Sophos Intercept X Advanced with EDR is at the forefront of modern cybersecurity, combining strong endpoint detection with deep learning for outstanding protection against suspicious activity, unknown malware and ransomware.
With version 3.0, two breakthrough features have been implemented that will be of great help to admins in managing the daily demands and challenges of IT. These new features are already available for Windows 8, 8.1, 10 and Windows Server. Support for Linux and Mac is to follow later in the second quarter.
Note: To use the new features of Intercept X Advanced with EDR 3.0, you need access to the Early Access Program. The Early Access Program is available to anyone who has licensed either Intercept X or Intercept X for Server. If you have already signed up for the EAP “New Endpoint Protection and EDR Features”, then you don’t need to do anything else. Your devices will get the update automatically.
- Live Discover
- Live Response
Live Discover is the latest and most important feature of Sophos Intercept X Advanced with EDR 3.0. Live Discover gives you the opportunity to ask questions about security concerns on your devices. To do this, Live Discover accesses the past activity and the current state of your devices and returns the answers directly. This can be a simple query à la “How long has the device been running?”, but it can also handle much more complex queries, such as detecting variations in network communication or in the default values of individual devices within the last 30 days. You can run all these queries directly from Sophos Central. You are able to use the API fully via Central, ask questions and select the devices you want to ask them of. By using this method, you will be able to detect threats that may come your way at an early stage.
And how does it work?
With the help of Live Discover, you can ask any question you have about your servers or endpoints using SQL. You can either pick from a variety of predefined questions or edit them to provide exactly the information you want. This can then help with threat hunting or with solving IT-specific queries such as:
- How is the device performing?
- Why is my device running slowly?
- Which patch is installed on the device?
- What hardware and operating system info is available on the device?
- What data and what registry entries are present on my device? Has anything been changed on it in the last 10 days?
Besides editing an existing query, you also have the option to create a completely custom SQL query and save it in a category. There are numerous categories in Live Discover, which you can see in the screenshot below:
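As an added illustration (not a query from Sophos or from this post), this is what a custom query answering the “has anything changed in the last 10 days?” question could look like, written against the per-machine autostart (Run) keys. It assumes an osquery-style `registry` table with `key`, `path`, `name`, `type`, `data` and `mtime` columns; the actual Live Discover schema is not described on this page.

```sql
-- Added example: which registry values under the machine-wide Run/RunOnce keys
-- were written in the last 10 days? Useful for spotting newly added autostart
-- entries during a hunt.
-- ASSUMPTION: osquery-style `registry` table (key, path, name, type, data, mtime),
-- with mtime as a Unix epoch. The real Live Discover schema is not given on this page.
SELECT
    datetime(mtime, 'unixepoch') AS last_modified,   -- most recent write to the key
    path,                                            -- full path of the registry value
    name,                                            -- value name
    type,                                            -- REG_SZ, REG_EXPAND_SZ, ...
    data                                             -- command line launched at logon
FROM registry
WHERE key LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run%'
  AND mtime >= strftime('%s', 'now', '-10 days')    -- only entries changed in the last 10 days
ORDER BY mtime DESC;
```

Because each selected device evaluates the query locally, the result set is the union of every device's rows, so adding a hostname column (via the device's system information table) makes the output easier to attribute.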
Note: You can find additional support in the Sophos Community and share queries that you have written. However, a Sophos ID is required for access.
To start a query, first select the devices from which you need certain information. In the screenshot below, for example, you can see the result of a query of various operating system information:
In response to this request, Live Discover will present you, for all selected devices, the hostname, CPU manufacturer name, operating system and OS version, and more. The statistics and data are processed on each individual device that you selected for the query and then transmitted to Central. If you send a query to, say, 10,000 devices, the load will be distributed across all of them, which in turn means that the load on a single device will be minimal.
This is how the new Live Discover features help you with your tasks:
- Allows you to select multiple devices for queries
- Provides advanced features in the hunt for threats
- Helps with forensic analysis
- Provides SQL queries for more details
- Provides historical data, from the current day to 90 days in the past
- Scales to thousands of devices
- Contains details about patches, OS versions, video and storage information
- Has access to system events
- Has information about all processes, both previously running and currently running
- Provides access to view changes in the registry
- Provides information about user access
Live Response is another awesome feature of Sophos Intercept X with EDR 3.0 that you’re sure to love. It allows admins to remotely access all devices in their own environment live, from anywhere in the world. This does not mean a direct remote session with a screen image, but rather secure access to the command line, which you operate via Sophos Central in the browser. Sophos Central acts here as a terminal to control the desired device. This gives you the ability to perform detailed security-related investigations on a device or respond to a threat in real time.
And how does it work?
Before you can start the live response session, you must first make the appropriate setting in Sophos Central. However, only super admin accounts that have also authenticated themselves via 2FA are authorized to do so.
Once Live Response is enabled in the global settings, you can start a shell as a super admin for any computer or server you manage in Central. Here you can use all the commands that you could also execute physically on the machine. For example, “ipconfig” to check the IP address of the selected device, or the “reg” command to show registry keys, change them or delete them. You can also browse, view or delete files.
Note: At the moment, here too only Windows computers and Windows servers are supported. Linux and Mac support will follow later.
Sophos Central provides a secure connection to your device. You do not need to open any ports specifically for this purpose. As mentioned at the beginning, live response sessions can only be started by super admins with two-factor authentication. In addition, each live response connection is recorded in the audit log and it is possible to track at any time when a session was started and stopped.
This is what Live Response offers:
- Remote access to your devices from anywhere in the world
- Devices that are waiting for an update can be restarted
- Edit registry keys
- Search files
- Delete files
- Start programs and scripts
- Help track down and eliminate questionable activity
- Search all running processes, and terminate them at any time
- Software installation and uninstallation
- Launch Forensic Tools
- Full system access
Try Sophos Intercept X with EDR 3.0 now!
To see Live Discover and Live Response for yourself, you can simply join the EAP (Early Access Program) “New Endpoint Protection and EDR Features.” You need at least a valid license for Intercept X or Intercept X Advanced for Server.
If you don’t have a Sophos Central account yet, you can create one on the Sophos website and try all the features, including “Sophos Intercept X with EDR 3.0”, for free for 30 days.
If you have a Sophos Central account and the 30-day trial period has already expired, you can order either a license for “Sophos Intercept X” or “Intercept X Advanced for Server” via our website and then benefit from the EAP: