Sophos is moving aggressively to put more “X” in its eXtended Detection and Response solution.
Unveiled in May, Sophos XDR is designed to provide a more complete view of threat activity by consolidating and cross-referencing input from endpoint, email, network, cloud, and mobile security products. Two acquisitions this month, the vendor says, augment that vision by adding more information from more sources to the analytical picture.
The first of those transactions, announced three weeks ago, involved Capsule8, a maker of detection and response software for Linux servers and containers. Sophos plans to use Capsule8 technology to buttress existing Linux defenses in its Intercept X endpoint protection solution at a time when exploits specifically aimed at Linux-based infrastructure are mounting.
“Windows has historically always been lower hanging fruit for an attacker because it was relatively easier for them to compromise Windows machines,” observes Sophos CTO Joe Levy, noting that Sophos and other vendors have long devoted the bulk of their attention to Windows servers as a result. “Attackers are beginning to realize that due to the relative negligence of Linux, there might actually be a better opportunity for them to go after those targets.”
With businesses rapidly migrating workloads into Linux-based cloud environments, moreover, there are many more such targets to pursue. “Every business is just running more Linux now,” Levy says. “We felt that it was a good time for us to make a commensurate kind of an investment in being able to defend Linux as we have Windows.”
To add further firepower to its XDR arsenal, Sophos last week announced the acquisition of network detection and response vendor Braintrace. According to Levy, that company’s Dragonfly virtual appliance will give the company a rich new stream of network traffic data.
“They’ve built a set of flow analyzers that operate on a series of [machine learning] models that are just really good at detecting malicious traffic inside flows, even if the flow is encrypted,” he says. Braintrace software is also good at discovering and mapping previously overlooked devices, he adds.
“Something that we see commonly is that customers don’t always know how many assets they have,” Levy says, noting that unknown assets are unmanaged as well and often poorly protected as a result.
“Attackers are really, really good at finding this when it happens, and they will invariably go for the weakest link,” he observes. “Then they will use that as a point from which they can launch an attack on the rest of the network.”
Dragonfly will play a critical role in the Adaptive Cybersecurity Ecosystem (ACE) that Sophos introduced in May alongside its XDR system. Known internally at Sophos as “Project Darwin” during a multi-year gestation process, ACE is designed to help the company share data and coordinate response activity with third-party security solutions as well as its own.
“We know that any complete XDR offering needs to operate not just within its own vendor ecosystem, but broadly across everything that customers have deployed in their IT environments,” Levy says. When fully integrated with Sophos XDR sometime next year, Dragonfly will not only scrutinize local network traffic but collect telemetry from ACE-compatible solutions and upload it into the Sophos threat intelligence “data lake.”
At present, the list of vendors participating in ACE is heavy with makers of managed services software like ConnectWise, Datto, Kaseya, Liongard, and N-able, along with SOAR and SIEM vendors like Sumo Logic and Splunk. Former Capsule8 CEO John Viega will be 100% focused on recruiting more integration partners going forward in his new role as vice president of alliances.
“He’s going to be leading the charge of building out all of these industry relationships,” Levy says, adding that his overriding objective will be quality rather than quantity.
“I’m not just looking to accumulate as many partners as we possibly can,” he notes. “I want to make sure that these are solving practical security problems for our customers, so we’re going to have a very sort of measured approach to the way that we do this.”
XDR, which was Gartner’s number one security and risk trend for 2020, has been a red-hot segment of the security market this year. Fortinet rolled out an XDR solution in January, for example, and Trend Micro updated its XDR platform the following month. More recently, Barracuda Networks acquired SKOUT Cybersecurity to add XDR to its portfolio and Bitdefender added what it calls “eXtended EDR” (XEDR) technology to its GravityZone suite.
According to Levy, all of that activity is designed to compensate for a historic overinvestment in solutions designed to block attacks before they occur. “About five years ago or so, I think the mindset began to shift and we sort of dropped this conceit that we can have perfect protection,” he says. “Detection is a must because you can’t rely on the absoluteness of any kind of protection.”
Sophos XDR won’t be the only Sophos offering to draw on Capsule8 and Braintrace technology. Both the Managed Threat Response (MTR) service the company introduced in 2019 and the incident response service it added last year will utilize input from those systems as well.
Levy points to MTR as another example of Sophos using targeted acquisitions to broaden its capabilities. That offering leans heavily on software and personnel the company acquired in 2019 from Rook Security and DarkBytes.