In this blog post, I would like to introduce you to Managed Threat Detection (MTD), which has been available for purchase since the end of July 2021. With MTD, Sophos primarily targets customers who are not (yet) ready to replace their existing third-party endpoint and server solution with the Sophos agent. For all other customers who already have a Sophos agent installed on their computers and servers and are running at least Intercept X Essentials, Managed Threat Detection is not relevant.
The Managed Threat Response (MTR) success story.
Recently, Sophos announced that Managed Threat Response (MTR) now protects more than one million devices. The Managed Threat Response Standard and Advanced products are the two most expensive options to protect computers and servers, but also offer the highest security and detection. You get an expert team of analysts, programmers, and threat hunters who work around the clock (24/7) to keep you and your employees safe from cyberattacks.
Parallel operation with third-party vendors so far not possible
“Sophos Managed Threat Response” requires the MTR client, which cannot be run in parallel with third-party solutions such as Microsoft, Symantec, Kaspersky, McAfee, or others. The new “Managed Threat Detection” service, on the other hand, was developed especially for parallel use with third-party solutions. It is intended to appeal to a further target group to get a foot in the door with the Sophos brand.
But anyone who thinks they can keep their third-party protection with Managed Threat Detection and get the same benefits without the MTR client as customers with Managed Threat Response is unfortunately wrong.
The lack of Sophos's powerful MTR client understandably brings a few limitations. The following comparison table shows which features you are missing here:
Notification as the only action step
For Managed Threat Standard and Advanced, you can choose between three levels of response:
- Notification: When the Sophos MTR team detects a threat event or attack, it will notify, but will not act on its own. You get a report on the cause and detection, with actionable steps to remediate the threat on your own.
- Collaboration: The Sophos MTR team works with your own IT team, or with an external IT company if desired, to respond to the appropriate threats.
- Authorization: The MTR team takes care of containment and neutralization actions completely independently and only informs about the measures taken.
With Managed Threat Detection, on the other hand, only the “Notification” response option is available. This means that although you receive an alert via the Central Dashboard or via email when a threat has been detected by the MTR team, you must neutralize and eliminate it on your own responsibility. If it is an active threat, where every second counts, the MTR team will at least briefly inform you by phone (but really only for active threats).
Sophos Rapid Response as a last resort
In the event of an active threat, Managed Threat Detection leaves you on your own to stop an attack. Unfortunately, the MTR team cannot provide support here, as the computers and servers do not have the in-house Sophos MTR client installed. This is beyond question where the third-party protection software used should actually shine. If it does not, there is always the option of using the Sophos Rapid Response Service. This will provide you with lightning-fast assistance from a team of Sophos experts, who will disable the existing protection software on all computers and servers and install the MTR client.
Attention! Sophos Rapid Response is not part of Managed Threat Detection and must be purchased additionally at a fixed price.
Sophos has created a service, Managed Threat Detection, that makes the expertise of its MTR team available to customers who have not built their network security on Sophos solutions. And that makes perfect sense from a strategic perspective. Even if an IT administrator makes the decision today to roll out Sophos solutions to the corporate network in the future, it can't always be done in the short term. There may be ongoing contracts that get in the way or active licenses that have already burned up the budget for the next 3 years.
With Managed Threat Detection, Sophos has created a kind of “add-on service” for exactly such scenarios, which can be considered to strengthen the security concept in the short term. It makes the MTR team's threat detection resources available to a much larger audience, which is something Sophos can only gain from. The more data available for analysis, the better the algorithms can be tuned, and it doesn't matter whether that data is contributed by customers using an MTR or MTD Agent.
In principle, we would always advise all customers who want to protect their endpoints and servers with Sophos to use the MTR version. But we also understand that this solution is not designed for every budget. However, it is better to start from the most expensive product with the highest security and work your way down because security solutions are like insurance – you only regret having saved once the damage has been done. 😜
For everyone else who, for whatever reason, doesn't want to or can't yet throw the entire infrastructure overboard, Sophos Central Managed Threat Detection for endpoints and servers is certainly a strong addition. It's strongly recommended to have a team of experts monitors network activity.