This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Defender for Identity Equivalent

We had some reps in to talk about moving from Sophos Intercept X XDR to Defender P2 (or the full E5 security stack).

What I really was impressed with was Microsoft Defender for Identity. We're a hybrid org with accounts in AD and synced to Azure. Their demo was impressive.

I'm just wondering what Sophos features are comparable and how they would handle this?



This thread was automatically locked due to age.
  • We don't have a direct equivalent to Defender for Identity, though Intercept X w/XDR does provide some coverage of AD and your Azure AD and MS365 environments. For example, Intercept X w/XDR can ingest MS365 audit logs and generate detections based on suspicious activity. An example is someone creating suspicious mailbox rules in a user's account (after phishing the user, for example). Said mailbox rules are frequently seen for hiding and forwarding malicious email. Another example is detecting "impossible travel," such as the same user having sessions logged in from Russia and the US at the same time. These detections generate "Cases" in the XDR UI and are assigned a priority determined by Sophos X-Ops. Similar detections may be grouped together in a single case.

    Even if you were to adopt the full P2 or E5 stack, Sophos can add value atop it via XDR or MDR. For example, the detections from Microsoft tend to be very noisy. Not every case of multiple user sessions, for example, is malicious. Our detection logic can correlate Microsoft's detections with additional telemetry (from Microsoft or our own tools) and only surface the ones that appear to be a real threat. In the case of MDR, our SOC analysts will investigate and, if needed, remediate threats.

    Microsoft does have an impressive security stack, but we find that many customers still prefer to use Sophos for some or all of their endpoint security and XDR needs. Even for seasoned experts, the complexity of Microsoft's solutions can make it challenging to maximize the technology and achieve the desired security outcomes. Some customers also question the wisdom of leveraging the infrastructure itself (Windows, MS365, etc.) to monitor and perform security for the infrastructure. As I mentioned above, it doesn't necessarily have to be all or nothing. Sophos XDR and MDR can complement and add value to Defender for Endpoint (P1 or P2). But, in our (admittedly biased) view, customers get the best experience, and the best security outcomes, using our platform for protection, detection, and response, and coupling that with secure configuration of the underlying Microsoft platforms.