Sophos Intercept X and the 10 questions you need to answer

The questions will come at the end. But remember, 68% of all organizations were victimized by some kind of cyberattack last year. The pressure to have the right endpoint solution in place is greater than ever. Yet the congested endpoint security market is full of hype and extravagant claims, and choosing a solution that works for you is not easy. Frankly, endpoint protection suites like Sophos Intercept X are complex products.

Sophos Intercept X is available in several versions that cover the range of use cases from SMBs to the very largest corporations. You can read about the different “flavors” here, here, and here. But which version is best for your organization?

Let’s get going

Endpoint security, sometimes referred to simply as antivirus, may include a variety of foundational (traditional) and modern (next-gen) technologies. When evaluating solutions like Sophos Intercept X, it is important to look for a comprehensive mixture of both so that a wide range of threats can be stopped.

Foundational capabilities

• Anti-malware/antivirus: Signature-based detection of known malware. Should have the ability to inspect executables and also other code such as malicious JavaScript found on websites.

• Application lockdown: Preventing malicious behaviors of applications, like a weaponized Office document that installs another application.

• Behavioral monitoring/Host Intrusion Prevention Systems (HIPS): Protects computers from unidentified viruses and suspicious behavior. Should include both pre-execution and runtime behavior analysis.

• Web protection: URL lookup and blocking of known malicious websites. Blocked sites should include those that may run JavaScript to perform cryptomining. Should also include sites that harvest user authentication credentials and other sensitive data.

• Web control: Endpoint web filtering allows administrators to define which file types a user can download from the internet.

• Data loss prevention: If an adversary manages to go unnoticed, DLP capabilities can still detect and prevent the last stage of many attacks, when the attacker tries to exfiltrate data. This is done by monitoring for a variety of sensitive data types leaving the endpoint.

Modern capabilities

• Machine learning: Whatever type of model is used, machine learning malware detection should detect both known and unknown malware without relying on signatures. Its advantage is that it can detect malware that has never been seen before, which should raise the overall detection rate. Evaluate the detection rate, the false positive rate, and the performance impact of machine learning-based solutions.

• Anti-exploit: Designed to deny attackers by preventing the tools and techniques they rely on. For example, exploits like EternalBlue and DoublePulsar were used to execute the NotPetya and WannaCry ransomware. Anti-exploit technology stops the relatively small collection of techniques used to spread malware and conduct attacks. It wards off many zero-day attacks without having seen them previously.

• Ransomware-specific: Some solutions contain techniques specifically designed to prevent the malicious encryption of data by ransomware. Often ransomware-specific techniques will also remediate impacted files. Solutions should not only stop file ransomware, but also disk ransomware used in destructive wiper attacks that tamper with the master boot record.

• Credential theft protection: Technology designed to prevent the theft of authentication passwords and password hashes from memory, the registry, and disk.
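To make the foundational/modern split above concrete, here is an added illustration (not Sophos code, and not from this post) that places a signature layer beside a behavioral layer. The signature layer is a SHA-256 blocklist lookup; the behavioral layer is the ransomware-specific heuristic described under "Modern capabilities": a process that rewrites several readable files into high-entropy blobs. Every hash, PID, path and threshold is constructed for the example, and the entropy cutoffs are assumptions rather than any vendor's tuning.

```python
"""Two endpoint detection layers side by side: a hash-based signature lookup
(foundational) and a behavioural heuristic for ransomware-like rewrites
(modern).  Added illustration; every sample and threshold is constructed."""
import hashlib
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# --- Foundational layer: signature lookup ---------------------------------
# Constructed "known bad" bytes; their SHA-256 stands in for a vendor signature.
KNOWN_BAD_SAMPLE = b"constructed-known-bad-sample-for-illustration"
SIGNATURES: Dict[str, str] = {
    hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest(): "Constructed.Test.Sample",
}


def signature_scan(data: bytes) -> Optional[str]:
    """Return the signature name if the file's hash is on the blocklist."""
    return SIGNATURES.get(hashlib.sha256(data).hexdigest())


# --- Modern layer: behavioural heuristic ----------------------------------
def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or packed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass(frozen=True)
class FileWriteEvent:
    """One file-modification event as a behaviour monitor would record it."""
    pid: int
    path: str
    before: bytes  # content prior to the write
    after: bytes   # content after the write


def ransomware_like(events: List[FileWriteEvent], min_rewrites: int = 3,
                    low: float = 6.0, high: float = 7.0) -> Set[int]:
    """PIDs that turned at least `min_rewrites` low-entropy (readable) files
    into high-entropy blobs, the trace a file encryptor leaves behind.
    The cutoffs 6.0/7.0 bits are assumed values for the illustration."""
    per_pid: Dict[int, int] = defaultdict(int)
    for e in events:
        if shannon_entropy(e.before) < low and shannon_entropy(e.after) >= high:
            per_pid[e.pid] += 1
    return {pid for pid, n in per_pid.items() if n >= min_rewrites}


# --- Constructed sample data ----------------------------------------------
PLAINTEXT = b"Quarterly report text, nothing unusual here.\n" * 50
# Uniform byte distribution: entropy exactly 8.0, stands in for encrypted output.
CIPHERTEXT = bytes(range(256)) * 16

SAMPLE_EVENTS = [
    FileWriteEvent(4242, "C:/Users/alice/docs/q1.docx", PLAINTEXT, CIPHERTEXT),
    FileWriteEvent(4242, "C:/Users/alice/docs/q2.docx", PLAINTEXT, CIPHERTEXT),
    FileWriteEvent(4242, "C:/Users/alice/docs/q3.docx", PLAINTEXT, CIPHERTEXT),
    # A benign editor appending to a text file: stays low-entropy, not flagged.
    FileWriteEvent(1001, "C:/Users/alice/docs/notes.txt", PLAINTEXT, PLAINTEXT + b"more\n"),
]


def layered_verdict(data: bytes, events: List[FileWriteEvent]) -> Dict[str, object]:
    """Combine both layers: a signature hit on the scanned bytes, plus any
    PIDs whose file writes look like encryption in progress."""
    return {"signature": signature_scan(data), "behaviour": ransomware_like(events)}


if __name__ == "__main__":
    # Known sample: caught by the signature layer.
    print(layered_verdict(KNOWN_BAD_SAMPLE, SAMPLE_EVENTS))
    # Never-seen binary (hash not on the list): only the behaviour layer fires.
    print(layered_verdict(CIPHERTEXT, SAMPLE_EVENTS))
```

The second call is the point of the example: a file whose hash is unknown sails past the signature layer, while the behavioral layer still attributes the mass rewrite to PID 4242. That is the gap question 2 below ("How does the product detect unknown threats?") is probing.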

The questions

So, with thanks to Sophos for their expertise, here’s what you need to ask yourself before making a decision about Sophos Intercept X, or any other endpoint protection solution:

1. Does the product rely on foundational techniques, modern techniques, or a combination of both?

2. How does the product detect unknown threats? Does it utilize machine learning?

3. For products claiming to leverage machine learning, what type of machine learning is used? Where does the training data come from? How long has the model been in production?

4. What technology exists to prevent exploit-based and file-less attacks? What anti-exploit techniques are leveraged, and what types of attacks can they detect?

5. Does the product have technology specifically designed to stop ransomware?

6. Does the vendor have third-party test results validating their approach?

7. Can you ask the product detailed threat-hunting and IT security questions? How long is the data retention period?

8. What visibility into an attack does the vendor provide, such as root cause analysis?

9. Does the product automatically respond to a threat? Can it automatically clean up a threat?

10. Is the product able to let you remotely access devices to perform further investigation and take necessary actions?

And of course, Corporate Armor is quite happy and able to help you with your decision. We have excellent solutions available to you in every price range. We also have years of experience with Sophos, and there is a Sophos Intercept X version for organizations of every size and budget. So email us or call 877-449-0458. Thanks for reading!
