Sophos XDR and EDR 4.0 are now available, bringing powerful Extended Detection and Response (XDR) as well as significant enhancements to Endpoint Detection and Response (EDR).
Introducing Sophos XDR
Sophos XDR goes beyond endpoints and servers, also pulling in rich Sophos Firewall and Sophos Email data (Sophos Mobile and Cloud Optix XDR-integration is coming soon) with 30 days of storage in the Sophos Data Lake. Which means organizations get even more detailed insight into their environments when performing threat hunting or IT operations tasks.
Users get both the broad, big picture view of their cybersecurity environment with the ability to deep dive into areas of interest for granular detail. It’s the best of both worlds.
Here are just a few Sophos XDR use cases:
|IT Operations||Threat Hunting|
You can see more examples in the EDR/XDR use cases PDF.
Details on availability
Sophos XDR and the Sophos Data Lake are available for Windows and Linux now. macOS support is planned for H2CY21. MSP Flex availability is scheduled for late June.
How do I sell Sophos XDR?
Sophos XDR (CXDR) is an overlay license that enables 30 days of data collection from any Sophos XDR-ready product.
XDR-ready products feed data to the Sophos Data Lake and require their own separate license, for example Intercept X Advanced with EDR (CIXAEDR), Intercept X Advanced for Server with EDR (SVRCIXAEDR), Sophos Firewall (XG/XGS) with Xstream Protection or Sophos Email Advanced (CEMA).
For further details on requirements, exclusions, and example licensing scenarios, please read the Sophos XDR Licensing Guide.
For sales tools and additional resources, visit the Sophos Partner Portal.
Note that only Intercept X Advanced with EDR and Intercept X Advanced for Server with EDR can use Sophos XDR without having another XDR-ready product. See the license guide for further details.
Customers with an XG Series or virtual appliance and TotalProtect Plus/FullGuard/FullGuard Plus/EnterpriseGuard Plus can also use Sophos XDR at launch. These customers will be automatically migrated to Xstream Protection in the July timeframe.
Offline Access with the Sophos Data Lake
A key component of both XDR and EDR, the Sophos Data Lake stores critical data from XDR and EDR enabled devices, enabling access to that data even when devices are offline. For example, look back for unusual activity on a device that has been destroyed or taken without authorization. It’s an important part of cybersecurity visibility giving organizations the ability to see their entire environment and quickly drill down to granular areas of interest. Data retention periods are 7 days (EDR) and 30 days (XDR). That’s in addition to the up-to 90 days of on-disk data stored on devices.
EDR gets even better – again!
The latest version of EDR (4.0) brings some incredible enhancements, which are available to existing EDR users.
Sophos Data Lake
EDR customers will have the ability to get data up to 7 days in the past from their endpoints and servers, even if those devices aren’t currently online, in addition to the up-to 90 days of on-disk data they have currently. Note that customers have to enable the Sophos Data Lake. The Sophos Data Lake is available for Windows and Linux now, macOS support is coming H2CY21.
Users can schedule queries to run overnight so key data is ready and waiting for assessment in the morning and they have the information needed to perform critical threat hunting and IT operations tasks. Initially scheduled queries are available for the Sophos Data Lake with on-device Live Query following.
Users can work even faster with enhancements to workflows and pivoting that help them get to key information faster and enable them to take actions and respond even faster.
Tools to help
- XDR web page
- Intercept X web page
- Intercept X for Server web page
- Sales resources on the partner portal
Sophos News articles: