Extended Detection and Response (XDR) is designed to give organisations a holistic view of their cybersecurity posture and IT environment, with the ability to pivot quickly to a deep investigation when one is required.
XDR adds even more data and context than EDR (Endpoint Detection and Response) to both increase visibility and give the user more insight during an investigation.
This results in faster and more accurate incident detection and response.
Additional data sources can include firewall, email, cloud and mobile information.
For example, adding in firewall data makes it simple to correlate a malicious traffic detection by the firewall with a compromised endpoint, or to see which application is causing the office network connection to run slowly.
“One of the most valuable ways to use XDR is to begin with the ‘macro’ spotlight that gives you the tools to quickly scan across your entire environment and highlight suspicious activity, anomalous behaviour and other IT issues.”
“When an issue is identified you can then hone in on a device of interest, pulling live data or remotely accessing the device in order to dig deeper and take remedial action,” says Ross Anderson, Sophos Product Development Manager at Duxbury Networking.
“XDR takes the idea of EDR and extends it. It goes beyond the endpoint and server, incorporating data from other security tools such as firewalls, email gateways, public cloud tools and mobile threat management solutions.”
“XDR is an emerging technology so data sources and functionality vary between vendors, but this diagram gives a good starting point to understand what XDR adds onto EDR,” says Anderson.
Adding more Sophos XDR-enabled products provides more visibility and context.
With data from each product flowing into the Sophos Data Lake, it is easy to quickly find critical information and ensure the most complete view of one’s network.
The best way to explain the real-world benefits of XDR is to look at how the functionality can help organisations with their day-to-day IT operations and their threat hunting.
| IT operations | Threat hunting |
| --- | --- |
| Identify unmanaged, guest and IoT devices. | Extend investigations to 30 days without bringing a device online. |
| Why is the office network connection slow? Which application is causing it? | Use ATP and IPS detections from the firewall to investigate suspect hosts. |
| Look back 30 days for unusual activity on a missing or destroyed device. | Compare email header information, SHAs and other IoCs to identify traffic to a malicious domain. |
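As an added illustration of the cross-source correlation described above (a firewall detection joined to the endpoint that produced the traffic) and of the IoC comparison in the threat hunting column, the following Python is example code written for this page; it is not Sophos's or Duxbury Networking's code and does not show how the Sophos Data Lake is actually queried. It joins constructed firewall detections to constructed endpoint telemetry by source IP within a time window, then flags any SHA-256 or destination domain that appears on an IoC list. All field names, event values, IoC entries and the five-minute window are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# --- Constructed sample telemetry (not real data) ---------------------------
# Firewall detections: what the perimeter saw (ATP/IPS category, source IP, domain).
FIREWALL_DETECTIONS = [
    {"ts": "2024-03-01T10:02:10", "src_ip": "10.0.0.15",
     "dst_domain": "malicious-c2.example", "detection": "ATP"},
    {"ts": "2024-03-01T11:30:00", "src_ip": "10.0.0.22",
     "dst_domain": "cdn.example.net", "detection": "IPS"},
]

# Endpoint telemetry: which host/process was active on that IP at the time.
ENDPOINT_EVENTS = [
    {"ts": "2024-03-01T10:01:45", "host": "LAPTOP-07", "ip": "10.0.0.15",
     "process": "updater.exe", "sha256": "aa" * 32},
    {"ts": "2024-03-01T10:40:00", "host": "LAPTOP-07", "ip": "10.0.0.15",
     "process": "browser.exe", "sha256": "bb" * 32},   # outside the window
    {"ts": "2024-03-01T11:29:50", "host": "DESK-03", "ip": "10.0.0.22",
     "process": "browser.exe", "sha256": "bb" * 32},
]

# Constructed IoC lists; in practice these come from threat intelligence feeds.
IOC_SHA256 = {"aa" * 32}
IOC_DOMAINS = {"malicious-c2.example"}


def parse_ts(value):
    """Timestamps are assumed to be ISO 8601 strings in a single time zone."""
    return datetime.fromisoformat(value)


def ioc_matches(sha256, domain):
    """Return which indicator types (if any) match the known-bad lists."""
    matches = []
    if sha256 in IOC_SHA256:
        matches.append("sha256")
    if domain in IOC_DOMAINS:
        matches.append("domain")
    return matches


def correlate(firewall, endpoint, window=timedelta(minutes=5)):
    """Join each firewall detection to endpoint events from the same source IP
    whose timestamp lies within +/- window of the detection.

    The join key (IP plus time) is the minimum needed to turn a perimeter
    alert into a named host and process; DHCP churn is why the window matters.
    """
    hits = []
    for fw in firewall:
        fw_time = parse_ts(fw["ts"])
        for ep in endpoint:
            if ep["ip"] != fw["src_ip"]:
                continue
            if abs(parse_ts(ep["ts"]) - fw_time) > window:
                continue
            hits.append({
                "host": ep["host"],
                "process": ep["process"],
                "sha256": ep["sha256"],
                "detection": fw["detection"],
                "dst_domain": fw["dst_domain"],
                "ioc_matches": ioc_matches(ep["sha256"], fw["dst_domain"]),
            })
    return hits


def prioritise(hits):
    """Order correlated hits so those with the most IoC matches come first,
    which is where an analyst would pivot to the device for live data."""
    return sorted(hits, key=lambda h: len(h["ioc_matches"]), reverse=True)


if __name__ == "__main__":
    for hit in prioritise(correlate(FIREWALL_DETECTIONS, ENDPOINT_EVENTS)):
        print(f'{hit["host"]:<10} {hit["process"]:<12} {hit["detection"]:<4} '
              f'{hit["dst_domain"]:<22} IoC: {hit["ioc_matches"] or "none"}')
```

Running the block lists LAPTOP-07 first, because both the binary hash and the destination domain match an IoC, and DESK-03 second as an IPS hit with no indicator match; that ordering is the point of pulling firewall and endpoint data into one view rather than reading them separately.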
“Sophos XDR gives you access to both data stored in the cloud and directly on the device, which means you always have the most up-to-date data possible.”
“Customers get 30 days of cloud storage in the Sophos Data Lake, in addition to 90 days of data that is stored directly on the device for real-time and historical searches,” says Anderson.
Sophos XDR products include:
- Intercept X. Stop the latest cybersecurity threats to your endpoint devices such as ransomware, file-less attacks, exploits and malware even when they have never been seen before. Perform detailed IT operations and threat hunting tasks.
- Intercept X for Server. Keep your servers safe from the latest cybersecurity threats. It includes all the protection capabilities of Intercept X, with additional control features for servers such as file integrity monitoring, application whitelisting and detailed insight into your organisation’s cloud environment.
- Sophos Firewall. Block suspicious traffic, identify risky behaviour and neutralise advanced threats at your organisation’s perimeter. Automatically isolate compromised devices to stop lateral threat movement and identify exactly what’s going on in your network.
- Sophos Email. Keep your email safe from zero-day malware, unwanted applications and ransomware with powerful deep learning and behavioural protections. Time-of-click protection scans email links before delivery and when you click, blocking delayed attacks.
- Cloud Optix. Get a complete view of your cloud environment. Visualise your cloud assets and network traffic, access a prioritised list of security issues with guided remediation solutions and optimise spend across multiple cloud services.
- Sophos Mobile. Spend less time managing and securing your organisation’s mobile devices. Easily create policies and compliance rules, then quickly deploy them across your entire estate. Keep devices and corporate data secure from the latest mobile threats.