Sophos Exec: Endpoint Detection And Response Tools Make It Easy To Act On Threats

‘Being able to say what's happening in the security space lends you credibility and arms you with the capability to guide customers to the right decision,’ says Sophos Principal Product Manager Karl Ackerman.

Endpoint detection and response is a welcome addition to the cybersecurity toolbox, but the products need to be easier to understand and take action with, said Sophos’ Karl Ackerman.

Endpoint security for a long time was centered around antivirus, which aimed to keep adversaries off an organization's devices and off their network, according to Ackerman, principal product manager at Oxford, U.K.-based Sophos. But businesses have increasingly reached the conclusion that their antivirus products end up missing certain things, Ackerman said.

As a result, Ackerman told attendees at XChange August 2019 Sunday that endpoint detection and response (EDR) has exploded in popularity over the past half-decade thanks to its ability to holistically understand what's happening on the endpoint and notify security professionals when they need to take action.

[Related: Sophos Buys Managed Detection And Response Vendor Rook Security]

EDR tools sit on the endpoint and record data that's either addressed directly on the endpoint or sent to the cloud somewhere to determine whether any of the behavior observed is anomalous and threatening. The tools should provide enough information so that an IT administrator can make an informed decision around whether or not any anomalous behavior spotted also should be considered malicious, he said.

Unlike adversaries going after consumers, Ackerman said threat actors targeting businesses typically want to move laterally through a company's environment and establish persistence so that they can collect whatever information they're looking for and take action. Good EDR products have sufficient visibility so that end users can know definitively whether or not they're been breached, he said.

"That gives you credibility as the expert and the person who's able to consult the small business and help them through this space," Ackerman said.

Over the past half-decade, Ackerman said the use of malware against businesses has evolved from lone wolves looking to make a buck to skilled teams sitting in places like China, Russia, North Korea or India who have set profit expectations from the get-go. At the same time, some adversaries have forsaken malware in favor of pursuing the identity of a user who's already authorized in the environment.

"Those kinds of attacks that don't use malware are really what EDR is hunting for—the activity in an environment that wouldn't have been stopped otherwise," Ackerman said.

Effective EDR tools have the ability to understand what's happening in the environment from an endpoint or PC point of view, Ackerman said, and give an administrator the ability to see that graphically rather than as just a 10,000-line log file. Specifically, Ackerman said EDR tools can tell companies where malicious code came from, why it's unusual, and the types of files it's interacting with.

"Being able to say what's happening in the security space lends you credibility and arms you with the capability to guide customers to the right decision," Ackerman said.

And unlike antivirus products, Ackerman said well-designed EDR tools make it easy to take actions such as killing a process, deleting a file, or resetting a registry key if an issue has been detected. EDR offerings seek to contain the problem, isolate infected devices from the rest of the network, shut off communications with an adversarial command and control site, and start remediation, Ackerman said.

The level of access provided by the EDR tool should allow a less experienced IT administrator to address a legitimate observation they've made without doing broader harm to the customer's ecosystem, Ackerman said.

MSPs need cybersecurity tools that IT generalists can use without causing harm to themselves, according to Danny Lopez, virtual CIO at San Diego-based solution provider centrexIT. Level 1 and Level 2 help desk employees shouldn't be provided with a level of access that makes it possible for them to open up IT ecosystems to vulnerabilities, Lopez said.

Lopez estimated that roughly 80 percent of centrexIT's cybersecurity efforts for customers today are focused on prevention, but he would like to see the company get more information on helping customers remediate issues after the fact.

"I think it [the Sophos EDR offering] is competitive, and I'm happy to see it moving in the right direction," Lopez said.

The biggest service solution providers can provide to customers is being able to understand the tools in their ecosystem and ensuring that they're configured correctly, Ackerman said. Security products are typically deployed with high security settings as the default to stop suspicious activity, but overwhelmed IT administrators sometimes resort to excluding certain parts of their ecosystem from being scanned.

"Most organizations today get breached not because they didn't have good security products, [but] because they didn't know how to use them," he said.

The foundation of any good EDR product, Ackerman said, is having robust protection capabilities to stop malware from getting into a customer's environment, prevent phishing emails from being opened, and detecting when an adversary is attempting to gain a toehold in the organization. Traditional EDR vendors have tried to move into the protection space in recent years, Ackerman said.

"The best EDR starts with the best protection," Ackerman said.

Mark Grundy, president of CorKat Data Solutions, a Loveland, Colo.-based MSP and Sophos Platinum partner, said he sees Sophos as the undisputed end-to-end top security stack provider.

“Every client we bring on as an MSP gets a Sophos firewall and endpoint,” said Grundy. “We won’t support a client unless they adopt Sophos firewall and endpoint. They don’t get a choice.”

Since CorKat Data Solutions standardized on Sophos five years ago, none of its customers have been hit by a significant breach, said Grundy.

Sophos’ biggest competitive adantage is its “synchronized security” stack from the firewall to the access point to the endpoint, said Grundy. “All those things work together so if there is a suspicious event anywhere on the network, we can isolate it,” he said. “That makes our team more efficient. We don’t have to chase things down.”

Sophos’ strong security stack is helping drive CorKat Data Solutions’ MSP sales growth of 238 percent over the last two years, said Grundy. “The only way to scale is to be efficient,” he said. “The fact that we are not supporting four different firewalls and 10 different kinds of antivirus and that all of the Sophos stuff works together makes us much more efficient.”

Sophos is always driving the “bleeding edge” in the fast-changing cybersecurity breach environment, said Grundy. “The have it from end to end,” he said. “The things other companies are trying to get into, Sophos is already doing."

Steven Burke contributed to this story.