How four real-world truths about cybersecurity shaped our approach to XDR


Over the last couple of years, your endpoints have become exponentially more critical to protect. 

As work has become more fluid, the traditional cybersecurity boundaries have dissolved. Now each user has multiple devices, and they’re working anywhere and everywhere, accessing data that might not be stored or processed on your own infrastructure. 

Meanwhile, attacks are getting more sophisticated—often spanning multiple devices. How do you guard against a phishing or social engineering attack that first arrives by text message, then uses that information to prompt risky behavior at your desktop? 

That makes securing endpoints more critical than ever. And you need that broader context at a time when your defenses have to become both more flexible and more secure. 

And it’s this combination of factors that’s driving the evolution from EDR (endpoint detection and response) to XDR (extended detection and response). It gives you a more comprehensive view, where your endpoint protection benefits from signals across your whole cybersecurity ecosystem—and vice versa. 

In theory, XDR brings a valuable set of capabilities that help you secure today’s complicated workplace. But in practice, a tool is only useful if it fits the way you work. So, when we designed Sophos XDR, we stuck to a mental model based on the real world of cybersecurity and IT. 

Prevention before detection—because you only have so much bandwidth 

If you’re anything like the IT and security professionals I know, you don’t have time to look into every little issue. And with the wealth of information captured by XDR, you could easily spend all your time chasing shadows. So the signal-to-noise ratio is an absolute priority. 

And one of the main ways to boost that ratio is to keep out the obvious threats before the system even begins sending alerts. In doing so you reduce the ‘gray zone’, i.e. the potentially suspicious signals that cannot automatically be classified as good or bad and need further investigation to determine whether they are signs of malicious activity. 

As a result, the way XDR works alongside your other cybersecurity solutions is really important. 

No one is more focused on preventing attacks than Sophos. Our Intercept X endpoint protection reduces the attack surface so threats can’t reach your systems and stops attacks from running with world-leading anti-ransomware and anti-exploit technology. 

These powerful protection capabilities enable you to focus your efforts on fewer, more accurate detections. Go straight to the needle rather than hunting through the haystack. By eliminating the vast majority of issues early, you can focus your expertise on the cases where you have the biggest impact—for example, spotting the difference between a cyberattack and legitimate IT use that might create suspicious signals, like using cloud resources to build a demo. 

Yes, it’s extended detection, but what can I say—protection is in our DNA. 

Enriched signal information—because keeping up with threats is exhausting 

The more complicated your IT landscape becomes, the bigger the attack surface. Suspicious new behaviors and URLs appear every day. Aside from anything else, it’s not reasonable to expect you to keep all that threat intelligence in your head. 

So we don’t ask you to. 

Instead, when we flag something suspicious, we boost the signal with all the relevant context we can muster. We rank and color code the alerts so you always know where to look first—and suggest remediation actions, based on what the system can see. 

For an unrecognized app, that context might include using machine learning to analyze its potential behavior in advance and provide you with a risk score. We can also tell you about its reputation. Is it simply a new app from a trusted source, or something more worrying? We can see if the geographical location checks out, and connect you with any relevant analysis from third-party sources. 

If the app is signed, it’s easy to pivot and dive deeper into the source company—you can pull any thread you choose until you’re confident you have the information you need to make the right decision. 

This approach enables you to quickly and effectively investigate your (already-reduced) gray zone, and take timely, effective measures to secure your organization. 

Seamless handoff to threat hunters—because there are never enough experts 

Of course, from time to time there’ll be something you don’t know. And in an ideal world, you’d always be able to escalate something you’re not sure about to a full-time expert who lives and breathes threat hunting. 

In reality, there aren’t enough of those experts—so most businesses don’t have one, let alone a team. Sophos, on the other hand, has lots of them. Identifying new threats is a huge part of what we do. Our XDR makes it easy to use our managed services to augment your expertise as and when you need it. 

The cool part is, our threat hunters use the same systems as you. You’ll be talking to someone who’s looking at exactly the same dashboards and data points. The only difference is they’re a full-time expert in cyber threats. That means they can see your perspective instantly and give you a quick, easy answer in real time. Plus you can build your own knowledge by seeing how they do it. 

A built-in time machine—because threats might come from anywhere 

One of the challenges of a rapidly evolving threat landscape is that you never know which data point will be valuable next. For instance, who would have known that the Shadow Copy service in Windows would be an important cybersecurity indicator, until ransomware authors started switching it off to prevent their victims from reverting to a backup? 
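As an added illustration of the Shadow Copy point (example code written here, not Sophos code and not the Sophos XDR query language): a small detector that runs over Service Control Manager events and flags the Volume Shadow Copy service being disabled or stopped. The log lines are constructed, and the flattened key=value export format is an assumption; event IDs 7040 (start type changed) and 7036 (service entered a state) are the real SCM IDs.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of Windows System-log lines, flattened to key=value form
# (assumed export format). Two of the lines show the Volume Shadow Copy service
# being set to "disabled" and then stopping on the same host.
SAMPLE_LOG = """\
2024-03-04T08:12:01Z host=WS-17 EventID=7036 Msg="The Print Spooler service entered the running state."
2024-03-04T08:12:05Z host=WS-17 EventID=7036 Msg="The Volume Shadow Copy service entered the running state."
2024-03-04T08:14:40Z host=WS-17 EventID=7040 Msg="The start type of the Volume Shadow Copy service was changed from demand start to disabled."
2024-03-04T08:14:41Z host=WS-17 EventID=7036 Msg="The Volume Shadow Copy service entered the stopped state."
2024-03-04T08:15:02Z host=WS-22 EventID=7040 Msg="The start type of the Windows Update service was changed from auto start to disabled."
"""

WATCHED_SERVICES = {"Volume Shadow Copy"}

LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+) Msg="(?P<msg>[^"]*)"$')
STATE_RE = re.compile(r"^The (?P<svc>.+?) service entered the (?P<state>\w+) state\.$")
START_RE = re.compile(r"^The start type of the (?P<svc>.+?) service was changed from (?P<old>.+?) to (?P<new>.+?)\.$")


@dataclass
class Finding:
    ts: str
    host: str
    service: str
    severity: str  # "high" for disabled start type, "low" for a plain stop
    reason: str


def detect_shadow_copy_tampering(log_text: str) -> List[Finding]:
    """Return findings for watched services being disabled (7040) or stopped (7036)."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected export format
        eid, msg = m["eid"], m["msg"]
        if eid == "7040":
            s = START_RE.match(msg)
            if s and s["svc"] in WATCHED_SERVICES and s["new"] == "disabled":
                findings.append(Finding(m["ts"], m["host"], s["svc"], "high",
                                        f"start type {s['old']} -> disabled"))
        elif eid == "7036":
            s = STATE_RE.match(msg)
            if s and s["svc"] in WATCHED_SERVICES and s["state"] == "stopped":
                # VSS is demand-started and stops when idle, so a stop alone is low confidence
                findings.append(Finding(m["ts"], m["host"], s["svc"], "low", "entered stopped state"))
    return findings
```

The severity split matters in practice: the Volume Shadow Copy service legitimately stops after it has been idle, so a stop event by itself belongs in the gray zone, while a start type changed to disabled is worth an immediate look.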

That presents XDR developers with a difficult choice. An emerging threat might require you to check anything—but your data lake can’t store everything. For most customers, the expense of keeping and analyzing that much data would be prohibitively high. 

We came up with a neat solution. We use spare resources on the endpoints to record all the local sensor data, while only the most important data is stored in the data lake. That way, when a new threat makes a new data point important, it’s already recorded and easily accessible. 

Think of a crime drama, where the detectives identify a new suspect, and request the day’s CCTV footage from local establishments so they can track their movements. The cameras are running all the time, but the tapes only get watched if new information makes them important. It’s a little like that. 

Advanced endpoint security for the real world of IT 

Overall, the most important part of our mental model for XDR is one simple idea: it needs to work the way you do.

As an IT or cybersecurity professional, you’ll know how fruitless it is trying to dictate how your users work. If a procedure or app doesn’t fit, they’ll simply avoid it—usually making your systems less secure in the process. 

In a way, it’s the same for us when we’re developing our solutions. You have your own preferred apps and workflows, and there’s always something new. And you might want to mix and match our technology with another provider. So we need to make it open, extensible, and accessible. It needs to work with you—however you work today and in the future. 

That’s why we’ve built Sophos XDR to fit with the way you work. Conduct your investigation and respond yourself, or have it done for you by expert threat hunters in a managed service. Or do a little bit of both; the solution will work with you. 

To find out more about Sophos XDR, speak with a Sophos representative or check out our web page. If you’re already using the Sophos Central management platform, you can activate a 30-day free trial of Sophos XDR directly within your console using the Free Trials feature. 

By Russell Humphries
