Getting the most out of Intercept X Advanced with EDR


If there’s one thing that the new normal (sorry, not sorry) has taught us in 2020, it’s that employees working from home present several challenges when it comes to securing the estate. The industry has been raising awareness about the ‘vanishing perimeter’ for years. All it took was a global pandemic to pull the rug out from under the feet of so many businesses, and hey-presto the traditional perimeter has well and truly disappeared – end-user devices are the new perimeter.

 

In this article, we’re going to take a look at how Intercept X with Endpoint Detection and Response (EDR) can add value to your customers and allow them to take back control of their new perimeters.

 

EDR layers in tools that allow IT to investigate suspicious (but not conclusively malicious) behaviour without needing experienced, highly skilled threat-hunting expertise. We first released Intercept X Advanced with EDR (CIXAEDR) a couple of years back; however, it's fair to say that uptake hasn't been as significant as we'd hoped.

 

The unfortunate reality is that a large proportion of customers employ IT generalists. They either can't afford to employ (or struggle to retain) the cybersecurity experts who would get the most out of EDR. There is also, unfortunately, still a culture among many customers who, in their ideal world, would prefer to 'set and forget' endpoint security. For example, we've seen instances where customers go months (and in some cases even years!) without logging into their Sophos Central dashboard.

 

Needless to say, this is not best practice, and if you work for an MSP then you should be having conversations with these customers around how you can help them with the heavy lifting of managing their cybersecurity risk. If you can’t offer your services to help, the good news is that Sophos have a Managed Threat Response (MTR) service – more on MTR later.

 

Below is a roundup of the ‘EDR Tips’ that we’ve covered in the monthly Sync with Sophos update series.

 

*EVENT PLUG ALERT* If you’re not currently registered to attend this recurring webinar, it is held on the first Friday of every month at 10 am (GMT). Please register here – it would be great to see you there!

 

Useful Tools for Malware Investigation and Remediation

 

If you already investigate suspicious behaviour, you might be familiar with some of the tools discussed here. This article gives some really useful examples of how you can leverage EDR Live Discover and Live Response to make using these tools even easier.

 

Hunt for Vulnerabilities and Indicators of Compromise (IoCs) Related to Specific Cyber Threats

 

Intercept X Advanced with EDR provides the ability to answer some of the difficult questions that C-level execs need answers to. For example: "I read about this hack recently. What's our risk exposure?" or "Sophos is telling us that an issue has been dealt with. How did the threat end up in our systems in the first place, and can we be sure it's been fully resolved?"

 

You or your customers want to know whether an estate is exposed to a particular exploit, for example SIGRed (CVE-2020-1350), the wormable Windows Server DNS vulnerability from 2020, or perhaps you would like to check whether any of the SHA256 hashes associated with the SolarWinds Orion supply-chain compromise exist anywhere on your network.

 

Going back to that vanished perimeter, with more employees than ever working from home, CIXAEDR makes it easier to understand what's going on within your estate regardless of where the machines are or whether they are connected to a VPN or sitting behind the firewall. Currently, Live Discover can only query machines that are online and reachable by Central; however, an Early Access Program for our XDR Data Lake technology has just opened. This will sync useful endpoint data to Sophos Central so that it can be queried even when the host is offline. You'll see more on XDR in future articles.
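The two hunts described above, written as Live Discover queries against the osquery schema. This is an added example, not a query from the Sophos article or the Sophos query library. It assumes the standard osquery services, file and hash tables; the Windows DNS Server service is registered under the service name DNS, and the SolarWinds Orion install path and the IoC hashes in the CTE are placeholders you replace with the values from the advisory you are working from.

```sql
-- Added example (not from the Sophos article): two IoC/exposure hunts in osquery SQL.

-- 1. SIGRed exposure: which endpoints run the Windows DNS Server role at all?
--    Only hosts where this service exists are in scope; check their patch level next.
SELECT name, display_name, status, start_type, path
FROM services
WHERE name = 'DNS';

-- 2. SolarWinds Orion IoC hunt: hash every regular file under the Orion install tree
--    and match it against a list of known-bad SHA256s.
--    The hash values below are placeholders; substitute the SHA256s from the advisory.
--    '%%' in the LIKE pattern makes osquery walk the directory recursively.
WITH iocs(sha256) AS (
  VALUES ('<ioc-sha256-1>'),
         ('<ioc-sha256-2>')
)
SELECT f.path,
       f.size,
       datetime(f.mtime, 'unixepoch') AS modified_utc,
       h.sha256
FROM file AS f
JOIN hash AS h ON h.path = f.path          -- the join supplies hash's required path constraint
JOIN iocs AS i ON i.sha256 = h.sha256
WHERE f.path LIKE 'C:\Program Files (x86)\SolarWinds\Orion\%%'
  AND f.type = 'regular';
```

The second query will not return anything on hosts without an Orion install, which is itself a useful answer. Hashing a large directory tree is expensive on the endpoint, so keep the path constraint tight rather than hashing from the drive root, and follow a positive match up with the patches table (hotfix_id and installed_on) to confirm what was, or was not, applied.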

 

Use the JOIN Function to Query Data Across Multiple Sources

 

Between the Sophos-specific EDR tables and the underlying osquery schema tables, there are approximately 300 tables of information available to query with Intercept X Advanced with EDR. The most effective queries combine data from multiple tables with JOINs, because the interesting question is rarely answered by one table alone. Check out some useful videos that guide you through creating your own Live Discover EDR queries here.
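An added example of what the paragraph means by combining tables (example code, not from the article or the Sophos query library). One question that needs four osquery tables: which processes are listening on a network port, what user are they running as, and what is the SHA256 of the binary so it can be checked against threat intel? It assumes the standard osquery processes, listening_ports, users and hash tables; the port exclusion list is a constructed starting point to tune for your own estate.

```sql
-- Added example (not from the Sophos article): a single Live Discover query that
-- joins processes, listening_ports, users and hash.
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  u.username,                                   -- who the listener runs as
  l.address      AS listen_address,
  l.port         AS listen_port,
  l.protocol,                                   -- 6 = TCP, 17 = UDP
  h.sha256,                                     -- hash of the on-disk binary for intel lookup
  datetime(p.start_time, 'unixepoch') AS started_utc
FROM processes AS p
JOIN listening_ports AS l ON l.pid = p.pid
LEFT JOIN users AS u ON u.uid = p.uid           -- LEFT JOIN: keep rows even if uid is unresolved
LEFT JOIN hash  AS h ON h.path = p.path         -- LEFT JOIN: keep rows even if the file is gone
WHERE l.port NOT IN (135, 139, 445, 3389)       -- constructed noise list: expected Windows listeners
  AND l.address NOT IN ('127.0.0.1', '::1')     -- loopback-only listeners are rarely the concern
ORDER BY l.port, p.name;
```

The LEFT JOINs matter: an inner join on hash would silently drop a process whose image has been deleted from disk after launch, which is exactly the row an investigator wants to see. Sort order and the exclusion lists are presentation choices; the structure of the query is the reusable part.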

 

Query Windows Events and Security Groups with Live Discover 

 

This is pretty self-explanatory; however, any of the following changes within a network could be indicative of malicious activity, particularly when they happen outside change windows or on hosts that are not domain controllers:

 

  •  New / deleted security groups
  •  User added to / removed from a security group
  •  New / locked / disabled / enabled user accounts
  •  Password resets

 Note: these events are only written to the Security log if the relevant audit subcategories (Audit User Account Management and Audit Security Group Management) are enabled, and that is not guaranteed by default. Check with auditpol /get /category:"Account Management" before treating an absence of events as evidence that nothing happened.

 

To get your hands on some examples of these Live Discover queries, take a look here.
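An added example of a Live Discover query for the account and group changes listed above (example code, not one of the Sophos-published queries). It assumes the osquery windows_events table, the Security-log event IDs from Microsoft's audit reference, and that osquery renders the event's EventData element into the data column as JSON, so the field names passed to json_extract are an assumption to verify against one sample row from your own estate.

```sql
-- Added example (not from the Sophos article): account and security-group changes
-- from the Windows Security log via the osquery windows_events table.
-- Event IDs are Microsoft's; they are only logged if the matching audit
-- subcategories are enabled (see the note above).
SELECT
  datetime(time, 'unixepoch') AS when_utc,
  eventid,
  CASE eventid
    WHEN 4720 THEN 'user account created'
    WHEN 4722 THEN 'user account enabled'
    WHEN 4724 THEN 'password reset attempt'
    WHEN 4725 THEN 'user account disabled'
    WHEN 4726 THEN 'user account deleted'
    WHEN 4740 THEN 'user account locked out'
    WHEN 4727 THEN 'global security group created'
    WHEN 4728 THEN 'member added to global security group'
    WHEN 4729 THEN 'member removed from global security group'
    WHEN 4730 THEN 'global security group deleted'
    WHEN 4731 THEN 'local security group created'
    WHEN 4732 THEN 'member added to local security group'
    WHEN 4733 THEN 'member removed from local security group'
    WHEN 4734 THEN 'local security group deleted'
  END AS description,
  -- JSON paths below assume osquery's EventData rendering; confirm against a sample row.
  json_extract(data, '$.EventData.SubjectUserName') AS actor,   -- who made the change
  json_extract(data, '$.EventData.TargetUserName')  AS target,  -- account or group affected
  json_extract(data, '$.EventData.MemberName')      AS member   -- set for 4728/4729/4732/4733
FROM windows_events
WHERE source = 'Security'
  AND eventid IN (4720, 4722, 4724, 4725, 4726, 4740,
                  4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734)
  AND time > CAST(strftime('%s', 'now') AS INTEGER) - 7 * 24 * 3600   -- last 7 days
ORDER BY time DESC;
```

Read the result with the actor column in mind: a 4728 or 4732 whose actor is a service account or a workstation's local admin, rather than a known administrator, is the row to pivot on. The seven-day window keeps the query cheap; widen it on a small set of hosts once you have a lead.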

 

EDR Live Discover API 

 

With this recently released API you can programmatically query an estate with your favourite Live Discover queries, on a schedule, rather than running them by hand from Central. Get started with Live Discover here, and check here for more information on the Sophos APIs.

 

Finally, I did say we'd get back to our Managed Threat Response service. If EDR threat hunting sounds good but is ultimately a bit too much for you or your customer to run in-house, then MTR is for you. Our highly skilled team of cybersecurity experts provides 24/7 human-led threat hunting. They investigate suspicious activity, not just detections, and where other vendors stop at notification, our MTR team will take action. Take a look here for more information on our MTR service, and on Rapid Response for when the proverbial has hit the fan!