Managed Threat Response – Artificial Intelligence Mixed with Human Expertise
With Sophos Central Intercept X Advanced for servers with XDR and MTR, you can achieve the highest level of security Sophos can currently offer to protect your servers (Windows Server 2008 R2+). In this bundle you get all the features of Intercept X Advanced for Server with XDR and the MTR service introduced in October 2019.
Try Sophos Central for free!
Create a free Sophos Central account now and try all products, including Central Intercept X Advanced for servers with XDR and MTR Advanced, without obligation for 30 days. If you are convinced of the solution after your test period, you can easily order the licenses from us.
Active threat response by a team of experts – 24/7
With the MTR service, Sophos has done a huge favor for all the people who would have loved to buy Intercept X Advanced for servers with XDR, but simply didn’t have the resources to really get the potential out of XDR. It takes highly skilled and specialized personnel to use XDR to scan the network for potential threats and take the correct steps when an attack occurs.
With Sophos MTR, you no longer need to go out and find trained personnel yourself. Sophos provides you with a team of threat experts who work 24/7 to combat threats.
Sophos MTR: Standard
24/7 circumstantial threat hunting
If something has been detected on your system that could not be fixed automatically and requires human expertise, the MTR team is there for you on a 24/7 basis. An expert then takes a close look at the critical alert and uses their experience to decide what needs to be done.
Attack detection
The MTR team pays special attention to attacks that are executed through legitimate processes, such as PowerShell. Such attacks are very often successful because they are very difficult for monitoring tools to detect. The MTR team uses proprietary analytics to monitor these processes to ensure they are not being misused for malicious purposes.
Security Health Check
The Security Health Check ensures that your Sophos Central products, such as Intercept X Advanced with XDR, can always operate at maximum performance. To do this, the MTR team looks at your network requirements and makes recommendations for configuration changes.
Activity Reports
You’ll learn the current state of your systems, what intelligence was gathered during the reporting period, and what threats were averted. Over the period in which you use the MTR service, a history of these reports is built up. With the help of this data, Sophos creates so-called “scorecards” for you, which you can use to compare yourself to previous periods.
Sophos MTR: Advanced
24/7 circumstantial threat hunting
MTR team analysts take a close look at the most critical devices or user accounts in your organization. They look at how people communicate on the network, whether any suspicious processes are running, or whether any other unusual or atypical behavior can be detected. The collected data is used to try to predict attackers’ strategy and identify new indicators of attack (IoA).
Dedicated contact person
When an incident is identified, you’ll be assigned a dedicated response leader who will be on the phone to assist you with the complete resolution of the issue!
Direct telephone support
Another advantage of the Advanced variant is direct access to the MTR analyst team, which is available 24/7 for your team. So if you have a question or want to talk about a specific threat case, for example, you can contact the Security Operations Center (SOC) directly by phone.
Optimized telemetry data
For enhanced telemetry, the Advanced version goes beyond just detecting events at the endpoint and includes data from other Central products in the threat analysis.
Proactive improvement of the security status
The Advanced package takes the Security Health Check to the next level. While the standard variant makes general recommendations for the configuration of Central products, the MTR team now also takes into account the business context behind the configuration settings of, for example, a policy. You’ll get help fixing configuration and architecture vulnerabilities that negatively impact your security.
Asset Recognition
Sophos experts will not only discuss critical operations with you, but will also gain an overview of applications in use and identify potential points of attack that may arise in the system as a result. In doing so, the MTR team considers what they call an “asset inventory” that helps them understand which applications are running on an endpoint and whether they are affected by open vulnerabilities. This yields valuable detailed information specific to your business.
Onboarding process with maximum control and transparency
Regardless of whether you choose the Standard or Advanced variant, you retain control over how autonomously you want the MTR team to operate. This is regulated right at the beginning in the so-called onboarding process. When you purchase the Sophos MTR service, you can choose from three options that determine what response you expect from the MTR team:
Notification
At this level, if the Sophos MTR team has detected a threat or attack, it will only inform you about it, but will not take action on your behalf. However, you will get a detailed report about the cause and detection with actionable steps to fix the threat manually.
Cooperation
The Sophos MTR team works with your team, or even an external consultancy, to respond to the respective threats.
Authorization
Here, the MTR team takes care of containment and neutralization actions completely independently and only informs you about the measures taken.
Technical specifications
Feature | Intercept X Advanced for Server | Intercept X Advanced for Server with EDR | Intercept X Advanced for servers with XDR¹ | Intercept X Advanced for servers with MTR Standard | Intercept X Advanced for servers with MTR Advanced |
---|---|---|---|---|---|
Web Security | ✔ | ✔ | ✔ | ✔ | ✔ |
Download reputation | ✔ | ✔ | ✔ | ✔ | ✔ |
Web Control/Category-based URL Blocking | ✔ | ✔ | ✔ | ✔ | ✔ |
Peripheral control | ✔ | ✔ | ✔ | ✔ | ✔ |
Application Control | ✔ | ✔ | ✔ | ✔ | ✔ |
Application Whitelisting (Server Lockdown) | ✔ | ✔ | ✔ | ✔ | ✔ |
"Deep Learning" malware detection | ✔ | ✔ | ✔ | ✔ | ✔ |
Anti-malware file scans | ✔ | ✔ | ✔ | ✔ | ✔ |
Live Protection | ✔ | ✔ | ✔ | ✔ | ✔ |
Behavioral analysis before execution (HIPS) | ✔ | ✔ | ✔ | ✔ | ✔ |
Blocking potentially unwanted applications (PUAs) | ✔ | ✔ | ✔ | ✔ | ✔ |
Intrusion Prevention System | ✔ | ✔ | ✔ | ✔ | ✔ |
Data Loss Prevention | ✔ | ✔ | ✔ | ✔ | ✔ |
Runtime behavior analysis (HIPS) | ✔ | ✔ | ✔ | ✔ | ✔ |
Antimalware Scan Interface (AMSI) | ✔ | ✔ | ✔ | ✔ | ✔ |
Malicious Traffic Detection (MTD) | ✔ | ✔ | ✔ | ✔ | ✔ |
Exploit Prevention (see PDF) | ✔ | ✔ | ✔ | ✔ | ✔ |
Active Adversary Mitigations (see PDF) | ✔ | ✔ | ✔ | ✔ | ✔ |
Ransomware File Protection (CryptoGuard) | ✔ | ✔ | ✔ | ✔ | ✔ |
Disk and Boot Record Protection (WipeGuard) | ✔ | ✔ | ✔ | ✔ | ✔ |
Man-in-the-Browser Protection (Safe Browsing) | ✔ | ✔ | ✔ | ✔ | ✔ |
Enhanced Application Lockdown | ✔ | ✔ | ✔ | ✔ | ✔ |
Live Discover (cross-environment SQL queries for threat hunting and security compliance) | - | ✔ | ✔ | ✔ | ✔ |
SQL query library (pre-formulated, customizable queries) | - | ✔ | ✔ | ✔ | ✔ |
Suspicious event detection and prioritization | - | ✔ | ✔ | ✔ | ✔ |
Data storage on hard disk (up to 90 days) with fast data access | - | ✔ | ✔ | ✔ | ✔ |
Cross-product data sources (e.g. firewall, e-mail) | - | - | ✔ | - | see PDF |
Cross-product queries | - | - | ✔ | - | see PDF |
Sophos Data Lake (cloud data storage) | - | 7 days | 30 days | see PDF | see PDF |
Scheduled queries | - | ✔ | ✔ | ✔ | ✔ |
Threat cases (root cause analysis) | ✔ | ✔ | ✔ | ✔ | ✔ |
Deep Learning Malware Analysis | - | ✔ | ✔ | ✔ | ✔ |
Advanced threat data from SophosLabs on demand | - | ✔ | ✔ | ✔ | ✔ |
Export of forensic data | - | ✔ | ✔ | ✔ | ✔ |
Automated malware removal | ✔ | ✔ | ✔ | ✔ | ✔ |
Synchronized Security Heartbeat | ✔ | ✔ | ✔ | ✔ | ✔ |
Sophos Clean | ✔ | ✔ | ✔ | ✔ | ✔ |
Remote terminal access (remote analysis and response) | - | ✔ | ✔ | ✔ | ✔ |
On-demand server isolation | - | ✔ | ✔ | ✔ | ✔ |
One-click "Remove and block" | - | ✔ | ✔ | ✔ | ✔ |
Cloud Workload Protection (Amazon Web Services, Microsoft Azure, Google Cloud Platform) | ✔ | ✔ | ✔ | ✔ | ✔ |
Synchronized Application Control (visibility into applications) | ✔ | ✔ | ✔ | ✔ | ✔ |
Managing your security status in the Cloud (Monitor and protect cloud hosts, serverless functions, S3 buckets etc.) | ✔ | ✔ | ✔ | ✔ | ✔ |
Server-specific policy management | ✔ | ✔ | ✔ | ✔ | ✔ |
Update cache and message relay | ✔ | ✔ | ✔ | ✔ | ✔ |
Automatic scan exceptions | ✔ | ✔ | ✔ | ✔ | ✔ |
File Integrity Monitoring | ✔ | ✔ | ✔ | ✔ | ✔ |
24/7 evidence-based threat hunting | - | - | - | ✔ | ✔ |
Security Health Checks | - | - | - | ✔ | ✔ |
Data storage | - | - | - | ✔ | ✔ |
Activity Reports | - | - | - | ✔ | ✔ |
Attack detection | - | - | - | ✔ | ✔ |