Sophos announced on Oct. 9 that it is adding advanced endpoint detection and response features to its Intercept X security platform.
Intercept X Advanced with EDR benefits from deep learning artificial intelligence capabilities that help organizations with threat hunting and advanced malware detection. The new feature also benefits from an integration with SophosLabs threat intelligence to help understand threats and what actions should be taken to remediate them.
“With Intercept X, we’ve had a lot of success on the protection side,” Dan Schiappa, senior vice president and general manager at Sophos, told eWEEK. “What we found from a lot of customers is that they were still looking to add an EDR product.”
Sophos originally launched Intercept X in September 2016 as an advanced endpoint protection technology that can block malware threats, including ransomware. EDR technology is a category of cyber-security functionality that goes beyond protection, with data monitoring, analysis and threat hunting features.
Schiappa said the EDR capability is an optional module for the core Intercept X platform that is being made available to customers as additional licensed add-on. The EDR module benefits from artificial intelligence that Schiappa said makes the technology more intuitive for users. Intercept X Advanced with EDR also provides a data feed from SophosLabs that gives organizations additional context around malware.
“We now create a visualization so you can see a file, how it’s been measured, and compare that visualization to other files that were convicted and other files that were declared as benign,” he said. “This helps analysts very easily look at a file that is labeled suspicious that may have never seen before and helps guide them to a decision.”
Some of the EDR module’s AI capabilities come from Invincea, which is a company that Sophos acquired for $120 million in February 2017. Schiappa said Sophos has absorbed and integrated the former Invincea technologies into multiple products across the Sophos portfolio.
“What we got from Invincea was primarily the deep learning neural networking capability for malware conviction,” he said. “We do apply a portion of that AI piece in the EDR, but otherwise this is a completely organic product.”
EDR can often be used in Security Operations Centers (SOC) as an integrated component of a threat hunting operation that include Security Information and Event Management (SIEM), IT Service Management (ITSM) and trouble ticketing activities. Schiappa said that in the initial release of Intercept X Advanced with EDR there are some connection points to SOC operations, with the plan being to have a deeper integration in future releases.
The core Intercept X technology has evolved since it was first released in 2016.
Schiappa explained that the way Intercept X works is that it does not scan for malware; rather, it looks for the specific techniques that hackers use to exploit any type of vulnerability. He added that Intercept X has continuously added new techniques into the detection engine to help detect new types of attacks. For example, Schiappa said Intercept X has a Master Boot Record (MBR) protection capability, which could help to block attacks like the NotPetya ransomware attack.
“We’re trying to stay out front of hacker techniques, and so we can continue to add them to Intercept X,” Schiappa said. “Then, of course, we just always evolve. We developed a new AI model that is getting smarter and smarter all the time.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.