Sophos Endpoint Slide Library
June 2024
    Acronym Demystification
Sophos Detection and Response Solutions
The portfolio is built up tier by tier on a common foundation:
▪ Endpoint Protection (the foundation)
▪ Endpoint Detection and Response (EDR)
▪ Extended Detection and Response (XDR)
▪ Managed Detection and Response (MDR)
▪ Network Detection and Response (NDR)
Sophos Detection and Response Solutions
▪ Managed Detection and Response (MDR): Defend against sophisticated novel threats and advanced active adversaries. Superior outcomes delivered as a service 24/7 by highly-skilled experts.
▪ Extended Detection and Response (XDR): Tools for practitioners: Investigate and respond to complex multi-stage threats across all key attack surfaces that technology alone can’t block. (The Sophos XDR license includes EDR features.)
▪ Endpoint Detection and Response (EDR): Tools for practitioners: Investigate and respond to complex threats on endpoints and servers that technology alone can’t block.
▪ Endpoint Protection: Strong protection is critical. Stopping more threats upfront reduces the investigation and response workload for IT and security teams.
▪ Add-ons for MDR and XDR: Extend visibility with Sophos Network Detection and Response and a comprehensive ecosystem of third-party Integration Packs. Visibility beyond the endpoint: Investigate and respond to potentially malicious activity across multiple attack surfaces leveraging telemetry from integrated solutions.
Sophos Endpoint Overview
Endpoint Security That Works for You and With You
Sophos Endpoint adapts your defenses in response to an attack
▪ XDR / EDR: Hunt, investigate and stop threats, with detection and response tools designed for security experts and IT administrators
▪ Adaptive and Automated Responses: Defenses dynamically scale up with additional blocking actions when a human-led attack is detected, stopping the attacker in their tracks
▪ Block Malicious Activity: AI-first protection with anti-exploitation technology monitors application behavior to block ransomware and other malicious activity
▪ Reduce Threat Exposure: Block malicious content and web-based threats, control access to applications, websites and peripheral devices, and ensure optimal configurations
     Sophos Endpoint
     Strong protection is critical. Stop more threats upfront and reduce workload
     Sophos Strengths / Differentiators
            Adaptive Attack Protection
            Shield’s up: Defenses increase in response to attack
            Universal Anti-ransomware
            Robust protection against local and remote attacks
            Strongest Protection By Default
            Install and go. No configuration needed
      Recognition: Consistent AAA Ratings; 2024 MarketScape Leader; Customer’s Choice; EPP MQ Leader
     Reduce Threat Exposure
Blocking Web Threats
Stop threats before they arrive, both in and out of the office
Security Training Under Pressure: It’s increasingly difficult for end users to spot a malicious link or website.
Web Protection
▪ Blocks access to phishing and other malicious sites
▪ Analyses files, web pages, and IP addresses
▪ Continuously updated for freshness and accuracy
Powered By Leading Threat Intelligence
▪ SophosLabs global team of threat experts
▪ Real-time intelligence from the Sophos Managed Detection & Response threat hunting specialists
Controls
▪ Web Control: Customer-configured monitoring and blocking of categories of websites
▪ Peripheral Control: Control access to peripherals and removable media
▪ Application Control: Detect and block applications that are unsuitable for use in the office
▪ Data Control: Monitor and restrict the transfer of files containing sensitive data
     Block Malicious Activity
     AI-First Protection
Behavioral Engine
▪ Memory Scanning Protection: Inspect a running process for malicious code as a part of a file-less attack
▪ Additional Remediation Capabilities: Thorough clean-up capabilities after protection against an attack
Anti-Exploitation Technology
▪ Application Hardening: Bolster processes against manipulation by arbitrary code that adversaries control
▪ Zero Trust Protection: Thorough clean-up capabilities after protection against an attack
▪ Signature-Agnostic Design: Does not rely on pattern matching, machine learning, or cloud lookups
Anti-Exploitation: Harden
Application Hardening
▪ Block memory regions commonly abused for heap spraying
▪ Block abuse of Windows Encrypting File System by ransomware
▪ Block loading of modules hosted on remote device
▪ Bottom-up ASLR (add entropy to relocations)
▪ Enforce Data Execution Prevention (DEP)
▪ Enforce sandbox around VBScript in Internet Explorer
▪ Import Address Table filtering
▪ Mandatory Address Space Layout Randomization on modules
▪ Prevent arbitrary code execution via entry-point hijack
▪ Prevent arbitrary code execution via main thread hijack
▪ Prevent control flow hijack via kernel callback table
▪ Prevent DLL search order hijack on binaries from the web
▪ Prevent dynamic code allocation from Office macro
▪ Prevent dynamic shellcode allocation
▪ Prevent dynamic shellcode permission
▪ Prevent defense evasion via direct syscall
▪ Prevent defense evasion via Heaven's Gate
▪ Prevent defense evasion via unsupervised system calls
▪ Prevent defense evasion via WoW64 marshalling layer
▪ Prevent inter-process dynamic shellcode allocation
▪ Prevent manipulation of driver signing enforcement (DSE)
▪ Prevent null pointer dereferencing
▪ Prevent persistence via accessibility tools
▪ Prevent privilege escalation via secondary logon handler
▪ Prevent process environment block manipulation (PEB)
▪ Prevent removal of Antimalware Scan Interface registration
▪ Prevent side-loading of modules via Windows API Set DLL
▪ Prevent token privilege manipulation
▪ Prevent vtable hijacking in Flash Player
▪ Validate CTF protocol caller
▪ Validate exception chains (SEHOP)
▪ Validate stack memory protection
Credential Hardening
▪ Prevent decryption of web browser secrets (MFA web session cookies, passwords)
(Also see Isolate and Deceive for our kernel-based process isolation against OS credential dumping)
Platform Hardening
▪ Boot record overwrite protection: Master Boot Record (MBR), GUID Partition Table (GPT), Volume Boot Records (VBR)
Anti-Exploitation: Detect
File Analysis +
▪ Ransomware protection with rollback (File Analysis, Platform Monitoring, Process Analysis)
▪ Ransomware protection from remote attacks with rollback (File Analysis, Network Traffic Analysis, Platform Monitoring, Process Analysis)
Process Analysis
▪ Block backdoor implant when it wakes to check in with command-and-control
▪ Control-Flow Integrity (ROP)
▪ Prevent code injection via reflective library
▪ Prevent intersectional control flow
▪ Prevent privilege escalation via token theft (sweep)
▪ Validate API invocation (ROP)
▪ Validate heap content integrity (HeapSpray)
▪ Validate stack integrity (StackPivot)
▪ Validate web browser integrity (Safe Browsing)
Anti-Exploitation: Isolate and Deceive
Execution Isolation
▪ Prevent code injection via atom table
▪ Prevent code execution from residual memory beyond the image size
▪ Prevent code injection via Asynchronous Procedure Call (APC)
▪ Prevent API invocation from stack memory
▪ Prevent application from writing to auto-starting locations
▪ Prevent application from executing arbitrary code via DCOM
▪ Prevent application from executing newly created executable content
▪ Prevent application from loading newly created library
▪ Prevent application from using living-off-the-land binaries and scripts
▪ Prevent process creation via WMI from VBA macro in Office
▪ Prevent OS credential dumping via LSASS memory
▪ Prevent OS credential dumping via LSASS process cloning
▪ Prevent OS credential dumping via Security Account Manager (Registry)
▪ Prevent process creation from dynamic memory in Office
▪ Prevent process hollowing via memory unmapping
Decoy Object
▪ Stop module load order disrespect via deception
Anti-Exploitation: Supplementing Windows Defenses
(Bar chart; values recovered from the slide)
Anti-Exploitation mitigations enabled by default: Sophos 60; Microsoft 7
Total available mitigations: Sophos 60; Microsoft 39 (7 default on by Windows, 28 requiring manual tuning, 4 requiring manual tuning with performance and compatibility caution)
More: https://sophos.com/microsoft
Airtight Ransomware Protection
Airtight Ransomware Protection
The most robust zero-touch endpoint defense against ransomware
Ransomware Techniques (ransomware comes in many forms):
▪ File overwrite encryption
▪ Intermittent encryption
▪ Remote encryption
▪ Boot level encryption
Sophos Endpoint:
▪ Blocks ransomware irrespective of source
▪ Detects malicious encryption by analyzing file content
▪ Blocks local and remote ransomware attacks
▪ Automatically rolls back affected documents (no limits to the file size and type)
▪ Automatically blocks remote devices
▪ Protects the master boot record (MBR)
Remote Ransomware Is a Growing Threat
Adversaries compromise a device then use it to remotely encrypt data on other devices on the same network.
Most endpoint solutions are ineffective as they focus on detecting malicious files and processes on the protected endpoint.
A single compromised endpoint can expose the entire estate to ransomware, even if all the other devices run endpoint protection.
1. Compromise an unmanaged or under-protected device
2. Identify protected device(s) they want to encrypt on the same network
3. Run processes to remotely encrypt protected devices
4. Encrypt files on the protected device
5. Issue ransom note to the victim
Sophos Endpoint: Airtight Ransomware Protection
Sophos has the most robust zero-touch endpoint defense against remote ransomware. Sophos stops ransomware attacks that other solutions miss, including remote attacks and never-before-seen variants.
1. Compromise an unmanaged or under-protected device
2. Identify protected device(s) they want to encrypt on the same network
3. Run processes to remotely encrypt protected devices
4. CryptoGuard detects malicious encryption attempt
5. CryptoGuard stops the encryption and rolls back the affected files
6. CryptoGuard blocks IP of compromised device
Remote Ransomware Protection
Unique anti-ransomware technology that blocks a popular new encryption technique
“There has been a sharp increase in the use of remote encryption. On average, 60 percent of human-operated ransomware attacks used remote encryption—a sign of attackers evolving tactics to evade detection.”
- Microsoft 2023 Digital Defense Report
▪ CryptoGuard detects malicious encryption by analyzing file content, independent of where processes run
▪ Blocks local and remote ransomware attacks
▪ Automatically rolls back affected documents; no limits to the file size/type that can be recovered
▪ Enabled by default; full protection with nothing to configure
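The defensive idea in the slides above (judge a write by what it does to the file's content, not by which process or which host performed it, then roll back and block the remote writer) can be shown with a small simulation. This is an added example, not Sophos code and not CryptoGuard's actual algorithm: the entropy test and its thresholds, the file names, the write-event format and the remote IP are all constructed for illustration.

```python
import math
import random
from collections import Counter
from dataclasses import dataclass, field


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Plain text sits well below 6; ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.2) -> bool:
    """Content-based test: is this buffer statistically indistinguishable from ciphertext?
    The 7.2-bit threshold and the 64-byte floor are constructed for this example."""
    return len(data) >= 64 and shannon_entropy(data) >= threshold


@dataclass
class WriteEvent:
    path: str
    new_content: bytes
    origin: str  # "local", or the IP of the remote client that issued the write (constructed)


@dataclass
class Monitor:
    """Judges every write by what it does to the file, not by who wrote it."""
    files: dict                                    # current content per path
    max_suspicious: int = 3                        # encryption-like writes per origin before blocking
    snapshots: dict = field(default_factory=dict)  # last known-good copy of each file
    blocked_hosts: set = field(default_factory=set)
    rolled_back: list = field(default_factory=list)
    suspicious: Counter = field(default_factory=Counter)

    def __post_init__(self) -> None:
        self.snapshots = dict(self.files)

    def handle(self, ev: WriteEvent) -> str:
        if ev.origin in self.blocked_hosts:
            return "dropped"                       # writes from a blocked remote device never land
        before = self.files.get(ev.path, b"")
        # A low-entropy document being replaced by ciphertext is the ransomware signature;
        # editing text, or rewriting an already-compressed file, passes through.
        if not looks_encrypted(ev.new_content) or looks_encrypted(before):
            self.files[ev.path] = ev.new_content
            self.snapshots[ev.path] = ev.new_content
            return "allowed"
        original = self.snapshots.get(ev.path)
        if original is None:
            self.files.pop(ev.path, None)          # brand-new encrypted file: discard it
        else:
            self.files[ev.path] = original         # roll back from the snapshot
        self.rolled_back.append(ev.path)
        self.suspicious[ev.origin] += 1
        if ev.origin != "local" and self.suspicious[ev.origin] >= self.max_suspicious:
            self.blocked_hosts.add(ev.origin)      # block the compromised device's IP
            return "rolled_back+blocked"
        return "rolled_back"


def simulate() -> dict:
    """Constructed scenario: one legitimate local edit, then a remote host encrypting the share."""
    docs = {f"share/report{i}.docx": b"Quarterly report text " * 20 for i in range(5)}
    mon = Monitor(files=docs)
    results = [mon.handle(WriteEvent("share/report0.docx",
                                     b"Quarterly report text, revised " * 20, "local"))]
    rng = random.Random(1234)                      # deterministic stand-in for ciphertext
    for path in list(docs):
        ciphertext = bytes(rng.getrandbits(8) for _ in range(1024))
        results.append(mon.handle(WriteEvent(path, ciphertext, "10.0.0.23")))
    return {
        "results": results,
        "blocked": sorted(mon.blocked_hosts),
        "rolled_back": len(mon.rolled_back),
        "all_documents_intact": all(not looks_encrypted(c) for c in mon.files.values()),
    }


if __name__ == "__main__":
    print(simulate())
```

After the third encryption-like write from 10.0.0.23 the origin is blocked and its remaining writes are dropped, while every document is restored from its snapshot.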
     Context-Sensitive Defenses
What Are Active Adversaries?
Active adversaries are highly skilled cyber criminals, often equipped with sophisticated software and networking skills, who gain entry to an organization’s systems, evade detection, and continuously adapt their techniques using hands-on-keyboard and AI-assisted methods to circumvent preventative security controls and execute their attack.
Context Sensitive Defense
Behavioral Protection
  Scope: Individual device
  Benefits: Behavioral engine stops early stages of active adversary attacks
  Trigger: Behavioral rules
  Analogy: “SHIELDS ON!”
Adaptive Attack Protection
  Scope: Individual device
  Benefits: Elevates protection sensitivity to prevent damage
  Trigger: Hacking toolsets detected
  Analogy: “SHIELDS UP!”
Adaptive Endpoint Isolation (COMING SOON)
  Scope: Individual device
  Benefits: Prevents lateral movement and C2 activity through network isolation
  Trigger: Isolation based on event triggers
  Analogy: “SHIELDS UP!”
Critical Attack Warning
  Scope: Estate wide
  Benefits: Alerts customer to attack requiring immediate incident response
  Trigger: High-impact active adversary indicators, including org-level correlations and thresholds
  Analogy: “RED ALERT!”
Adaptive Attack Protection
Automatically increases defenses on an endpoint when a "hands-on-keyboard" attack is detected
▪ Activated automatically when an active adversary is detected
▪ Elevates protection sensitivity to prevent damage
▪ Blocks potentially malicious behaviors
▪ Can automatically isolate a device to prevent lateral movement and C2 activity
Safe Mode Protection
Prevents adversaries from abusing Windows Safe Mode to evade endpoint protection
▪ When adversaries fail to break through runtime protection layers, they attempt to reboot into Safe Mode where security software is not present or minimal
▪ A new Adaptive Attack Protection policy rule prevents programmatic rebooting into Windows Safe Mode
▪ Ability to run certain Sophos Endpoint protection capabilities in Safe Mode, including CryptoGuard anti-ransomware
Critical Attack Warning
Alerts users when an attack is in progress and offers immediate assistance to respond
▪ Alerts you when an active adversary is detected across multiple devices in the environment
▪ Console and mobile alerts are sent to all admins in Sophos Central
▪ Alerts provide context and details on the attack
▪ Sophos will reach out directly and provide support options if actions are not taken in a timely manner
     Synchronized Security
     Manageability
Sophos Central
▪ Strong Default Policies: Strong default settings give strong protection
▪ Policy Flexibility: Specify by User or Device
▪ Single Console for Sophos Products: Your security posture at a glance
Account Health Check
An easy way for customers to understand their security posture and compare themselves to peers
Security tool misconfiguration is the No. 1 perceived security threat among IT teams.
▪ Identify misconfigurations that put the organization at risk
▪ Fix issues with one click
▪ Compare scores with peers of similar size
▪ See how your score changes over time
▪ Enabled automatically for all Endpoint and Workload Protection customers
                                             “The vendor's product strategy benefits from the newly
                                             introduced Account Health Check tool, which helps continuously
                                             identify and remediate misconfigured Intercept X settings”
                                             2023 Gartner®️ Magic Quadrant™️ for Endpoint Protection Platforms
            Account Health Check
           An easy way for customers to
         understand their security posture   “In the discipline of systematically strengthening customers'
         and compare themselves to peers     security posture, Sophos has a strong set of features in customer
                                             security advisory recently enhanced with an account health-
                                             checking feature”
                                             IDC MarketScape: Worldwide Modern Endpoint Security for Midsize Businesses 2024 Vendor Assessment
Sophos Confidential
     Protect All Your Endpoints on All Your Platforms
51
     Licensing and Related
     Products
52
     How We Sell Detection and Response Solutions
       Capabilities: Strongest Endpoint Protection | Detection and Response | Extendable with NDR and Integrations | 24/7 Managed Service | Full-scale Incident Response
       Sophos managed: Full-scale Incident Response via IR Retainer Add-on
       Self-managed tools: Full-scale Incident Response via IR Retainer Add-on
       Sophos XDR license includes EDR features
53
     Workload Protection
     High-impact protection with low impact on performance for on-premise, data center, and cloud workloads.
54
     Sophos Mobile
     A secure Unified Endpoint Management solution that helps businesses manage and secure traditional and mobile endpoints.
55
     Device Encryption
     Manage BitLocker (Windows) or FileVault (macOS) from Sophos Central.
56
     Sophos Threat Detection and Response Platform
       Event Sources: Endpoint, Firewall, Email, Cloud, Productivity, Identity, Network, Backup
       Threat Analysis and Correlation: Sophos XDR Data Lake (Collect, Contextualize, Correlate)
         Threat Intelligence + Automated Response + Advanced Threat Analytics
       Threat Response:
         24/7 Managed Detection and Response Services: Sophos MDR experts hunt, investigate, and eliminate attackers on your behalf
         Investigation and Response Platform: Sophos XDR provides a single platform to detect, investigate, and respond to threats
57
     Sophos XDR (Includes EDR)
     Platform for practitioners: Investigate and respond to complex threats across all attack vectors
     Sophos Strengths / Differentiators
       Built on the Best Protection: Stop more threats upfront to reduce workload
       Expansive Compatibility: Use Sophos products, or connect your existing solutions
       Powerful for All Users: Designed for IT Generalists and Security Analysts
     Proof points: 99% Detection Coverage | 2024 MarketScape Leader | #1 XDR solution
58
     Sophos MDR
     Managed service: Defend against highly sophisticated threats and active adversaries
     Sophos Strengths / Differentiators
       24/7 Detection and Response: 90% of ransomware attacks occur outside business hours
       Expansive Compatibility: Keep the cybersecurity software you already have
       Full-scale Incident Response: Threats illuminated + root cause analysis
     Proof points: A top performing vendor | Leader | #1 MDR solution | Customers’ Choice for MDR | Unrestricted Hunting | Response Time SLA | Inclusive Pricing | $1M Breach Warranty
59
     Proof Points
     and Recognition
60
     2023 Gartner Magic Quadrant for Endpoint Protection Platforms
     A Gartner Leader in Endpoint Security (Again)
       Sophos has been named a Gartner Leader in endpoint security in 14 consecutive reports
       No other vendor has been named a Gartner Leader in endpoint security more times than Sophos
       Sophos also named Gartner Customers’ Choice for endpoint security for the second consecutive year
     “[Sophos] continued its focus on a protection-first strategy, enabling more robust default protections in standard deployments to improve ease of use. Sophos completed third-party integrations into Sophos XDR and MDR offerings in 2023 and launched an ecosystem of technology integrations.”
61
     “Sophos’s comprehensive approach from prevention through recovery places Sophos on the shortlist of businesses looking for an established and effective partner for security.”
62
     SE Labs Endpoint Security Test Results - Q4 2023
     SE Labs has published its Q4 (October to December) 2023 Endpoint Protection report. Sophos achieved two AAA SE Labs test awards for the sixth consecutive report by detecting and stopping commodity, real-world cyberattacks, and simulated targeted attacks with 100% accuracy.
63
     Sophos is the only vendor named a Gartner Customers’ Choice in Endpoint Protection Platforms, Managed Detection & Response Services, Network Firewalls, and Mobile Threat Defense
64
     Visit: www.sophos.com/why
67