On May 5, we are announcing some exciting product updates including the launch of Sophos XDR (Extended Detection and Response) and significant enhancements to Sophos EDR (Endpoint Detection and Response). General availability is planned for May 19.

What’s new?

Introducing Sophos XDR
Sophos XDR goes beyond endpoints and servers, also pulling in rich Sophos Firewall and Sophos Email data (Sophos Mobile and Cloud Optix XDR-integration is coming soon) with 30 days of storage in the Sophos Data Lake. Which means organizations get even more detailed insight into their environments when performing threat hunting or IT operations tasks.

Users get both the broad, big picture view of their cybersecurity environment with the ability to deep dive into areas of interest for granular detail. It’s the best of both worlds.

Here are just a few Sophos XDR use cases:

IT Operations	Threat Hunting
Identify unmanaged, guest and IoT devices Why is the office network connection slow? Which application is causing it? Look back 30 days for unusual activity on a missing or destroyed device	Extend investigations to 30 days without bringing a device back online Use ATP and IPS detections from the firewall to investigate suspect hosts Compare email header information, SHAs and other IoCs to identify malicious traffic to a domain

You can see more examples in the EDR/XDR use cases PDF.

Sophos XDR includes a data lake retention period of 30 days (7 days with EDR). Sophos XDR and the Sophos Data Lake will be available for Windows and Linux at launch (May 19). macOS support is planned for H2CY21. MSP Flex availability is scheduled for late June.

How do I sell Sophos XDR?
Sophos XDR (CXDR) is an overlay license that enables 30 days of data collection from any Sophos XDR-ready product.

XDR-ready products feed data to the Sophos Data Lake and require their own separate license, for example Intercept X Advanced with EDR (CIXAEDR), Intercept X Advanced for Server with EDR (SVRCIXAEDR), Sophos Firewall (XG/XGS) with Xstream Protection or Sophos Email Advanced (CEMA).

For further details on requirements, exclusions, and example licensing scenarios, please read the Sophos XDR Licensing Guide.

For sales tools and additional resources, visit the Sophos Partner Portal.

Note that only Intercept X Advanced with EDR and Intercept X Advanced for Server with EDR can use Sophos XDR without having another XDR-ready product. See the license guide for further details.

Offline Access with the Sophos Data Lake
A key component of both XDR and EDR, the Sophos Data Lake stores critical data from XDR and EDR enabled devices, enabling access to that data even when devices are offline. For example, look back for unusual activity on a device that has been destroyed or taken without authorization. It’s an important part of cybersecurity visibility giving organizations the ability to see their entire environment and quickly drill down to granular areas of interest. Data retention periods are 7 days (EDR) and 30 days (XDR). That’s in addition to the up-to 90 days of on-disk data stored on devices.

EDR gets even better – again!
This latest version of EDR (4.0) brings some incredible enhancements, which will (at GA) be available to existing EDR users.

Sophos Data Lake
EDR customers will have the ability to get data up to 7 days in the past from their endpoints and servers, even if those devices aren’t currently online, in addition to the up-to 90 days of on-disk data they have currently. Note that customers have to enable the Sophos Data Lake.

Scheduled queries
Users can schedule queries to run overnight so key data is ready and waiting for assessment in the morning and they have the information needed to perform critical threat hunting and IT operations tasks. Initially scheduled queries are available for the Sophos Data Lake with on-device Live Query following.

Enhanced usability
Users can work even faster with enhancements to workflows and pivoting that help them get to key information faster and enable them to take actions and respond even faster.

 

Tools to help

Web content

• XDR web page
• Intercept X web page
• Intercept X for Server web page
• Sales resources on the partner portal

Documents

• XDR license guide – Detailed licensing guide for Sophos XDR (if you have to pick one asset, choose this one!)
• XDR beginners guide – Short overview of the XDR concept (partner portal link)
• XDR/EDR use cases
• XDR/EDR datasheet
• What’s New in XDR/EDR
• Intercept X datasheet
• Intercept X for Server datasheet
• Intercept X license guide
• Intercept X for Server license guide
• Endpoint buyers guide (partner portal link)
• Gartner XDR Whitepaper

Videos

• Sophos XDR overview
• Sophos XDR: Driven by data
• Technical Demo

Training

• SophSkills – May 12: APJ | Americas | EMEA
• Technical SophSkills – May 13:  APJ | Americas + EMEA
• Competitive Intel SophSkills – May 19:  APJ | Americas | EMEA

Email campaigns will be available at product GA.

Feedback has been great
These new features have been extensively tested in the early access program and feedback has been fantastic.

“Just ran a test query and I must say it’s super fast.”

“Pivoting is beautiful!”

“I am absolutely loving the data lake queries.”