Sophos has introduced a flat-rate incident response service designed to help businesses address ransomware strikes, deeply embedded malware, and other urgent threats.
Sold through partners and delivered by Sophos analysts and threat hunters, Sophos Rapid Response gives end users and channel pros an easy, affordable way to get expert short-term security assistance at predictable rates and without retainers or long-term contracts, according to Sophos CTO Joe Levy.
“We realized that there was a need in the market for having a version of incident response that was channel friendly and that was mid-market friendly,” he says.
Customers or partners can initiate a Rapid Response engagement any time cyberattacks occur. Immediately afterwards, Sophos will help the victim deploy the software stack associated with its Managed Threat Response (MTR) service, including the company’s Intercept X application and the endpoint detection and response add-on for that product. The installation process is usually finished within hours, according to Sophos.
“Speed is of the essence when it comes to these sorts of things,” Levy observes.
Triaging a threat typically takes up to 48 hours, he continues, and neutralizing it requires about 10 days on average. Sophos then monitors the customer environment for several weeks to ensure the attack is fully resolved.
Each incident response engagement lasts 45 days total. At that point, customers can either purchase an MTR subscription or have Sophos remove the MTR software. “What we see happening after most of the engagements is that the customer elects to become a Managed Threat Response customer,” says Levy, referring to a recently completed trial period for the new service.
Either way, Sophos provides a summary report about the incident after its conclusion. “We basically reconstruct a timeline of the sequence of events that led up to the attack itself [and deliver] a full description of the neutralization and remediation steps that were performed in the course of the engagement and a set of recommended actions that the customer could take to help to harden their environment and prevent these kinds of things from happening again in the future,” Levy says.
All of the work Sophos performs happens remotely, Levy emphasizes, adding that both end users and their partners appreciate that aspect of the program amidst the ongoing coronavirus pandemic. “Nobody really likes the idea of having to do things on prem,” he says.
Users, who needn’t have any prior or ensuing relationship with Sophos, pay a fixed fee for each engagement, quoted in advance, based on the number of servers and endpoints impacted by the incident.
“The customer knows exactly what it’s going to cost them, so they don’t have to deal with the kind of unpredictability that these kinds of engagements might have exposed them to in the past,” Levy notes. Rates, he adds, are designed to fit within a typical midsize company’s budget.
“We believe that we have something that’s very competitively priced based on our understanding of competing services that are available on the market today,” Levy says.
The complete package, he further asserts, offers a compelling set of benefits. “It’s fast, it’s predictable, and it’s conclusive, meaning that we will ensure in the course of the engagement that we’ve actually remediated the threat on behalf of the customer.”
Though aimed at mid-market companies and popular during beta testing with businesses in the 100 to 500 seat range, Rapid Response has customers with as many as 15,000 users. “It’s designed to accommodate the needs of the smaller end of the market, just because they have historically been underrepresented in this kind of service offering, but we’ve already seen evidence that this has broad appeal to a diversity of industries and some fairly large operations,” Levy says.
Introduced a year ago and presently used by more than 1,400 companies worldwide, MTR is a turnkey outsourced service for channel pros and end users without a security operations center and in-house security analysts. Incident response assistance along the lines of what Rapid Response now provides on a one-off basis is among its included benefits.
Both MTR and Rapid Response draw on managed detection and response expertise that Sophos acquired in June of last year when it bought Rook Security. Additional service offerings staffed by former Rook employees could arrive in the future.
“There’s still quite a bit of confidence in that team when it comes to offering a broad array of services, and we continue to have conversations with our partners about what they think would be most suitable and most complementary to them,” Levy says. “I can’t offer anything concrete right now, but I will definitely say stay tuned. It’s a topic that is garnering a lot of interest and likely to see some more activity there.”
Sophos reported signs of accelerating momentum within its MSP channel last week.