Endpoint data is critical to the Sophos Managed Threat Response (MTR) team. However, to build the most complete picture of a customer's network, analysts need to go beyond the endpoint and tap into the broadest possible range of telemetry.
To put the most crucial data at MTR operators' fingertips, Sophos is introducing a new MTR Network Sensor while continuing to invest in the already launched MTR Connectors. Both extend the visibility available to MTR operators, so attackers have fewer places to hide.
Download the datasheet to learn more about MTR Connectors and the new MTR Network Sensor.
Network Visibility: MTR Network Sensor (available in North America only)
Sophos MTR Advanced customers have the option to deploy the MTR Network Sensor to gain network telemetry. The sensor is a Sophos Firewall software/virtual appliance and is well suited to organizations that are unable or unwilling to deploy Sophos XG Firewall inline. It is deployed in non-blocking mode, so it only observes traffic and cannot be used as a replacement for a firewall.
The MTR Network Sensor uses the XG Firewall MTR Connector to generate MTR detections from ATP (Command & Control) and premium IDS events. Customers must enable Central Firewall Management and Central Firewall Reporting. These features include 7 days of data storage in the Sophos Data Lake, which customers can use to run queries and reports. This storage is separate from the MTR detections and data retention used exclusively by the MTR team.
Network Visibility: Sophos Firewall MTR Connector
Sophos MTR Advanced customers can either deploy Sophos XG Firewall fully across their environment or deploy XG Firewall in tap mode alongside a non-Sophos firewall. In both cases the XG Firewalls must be managed in Sophos Central with XG Central Firewall Reporting enabled.
The Sophos Firewall MTR Connector generates MTR detections from the following network security events: ATP (Command & Control), IPS, Sophos AV (email, web, FTP), and Sophos Sandstorm (sandbox).
Cloud Visibility: Sophos Cloud Optix MTR Connector
By adding cloud telemetry, customers receive around-the-clock security monitoring of the major cloud platforms by a dedicated team of cybersecurity experts. The Sophos Cloud Optix MTR Connector gives Sophos MTR operators the visibility needed to quickly identify the critical cloud security events that accompany breach attempts across Amazon Web Services, Microsoft Azure, and Google Cloud Platform environments. Events from Sophos Cloud Optix generate MTR detections, including anomalous IAM user login activity, unusual outbound network connections, and other high-risk activity. Additional threat detections can be added through integration with the Amazon GuardDuty service, which analyzes CloudTrail, DNS, and VPC flow logs.
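To make "anomalous IAM user login activity" concrete, here is an added example (not Sophos, Cloud Optix, or GuardDuty code) that runs simple detection logic over a handful of constructed CloudTrail ConsoleLogin records. The per-user baseline of known source IPs, the failure threshold, and the three detection reasons are assumptions chosen for illustration; a real service derives its baselines from history and covers far more event types.

```python
"""Illustrative detection over constructed CloudTrail ConsoleLogin events.

Added example, not code from Sophos Cloud Optix or Amazon GuardDuty.
The baseline table, the failure threshold and the reason strings are
assumptions made for this demonstration.
"""
import json
from collections import defaultdict

# Constructed sample in the shape CloudTrail delivers to S3: {"Records": [...]}.
# alice: one login from a known IP with MFA, then one from an unknown IP without MFA.
# bob:   three failed logins followed by a success from the same IP.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2021-06-01T08:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2021-06-01T21:30:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2021-06-01T09:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "192.0.2.44",
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"},
    {"eventTime": "2021-06-01T09:00:20Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "192.0.2.44",
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"},
    {"eventTime": "2021-06-01T09:00:41Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "192.0.2.44",
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"},
    {"eventTime": "2021-06-01T09:01:05Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "192.0.2.44",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]})

# Assumed baseline: source IPs previously seen for each IAM user.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"192.0.2.44"}}


def load_records(trail_json):
    """Parse a CloudTrail delivery document and return its Records list."""
    return json.loads(trail_json)["Records"]


def login_outcome(event):
    """Return 'Success', 'Failure' or None for a ConsoleLogin record."""
    return (event.get("responseElements") or {}).get("ConsoleLogin")


def detect_console_login_anomalies(events, known_ips, failure_threshold=3):
    """Flag suspicious IAM console logins.

    Reasons emitted (assumed names for this example):
      unknown_source_ip               success from an IP outside the user's baseline
      no_mfa                          success without MFA
      success_after_repeated_failures success preceded by >= failure_threshold failures
    """
    findings = []
    failures = defaultdict(int)  # consecutive failures per user
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventName") != "ConsoleLogin":
            continue
        identity = ev.get("userIdentity") or {}
        user = identity.get("userName") or identity.get("arn", "unknown")
        outcome = login_outcome(ev)
        if outcome == "Failure":
            failures[user] += 1
            continue
        if outcome != "Success":
            continue
        if failures[user] >= failure_threshold:
            findings.append({"user": user, "time": ev["eventTime"],
                             "reason": "success_after_repeated_failures"})
        failures[user] = 0  # a success resets the streak
        if ev.get("sourceIPAddress") not in known_ips.get(user, set()):
            findings.append({"user": user, "time": ev["eventTime"],
                             "reason": "unknown_source_ip"})
        if (ev.get("additionalEventData") or {}).get("MFAUsed") != "Yes":
            findings.append({"user": user, "time": ev["eventTime"],
                             "reason": "no_mfa"})
    return findings


if __name__ == "__main__":
    for finding in detect_console_login_anomalies(load_records(SAMPLE_TRAIL), KNOWN_IPS):
        print(finding)
```

Sorting by eventTime matters because CloudTrail delivers records in batches that are not guaranteed to be ordered, and the failure-then-success check depends on sequence. The baseline lookup is deliberately naive; a production detection would also consider geolocation, ASN, and time of day, which is the kind of context a managed service layers on top of the raw events.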