Sophos MTR – 24/7 threat hunting by experts
On October 1, Sophos launched a promising service that I’d like to introduce to you in a little more detail. We are talking about MTR, or Managed Threat Response. This new product is the result of the two acquisitions Rook Security and DarkBytes. Rook Security is particularly present in the services part of this offering, while DarkBytes with Managed Detection and Response (MDR), has contributed its part of the technology.
What is Sophos Managed Threat Response (MTR)?
Sophos MTR is based on Intercept X Advanced with EDR and addresses the big, fat elephant in the room. 😅 Those who have already read my article on Endpoint Detection and Response know where the added value of this product lies. But many customers simply don’t have the time to go out and find potential threats on their own. Add to that the fact that this job requires highly qualified and specialized personnel who have the right level of expertise. Such people are not only particularly hard to find, but have a really high salary level. If this service is to be extended to a 24-hour service, this eats up a very large part of the capital for your IT security. As a rule, only very large corporations have the opportunity and also the financial resources to create special incentives for employees here.
That’s where Sophos’s new MTR service comes in, offering you 24/7 service in the form of an elite security team that can take care of threat detection in your organization and intervene immediately in tricky situations. So the new MTR product is not another menu item in your Central Admin dashboard, but provides targeted human response. Sophos particularly emphasizes independent intervention in this service. So, in the event of an attack, Sophos’s MTR team will not only inform you about it, but will also take the necessary action on your behalf if requested. So you get a “fully-managed service”.
What are the variants of the MTR service?
We will definitely include the new MTR offer in our product catalog and will soon be able to offer it via our website. Basically, the service is available in the following variants:
- Central Intercept X Advanced with EDR and MTR [Standard / Advanced] – This is the bundle for all customers who have not yet purchased an EDR license. This therefore affects customers with, for example, “Intercept X Advanced” or only “Endpoint Protection”.
- Central MTR [Standard / Advanced] – This variant is suitable for all customers who already use “Intercept X Advanced with EDR” and would like to purchase MTR as an add-on.
Standard or Advanced – Where exactly are the differences?
As you can already see from the two variants listed above, Sophos MTR is offered in a standard and an advanced variant. Let’s take a look at what services are included in the two packages:
Scope of services of the standard variant
24/7 circumstantial threat hunting
Once you have licensed Sophos MTR and gone through the onboarding process (more on that later), your Central Account will be connected to the MTR team’s automated system. Since this system is constantly learning, it can automatically respond to known threats. The circumstantial threat scan comes into play when something has been detected on your system, but it could not be fully fixed and requires human expertise. You can think of it a bit like the “Threat Analysis Center” in your Central Admin account. There you can see threats that have already been stopped automatically by Intercept X Advanced on the one hand, and on the other hand “suspicious objects” that could be detected thanks to AI (artificial intelligence) but could not be fixed. In such a situation, the MTR team is there for you on a 24/7 basis. An expert then takes a close look at the critical indication and uses his or her experience to decide the severity of that particular detection and what needs to be done. The findings and knowledge from this incident are subsequently transferred to the MTR team’s automated system. The next time the same detection occurs in a different scenario, the system can automatically respond.
Attack detection
At the same time as the circumstantial threat hunting, the MTR team pays special attention to attacks executed through legitimate processes, such as PowerShell. Such attacks are very often successful because they are very difficult for monitoring tools to detect. The MTR team uses proprietary analytics to monitor these processes to ensure they are not being misused for malicious purposes.
Activity Reports
Transparency to you, the customer, is very important to the MTR team. Therefore, you will receive activity reports showing you all that the MTR team has done on your behalf. You will learn the current status of your systems, what intelligence was gathered during the reporting period, and what threats were averted. A histogram of these reports is then created over the period of time that you use the MTR service. With the help of this data, Sophos creates so-called “scorecards” for you, which you can use to compare yourself to previous periods. This will give you the promised transparency and you will see very quickly whether the MTR service is of any use to you.
Security Health Check
As you can see from the top three services, the MTR service standard is about detecting threats and preventing attacks. But the Security Health Check also ensures that your Sophos Central products, such as Intercept X Advanced with EDR, can always operate at maximum performance. To do this, the MTR team looks at your network requirements and makes recommendations for configuration changes. So you can be sure that Central products will be perfectly tailored to your business.
Scope of services of the Advanced variant
Let’s take a look at what additional services are offered to you in the Advanced variant:
24/7 circumstantial threat search
In addition to the evidence-based threat search in the Standard package, the Advanced variant also includes the evidence-free threat search. Here, the expertise lies entirely with the analysts of the MTR team, who take a close look at particularly important devices or user accounts in your company. They look at how people communicate on the network, whether any suspicious processes are running, or any other unusual or atypical behavior can be detected. The collected data is used to try to predict attackers’ strategy and identify new indicators of attack (IoA). When an incident is detected, you will be assigned a dedicated response leader who will be on the phone to assist you with the complete resolution of the issue!
Optimized telemetry data
MTR’s standard package includes the data provided by Intercept X Advanced with EDR. For enhanced telemetry, the Advanced version goes beyond just detecting events at the endpoint and includes data from other Central products in the threat analysis.
Direct telephone support
Another advantage of the Advanced variant is a direct access to the MTR analyst team, which is available for you 24/7. So if you have a question or want to talk about a specific threat case, for example, you can contact the Security Operations Center (SOC) directly by phone.
Proactive improvement of the security status
The Advanced package takes the Security Health Check to the next level. While the standard variant makes general recommendations for the configuration of Central products, the MTR team now also takes into account the business context behind the configuration settings of, for example, a policy. You’ll get help fixing configuration and architecture vulnerabilities that negatively impact your security.
Asset Recognition
Sophos specialists will not only discuss critical operations with you, but will also gain an overview of applications in use and identify potential points of attack that may arise in the system as a result. In doing so, the MTR team considers what they call an “asset inventory” that helps them understand which applications are running on an endpoint and whether they are affected by open vulnerabilities. This results in valuable detailed information specific to your business.
What levels of support are offered by the Sophos MTR team?
Regardless of whether you choose the Standard or Advanced variant, you retain control over how autonomously you want the MTR team to operate. This is regulated right at the beginning in the so-called onboarding process. When you purchase the Sophos MTR service, you can choose from three options that determine what response you expect from the MTR team:
- Notification: At this level, if the Sophos MTR team has detected a threat or attack, it will only notify you about it, but will not act on your behalf independently. However, you will get a detailed report about the cause and detection with actionable steps to fix the threat on your own.
- Collaboration: The Sophos MTR team works with your employees or even an external consulting firm to respond to the appropriate threats.
- Authorization: Here, the MTR team takes care of containment and neutralization actions completely independently and only informs you about the measures taken.
What differentiates Sophos MTR from competitors who also offer such a similar service?
Sophos mentions two competitors, SentinelOne and CrowdStrike, which are among the toughest competitors in terms of offering. However, Sophos’s MTR service offers a key advantage. Independent action, and proactive action at that, has not yet existed. With the Authorization response level listed above, Sophos no longer requires you to independently work through long lists of error and threat messages. All of this can now be handled on your behalf by trained specialists from Sophos.
While SentinelOne and CrowdStrike also offer such a service, it is only for the highest level of service, which a small business cannot afford. The highest authorization level in Sophos MTR, on the other hand, can be used by all companies, regardless of size or the service level booked.
What systems can Sophos currently serve with this service?
The service only became operational on October 1. For this reason, support is currently only offered for Windows Endpoint 32 and 64 bit. Support for other systems, such as Windows Server, Linux and Mac OS, is expected to follow in late November 2019. However, an exact date has not yet been named.
Furthermore, the service is only available in English in the first phase. However, there are plans to add other languages to the repertoire. However, it is not yet clear when this will happen and which languages will be used.
Conclusion on the Sophos Managed Threat Response Service
What I have read and heard so far about Sophos’s MTR service has really convinced me! This service from Sophos also gives small and medium-sized businesses the opportunity to afford comprehensive and professional IT security protection. This greatly reduces the need to search for qualified and experienced personnel and allows you to rely on the experts at Sophos itself.
I also really like the three different levels of support that Sophos gives all customers to choose from during the onboarding process. So you can decide completely for yourself how much control you want to give up. Absolutely unrivaled is also the offer of the “Authorization Level”, which is also available in the standard variant! So you don’t need to buy the more expensive Advanced package if you want Sophos specialists to take care of your network security completely independently.
If you are now interested in Sophos MTR, do not hesitate to contact us. We will also soon publish the different variants of the MTR service on our website, which will then also make the price no longer a secret. We will also be happy to clarify any open questions in a personal meeting.
