Introducing Sophos Network Detection and Response (NDR)

ProductsManaged Detection and Response (MDR)Sophos NDR

Sophos NDR identifies rogue assets, unprotected devices, insider threats, and novel attacks to accelerate threat detection and response.

We recently launched Sophos Network Detection and Response (NDR) and it’s already providing real-world value for organizations looking to elevate their defenses against sophisticated attackers and zero-day threats.

Sophos NDR continuously monitors network traffic to detect suspicious activities that may be indicative of attacker activity, leveraging a combination of machine learning, advanced analytics, and rule-based matching techniques.

It detects a wide range of security risks, including rogue devices (unauthorized, potentially malicious devices that are communicating across the network), unprotected devices (legitimate devices that could be used as an entry point), insider threats, zero-day attacks, and threats involving IoT and OT devices.

Plus, when combined with other security telemetry, Sophos NDR enables threat analysts to paint a more complete, accurate picture of the entire attack path and progression, enabling a faster, more comprehensive response.

Sophos NDR is an add-on integration for Sophos MDR, our market-leading managed detection and response service that today serves over 14,000 organizations worldwide. Later this year, we’ll also be making Sophos NDR available with Sophos Extended Detection and Response (XDR) for those organizations that prefer to conduct their own threat hunting activities – more on this in a future post.

The importance of network detection and response

NDR is an essential part of an effective defense-in-depth strategy. Why? Because the network is the one place a stealthy, committed adversary cannot hide.

Attackers go to great lengths to avoid being detected and Defense Evasion is well known MITRE ATT&CK Tactic at the system level. Exploits can hide out of sight of EDR solutions, and adversaries can disable and delete system logs. But they still have to traverse the network.

As adversaries continue to evolve their tactics, techniques, and procedures (TTPs) to bypass security controls, NDR is fast becoming a security imperative.

Sophos NDR: unparalleled network threat detection

Sophos NDR is powered by five real-time threat detection engines that use patented multi-layered technologies to detect even the stealthiest of attacks.

Sophos NDR detection engines. Click to enlarge.

The Data Detection Engine is an extensible query engine that uses a deep learning prediction model to analyze encrypted traffic and identify patterns across unrelated network flows.

Deep Packet Inspection uses known indicators of compromise to identify threat actors and malicious tactics, techniques, and procedures across encrypted and unencrypted network traffic.

Encrypted Payload Analytics detects zero-day C2 servers and new variants of malware families based on patterns found in the session size, direction, and interarrival times.

Domain Generation Algorithm identifies dynamic domain generation technology used by malware to avoid detection.

Session Risk Analytics is a powerful logic engine that utilizes rules that send alerts based on session-based risk factors.

These five engines monitor east-west (internal) traffic and north-south (outgoing/incoming) traffic to detect and flag anomalies indicative of threat activity. Alerts generated by Sophos NDR include:

  • Network scanning activity
  • Unexpected SSH sessions to never-before accessed systems
  • Suspected beaconing activity
  • Suspected C2 connections
  • Communication on non-standard ports
  • Malware present in encrypted traffic
  • Encoded PowerShell execution
  • Abnormal volumes of data sent

Leveraging Sophos NDR telemetry to stop advanced threats

Network security telemetry is a powerful threat hunting resource on its own, and especially useful when combined with signals from across the full security ecosystem.

Sophos MDR Detection Pipeline. Click to enlarge.

Sophos MDR leverages alerts from Sophos and third-party network, endpoint, firewall, email, identity, and cloud solutions to accelerate threat detection and response.

Alerts are processed through the Sophos MDR Detection Pipeline where they are transformed into normalized schema, mapped to the MITRE ATT&CK® framework, and enriched with third-party intelligence. Related alerts are grouped in clusters which are then prioritized and escalated to detection specialists for investigation and response.

Let me walk you through a couple of example scenarios where Sophos MDR leverages telemetry from Sophos NDR in conjunction with insights from other technologies.

Scenario 1

  1. Email solution detects a message containing a malicious attachment
  2. Endpoint protection detects a suspicious file download
  3. Endpoint protection detects that an unknown process launched an interactive shell
  4. Sophos NDR detects a suspected Command and Control (C2) connection
  5. Endpoint protection detects suspected credential harvesting
  6. Sophos NDR detects suspected lateral movement using SSH

By correlating the email, endpoint, and NDR alerts, Sophos MDR can quickly ascertain that there has likely been a successful phishing attack that has resulted in credential theft and lateral movement. Armed with this insight, we can step in to swiftly contain, neutralize, and remediate the attack, minimizing impact.

Scenario 2

  1. Sophos NDR detects a device communicating on the internal network
  2. Endpoint protection has no known device under management

Combining data points from these two separate technologies enables us to identify that there is an unmanaged device communicating on the network. At this point, we investigate further to determine whether it’s the result of an internal user policy violation or an adversary-managed system, and then take appropriate action.

Already using an alternative NDR solution? No problem.

We understand that organizations already have security solutions in place. The challenge for many companies is how to manage, interpret, and respond to the information they provide. All too often, we speak with IT teams that are drowning in alerts or unable to digest the complex telemetry.

With the Sophos MDR add-on integration packs, our analysts can leverage telemetry from the third-party security tools your customers are already using (including NDR solutions from Darktrace and Thinkst Canary) to detect and respond to advanced, human-led attacks. With our experts managing their security operations, they can elevate their defenses and increase return on their existing investments.

Learn more

Check out the Sophos Partner Portal to access the Sophos NDR service brief and a sales deskaid and all the service, sales, and marketing resources available for Sophos MDR.

We’ve also created promotional emails that you can send to your customers and prospects to introduce the new offering.

If you’d like to hear what customers have to say about Sophos MDR, take a look at the independent reviews on Gartner Peer Insights and check out why we’re the #1 rated MDR service by G2 Peer Reviews.