New Sophos Managed Threat Response Tool Lowers Noise From Data

The Managed Threat Response service is intended to provide resource-constrained organizations with the necessary manpower to benefit from Sophos' detection and response capabilities

Sophos has unveiled a managed threat response service that integrates with the company's protection capabilities to ensure security teams end up dealing with the most important alerts.

The Oxford, U.K.-based company said its managed threat response (MTR) service builds off the technology acquired from Rook Security and will initially operate using input from Sophos' endpoint security products, according to Chief Technology Officer Joe Levy. The MTR offering is intended to help resource-constrained organizations benefit from Sophos' detection and response capabilities, Levy said.

"The industry has awoken to the fact that security requires a services component," Levy told CRN. "This could materially improve the overall security of our customers’ operations."



The MTR service will expand from operating only on the endpoint signal to ingesting data from the Sophos XG Firewall and Cloud Optix by early 2020, Levy said. From there, Sophos plans to have the MTR service incorporate data from Sophos' email security, mobile security and wireless security products, and potentially to build connectors to data from third-party products, Levy said.

Sophos will initially provide the MTR service itself, Levy said, but over time plans to integrate MTR features into the company's endpoint detection and response (EDR) interface so that they'll be available to channel partners.

The company will have a standard and advanced offering of its MTR service, Levy said. The standard offering will provide detection and response capabilities, according to Levy, while the advanced offering will include asset discovery, a dedicated threat response lead, as well as connectors to all the threat data coming from places other than the endpoint.

The connectors may also be made available to customers on an a la carte basis, Levy said. A bundled offering of Sophos Central Endpoint Advanced, EDR and MTR will start at $89 per user, per year, with the price varying depending on the employee count and service levels, according to the company.

Solution providers will be able to sell MTR to customers as a one-year, two-year or three-year license, and can customize longer license deals on an as-needed basis, Sophos said.

Customers will also be able to define the extent to which they interact with the MTR service, Levy said, selecting between the following: notify, where Sophos tells the customer when an issue is discovered and the customer rectifies it itself; collaborate, where Sophos and the customer team up on investigation and remediation; and authorize, where Sophos takes care of the remediation all on its own.

Although some customers with large in-house security staff might choose “notify” and handle the response entirely on their own, Levy anticipates that most end users will go for either the “collaborate” or “authorize” options. The pricing is the same regardless of how much or how little of the response piece is handled by Sophos, according to Levy.

Partners looking to deliver the managed threat response services themselves will need to complete a certification program to ensure they're able to maximize the efficiency and utility of the platform, Levy said. Partners aiming to provide these services would also need to develop their own threat hunting capabilities so that they can conduct investigations even when an event hasn't been detected, Levy said.

Solution providers will have the option of either selling the MTR service as a SKU and having Sophos do the work for them or integrating Sophos' capabilities into their own managed service offering on top of the EDR platform, Levy said. Some specialized or sophisticated partners are able to offer a competitive managed threat service on their own, although Levy cautioned it requires a very specialized skill set.

The proliferation of products within an organization's IT ecosystem has made the environment more complex and opened up businesses to greater exposure at the points of interaction between the products, Levy said.

"With complexity comes insecurity," Levy said.

Pine Cove Consulting tried out MTR as part of Sophos' early access program, and found the deployment process to be very simple, according to Brandon Vancleeve, president of the Bozeman, Mt.-based solution provider. The report generated by the MTR product provides meaningful technical information but is written in a way that can be understood by nontechnical stakeholders, Vancleeve said.

The solution provider has long preached layered defense to its customers, but often found that manpower was lacking to deal with threats that had been identified, according to Vancleeve. Specifically, Vancleeve said small businesses and public sector customers without robust in-house IT teams struggled with engaging, hunting, or analyzing threats that had been located by security tools.

"We needed to answer the human interaction piece, but didn't have the skill sets in our area to answer that," Vancleeve said. "It's exciting for us to spin up this service and bolster what we're able to do for customers."