In this blog post, I would like to introduce Managed Threat Detection (MTD) for endpoints and servers, which has been available for purchase since the end of July 2021. With MTD, Sophos primarily targets customers who are not (yet) ready to replace their existing third-party endpoint and server protection with the Sophos agent. For all other customers who already have a Sophos agent installed on their computers and servers and are running at least Intercept X Essentials, Managed Threat Detection is not relevant.
The Managed Threat Response (MTR) Success Story
Just recently, Sophos announced that Managed Threat Response (MTR) now protects more than one million devices. The products Managed Threat Response Standard and Advanced are the two most expensive options for protecting computers and servers, but they also provide the highest level of security and detection. You get an expert team of analysts, programmers and threat hunters who work around the clock (24/7) to keep you and your employees safe from cyberattacks.
Parallel operation with third-party providers not possible until now
“Sophos Managed Threat Response” requires the MTR client, which cannot run in parallel with third-party solutions such as Microsoft, Symantec, Kaspersky, McAfee or others. The new “Managed Threat Detection” service, on the other hand, was developed specifically for parallel use alongside third-party providers and is thus intended to appeal to an additional target group, getting the Sophos brand a foot in the door.
But anyone who thinks they can keep their third-party protection with Managed Threat Detection and, without the MTR client, get the same benefits as customers with Managed Threat Response is sadly mistaken.
The absence of Sophos’s powerful MTR client understandably brings a few limitations with it. The following comparison table shows which features you have to do without:
Notification as the only action step
Managed Threat Response Standard and Advanced offer a choice of three response levels:
- Notification: When the Sophos MTR team detects a threat event or attack, it notifies you but does not take action on its own. You receive a report on the cause and the detection, with actionable steps for remediating the threat yourself.
- Collaboration: The Sophos MTR team works together with your own IT team, or with an external IT firm if desired, to respond to the threats in question.
- Authorization: The MTR team carries out containment and neutralization actions completely independently and only informs you afterwards about the measures taken.
With Managed Threat Detection, on the other hand, only the “notification” response option is available. This means that although you receive an alert via the Central Dashboard or by e-mail when the MTR team has detected a threat, neutralizing and eliminating it is your own responsibility. If it is an active threat, where every second counts, the MTR team will at least briefly inform you by phone (but really only for active threats).
Sophos Rapid Response as a last resort
In the event of an active threat, Managed Threat Detection leaves you on your own to stop the attack. Unfortunately, the MTR team cannot provide support here, since Sophos’s own MTR client is not installed on the computers and servers. This is exactly where the third-party protection software in use should prove itself. If it does not, there is always the option of using the Sophos Rapid Response service. You receive lightning-fast assistance from a team of Sophos experts, who disable the existing protection software on all computers and servers and install the MTR client.
Attention! Sophos Rapid Response is not part of Managed Threat Detection and must be purchased separately at a fixed price.
With Managed Threat Detection, Sophos has created a service that makes the expertise of its MTR team available to customers who have not built their network security on Sophos solutions. That makes perfect sense from a strategic perspective. Even if an IT administrator decides today to equip the corporate network with Sophos solutions in the future, this cannot always be implemented in the short term. There may be ongoing contracts that get in the way, or active licenses that have already eaten into the budget for the next three years.
For precisely such scenarios, Sophos has created a kind of “add-on service” with Managed Threat Detection, which can be considered in the short term to strengthen the security concept. The MTR team’s threat detection resources are thereby made available to a much larger target group, from which Sophos can only gain: the more data available for analysis, the better the detection algorithms can be tuned, and it does not matter whether that data comes from customers using the MTR or the MTD agent.
In principle, we would always recommend the MTR variant to all customers who want to protect their endpoints and servers with Sophos. But we also realize that this solution is not designed for every budget. Still, it is better to start from the most expensive product with the highest level of security and work your way down, because security solutions are like insurance – you only regret having saved money once the damage has been done. 😜
For anyone else who, for whatever reason, doesn’t want to or can’t yet throw their entire infrastructure overboard, Sophos Central Managed Threat Detection for endpoints and servers is certainly a strong addition. Having a team of experts monitor network activity is highly recommended.