Update solution on February 19, 2025

Sophos MDR
Mutable Award: Gold 2025

The foundation of the company’s XDR solution, and of Sophos MDR, is the Sophos Central Platform (see Figure 1). This also underpins many other Sophos solutions and provides integration between them, as well as common integration interfaces (as shown) to third-party security and other business solutions.

The range of service capabilities available via Sophos MDR is extensive, but the purchasing decision is kept relatively simple because only two bundles are offered (see Figure 2).

Fig 2 – Services packages for Sophos MDR

The main features of the ‘Essentials’ package are integration with non-Sophos security products, threat hunting, threat response (including stopping active attacks), and direct call-in during active incidents. Customers may optionally add a ‘Sophos Incident Response Services Retainer’, which provides immediate 45-day availability of incident response services; this is intended to cater for suddenly changed circumstances (e.g. discovery of a data breach) without a setup overhead. The ‘Essentials’ package is also marketed as ‘Sophos MDR for Microsoft Defender’, aimed at customers who rely on Microsoft Defender for many aspects of their protection. For these customers, Sophos-proprietary detection rules and threat intelligence are applied on top of Microsoft’s telemetry, adding layers of defence against advanced attacks that bypass Microsoft’s own security tools.

The Sophos MDR Complete package (the option chosen by the overwhelming majority of customers) adds further capabilities: root cause analysis, as a diagnostic follow-up intended to prevent incidents recurring; incident response that follows through to fully eliminate threats; a dedicated Sophos team member responsible for a customer’s incident response services; and a breach protection warranty.

Within both packages, customers can specify how much of the response Sophos carries out autonomously and how much is coordinated interactively with their own teams. According to Sophos, requirements in this area tend to change over time, particularly as the maturity of a customer’s security practice increases.

Sophos Managed Risk became an addition to the Sophos MDR portfolio during 2024. Using solutions from Tenable, it addresses the threat from unpatched vulnerabilities within the customer’s attack surface. This is subject to continuous risk monitoring involving Sophos’s vulnerability experts. Remediation of vulnerabilities is prioritised according to customer-specific risk factors, and the service includes access to alerts about new critical vulnerabilities.

A particularly important aspect of Sophos MDR is its wealth of third-party integrations. Many examples can be seen at the bottom of Figure 1, but many more are available, helping customers to reduce adoption costs and to cater more easily for ongoing change across their organisation. Sophos MDR for Microsoft Defender accommodates the differing telemetry that customers receive under Microsoft’s various licence tiers, and can enhance that data where necessary by correlating it with data from other sources and enriching it with Sophos threat intelligence. A unique selling point for Microsoft customers is that Sophos ingests Microsoft security data free of charge.

Another range of recent enhancements is under the umbrella of ‘AI for security operations’, with five specific functions added initially:

  • AI Triage for MDR Operations, which analyses incoming cases against a checklist and aggregates duplicates; early results show a saving of 30%+ in analyst effort.
  • AI Case Summary, which produces automated case summaries where required, including detection activities, the entities involved, and suggested next steps.
  • AI Command Analysis, which analyses and explains command lines observed on endpoints, saving the analyst time that their complexity and lack of obvious context would otherwise consume.
  • AI Search, which enables analysts to query the extensive data within the Sophos Central Platform using natural language, making queries more accessible.
  • AI Assistant, which provides AI support for investigation and intelligence gathering, also via natural language data queries.

Even quite large organisations find it a significant challenge to operate their own security practices. The range of skill sets required across different processes is extensive, and demand for skilled staff is very high, so staff retention becomes a significant problem that undermines the organisation’s ability to maintain strong protection. Mid-sized organisations face the same range of threats, and similar needs spanning a variety of security solutions, but have even less chance of success in building or scaling up their own security workforce.

Sophos provides a platform approach suitable for both types of customer organisation. Its advantage is a common core for the many capabilities supported, which makes data sharing and integration between processes easier. Many competing security vendors are trying to provide such advantages by transforming their own solutions, but Sophos has the advantage of an already mature set of offerings that fit the platform model.

The bottom line

Sophos evidences the success of its MDR offering with steady customer growth over 5 years, from 10 in number to 26,000+. Global delivery is assured by hundreds of the company’s experts in threat intelligence, analysis, data engineering, data science, threat hunting, adversary tracking, and incident response across seven global SOCs. Its objective is to continue scaling up to support 100,000 customers, adding further advanced features and leading levels of service.

The acquisition of Secureworks adds a number of capabilities for key next steps. Sophos should be able to incorporate SIEM, SOAR and log retention capabilities from Taegis, all of which match larger customers’ needs. Additionally Sophos gains an Identity Threat Detection and Response capability to add to its service range, as well as support for network telemetry (rather than agent-based) from operational technology (OT), which meets customer requirements in manufacturing, healthcare, and retail markets.

Learn how Bloor Research can support your organization’s journey toward a smarter, more secure future.