Sophos Endpoint Protection: EPP, EDR, and XDR Explained

Sophos Endpoint Protection

Key features

Sophos Endpoint Protection is an endpoint protection product that includes:

• Advanced anti-malware
• Website browsing protection and filtering
• Application control
• Device control
• Data loss prevention (DLP)
• Client firewall
• Application and device control
• Host-based intrusion prevention system (IPS)
• Email protection including anti-spam and anti-phishing
• Patch management
• Mobile device management (MDM), including anti-theft, inventory management, and policy enforcement
• Mobile applications control and email management on mobile devices

Solution architecture

Sophos Endpoint Protection requires administrators to install Sophos Enterprise Console on a server in their on-premise data center, to simplify deployment and installation of clients on all endpoints. The client functions both as an agent that communicates with the Console, but is also a standalone endpoint protection solution for remote endpoints.

The Enterprise Console supports policy creation and deployment, provides endpoint status information and events, and enables remote endpoint remediation. Administrators can also use it to manage endpoint protection clients over the web.

In addition, the solution includes a Secure Email Gateway, which performs anti-spam and antivirus, DLP, email encryption, and full disk encryption for Microsoft Exchange. The Gateway also enables web application control and advanced web filtering.

Platform support

Symantec Endpoint Protection supports most versions of Windows desktop through Windows 10, Windows Server 2003, 2012 R2, Microsoft Exchange, Mac, Linux, and Unix systems.

Supported mobile operating systems include Android, iOS, Windows Mobile, Windows Phone, and BlackBerry OS. Virtual environment support includes VMware vSphere, ESX and workstations, Citrix XenServer and Microsoft Hyper-V servers.

Related content: Read our guide to endpoint protection platforms

Sophos Intercept X Endpoint

Intercept X Endpoint is an endpoint security software product that incorporates advanced features like deep learning analysis, anti-ransomware, and fileless attack protection, to protect against advanced forms of malware. The solution comes in two editions:

• Intercept X Advanced —includes basic endpoint protection features like Sophos Endpoint Protection and next-generation malware protection.

• Intercept X Advanced with XDR —includes the above and in addition, endpoint detection and response (EDR) and extended detection and response (XDR) .

Sophos also provides managed threat response (MTR), also known as managed detection and response (MDR) . This means Sophos security experts can actively manage the device to discover threats in the environment and respond to them.

According to the Sophos website, MTR requires Intercept X Advanced with XDR. The MTR service is priced at $35 per user – in addition to the cost of Intercept X Advanced with XDR.

Intercept X integrates with the cloud-based Sophos Central platform, enabling management of Intercept X together with other Sophos products. All editions support Windows 7 or later or macOS.

Below we provide more information about the additional capabilities offered by Intercept X Advanced and Intercept X Advanced with XDR.

Deep Learning Technology

Intercept X integrates deep learning (neural networks) to make endpoint security predictive, protecting against known as well as unknown threats. Deep learning analysis can potentially outperform other machine learning algorithms in detecting unknown malware.

Anti-Ransomware

Today’s ransomware attacks typically combine a variety of advanced adversarial techniques. Advanced protection is required to identify the entire attack chain, minimizing the risk of an effective attack. Symantec Intercept X provides protection against multiple steps of the ransomware attack chain, leveraging deep learning to detect attacks in their early stages, and CryptoGuard technology to potentially roll back malicious file encryption.

Exploit Prevention

Sophos exploit prevention is designed to block advanced attack techniques such as fileless, malware-free, and attacks that exploit vulnerabilities. In any given attack chain, only a handful of exploits are used by attackers, and detecting them is the key to effective response. Exploit prevention can identify the specific exploit toolkits used by attackers and block them, stopping zero day attacks in their tracks.

Active Adversary Mitigations

Sophos provides targeted protection against common attack technologies used by attackers to gain a hold in a corporate environment—including credential theft and code caves. This capability is focused on non-malware techniques attackers use to compromise accounts and perform lateral movement. By detecting and blocking these behaviors, it adds another layer of protection against sophisticated attacks.

Central Management

Sophos Sophos Central is a cloud-based management platform that centralizes all Sophos solutions. It lets security teams create and deploy strategies, investigate potential threats, manage assets, view install locations, and deploy clients, from a single interface.

Synchronized Security

Intercept X integrates other Sophos solutions to provide collaboration between tools. For example, Intercept X and Sophos Firewall can work together to identify, quarantine, and remediate infected devices. Intercept X can check to ensure the threat was removed and validate there is no longer any risk of lateral movement, and the firewall restores network connectivity. This can often be done automatically, without administrator intervention.

EDR and XDR

Sophos Intercept X Advanced with XDR and EDR enables remote security operations on endpoints and active threat hunting. It leverages deep learning to save time for analysts and support investigation and response.

XDR enables the solution to aggregate data sources, including network, cloud, email, and mobile sources, as well as server and endpoint information. This correlation offers a broader view of the organization’s network security. Intercept X Advanced provides 30 days retention to review and understand how a breach attempt was initiated and conduct a real-time investigation.

Managed Threat Response

Sophos Managed Threat Response (MTR) is a fully managed service that offers 24/7 threat detection and response by Sophos experts for an additional fee. Sophos MTR helps improve threat detection, offers deeper alert analysis, and enables teams to take targeted actions when eliminating threats.

The Sophos MTR team alerts about attacks and suspicious behavior and can also take actions to investigate and eradicate the threat.

Sophos Endpoint Protection Strengths and Limitations

According to the Gartner Magic Quadrant for Endpoint Protection, 2021 , the primary strengths of Sophos Endpoint protection are:

• One of the pioneers of integrating multiple security tools (for example, endpoint protection and firewall)
• Improved threat hunting capabilities for organizations with large security teams
• Strong ransomware protection capabilities, including the ability to roll back file changes made by a successful ransomware attack

Gartner also cautions about the following limitations of the solution:

• Features in the on-premise version of the solution are more limited than the cloud-based version.
• Endpoint agent is a large download, making it impractical for some work-from-home users.
• Data exploration using the Live Discover feature uses a SQL-style query interface that is difficult to use for non-technical administrators.

Additionally, Sophos customers point out the following limitations:

• Anything but basic host remediation actions (delete/quarantine/kill) require a considerable manual effort using a command line interface on the Sophos platform.
• Default remediation actions on protected endpoints are almost nonexistent with Sophos. Admins can only choose to update the device, perform a full scan or isolate the device.
• Sophos requires significant administrative overhead due to its highly granular configuration requirements making it unsuitable to smaller security teams

Endpoint Protection—Prevention, Detection and Protection with Cynet 360

Cynet 360 is a security solution that includes a complete Endpoint Protection Platform (EPP), with built-in EDR security , a Next-Generation Antivirus (NGAV) , and automated incident response. Cynet makes it easier to adopt a modern security toolset by offering an “all in one” security model: Cynet 360 goes beyond endpoint protection, offering network analytics , UEBA and deception technology .

Cynet’s platform includes:

• NGAV —blocks malware, exploits, LOLBins, Macros, malicious scripts, and other known and unknown malicious payloads.
• Zero-day protection —uses User and Entity Behavior Analytics (UEBA) to detect suspicious activity and block unknown threats.
• Monitoring and control —asset management, endpoint vulnerability assessments and application control, with auditing, logging and monitoring.
• Response orchestration —automated playbooks and remote manual action for remediating endpoints, networks and user accounts affected by an attack.
• Deception technology —lures attackers to a supposedly vulnerable honeypot, mitigating damage and gathering useful intelligence about attack techniques.
• Network analytics— identifying lateral movement, suspicious connections and unusual logins.

Learn more about the Cynet 360 security platform.