In this blog post, I would like to introduce you to Managed Threat Detection (MTD) for endpoints and servers, which has been available for purchase since the end of July 2021. Sophos primarily targets MTD at customers who are not (yet) ready to replace their existing third-party endpoint and server solution with the Sophos agent. For all other customers who already have a Sophos agent installed on their computers and servers and are running at least Intercept X Essentials, Managed Threat Detection is not relevant.
The Managed Threat Response (MTR) Success Story
Just recently, Sophos announced that Managed Threat Response (MTR) now protects more than one million devices. The products Managed Threat Response Standard and Advanced are the two most expensive options to protect computers and servers, but also provide the highest security and detection. You get an expert team of analysts, programmers and threat hunters who work around the clock (24/7) to keep you and your employees safe from cyberattacks.
Parallel operation with third-party providers not possible so far
“Sophos Managed Threat Response” requires the MTR client, which cannot run in parallel with third-party solutions such as Microsoft, Symantec, Kaspersky, McAfee or others. The new “Managed Threat Detection” service, on the other hand, was developed specifically for parallel use with third-party providers and is thus intended to appeal to a further target group in order to get a foot in the door with the Sophos brand.
But anyone who thinks they can keep their third-party protection with Managed Threat Detection and get the same benefits without the MTR client as customers with Managed Threat Response is sadly mistaken.
Not using Sophos’s powerful MTR client understandably comes with a few limitations. The following comparison table shows which features you have to do without:
Notification as the only action step
Managed Threat Response Standard and Advanced offer a choice of three response levels:
- Notification: When the Sophos MTR team detects a threat event or attack, it will notify, but will not take action on its own. You get a report on the cause and detection with actionable steps to fix the hazard on your own.
- Collaboration: The Sophos MTR team works with your own IT team, or with an external IT firm if desired, to respond to the appropriate threats.
- Authorization: The MTR team takes care of containment and neutralization actions completely independently and only informs about the measures taken.
In Managed Threat Detection, on the other hand, only the “Notification” response option is available. This means that although you receive an alert via the Central Dashboard or also via email when a threat has been detected by the MTR team, you have to neutralize and eliminate it on your own responsibility. If it is an active threat, where every second counts, the MTR team will inform at least briefly by phone (but really only for active threats).
Sophos Rapid Response as a last resort
In the event of an active threat, Managed Threat Detection leaves you on your own to stop an attack. Unfortunately, the MTR team cannot provide support here, as the computers and servers do not have the in-house Sophos MTR client installed. This is exactly where the third-party protection software used should actually shine. If it does not, there is always the option of using the Sophos rapid response service. You will receive lightning-fast assistance from a team of Sophos experts, who will disable existing protection software on all computers and servers and install the MTR client.
Attention! Sophos Rapid Response is not part of Managed Threat Detection and must be purchased separately at a fixed price.
Sophos has created Managed Threat Detection, a service that makes the expertise of its MTR team available to customers who have not built their network security on Sophos solutions. And that makes perfect sense from a strategic point of view. Even if an IT administrator makes the decision today to equip the company network with Sophos solutions in the future, this cannot always be implemented in the short term. There may be ongoing contracts that get in the way or active licenses that have already eaten into the budget for the next 3 years.
With Managed Threat Detection, Sophos has created a kind of “add-on service” for precisely such scenarios, which can be considered in the short term to strengthen the security concept. This will make the MTR team’s threat detection resources available to a much larger audience, which is something Sophos can only gain from. The more data available for analysis, the better the algorithms can be tuned, and it makes no difference whether this data is contributed by customers using the MTR or the MTD Agent.
In principle, we would always recommend the MTR variant to all customers who want to protect their endpoints and servers with Sophos. But we also realize that this solution is not designed for every budget. However, it is better to start from the most expensive product with the highest security and work your way down, because security solutions are like insurance – you only regret having saved money when the damage has been done. 😜
For anyone else who, for whatever reason, doesn’t want to or can’t yet throw their entire infrastructure overboard, Sophos Central Managed Threat Detection for endpoints and servers is certainly a strong addition. It is absolutely recommended to have the network activities monitored by a team of experts.