Sophos Integration Appliance

Sophos Integration Appliance hosts NDR and log collector integrations, detecting rogue assets, insider threats, and attacks in AWS for faster response.

Product Description

Overview

Sophos NDR continuously monitors network traffic to detect suspicious activities that may be indicative of attacker activity, leveraging a combination of machine learning, advanced analytics, and rule-based matching techniques.

It detects a wide range of security risks, including rogue devices (unauthorized, potentially malicious devices that are communicating across the network), unprotected devices (legitimate devices that could be used as an entry point), insider threats, zero-day attacks, and threats involving IoT and OT devices.

Plus, when combined with other security telemetry, Sophos NDR enables threat analysts to paint a more complete, accurate picture of the entire attack path and progression, enabling a faster, more comprehensive response.

To install Sophos NDR on AWS, a customer who has a Sophos Central account and is licensed for MDR/XDR can download a CloudFormation template from Sophos Central. When deployed in an AWS account, the template creates a stack with all the infrastructure required to run Sophos NDR. Before creating the stack, the user must accept the EULA for the Sophos NDR AMI on AWS Marketplace.

Highlights

  • Uses known indicators of compromise to identify threat actors and malicious tactics, techniques, and procedures across encrypted and unencrypted network traffic.

  • Detects zero-day C2 servers and new variants of malware families based on patterns found in the session size, direction, and interarrival times. Identifies dynamic domain generation technology used by malware to avoid detection.

  • Extensible query engine uses a deep learning prediction model to analyze encrypted traffic and identify patterns across unrelated network flows. Powerful logic engine utilizes rules that send alerts based on session-based risk factors.
