MDR team have less noise to work through and as such spend much less time on the investigation phase of the response.

Sophos aim to stop 99.98% of threats automatically via their products, but of those that get through, the average time to complete remediation is typically 38 minutes rather than the hours it can take a SOC team to reach the same point.

FAQs

It might seem like just a re-brand of the Sophos MTR service with a few bells and whistles. However, the integration of telemetry from multiple other data sources changes the nature of the MDR solution from a comprehensive anti-malware solution with automated detection and response to something more akin to something like a managed SIEM/SOC solution.

I’m not trying to say that MDR is comparable to a SIEM solution. Its integrations are not that comprehensive – but MDR, with add-on API integrations and the new Network Detection & Response technology (see future articles about that) is a very compelling halfway house:

• • Ingesting telemetry from multiple sources

• • Looking at network traffic for indicators of compromise

• • Using AI modelling and machine learning to corroborate and cross-reference disparate events and information into a cohesive composite picture of sneaky shenanigans

• • Enables intervention before it evolves into an actual attack

• • A fraction of the cost a managed SIEM/SOC solution

Add to that the time saved in your IT teams by no longer having to check or respond to alerts, and I think you’d be mad not to give MDR serious consideration.

• • Who needs MDR?

Based upon the cyber threat landscape today, every business should have a 24/7 cyber security monitoring and response capability. The question is whether the cost is worth the peace of mind it brings to you and your business.

It’s a case of weighing up the cyber risks that pose a realistic threat to your business and what the impact would be should that risk become a reality. Were I a business owner, what questions would I ask myself?

• • Do I want MDR?

If you don’t have 24/7 monitoring at least already, then the answer is almost certainly yes. But to what extent? MDR for everything? Or just MDR for your critical infrastructure?

• • Do I need to monitor all of my endpoint computers 24/7, and what are the implications if I don’t?

Your endpoint computers may not even be on 24/7, so there is nothing to monitor in that case, and any that are on may need to be reimaged, causing disruption to users, especially remote.

A threat left unchecked may propagate to more sensitive areas of my infrastructure.

• • Can I get away with just having my server estate monitored 24/7?

Possibly – if you can live with the prospect of not stopping a threat before it gets to the more business critical areas of your environment and the potential damage that may be caused.

• • Which service tier of MDR is most appropriate from a response perspective?

This depends on how quickly you want the threat contained and how thoroughly you want the threat eradicated.

The Sophos Threat Advisor will provide you with alerting. Still, every second between you getting the alert and responding means the problem worsens – if you already have the resources to react quickly and effectively 24/7, this may be best for you.

MDR may be best for teams with skilled IT professionals who can effectively investigate and clean their environment. Sophos will contain the threat until you can get your team in a position to eradicate it from your environment.

Time is of the essence for anyone delivering mission-critical services or environments susceptible to any type of outage. MDR Complete is a sensible option to ensure a full response to quickly eradicate threats and remove the prospect of secondary incidents flaring up.