IT security company Sophos has announced an updated version of its Endpoint Detection and Response (EDR), the first solution for both security analysts and IT administrators, now available in Sophos Intercept X Advanced and Intercept X Advanced for EDR servers
Sophos also published new research entitled “An Insider View into the Increasingly Complex Kingminer Botnet”, underlining the use of servers to perform attacks and the importance of threat intelligence in detecting such activity.
The opportunistic Kingminer botnet attempts to gain server access by brute-forcing login credentials, and Sophos now finds that it’s using the infamous EternalBlue exploit in an attempt to spread malware among other attack mechanisms. The new version of Sophos EDR offers a custom-built query engine to detect indicators of compromise.
Kingminer shares many of the attributes that advanced ransomware attackers use to gain access, evidence of the need for EDR with the ability to hunt active attacks. As Sophos recently discovered in its State of Ransomware 2020 survey, only 24 per cent of organisations breached in a ransomware incident were able to detect the intrusion and stop it before it was able to encrypt their files. Sophos’ new EDR capabilities help security and IT teams detect threats and breaches that could otherwise take months to uncover.
Dan Schiappa, chief product officer, Sophos, said, “Cybercriminals are raising the stakes, stopping at nothing to capitalise on expanded attack surfaces as organisations increasingly move to the cloud and enable remote workforces. Servers and other endpoints are all too insufficiently protected, creating vulnerable entry points that are ripe for attackers to exploit.
“Sophos EDR helps identify these attacks, preventing breaches and shining a light on otherwise dark areas. Live querying capabilities only available with Sophos EDR in Intercept X enable organisations to search for past indicators of compromise and determine the current system state. This level of intelligence is critical in understanding changing attacker behaviours and reducing attacker dwell time.”
Sophos EDR now provides great visibility across an organisation’s entire estate, enabling security and IT practitioners to answer critical threat hunting and IT security operations questions quickly, and easily respond. New features include:
Live Discover: Pinpoint past and present activity with up to 90 days of data retention. Out-of-the-box ready SQL queries allow administrators to answer threat hunting and IT questions. They can be selected from a library of pre-written options and fully customized by users. This flexible query engine provides access to some of the most granular and detailed endpoint activity recordings that are further enhanced with Sophos’ deep learning technology.
Live Response: Remotely respond and access endpoints and servers using a command-line interface to perform further investigation and remediate issues; easily reboot devices, install and uninstall software, terminate active processes, run scripts, edit configuration files, run forensic tools, isolate machines, and more.
Sophos EDR is powered by Sophos’ deep learning neural network which is trained on hundreds of millions of samples to search for indicators of threat. Security analysts and IT administrators also gain on-demand access to SophosLabs’ curated threat intelligence, which tracks, deconstructs, and analyses more than 400,000 samples of malware daily.
