{"id":21218,"date":"2023-02-13T05:21:14","date_gmt":"2023-02-13T13:21:14","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/02\/13\/news-14950\/"},"modified":"2023-02-13T05:21:14","modified_gmt":"2023-02-13T13:21:14","slug":"news-14950","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2023\/02\/13\/news-14950\/","title":{"rendered":"Sophos MDR: Full environment detections for faster threat response"},"content":{"rendered":"<p><strong>Credit to Author: Doug Aamoth| Date: Mon, 13 Feb 2023 12:00:54 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/Visibility.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignright wp-image-89714\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/Visibility.png?w=300\" alt=\"\" width=\"400\" height=\"282\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/Visibility.png 791w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/Visibility.png?resize=300,212 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/Visibility.png?resize=768,542 768w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><\/a>Visibility is key to stopping an advanced cyberthreat before major damage is done: if you can see intrusion attempts, unauthorized network entry, and other suspicious behaviors as they\u2019re happening, it\u2019s much easier to quickly jump in and neutralize them.<\/p>\n<p>And while advanced technology solutions &#8211; including next-gen endpoint protection and firewalls &#8211; are critical layers of defense, stopping advanced, human-led attacks requires 24\u00d77 eyes on glass.<\/p>\n<p>The good news is that most organizations are already gathering much of the raw telemetry needed to see these risks via their existing security investments.<\/p>\n<p>Endpoint, firewall, identity, email, cloud, and network solutions all provide 
valuable insights that enable skilled security analysts to detect and respond to sophisticated attacks.<\/p>\n<h2>Combining telemetry for faster, deeper insights<\/h2>\n<p>Each telemetry source is useful individually. However, the more signals threat analysts can bring together from across the environment, the more they see and the faster they can react. Let\u2019s look at a couple of examples of how we can combine telemetry sources to accelerate threat response.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/Telemetry.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-89715 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/Telemetry.png\" alt=\"\" width=\"931\" height=\"593\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/Telemetry.png 931w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/Telemetry.png?resize=300,191 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/Telemetry.png?resize=768,489 768w\" sizes=\"auto, (max-width: 931px) 100vw, 931px\" \/><\/a><\/p>\n<p>As we can see, the endpoint signal in the first scenario and the email signal in the second scenario are both suspicious on their own. However, together with data from the firewall, identity telemetry, and other insights, analysts can much more confidently identify data exfiltration attempts in the first scenario and Business Email Compromise in the second.<\/p>\n<h2>The defender challenge: telemetry complexity<\/h2>\n<p>Achieving actionable visibility from security telemetry is a specialist skill. 
While many technologies <em>generate<\/em> security alerts and insights that are useful to highly trained analysts, <em>leveraging<\/em> the information is very challenging.<\/p>\n<p>Defenders face:<\/p>\n<ul>\n<li>Huge volumes of data<\/li>\n<li>Myriad, inconsistent severity score ratings (1-10, 5-1, High\/Med\/Low, etc.)<\/li>\n<li>Different types and quantities of data from each provider<\/li>\n<li>Highly varied reporting formats<\/li>\n<\/ul>\n<p>As a result, it&#8217;s almost impossible for most organizations to correlate data and identify issues in a timely manner. IT teams end up overwhelmed by alerts, unable to identify which ones are related, and what to prioritize.<\/p>\n<h2>The Sophos MDR approach<\/h2>\n<p>At Sophos MDR, the more we see, the faster we act. We gather telemetry from across our customers\u2019 security environments, using signals and alerts from:<\/p>\n<ul>\n<li><strong>Sophos\u2019<\/strong> award-winning endpoint, email, network, firewall, and cloud security solutions<\/li>\n<li><strong>Third-party technologies<\/strong> including Amazon Web Services (AWS), Check Point, CrowdStrike, Darktrace, Fortinet, Google, Microsoft, Okta, Palo Alto Networks, Rapid7, and many others<\/li>\n<li><strong>Any combination of the two<\/strong><\/li>\n<\/ul>\n<p>Next, we convert this huge volume of security telemetry into actionable, prioritized insights for our analysts to investigate using the Sophos MDR Event Flow.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/Event-Flow.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-89716 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/Event-Flow.png\" alt=\"\" width=\"792\" height=\"279\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/Event-Flow.png 792w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/Event-Flow.png?resize=300,106 300w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/Event-Flow.png?resize=768,271 768w\" sizes=\"auto, (max-width: 792px) 100vw, 792px\" \/><\/a><\/p>\n<p>The telemetry goes into our data lake and is processed through the six stages of our patented detection pipeline:<\/p>\n<ul>\n<li><strong>Ingest and Filter <\/strong>\u2013 Ingest telemetry and filter unwanted noise<\/li>\n<li><strong>Clean<\/strong> \u2013 Transform data into normalized schema and map to MITRE ATT&amp;CK\u00ae<\/li>\n<li><strong>Enrich <\/strong>\u2013 Add additional third-party threat intelligence and business context information<\/li>\n<li><strong>Correlate <\/strong>\u2013 Cluster alerts based on entities, MITRE ATT&amp;CK categorization, and time<\/li>\n<li><strong>Prioritize <\/strong>\u2013 Score alerts and clusters to rank in order of prioritization<\/li>\n<li><strong>Escalate <\/strong>\u2013 Logic that escalates certain clusters into cases for investigation<\/li>\n<\/ul>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/Data-Processed.png\"><img decoding=\"async\" loading=\"lazy\" class=\"wp-image-89718 alignright\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/Data-Processed.png?w=300\" alt=\"\" width=\"400\" height=\"384\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/Data-Processed.png 663w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/Data-Processed.png?resize=300,288 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/Data-Processed.png?resize=32,32 32w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><\/a>The clean, enhanced, correlated, clustered outputs are then passed to the experts in our MDR operations team for investigation and response.<\/p>\n<p>To give you an idea of the scale at which we do this: on a typical day, we process around 31 billion events and 358 million detections. 
These result in 367 cases that are then investigated by the team, leading to 47 escalations and one active threat.<\/p>\n<p>Leveraging cross-environment telemetry in this way helps Sophos MDR to detect and neutralize threats faster than anyone else. Our average threat response time is just 38 minutes, which is considerably faster than other security vendors and more than five times quicker than even the speediest in-house team.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/Response-Time.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-89717 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/Response-Time.png\" alt=\"\" width=\"789\" height=\"355\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/Response-Time.png 789w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/Response-Time.png?resize=300,135 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/Response-Time.png?resize=768,346 768w\" sizes=\"auto, (max-width: 789px) 100vw, 789px\" \/><\/a><\/p>\n<h2>Learn more<\/h2>\n<p>Visibility is vital for stopping advanced, human-led cyberattacks early in the attack chain. Fortunately, every organization is already generating security telemetry that can be used by skilled analysts to detect and respond to attacks. 
Sophos MDR leverages this data, applying our unique Security Event Flow process and unparalleled human expertise to quickly identify and neutralize threats before damage is done.<\/p>\n<p>To find out more about <a href=\"https:\/\/www.sophos.com\/en-us\/products\/managed-detection-and-response\" target=\"_blank\" rel=\"noopener\">Sophos MDR<\/a> and how we use cross-environment detections to accelerate threat response, <a href=\"https:\/\/www.sophos.com\/en-us\/products\/managed-detection-and-response\/contact-request\" target=\"_blank\" rel=\"noopener\">speak to our security specialists<\/a> today.<\/p>\n<\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2023\/02\/13\/sophos-mdr-full-environment-detections-for-faster-threat-response\/\" target=\"bwo\">http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/02\/Data-Telemetry.png\"\/><\/p>\n<p>Sophos MDR leverages alerts from across the security environment to accelerate threat identification and neutralization.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[18782,24562,24552,27604],"class_list":["post-21218","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-managed-detection-and-response","tag-products-services","tag-security-operations","tag-sophos-mdr"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21218","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21218"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21218\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21218"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21218"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21218"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}