Sophos NDR is now GA; up-to-date documentation can be found at the following link: Sophos VA Console
Device Detection Analytics
- Identifies systems communicating on your network that are not managed by Sophos.
- Illuminates coverage gaps for legitimate devices.
- Detects unauthorized, potentially malicious, systems/devices.
Deep Packet Inspection
- Inspects network traffic beyond the port and protocol level.
- Detects known IOCs amongst encrypted and plain text traffic to rapidly identify threat actors and TTPs.
- Provides robust alerting capabilities integrated with over 250 protocol decoders.
- Along with content-matching, signature-based detections, the DPI engine computes:
  - JA3c+ Fingerprints (Extended JA3c)
  - Network Flow Periodicity
  - Producer Consumer Ratio
  - Destination Popularity
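To make the last three DPI analytics concrete, the following added example (not Sophos code; the field names, thresholds and flow records are all constructed assumptions) computes them over a handful of flow records and flags the combination a defender cares about: a client that talks to an unpopular destination on a fixed schedule while sending more than it receives. The exact formulas Sophos uses are not stated on this page; the ones below are common definitions.

```python
"""Network Flow Periodicity, Producer Consumer Ratio and Destination Popularity
over constructed flow records. Hypothetical example code, not Sophos NDR's
implementation; all names, thresholds and sample data are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: float        # flow start time, seconds
    src: str         # internal client address
    dst: str         # external destination address
    dport: int       # destination port
    bytes_out: int   # bytes client -> server
    bytes_in: int    # bytes server -> client


# Constructed sample: host 10.0.0.5 contacts 203.0.113.10 every 60 s with small
# uploads; three hosts fetch large downloads from 198.51.100.20 at irregular times.
FLOWS = [Flow(1000.0 + 60 * i, "10.0.0.5", "203.0.113.10", 443, 900, 120) for i in range(6)] + [
    Flow(1000.0, "10.0.0.7", "198.51.100.20", 443, 500, 40000),
    Flow(1013.0, "10.0.0.7", "198.51.100.20", 443, 600, 52000),
    Flow(1130.0, "10.0.0.7", "198.51.100.20", 443, 450, 38000),
    Flow(1400.0, "10.0.0.7", "198.51.100.20", 443, 700, 61000),
    Flow(1050.0, "10.0.0.8", "198.51.100.20", 443, 550, 47000),
    Flow(1100.0, "10.0.0.9", "198.51.100.20", 443, 520, 45000),
]


def producer_consumer_ratio(bytes_out, bytes_in):
    """PCR in [-1, 1]: +1 is a pure producer (upload), -1 a pure consumer (download)."""
    total = bytes_out + bytes_in
    return 0.0 if total == 0 else (bytes_out - bytes_in) / total


def periodicity(timestamps):
    """Coefficient of variation of the gaps between flows; 0.0 is perfectly periodic.
    Returns None when fewer than three flows (two gaps) are available."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mu = mean(gaps)
    return pstdev(gaps) / mu if mu > 0 else None


def analyse(flows):
    """Per (src, dst, dport) tuple: PCR, periodicity and how many distinct
    internal sources talk to that destination (its popularity)."""
    by_pair = defaultdict(list)
    dst_sources = defaultdict(set)
    for f in flows:
        by_pair[(f.src, f.dst, f.dport)].append(f)
        dst_sources[f.dst].add(f.src)
    results = {}
    for key, fl in by_pair.items():
        results[key] = {
            "pcr": producer_consumer_ratio(sum(f.bytes_out for f in fl), sum(f.bytes_in for f in fl)),
            "periodicity_cv": periodicity([f.ts for f in fl]),
            "dst_popularity": len(dst_sources[key[1]]),
        }
    return results


def flag_beacons(results, max_cv=0.1, min_pcr=0.5, max_popularity=2):
    """Regular, upload-heavy sessions to a destination few hosts use (thresholds are assumptions)."""
    return sorted(
        key for key, r in results.items()
        if r["periodicity_cv"] is not None
        and r["periodicity_cv"] <= max_cv
        and r["pcr"] >= min_pcr
        and r["dst_popularity"] <= max_popularity
    )


if __name__ == "__main__":
    for key, r in analyse(FLOWS).items():
        print(key, r)
    print("flagged:", flag_beacons(analyse(FLOWS)))
```

None of the three metrics is a detection on its own: a software-update client is also periodic, and a backup agent is also upload-heavy. The value comes from combining them with destination popularity and with the signature and certificate checks listed elsewhere on this page.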
Encrypted Payload Analytics
- Identifies network sessions generated by malware families based on patterns in the sizes, directions and interarrival times of the session's packets.
- Detects zero-day C2 servers and new variants of trained malware families.
- Unique pattern analytics enable Sophos NDR to detect the presence of malware families with high confidence, despite encryption.
- Patented process for transforming and presenting traffic patterns to a Convolutional Neural Network (CNN) for classification.
Domain Generation Algorithms
- Powered by a deep learning Long Short-Term Memory (LSTM) prediction model.
- Trained to detect domain names generated by algorithms.
- Malware uses DGA to evade detection and complicate takedown efforts.
- Does not require any known threat intelligence.
Session Risk Analytics
- Powerful logic engine that utilizes rules that alert on session-based risk factors.
- Risk factors do not require threat intelligence to function.
- Examples include:
  - Binary application transfer
  - Expired certificates
  - IP address hostnames
  - Malformed packets
  - Protocol on non-standard port
  - Self-signed TLS certificates
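The risk factors listed above can all be evaluated from session metadata alone, which is why they need no threat intelligence. The following added example (not Sophos code; the session record layout, rule names, expected-port table and weights are constructed assumptions) shows a small rule engine that raises five of the six factors named on this page over constructed sessions and turns them into a per-session score. Malformed-packet detection is left out because it needs a packet parser rather than metadata.

```python
"""Rule-based session risk scoring over constructed session metadata.
Hypothetical example code, not Sophos NDR's engine or rule set; the record
layout, port table, weights and sample sessions are assumptions."""
import ipaddress
from datetime import datetime, timezone

# Ports on which each detected application protocol is normally expected (assumption).
EXPECTED_PORTS = {"tls": {443, 8443}, "http": {80, 8080}, "ssh": {22}, "dns": {53}}
# MIME types that indicate an executable was transferred (assumption).
BINARY_TYPES = {"application/x-dosexec", "application/x-executable", "application/octet-stream"}
# Contribution of each risk factor to the session score (assumption).
WEIGHTS = {
    "protocol_on_nonstandard_port": 20,
    "ip_address_hostname": 15,
    "expired_certificate": 25,
    "self_signed_certificate": 25,
    "binary_application_transfer": 30,
}


def is_ip_literal(name):
    """True when the server name is an IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(name.strip("[]"))
        return True
    except ValueError:
        return False


def evaluate(session, now):
    """Return the (rule, detail) risk factors raised by one session record."""
    factors = []
    proto, port = session.get("protocol"), session["dst_port"]
    if proto in EXPECTED_PORTS and port not in EXPECTED_PORTS[proto]:
        factors.append(("protocol_on_nonstandard_port", f"{proto} on port {port}"))
    host = session.get("server_name")
    if host and is_ip_literal(host):
        factors.append(("ip_address_hostname", host))
    cert = session.get("certificate")
    if cert:
        if cert["not_after"] < now:
            factors.append(("expired_certificate", cert["not_after"].isoformat()))
        if cert["issuer"] == cert["subject"]:
            factors.append(("self_signed_certificate", cert["subject"]))
    if session.get("content_type") in BINARY_TYPES or session.get("payload_prefix", b"").startswith(b"MZ"):
        factors.append(("binary_application_transfer", session.get("content_type") or "MZ header"))
    return factors


def risk_score(factors):
    """Sum the weights of the raised rules, capped at 100."""
    return min(100, sum(WEIGHTS[rule] for rule, _ in factors))


def score_all(sessions, now):
    """Map session id -> (score, [rule names])."""
    out = {}
    for s in sessions:
        factors = evaluate(s, now)
        out[s["id"]] = (risk_score(factors), [rule for rule, _ in factors])
    return out


# Constructed observation time and sessions.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SESSIONS = [
    {"id": "s1", "dst_port": 443, "protocol": "tls", "server_name": "www.example.com",
     "certificate": {"subject": "CN=www.example.com", "issuer": "CN=Example CA",
                     "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc)}},
    {"id": "s2", "dst_port": 8081, "protocol": "tls", "server_name": "203.0.113.10",
     "certificate": {"subject": "CN=localhost", "issuer": "CN=localhost",
                     "not_after": datetime(2023, 1, 1, tzinfo=timezone.utc)}},
    {"id": "s3", "dst_port": 80, "protocol": "http", "server_name": "dl.example.net",
     "content_type": "application/x-dosexec", "payload_prefix": b"MZ\x90\x00"},
]

if __name__ == "__main__":
    for sid, (score, rules) in score_all(SESSIONS, NOW).items():
        print(sid, score, rules)
```

Because several factors stack on the same session (s2 raises four of them), a weighted score separates a genuinely odd session from the everyday self-signed certificate on an internal appliance; in practice each rule would also carry an allow-list for known internal systems.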