Security vendor Sophos Ltd. has shipped a major new update of its Intercept X product with neural networking-based deep learning capabilities and enhanced exploit protections.
Introduced in September 2016, Intercept X is a next-generation endpoint security solution equipped with anti-ransomware and anti-exploit features that are designed to block never-before-seen attacks before they execute. The original edition, which has been available in a subscription-priced version targeted at MSPs since November 2016, also included root cause analysis functionality that helps companies diagnose successful breaches and a module called Sophos Clean that hunts down and eliminates spyware and other forms of deeply embedded malware.
The new edition adds malware detection functionality powered by a deep learning engine armed with neural networking technology. While machine learning systems can study tens of millions of virus samples, according to Sophos, Intercept X’s deep learning component can process hundreds of millions.
That makes the new feature, which takes up just 20 MB of storage space, a good counterpart to the malware sample repository maintained by the Sophos Labs research unit, which contains hundreds of millions of files and gains roughly 300,000 more every day.
In testing Sophos conducted over a six-week period, Intercept X was 150 to 400 percent better on a week-over-week basis at detecting previously unidentified strains of malware than traditional endpoint security solutions, and 10 to 60 percent better than competing systems with built-in machine learning. The system was no more likely than its competitors to produce false positive readings.
“If you are having too many false positives, IT administrators are running around whitelisting stuff and employees are not as productive because something that they’re using for their job has now been triggered as malicious,” observes Dan Schiappa, senior vice president and general manager of products at Sophos. “It just becomes a lot of noise in the system.”
New exploit protections in the updated edition of Intercept X include active adversary mitigations that guard against credential theft, “code cave” attacks, in which malicious code hides within legitimate programming, and application procedure calls of the sort used recently in the WannaCry and NotPetya viruses.
Other enhancements include protections against process privilege escalation and remote reflective DLL injection, a technique attackers can use to move between processes. New application lockdown functionality isolates software acting in unusual ways, such as a browser attempting to execute a Microsoft PowerShell script.
“We’re able to understand the typical behaviors of an application and ensure that it doesn’t operate outside those behaviors,” Schiappa says.
Also new to Intercept X in the latest edition is “synchronized application control” functionality that allows endpoints to collaborate with the Sophos XG Firewall on preventing software from evading firewall-level security policies. Companies with a signature-based policy against use of unauthorized video chat software, for example, could employ that feature to block a system trying to slip past the firewall undetected by disguising itself as something else.
“Because there’s a tight connection between the two [products], we can accurately tell the firewall specifically what that app is,” Schiappa states. Sophos last updated XG Firewall in October.
The new Intercept X release is available today at a standard MSRP of $20 to $40 per user for one year, with discounts for higher-volume and longer-term orders. Existing users, who have begun receiving it today, get the software at no additional charge.
The update arrives on the same day as new research from Sophos illustrating how badly businesses need help with exploits and ransomware. The study of more than 2,700 IT decision-makers from midsize businesses in 10 countries found that more than 50 percent of organizations have no anti-exploit protection.
Furthermore, over half of surveyed companies were struck by ransomware last year, even though more than 75 percent of those businesses had up-to-date endpoint security software at the time. Factoring in ransom payments, downtime, labor, hardware and network costs, and other expenses, the median financial impact of those breaches was $133,000. Five percent of survey participants suffered $1.3 to $6.6 million in total costs.
According to Schiappa, figures like those reflect the mounting dangers of a threat landscape in which underworld entrepreneurs selling ransomware and exploits as subscription-based services must continually invent effective new techniques to keep their customers satisfied.
“If I’m a hacker and I’m paying money to a subscription and they’re giving me stuff that keeps getting blocked, I’m going to stop paying that money,” he says. “What you’re seeing is just a massive leap in innovation and speed in innovation from the bad guys.”
Next-generation solutions like Intercept X that can block attacks too new to appear in blacklists, he continues, are an essential supplement to traditional endpoint security systems. In fact, about 90 percent of Intercept X users run the system alongside the more traditional Sophos Central Endpoint Advanced, Schiappa says, and the other 10 percent use Intercept X alongside a competitor’s endpoint security system.