SMB signing required with Intercept X?

Question

We are looking at requiring smb signing on our network. The fact that Microsoft and others say to expect a 15% performance impact makes that a hard pill to swallow. My question, would the types of attacks and lateral movement exploited by not requiring smb signing be blocked by Sophos Endpoint / Intercept X? We just want to avoid taking a performance hit to protect ourselves against something we might already be protected from. I've tried searching around on this one but can't find any indication either way.

This thread was automatically locked due to age.

RichardP · Accepted Answer

Hi Ryan, 
 Since this is a signing technology what it prevents is Man in the Middle and message tampering (alteration of the message in transit). It doesn't prevent lateral movement or malicious code running on a trusted machine. So, if Machine A talks to Machine B with signing enabled you know the message sent by A is the exact message B got. However, if A is compromised and is sending malicious content in the message - it still is transmitted and signed. 
 What technologies does Intercept X offer to help here? Exploit mitigation on a machine will detect specific actions regardless of the source - so if a code cave or some other exploit is happening it triggers. For lateral movement, the Endpoint IPS element of the endpoint is specifically built to inspect incoming and outgoing packets to see if they match exploits we are protecting against - such as EternalBlue which leveraged an exploit in SMB. 
 So, in short, signing lets you know if there is and prevents tampering of data in transit but, in and of itself, does not protect against lateral movement or exploits. 
 I hope that helps.

SMB signing required with Intercept X?

Top Replies