Sophos NDR – Eliminate Network Blind Spots
In my recent articles, I wrote about Sophos Managed Detection and Response (MDR), starting with the renaming of MTR to MDR and continuing with the new, powerful add-ons for integrating third-party telemetry data.
If you have read those two articles, you will have seen why Sophos MDR is an essential service for protecting your business against network attacks and cybercrime. In reality, though, it is only the beginning.
Don’t get me wrong: with Sophos MDR, you have already done a great deal for your network security. The Sophos Agent is (hopefully) running on every computer and server, and your Sophos Firewall is connected via Synchronized Security and sends logs to the Data Lake. You have also entrusted monitoring and response to the Sophos MDR team (Sophos X-Ops), which is on guard 24/7. Bravo! 👏
Are you using a third-party firewall? No problem. Thanks to the new integrations, you can also connect devices from Palo Alto Networks, Fortinet, Check Point, Cisco, or SonicWall with the MDR Firewall add-on.
Blind Spots in Focus
Even though the combination of the firewall and Sophos Managed Detection and Response is a dream team for securing the corporate network, there are still questions that can keep a conscientious IT administrator awake at night:
- How can I protect our IoT devices, POS terminals, printers, thin clients, smart TVs, etc. where no Sophos Agent can be installed?
- How can I monitor network traffic behind our firewall?
- How can I monitor and analyze the behavior of internal users?
- How can I keep track of data movement across the network?
- How can I regularly take inventory of the assets in our network?
- How can I detect new or unauthorized systems in our network?
- How can I gain insight into the encrypted data traffic in our network?
These are all important questions, and Sophos Network Detection and Response (NDR) can answer them. NDR adds a decisive layer to your defense. The firewall controls traffic entering and leaving the corporate network, while Intercept X Advanced and the MDR service detect suspicious behavior on endpoints and servers where the Sophos Agent is installed. But what about traffic inside the environment as a whole?
Attackers do everything they can to avoid detection; defense evasion is a recognized tactic in the MITRE ATT&CK® framework. Exploits can hide from EDR solutions, for example, and attackers can disable or delete system logs. But there is one thing they cannot avoid: they have to move through the network. That is exactly what the Sophos NDR sensor records, no matter how quietly or cautiously an attacker proceeds. Every action leaves a trace.
What is Sophos NDR?
Sophos Network Detection and Response (NDR) is provided as a virtual appliance that passively monitors a copy of the network traffic it receives via a SPAN (port-mirroring) port. Everything captured through this port is analyzed in real time using the five core detection algorithms delivered with NDR.
Sophos acquired the technology behind NDR in July 2021 through the acquisition of “Braintrace.” Braintrace had developed a virtual machine that could monitor network traffic using five core algorithms and distinguish malicious activity from benign activity.
When one of these five core algorithms detects a threat, the finding is forwarded to the Sophos Data Lake, classified, and assessed. Cases are generated for the Sophos Threat Response Team to analyze and validate. Information from the NDR sensor can also be correlated with data from other sensors, such as identity, email, network, and firewall telemetry.
The five NDR core algorithms
Let’s take a closer look at the five powerful algorithms Sophos NDR provides:

Encrypted Payload Analytics (EPA)
This engine can detect malware even in encrypted traffic, where it can otherwise often remain hidden.
Domain Generation Algorithm (DGA)
This engine helps detect communication with command-and-control (C2) servers and other malicious domains, even without known threat intelligence.
Session Risk Analytics (SRA)
This engine identifies abnormal characteristics in network traffic, such as self-signed certificates or the use of non-standard ports. Together with other unexpected or suspicious activities, these characteristics indicate a high risk that should be investigated.
Data Detection Engine (DDE)
This engine is designed to help detect systems in the network that are not managed by Sophos. This helps to identify gaps in the coverage of authorized devices, as well as to detect unauthorized, potentially malicious systems or devices.
Deep Packet Inspection (DPI)
Deep Packet Inspection can be used to search the network for specific indicators of compromise. This could be communication with a command-and-control server (C2) or a suspicious IP address that has no business being in your network.
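To make the kind of analysis these engines perform more concrete, here is a small Python illustration. It is an added example written for this article, not Sophos or Braintrace code: the flow records, field names (src, dst, dport, sni, self_signed), the managed-host inventory, the IoC list and all thresholds are constructed assumptions. Four simple checks stand in for the DGA, SRA, DDE and DPI engines respectively; the encrypted payload analysis (EPA) is not modeled, since it relies on trained models that a few lines cannot reproduce.

```python
import math
from collections import Counter

# Constructed sample session records (assumed field names; not real NDR telemetry).
# Each record summarizes one session as a sensor on a SPAN port might see it.
FLOWS = [
    {"src": "10.0.1.20", "dst": "203.0.113.9",  "dport": 443,  "sni": "updates.example.com", "self_signed": False},
    {"src": "10.0.1.21", "dst": "198.51.100.7", "dport": 8443, "sni": "xk3jq9vlp2ztq8w.net", "self_signed": True},
    {"src": "10.0.1.77", "dst": "192.0.2.55",   "dport": 443,  "sni": "mail.example.org",    "self_signed": False},
    {"src": "10.0.1.22", "dst": "192.0.2.5",    "dport": 4444, "sni": "",                    "self_signed": False},
]

# Constructed inventory of hosts that carry a managed agent, and a constructed IoC list.
MANAGED_HOSTS = {"10.0.1.20", "10.0.1.21", "10.0.1.22"}
IOC_IPS = {"192.0.2.5"}

# Ports on which outbound DNS/HTTP/TLS/mail traffic is expected; anything else counts as
# "non-standard" in this illustration (an assumption, not a Sophos definition).
EXPECTED_PORTS = {53, 80, 443, 993, 995}


def shannon_entropy(text: str) -> float:
    """Shannon entropy of the string in bits per character."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_like(domain: str) -> bool:
    """DGA-style heuristic: a long, high-entropy first label with few vowels.
    Real detectors use trained models; the thresholds here are illustrative assumptions."""
    label = domain.lower().split(".")[0]
    if len(label) < 8:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= 3.3 and vowel_ratio < 0.3


def session_risk(flow: dict) -> list:
    """SRA-style check: list the abnormal characteristics of one session."""
    reasons = []
    if flow["self_signed"]:
        reasons.append("self-signed certificate")
    if flow["dport"] not in EXPECTED_PORTS:
        reasons.append(f"non-standard port {flow['dport']}")
    return reasons


def unmanaged_hosts(flows: list, managed: set) -> set:
    """DDE-style check: internal sources seen on the wire but missing from the managed inventory."""
    return {f["src"] for f in flows if f["src"] not in managed}


def ioc_hits(flows: list, iocs: set) -> list:
    """DPI-style check: sessions whose destination matches a known indicator."""
    return [f for f in flows if f["dst"] in iocs]


def analyze(flows: list) -> dict:
    """Run all checks and return the findings keyed by the engine they resemble."""
    return {
        "dga": [f["sni"] for f in flows if f["sni"] and dga_like(f["sni"])],
        "sra": {f["dst"]: session_risk(f) for f in flows if session_risk(f)},
        "dde": unmanaged_hosts(flows, MANAGED_HOSTS),
        "dpi": [f["dst"] for f in ioc_hits(flows, IOC_IPS)],
    }


if __name__ == "__main__":
    for engine, findings in analyze(FLOWS).items():
        print(f"{engine.upper()}: {findings}")
```

Run on the constructed records, the script flags the high-entropy SNI as DGA-like, reports two risk factors for the session on port 8443 and one for the session on port 4444, lists 10.0.1.77 as a host without an agent, and matches 192.0.2.5 against the IoC list. The point of the exercise is that none of these findings needs an agent on the endpoint: every one is derived purely from what passes over the wire, which is exactly the visibility a SPAN-port sensor adds.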
What is needed for Sophos NDR
Sophos NDR is currently available only as an MDR integration. This means you need an active MDR license to set up NDR. Since mid-July, XDR customers have also been able to try NDR free of charge through the Early Access Program.
As explained above, the Sophos NDR sensor (log collector) runs on a virtual machine (VM). It collects data and forwards it to the Sophos Data Lake. Sophos NDR currently supports “VMware ESXi 6.7” or newer and “Microsoft Hyper-V 6.0.6001.18016 (Windows Server 2016)” or newer.
Try out Sophos NDR
Has this blog post convinced you of the strengths and benefits of Sophos NDR, or at least made you curious? Since mid-July, customers with an MDR or XDR license have been able to register for the Sophos Early Access Program and test NDR free of charge. According to Sophos, the EAP is scheduled to run from July to November 2023.
If you are not yet using XDR or MDR licenses and would like to try Sophos NDR, you can simply order them through our online shop:
- Intercept X Advanced with XDR
- Intercept X Advanced for Server with XDR
- Managed Detection and Response Essentials
- Managed Detection and Response Complete
- Managed Detection and Response Essentials Server
- Managed Detection and Response Complete Server
The exact steps for adding NDR as an integration in Central, configuring the image, downloading it, and deploying it on the VM are described in the following Sophos guide: Set up Sophos NDR
Info Materials
Sophos Network Detection and Response (NDR) – EAP Quick Start Guide
Sophos Network Detection and Response (NDR) – Datasheet
Sophos Network Detection and Response (NDR) – Short description
