Sophos NDR is now GA; up-to-date documentation can be found at the following link: Sophos VA Console
Sophos Network Detection and Response
Every second counts when an adversary is in your environment. Yet all too often defenders are slowed down by limited visibility and a lack of insight. And this becomes even more complicated when security tools don’t work well together.
The most comprehensive data drives the most accurate detection strategy
All organizations benefit from a more holistic approach to threat detection and response, and from better and faster ways to collect and correlate an ever-growing volume and variety of data. Sophos detection and response solutions perform investigations and threat hunts across a wide variety of network data. The deeper the visibility and context, the more precise and faster the investigation into threat activity; combined with other security telemetry, network data paints a more complete and accurate picture of the entire attack path and its progression, enabling an accurate, comprehensive response.
As a stand-alone component of Sophos MDR, the Sophos Network Detection and Response (NDR) virtual appliance monitors network traffic to identify suspicious network flows. The resulting alerts are sent to the Sophos data lake, where they are evaluated and assigned a risk score; detections and cases are generated automatically for the Sophos threat response team to investigate and validate. An NDR alert can trigger an investigation into the internal host's connections to network servers, its other network connections, and endpoint activity related to the detection. Detections can also enrich other threat-hunt investigations of endpoint activity, for example by determining which other devices an endpoint communicated with around the time of an escalated detection.
Ingest and Inspect Network Traffic Right off the Wire
Network analytics provide critical insights that let organizations detect stealthy threats; combined with endpoint and other security data, they raise confidence in alerts.
Table 1: Sophos NDR Features

| Detection Engine | Description |
| --- | --- |
| Encrypted Payload Analytics (EPA) | Detect the presence of malware, even within encrypted traffic where it can often remain hidden. |
| Domain Generation Algorithms (DGA) | Detect communications with command-and-control servers (C2s) and other malicious domains that were spun up specifically to evade detection, without requiring any known threat intel. |
| Deep Packet Inspection (DPI) | Detect known indicators of compromise (IOCs) in encrypted and plain-text traffic to rapidly identify threat actors and their TTPs. |
| Session Risk Analytics (SRA) | Identify abnormal traffic characteristics, such as self-signed certificates or the use of non-standard ports, that when seen together with other unexpected or suspicious activity may indicate high-risk activity worth investigating. |
| Device Detection Analytics (DDA) | Identify systems communicating on your network that are not managed by Sophos, both to find coverage gaps for legitimate devices and to detect unauthorized, potentially malicious, systems and devices. |
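To make the engine descriptions in the table concrete, here is an added example (not Sophos code, and not a description of how Sophos NDR actually scores traffic) that runs simple versions of three of these ideas over a handful of constructed TLS session records: an entropy and digit-ratio check for DGA-like hostnames that needs no threat-intel lookup, a session-risk score that combines individually weak signals such as self-signed certificates, non-standard ports and a missing SNI, and a device-discovery step that lists source hosts absent from a constructed managed-endpoint inventory. The flow records, the inventory, the thresholds and the weights are all assumptions made for illustration.

```python
from __future__ import annotations

import math
from collections import Counter

# Constructed sample flow records (not real telemetry). Each is one observed
# TLS session: source host, destination, port, SNI hostname, and whether the
# server certificate failed to chain to a trusted CA.
FLOWS = [
    {"src": "10.0.1.10", "dst": "93.184.216.34", "dport": 443,
     "sni": "www.example.com", "self_signed": False},
    {"src": "10.0.1.10", "dst": "198.51.100.7", "dport": 443,
     "sni": "xk3q9vz7lp2wd8ht.com", "self_signed": True},
    {"src": "10.0.1.22", "dst": "203.0.113.5", "dport": 8443,
     "sni": "update.microsoft.com", "self_signed": False},
    {"src": "10.0.1.22", "dst": "203.0.113.44", "dport": 443,
     "sni": "intranet.example", "self_signed": True},
    {"src": "10.0.1.57", "dst": "203.0.113.9", "dport": 4444,
     "sni": "", "self_signed": True},
]

# Constructed inventory of internal hosts that have an endpoint agent.
MANAGED_HOSTS = {"10.0.1.10", "10.0.1.22"}

# Ports on which TLS is expected in this example; anything else is "non-standard".
EXPECTED_TLS_PORTS = {443, 8443}


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registrable_label(hostname: str) -> str:
    """Second-level label of a hostname. Naive on purpose: it ignores
    multi-part suffixes such as .co.uk, which a real engine would handle
    with a public-suffix list."""
    parts = hostname.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_dga_like(hostname: str) -> bool:
    """Heuristic DGA check: algorithmically generated labels tend to be long,
    high-entropy and digit-heavy. Thresholds are illustrative assumptions."""
    label = registrable_label(hostname)
    if len(label) < 8:
        return False
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) >= 3.5 or digit_ratio > 0.3


def session_risk(flow: dict) -> tuple[int, list[str]]:
    """Score one session from weak signals that are individually benign but
    suspicious in combination (the SRA idea). Weights are illustrative."""
    score, reasons = 0, []
    sni = flow.get("sni", "")
    if sni and is_dga_like(sni):
        score, reasons = score + 3, reasons + ["dga-like-sni"]
    if flow.get("self_signed"):
        score, reasons = score + 2, reasons + ["self-signed-cert"]
    if flow["dport"] not in EXPECTED_TLS_PORTS:
        score, reasons = score + 2, reasons + ["non-standard-port"]
    if not sni:
        score, reasons = score + 1, reasons + ["no-sni"]
    return score, reasons


def risk_level(score: int) -> str:
    return "high" if score >= 4 else "medium" if score >= 2 else "low"


def unmanaged_hosts(flows: list[dict], managed: set[str]) -> list[str]:
    """Device-discovery step (the DDA idea): internal sources seen on the wire
    that are not in the managed-endpoint inventory, i.e. a coverage gap or a
    rogue asset."""
    return sorted({f["src"] for f in flows} - set(managed))


def triage(flows: list[dict], managed: set[str]) -> list[dict]:
    """Return every session scoring >= 2, highest risk first, tagging sessions
    from unmanaged hosts so an analyst can pivot on them."""
    unmanaged = set(unmanaged_hosts(flows, managed))
    findings = []
    for f in flows:
        score, reasons = session_risk(f)
        if score < 2:
            continue
        findings.append({"src": f["src"], "dst": f["dst"], "score": score,
                         "level": risk_level(score), "reasons": reasons,
                         "unmanaged_src": f["src"] in unmanaged})
    return sorted(findings, key=lambda x: -x["score"])


if __name__ == "__main__":
    print("unmanaged hosts:", unmanaged_hosts(FLOWS, MANAGED_HOSTS))
    for finding in triage(FLOWS, MANAGED_HOSTS):
        print(finding)
```

Running the script flags the session to the random-looking domain over a self-signed certificate and the SNI-less session to port 4444 from an unmanaged host as high risk, while the self-signed certificate on the intranet host alone lands at medium; the point is that no single indicator decides, and that the unmanaged-host list gives the analyst a pivot the endpoint agent cannot supply.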
NDR Use Cases
Network telemetry is important in a variety of security use cases:
- Unprotected Devices – Protection for devices that cannot support endpoint sensors, such as POS systems, legacy operating systems, and IoT and OT devices
- Rogue Assets – Monitoring for unknown or unmanaged devices through network device discovery
- Novel Threats – Immediate visibility of seemingly normal activity, such as slow-moving data uploads during a remote session
- Insider Threats – Awareness of network traffic sent to offsite locations during off hours
Sophos NDR is delivered as a virtual appliance; once deployed, it automatically authenticates with Sophos Central and starts sending data. NDR sensor status is viewable in the Sophos Central management console, and detections appear in the Sophos Central console under Threat Analysis Center, in the Detections list.
Learn more about Sophos MDR and Network Detection and Response on the community forum. https://community.sophos.com/mdr-community-channel/mdr-integrations-eap/w/ndr_wiki