What happens when you get two cybergeeks in the room to answer your most challenging questions? You'll find out when you join our cybersecurity guru, Andrew Mundell, and a featured guest each month during this new AMA series tackling a different aspect of modern cybersecurity in each session.
The first in the series focuses on threat hunting and how to see through the noise of thousands of MITRE mapped events to the signals that will help you detect and respond to an adversary.
Send us questions related to this topic today, and we'll address your current challenges head-on in a live videocast. You'll see real-world examples, review different types of threat hunts, and get answers from Sophos experts.
Speakers
Andrew Mundell, Principal Security Engineer, Sophos
Andrew focuses on threat prevention and investigation technologies. He provides security teams and CISOs from wide-ranging industries with practical, real-world advice on preventing, detecting, and responding to the latest cybersecurity threats. Prior to joining Sophos in 2008, Andrew held positions overseeing infrastructure and innovation technologies at the United Kingdom's Office of Communications and infrastructure engineering for a leading global provider of Information Services.
Karl Ackerman, Distinguished Product Manager, Sophos Endpoint Protection
Karl has over 15 years in the cybersecurity space as a software developer, architect, and product manager. Karl has a passion for security and a deep commitment to driving the criminal syndicates and nation-state actors off our networks and out of our devices. Over the years, Karl has collaborated with organizations from small businesses to national defense agencies to understand the threats these organizations face and design and build the software required to defend them from adversaries.
Webinar Details
November 16, 2021 | 7:00AM PST | Register Now
Can’t make it?
Even if you may not be able to attend any of the live sessions, be sure to still register. We will send a link to the recording following the presentation.
Q&A From the Webinar
Question | Answer |
How do you use XDR to inspect an endpoint that is suspected to be infected with malware or trojan? | The best place to start is making sure as much of the proactive prevention capabilities of Intercept X are enabled, check your policy and exclusions to be sure. Next you'd likely want to start with a couple of canned queries. "Process tree" is a great query to see everyrthign that's running right now, and it's parent and child processes. "Processes with an open network connection" is also a good start to identify if there are any unexpected network connections from interesting processes e.g. PowerShell. |
Does the Sophos Managed Threat Response (MTR) service give Sophos Central administrators access to the XDR features? | Yes, the Sophos MTR license includes access to the XDR capabilities including Live Discover, Data Lake storage, Live Response and the Detections UI shown today. |
What's the best educational material I could provide my admins to do better threat hunting? | Check out the Sophos Threat Hunting Academy, 2 seasons with tons of great content to help you understand the principles and practicalities of threat hunting with Sophos XDR. |
Are there any tools you can recommend to introduce data into Sophos XDR so I can practice threat hunting in my environment? | There's a number of useful tools to simulate active adversary activities. Check out this post on the Sophos Community about a tool called Caldera - https://community.sophos.com/intercept-x-endpoint/edr-data-lake-eap/f/discussions/126667/getting-started-installing-caldera-test-tool-and-using-live-discover-for-threat-hunting. NOTE: You will need to turn off many if not all of the proactive prevention capabilities of Intercept X on the target machine. This should only be done on non-production systems. |
I have Sophos Intercept X Advanced today for my servers and endpoints, can I trial Sophos XDR? | Yes, you should see a "Free Trials" section in the bottom left corner of Sophos Central which will let you enable a free, 30 day, fully featured, trial of XDR for servers and endpoints. |
Is there a way to suppress or acknowledge an XDR detection which we've investigated and don't need to be alerted to again? | We'll be adding this capability during the next phase of the EAP, stay tuned! |
If we have MTR, do we need to enable Data Lake uploads? Will I still see XDR Detections if I only have MTR enabled and havn't explicitly enabled Data Lake uploads? | Devices with the Sophos MTR agent will always upload to the Data Lake, and this will allow XDR detections to be created. |
Is it right that Data Lake uploads are required to see items in the Detections UI you showed? How can I make sure my systems are uploading data? | Yes, check out this great post from Jeramy Kopacko to make sure you're making the most of Sophos XDR and test the Dake Lake - https://community.sophos.com/intercept-x-endpoint/f/recommended-reads/130364/getting-started-with-sophos-xdr-data-lake-hydration. |
I can't see the Detections UI you showed, do all Sophos customers get that feature? | Sophos XDR is required to see the Detections UI and use other features like Live Discover, Live Response and ondemand device isolatoin. A free 30 trial can be enabled in Sophos Central by clicking on "Free Trials" in the bottom left corner of the dashboard. |