Sophos MTR - 24/7 Threat Search by Experts
Sophos Central

Sophos MTR - 24/7 Threat Search by Experts

David - November 27, 2019

On 1st October Sophos launched a very promising service which I would like to introduce to you. We are talking about MTR or Managed Threat Response. This new product is the result of the two acquisitions Rook Security and DarkBytes. Rook Security is particularly represented in the service area of this offering, while DarkBytes has contributed its part of the technology with Managed Detection and Response (MDR).

What is Sophos Managed Threat Response (MTR)?

Sophos MTR is based on Intercept X Advanced with EDR and addresses the big, fat elephant in the room. 😅 If you've read my article about Endpoint Detection and Response, you know where the added value of this product lies. But many customers simply don't have the time to search for possible threats on their own. In addition, this job requires ** highly qualified and specialized professionals** with the right level of expertise. Such people are not only particularly difficult to find, but have a really high salary level. If this service is to be extended to a 24-hour service, it will consume a very large part of the budget for your IT security. As a rule, only very large corporations have the opportunity and the financial resources to create special incentives for employees.

That's where Sophos's new MTR service comes in, offering you a 24/7 service through an expert security team that takes care of threat detection in your business and can take immediate action in sensitive situations. The new MTR product is therefore not another menu item on your Central Admin Dashboard, but offers a targeted human response. Sophos highlights the independent intervention in this service. Sophos's MTR team will therefore not only inform you in the event of an attack, but will also take the necessary action on your behalf if desired. So you will have a fully managed service.

Which variations of the MTR service are available?

We will definitely include the new MTR offer in our product catalogue and will soon be able to offer it on our website. Basically the service is available in the following variants:

  1. Central Intercept X Advanced with EDR and MTR [Standard / Advanced] - This is the bundle for all customers who have not yet purchased an EDR license. So this concerns customers with e.g. "Intercept X Advanced" or only the "Endpoint Protection".
  2. Central MTR [Standard / Advanced] - This option is suitable for all customers who are already using "Intercept X Advanced with EDR" and would like to purchase MTR as an add-on.

Standard or Advanced - Where exactly are the differences?

As you can see from the two variants listed above, Sophos MTR is available in a Standard and a Advanced version. Let's take a look at what is included in the two packages:

Scope of services of the Standard version

24/7 Lead-Driven Threat Hunting

Once you have licensed Sophos MTR and gone through the onboarding process (more on this later), your Central Account will be connected to the automated system of the MTR team. Because this system is constantly learning, it can automatically respond to known threats. The Lead-Driven Threat Hunting is used when something has been detected on your system but has not been fully resolved and requires human expertise. You can imagine it a bit like the "Threat Analysis Center" in your Central Admin account. There you can see threats that have already been automatically stopped by Intercept X Advanced, as well as "suspicious objects" that have been detected but not fixed thanks to AI (artificial intelligence). In such a situation the MTR team is there for you on a 24/7 basis. An expert then takes a close look at the critical clue and uses his experience to decide what severity this particular detection has and what needs to be done. The findings and knowledge from this incident are then transferred to the automated system of the MTR team. The next time the same detection occurs in a different scenario, the system can respond automatically.

Adversarial Detections

At the same time as conducting an evidence-based threat search, the MTR team pays special attention to attacks executed through legitimate processes such as PowerShell. Such attacks are often successful because they are very difficult for monitoring tools to detect. The MTR team monitors these processes using proprietary analysis techniques to ensure that they are not misused for malicious purposes.

Activity Reporting

For the MTR team transparency towards you as customers is very important. Therefore you will get activity reports which will show you what the MTR team has done on your behalf. You'll know the current state of your systems, what insights were gathered during the reporting period, and what threats were averted. A histogram of these reports is then generated over the period of time when you use the MTR service. Sophos uses this data to create scorecards, which you can use to compare yourself with previous periods. This gives you the transparency as promised and allows you to see very quickly whether the MTR service is of any use to you.

Security Health Check

As you can see from the top three features, the MTR Service Standard is about detecting threats and preventing attacks. The Security Health Check also ensures that your Sophos Central products, such as Intercept X Advanced with EDR, are always running at maximum performance. To do this, the MTR team will look at your network requirements and make recommendations for configuration changes. So you can be sure that Central's products are perfectly suited to your business.

Scope of services of the Advanced variant

Let's take a look at which additional services are offered to you in the Advanced variant:

24/7 Leadless Threat Hunting

In addition to the Lead-Driven threat hunting in the Standard Package, the Advanced Package also includes the Leadless threat hunting. In this case, the entire expertise lies with the analysts of the MTR team, who take a close look at particularly important devices or user accounts in your company. They look at how the network communicates, whether suspicious processes are being executed, or otherwise unusual or atypical behavior can be detected. The collected data is used to predict the strategy of attackers and to identify new attack indicators (IoA). If an issue is detected, you will be assigned a dedicated response leader to help you resolve the issue completely over the phone!

Enhanced Telemetry

The standard MTR package contains the data provided by Intercept X Advanced with EDR. For improved telemetry, the Advanced version goes beyond pure endpoint event detection to include data from other Central products in the threat analysis.

Direct Call-In Support

Another advantage of the Advanced variant is direct access to the MTR analyst team, which is available 24/7. So if you have a question or would like to talk about a particular threat, you can contact the Security Operations Center (SOC) directly by phone.

Proactive Posture Improvement

In the Advanced package, the Security Health Check is taken to the next level. While the standard version makes general recommendations for the configuration of the Central products, the MTR team now also considers the business context behind the configuration settings of, for example, a policy. You'll receive assistance on how to fix configuration and architecture vulnerabilities that can adversely affect your security.

Asset Discovery

In addition to discussing critical operational procedures with you, Sophos experts will also provide you with an overview of applications in use and identify potential points of attack that may arise in the system. The MTR team uses an asset inventory to help them understand what applications are running on an endpoint and whether they are affected by open vulnerabilities. This results in valuable detailed information that is specifically tailored to your business.

What levels of support are offered by the Sophos MTR team?

Regardless of whether you choose the standard or advanced version, you retain control over how autonomously the MTR team works. This is regulated right at the beginning of the so-called Onboarding process. When you purchase the Sophos MTR service, you can choose from three options which determine what response you expect from the MTR team:

  1. Notify: If the Sophos MTR team has detected a threat or attack, it will only inform you of it at this level, but will not act on your behalf. However, you will receive a detailed report on the cause and the detection, with steps that can be taken to neutralize the threat on your own.
  2. Collaborate: The Sophos MTR team works with your employees or an external consultant to respond to the threats they face.
  3. Authorize: The MTR team takes care of containment and neutralization actions completely independently and only informs you about the measures taken.

What is the difference between Sophos MTR and its competitors, who also offer a similar service?

Sophos has named SentinelOne and CrowdStrike as two of its most competitive offerings. However, Sophos's MTR service offers a significant advantage. There has been no independent, proactive action so far. With Sophos's authorization response level described above, you no longer have to deal with long lists of error and threat messages on your own. All this can now be done on your behalf by trained Sophos specialists.

While SentinelOne and CrowdStrike also offer such services, they are only available to the highest tier which a small business cannot afford. The highest level of authorization at Sophos MTR is available to all companies, regardless of size or service level.

What systems can Sophos currently operate with this service?

The service was only put into operation on 1 October. For this reason, support is currently only offered for Windows Endpoint 32 and 64 Bit. Support for other systems such as Windows Server, Linux and Mac OS will follow at the end of November 2019. However, an exact date has not yet been announced.

Furthermore, the service is only available in English in the first phase. However, it is planned to include other languages in the repertoire. When this will happen and which languages it will be, however, has not yet been decided.

Conclusion on the Sophos Managed Threat Response Service

What I've read and heard so far about Sophos's MTR service has really convinced me! Sophos's MTR service gives small and medium-sized businesses the opportunity to afford comprehensive and professional IT security protection. The search for qualified and experienced staff is greatly reduced and you can rely on Sophos's own experts.

I also find the three different levels of support that Sophos offers to all customers in the onboarding process to be a great success. So you can decide for yourself how much control you want to give up. The "authorization level" is also absolutely unrivalled and is also available in the standard version! So you don't need to buy the more expensive advanced package if you want Sophos specialists to take care of the security of your network on their own.

If you are interested in Sophos MTR, don't hesitate to contact us. We will soon publish the different variants of the MTR service on our website, so the price won't be a secret. If you have any open questions, we would be happy to discuss them with you.

Send Your Feedback

Share your thoughts about this article, your private queries are always welcome and greatly appreciated.

Send Feedback
All information are confidential

On our blog we regularly publish articles on various topics related to Sophos. To make sure you don't miss any articles, you can subscribe to our newsletter, and once a month you will receive an email with a summary of all articles published in the last 30 days.

Knowledge base

Do you need help with a Sophos product? Then maybe our free knowledge base can help you. We try to document most support requests in an article so that we can help as many people as possible.