Sophos XDR: Driven by data

Credit to Author: Seth Geftic | Date: Wed, 19 May 2021 12:59:30 +0000

When we set out to build our extended detection and response (XDR) solution, we focused on a key mantra: if you want the best XDR, you need the best data.

Sophos XDR is driven by data. It delivers the most comprehensive and precise data across multiple dimensions for the most accurate threat detection, investigation, and response. This is achieved thanks to the scope of data, range of sources, and data quality.

Scope of data

Sophos XDR blends 90 days of rich, on-device endpoint and server data with 30 days of cross-product telemetry in our data lake. This provides the broadest and most in-depth, contextualized insights for both live and offline devices.

Why do you need both on-device data and data stored in a data lake? The two types of data complement each other, which is key to stopping stealthy, high-stakes attacks.

On-device data provides a live view of what’s happening right now on your endpoints and servers, plus an incredibly detailed historical record of activities for the last 90 days – far more detailed than a data lake would typically retain.

All key information and events are logged. This includes process information down to the thread level (starting, stopping, parent, child), changes to the registry, programs running, system events, and much, much more.

The data lake provides its own set of advantages, such as the ability to detect incidents by correlating information across your estate.

Crucially, it also allows users to query both online and offline devices – even those which may have been taken offline during an attack. However, data stored in a cloud repository is always historical and does not provide a real-time view.

The two data types work together. The data lake provides the 10,000-foot view and helps correlate events across your estate from both live and offline devices. From there, you can pivot to live running systems and access the industry’s richest on-device data set to see exactly what’s happening right now, or what happened in the last 90 days.

Blending on-device data with the information stored in the data lake ensures you get the broadest scope of data so you don’t miss a thing.

Data sources

Sophos XDR is the first and only XDR solution that synchronizes native endpoint, server, firewall, and email security – with mobile and cloud integrations coming soon.

This broad set of data sources goes well beyond endpoint and server visibility alone. Instead, you get the full picture when detecting and investigating incidents.

For example, you could use firewall data to identify suspicious traffic coming from an unmanaged endpoint or investigate a suspected phishing attack to see if there has been further traffic to a malicious domain.
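As an added illustration of that cross-source use case (this is not Sophos code; the key=value log format, the inventory and the domain list are constructed assumptions), the snippet joins firewall log lines against the set of hosts the endpoint agent manages and flags traffic from unmanaged sources as well as any contact with a domain flagged during a phishing investigation:

```python
import re
from dataclasses import dataclass

# Constructed sample: hosts the endpoint agent knows about (managed devices).
MANAGED_HOSTS = {"10.0.1.10", "10.0.1.11", "10.0.2.20"}
# Constructed sample: domain flagged malicious while investigating a phish.
MALICIOUS_DOMAINS = {"login-verify.example.net"}

# Constructed firewall log lines; the key=value layout is an assumption.
FIREWALL_LOG = """\
ts=2021-05-19T12:01:03Z src=10.0.1.10 dst=93.184.216.34 dport=443 host=www.example.com action=allow
ts=2021-05-19T12:02:17Z src=10.0.3.99 dst=203.0.113.8 dport=8443 host=- action=allow
ts=2021-05-19T12:03:40Z src=10.0.1.11 dst=198.51.100.5 dport=443 host=login-verify.example.net action=allow
ts=2021-05-19T12:04:02Z src=10.0.3.99 dst=198.51.100.5 dport=443 host=login-verify.example.net action=allow
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    ts: str
    src: str
    reason: str


def parse_line(line):
    """Turn one key=value firewall line into a dict (empty dict if unparsable)."""
    return dict(KV_RE.findall(line))


def correlate(log_text, managed_hosts, malicious_domains):
    """Return findings that only the firewall view can surface: sources the
    endpoint inventory does not cover, and contact with a flagged domain."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        src, host = ev.get("src"), ev.get("host")
        if src not in managed_hosts:
            findings.append(Finding(ev["ts"], src, "traffic from unmanaged endpoint"))
        if host in malicious_domains:
            findings.append(Finding(ev["ts"], src, f"contact with malicious domain {host}"))
    return findings
```

Each finding names the source host, so an analyst can pivot from the firewall view to that device's on-device history.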

All the data sources are integrated out of the box when you have Sophos XDR-enabled components. There’s no need to create your own custom infrastructure.

Quality of data

When conducting threat detection and response, having a lot of data is only part of the equation.

Huge volumes of data can be overwhelming; what you need is high-quality data.

Sophos XDR has more high-quality data, which means we deliver stronger signals and less noise for better detection. This is because Sophos XDR is built on top of Intercept X, the world’s best endpoint protection.

Intercept X filters out much of the noise that causes alert fatigue for analysts, allowing them to focus on what’s truly important.

To further improve data quality, Sophos XDR provides additional context to put the data into perspective. This includes additional intelligence from SophosLabs and the Sophos AI team.

Sophos XDR is available today. Visit Sophos.com/XDR to learn more.