The best just got better. Sophos is pleased to announce that the Intercept X Advanced with EDR Early Access Program is now open.  The new Endpoint Detection and Response (EDR) capabilities allow you to take charge of security incidents by answering the tough questions about an event, investigate with deep expertise, and respond with a click of a button.  The EAP is open to Central Endpoint Protection Intercept X customers, as well as trialists.

 

The key new capabilities being delivered in the Early Access Program are outlined below.

 

Enhanced and Enriched Threat Cases (Formerly Root Cause Analysis)

We’ve been hard at work overhauling Root Cause Analysis (RCA) and implementing a number of additional features to make it easier for admins to conduct deeper investigations.  With this new functionality comes a new name – “threat cases”.  In addition to automatically identifying the root cause or sequence of events that led to a  potential malicious file, we will display more intelligence to aid in investigating, and will provide suggested next steps.

 

 

On-demand threat intelligence curated by SophosLabs:

Request the latest Sophos Threat intelligence on a highlighted processes from within the threat cases view (formerly RCA).  The file will be submitted from the endpoint in question to SophosLabs for a detailed analysis. Feedback highlighting suspicious behaviors, such as attempting to install itself for automatic startup in the Windows registry or attempting to download an executable file, will be provided within minutes.

 

Cross Estate Threat Searching:

With the new EDR version of Intercept X you can now search for file names or SHA-256 hashes to identify which endpoints have seen suspect files. Searches can also be run on processes from within an existing threat case. Note that Sophos Central will only store details on portable executable files that have a bad or uncertain reputation and therefore will only return results on those files where a query is matched.

 

Export Forensic Data:

For admins looking to do more detailed investigations, The SDR Exporter is a new utility we will provide which can convert the Sophos Data Recorder snapshots on an endpoint into formats where advanced queries can be run. This is ideal for forensic deep dives and unleashing the power behind threat data.

 

Clean and Block With the Click of a Button: 

A new “clean and block” action is available which will add the hash of suspect files to a blocked item list which will be distributed to the endpoints.  The clean and block action will only apply to portable executable files that don’t have a good Sophos reputation.  If files matching the hash are identified on endpoints Sophos will clean the suspected bad file and any associated artifacts, and prevent execution on any further endpoints.

 

Endpoint Isolation:

 

In the event potential undetected threats have been identified, new incident response capabilities can be applied to help contain the threat. Admin led isolation can restrict the TCP and UDP network connectivity of an endpoint.  A new self-isolation capability has also been introduced to allow an endpoint to automatically isolate in the event its health status goes red. 

 

Coming Soon:

As the Early Access Program continues we will aim to introduce additional new capabilities such as further enhancing threat intelligence feedback when submitting to SophosLabs to leverage a variety of new machine learning technologies. 

 

How do I join?

Click here to view a presentation walking through the EAP registration process

 

Technical requirement

Due to a change in how the endpoint agent monitors and then logs system changes, Sophos recommends that endpoints enrolled in the EDR Early Access Program have a minimum of 15GB of free hard disk space available.

 

A known issues document, an EAP overview video, an EAP demo video and other collateral related to the new features are available on the Intercept X Early Access Program community landing page:

https://community.sophos.com/products/intercept/early-access-preview/

 

Please use the Endpoint Detection and Response forum for asking questions, highlighting issues, or sharing feedback:

https://community.sophos.com/products/intercept/early-access-preview/f/endpoint-detection-and-response