{"id":2714,"date":"2021-02-15T08:34:47","date_gmt":"2021-02-15T08:34:47","guid":{"rendered":"https:\/\/partnernews.sophos.com\/en-us\/?p=2714"},"modified":"2021-02-15T08:34:47","modified_gmt":"2021-02-15T08:34:47","slug":"getting-the-most-out-of-intercept-x-advanced-with-edr","status":"publish","type":"post","link":"https:\/\/partnernews.sophos.com\/en-us\/2021\/02\/products\/getting-the-most-out-of-intercept-x-advanced-with-edr\/","title":{"rendered":"Getting the most out of Intercept X Advanced with EDR"},"content":{"rendered":"

If there\u2019s one thing that the new normal (sorry, not sorry) has taught us in 2020, it\u2019s that employees working from home present several challenges when it comes to securing the estate. The industry has been raising awareness about the \u2018vanishing perimeter\u2019 for years. All it took was a global pandemic to pull the rug out from under the feet of so many businesses, and hey-presto the traditional perimeter has well and truly disappeared \u2013 end-user devices are the new perimeter.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

In this article, we\u2019re going to take a look at how Intercept X with Endpoint Detection and Response (EDR) can add value to your customers and allow them to take back control of their\u00a0new perimeters.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

EDR layers in tools that allow IT to investigate suspicious (but not 100% convicted malicious) behaviour without the need for experienced, highly skilled cyber threat-hunting expertise. We first released CIXAEDR a couple of years back, however it\u2019s fair to say that the uptake hasn\u2019t been as significant as we\u2019d have hoped.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

The unfortunate reality is that there is a large portion of customers out there who employ IT, generalists. They either can\u2019t afford to employ (or struggle to retain) cybersecurity experts who would benefit from EDR. There is also unfortunately still a culture with many customers who, in their ideal world, would prefer to \u2018set-and-forget’ when it comes to endpoint security. For example, we\u2019ve seen instances where customers might go months (and in some cases even years!) without having logged into their Sophos Central dashboard.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Needless to say, this is not best practice, and if you work for an MSP then you should be having conversations with these customers around how you can help them with the heavy lifting of managing their cybersecurity risk. If you can\u2019t offer your services to help, the good news is that Sophos have a Managed Threat Response (MTR) service – more on MTR later.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Below is a roundup of the \u2018EDR Tips\u2019 that we\u2019ve covered in the monthly Sync with Sophos update series. <\/span><\/p>\n

\u00a0<\/span><\/p>\n

*EVENT PLUG ALERT* If you\u2019re not currently registered to attend this recurring webinar, it is held on the first Friday of every month at 10 am (GMT).\u00a0Please register\u00a0<\/span>here<\/span><\/a>\u00a0\u2013 it would be great to see you there!<\/span><\/span><\/p>\n

\u00a0<\/span><\/p>\n

Useful Tools for Malware Investigation and Remediation<\/span><\/strong><\/p>\n

\u00a0<\/span><\/p>\n

If you already investigate suspicious behaviour, you might be familiar with some of the tools discussed\u00a0<\/span>here<\/span><\/a>. This article gives some really useful examples of how you can leverage EDR Live Discover and Live Response to make using these tools even easier.<\/span><\/span><\/p>\n

\u00a0<\/span><\/p>\n

Hunt for Vulnerabilities and Indicators of Compromise (IoCs) Related to Specific Cyber Threats<\/span><\/strong><\/p>\n

\u00a0<\/span><\/p>\n

Intercept X Advanced with EDR provides the ability to answer some of the difficult questions that C level execs need to know the answers to. For example \u201cI read about this hack recently. What\u2019s our risk exposure here?\u201d or \u201cSophos is telling us that an issue has been dealt with. How did the threat end up in our system in the first place, and can we be sure it\u2019s been fully resolved?\u201d<\/span><\/p>\n

\u00a0<\/span><\/p>\n

You or your customers want to know if an estate is exposed to a particular exploit, for example, the SigRED Windows Server DNS wormable\u00a0<\/span>vulnerability<\/span><\/a>\u00a0from 2020, or perhaps you would like to see if the SHA256 hashes associated with the\u00a0<\/span>SolarWinds Orion hack<\/span><\/a>\u00a0exist anywhere on your network.<\/span><\/span><\/p>\n

\u00a0<\/span><\/p>\n

Going back to that vanished perimeter with more employees than ever working from home, CIXAEDR makes it easier to understand what\u2019s going on within your estate, regardless of where the machines are or whether they are connected to a VPN \/ behind the firewall. Currently, this is only available for online machines and \u2018query-able\u2019 by Central, however, an Early Access Program for our XDR DataLake technology has just opened. This will sync useful endpoint data with Sophos Central so that it can be queried even when the host is offline. You\u2019ll see some more info on XDR in future articles.<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Use the JOIN Function to Query Data Across Multiple Sources<\/span><\/strong><\/p>\n

\u00a0<\/span><\/p>\n

Between the proprietary Sophos EDR and the underlying OSQUERY schema data tables, there are approximately 300 tables of information available to query using Intercept X Advanced with EDR. The most effective queries will combine data from multiple tables.\u00a0Check out some useful videos that guide you through creating your own Live Discover EDR queries\u00a0<\/span>here<\/span><\/a>.<\/span><\/span><\/p>\n

\u00a0<\/span><\/p>\n

Query Windows Events and Security Groups with Live Discover\u00a0<\/span><\/strong><\/p>\n

\u00a0<\/span><\/p>\n

This is pretty self-explanatory, however, any number of the following behaviours within a network could be indicative of some malicious activity:<\/span><\/p>\n

\u00a0<\/span><\/p>\n