Sophos, a popular next generation cybersecurity company has unveiled an updated version of its Endpoint Detection and Response (EDR), the first solution designed for both security analysts and IT administrators.
Significant advancements and new capabilities make it faster and easier than ever before for security analysts to identify and neutralise evasive threats, and for IT administrators to proactively maintain secure IT operations to reduce risk.
Sophos also published new research, “An Insider View into the Increasingly Complex Kingminer Botnet,” underscoring the use of servers in carrying out attacks and the importance of threat intelligence in detecting such activity. The opportunistic Kingminer botnet attempts to gain server access by brute-forcing login credentials, and Sophos now finds that it’s using the infamous Eternalblue exploit in an attempt to spread malware among other attack mechanisms. The new version of Sophos EDR offers a custom-built query engine to detect indicators of compromise.
Read also: Ransom payment doubles cyber attack recovery cost for organisations SophosLabs report
Kingminer shares many of the attributes that advanced ransomware attackers use to gain access, evidence of the need for EDR with the ability to hunt active attacks. As Sophos recently discovered in its ‘state of ransomware 2020’ survey, only 24 percent of organisations breached in a ransomware incident were able to detect the intrusion and stop it before it was able to encrypt their files. Its new EDR capabilities help security and IT teams detect threats and breaches that could otherwise take months to uncover.
“Cybercriminals are raising the stakes, stopping at nothing to capitalise on expanded attack surfaces as organisations increasingly move to the cloud and enable remote workforces. Servers and other endpoints are all too insufficiently protected, creating vulnerable entry points that are ripe for attackers to exploit,” Dan Schiappa, chief product officer, Sophos, said.
“Sophos EDR helps identify these attacks, preventing breaches and shining light on otherwise dark areas. Live querying capabilities only available with Sophos EDR in Intercept X enable organisations to search for past indicators of compromise and determine the current system state. This level of intelligence is critical in understanding changing attacker behaviors and reducing attacker dwell time,” he said.
Sophos EDR now provides powerful visibility across an organisation’s entire estate, enabling security and IT practitioners to quickly answer critical threat hunting and IT security operations questions, and easily respond. New features include:
· Live Discover:
Pinpoint past and present activity with up to 90 days of data retention. Out-ofthe-box ready SQL queries allow administrators to answer threat hunting and IT questions, and can be selected from a library of prewritten options and fully customised by users.
· Live Response:
Remotely respond and access endpoints and servers using a command line interface to perform further investigation and remediate issues; easily reboot devices, install and uninstall software, terminate active processes, run scripts, edit configuration files, run forensic tools, isolate machines, and more.
“Sophos EDR is a force multiplier that gives me the tools I need to do the job of an entire team without adding additional headcount,” Ryan Miller, chief information security officer, Mission Search, said.
“This new version drastically reduces the time it takes to detect and respond to incidents, saving me on average four to five hours per day. Easy to use SQL queries simplify the previously complex and time intensive process of investigating suspicious activity, and allow me to perform searches that are completely unique to my network. Unlike other EDR tools that are limited in what they can see and report on, Sophos EDR provides complete visibility into all of my endpoints with vast capabilities not available anywhere else. As the chief information security officer of a Joint Commission certified healthcare staffing firm, I am extremely sensitive to any time delays in receiving warnings related to suspicious activity that could be a precursor of a malicious attack designed to obtain sensitive data,” he said.