Software

Review: Sophos Intercept X Stops Threats at the Gate

Security solution keeps endpoints safe from malware and ransomware.

Dr. Jeffrey Sheen currently works as the supervisor of enterprise architecture services for Grange Mutual Casualty Group of Columbus, Ohio.

Traditional anti-malware products scan both memory and disk for particular threat signatures, which are updated daily (or even more often). But if a new threat appears before the pattern files are updated, these solutions won’t be able to detect or prevent the attack.

In an effort to keep ahead of hackers, SophosLabs analyzes more than 400,000 new malware samples every day. The challenge is that the vast majority of malware is unique to individual organizations, so updating a pattern file is an inefficient, ineffective block for these attacks.

To fix that, Sophos Intercept X sits on top of traditional security software solutions to augment protection. The software prevents malware before it can be executed and stops threats, such as ransomware, from running. When ransomware does get into the network, the tool provides a root cause analysis to help users understand the forensic details.

Defeat Ransomware with Automatic Monitoring and File Rollbacks

Intercept X uses deep learning to detect new (and previously unseen) malware and unwanted applications. Deep learning is modeled after the human brain, using advanced neural networks that continuously learn as they accumulate more data.

It’s the same kind of machine learning that powers facial recognition, natural language processing and even self-driving cars, all inside an anti-malware program.

Sheen

Ransomware has grown at a fast clip since the success of the WannaCry malware infection in May 2016. Ransomware installs itself on a computer and then encrypts important files, making them inaccessible to their owner. The owner then receives a message from the attackers that, in an exchange for currency, they will decrypt the files.

Sophos Intercept X blocks these attacks by monitoring the file system, detecting any rapid encryption of files and terminating the process. It even rolls back the changes to the files, leaving them as if they had never been touched — and denying the cybercriminals a payoff.

Integrated Protections Give Admins Better Visibility

The software offers several additional protections. WipeGuard uses the same deep learning features to protect a computer’s Master Boot Record. (Ransomware attacks on the MBR prevent the computer from restarting — even restores from backups are impossible until the cybercriminals get their money.)

Safe Browsing includes policies to monitor a web browser’s encryption, presentation and network interfaces to detect “man in the browser” attacks that are common in many banking Trojan viruses.

Sophos Root Cause Analysis contains a list of infection types that have occurred in the past 90 days. There’s even a Visualize tab that connects devices, browsers and websites to track where the infection occurred and how it spread.

This doesn’t mean users must take action immediately, but it could help them investigate the chain of events surrounding a malware infection and highlight any necessary security improvements.

One caveat: If users haven’t patched their software (especially Java and Adobe applications), Intercept X may detect false positives. Be sure to update all software to the most current versions — always a best practice — to avoid these accidental alerts.

Make Management Easier Through Sophos Central Dashboard

Endpoint protection is wonderful, but managing all those endpoints can be a chore. In addition to the usual laptops and desktops, security managers must pay attention to servers, mobile devices, email and web browsing. The potential threat surface can be overwhelming.

Sophos Central streamlines endpoint management, especially when deployed alongside other Sophos products. From the console, admins can manage Intercept X and endpoint protection either globally or by device. Web protection provides enterprise-grade browsing defense against malicious pop-ups, ads and risky file downloads. The mobile dashboard also shows device compliance, self-service portal registrations, platform versions and management status.

Server security protects both virtual and physical servers. The Server Lockdown feature reduces the possibility of attack by ensuring that a server can configure and run only known, trusted executables.

Sophos wireless, encryption and email products also tie in to the console, and Sophos Wi-Fi access points can work alongside endpoint and mobile protection clients to provide integrated threat protection.

That lets admins see what’s happening on wireless networks, APs and connecting clients to get insight into the inappropriate use of resources, including rogue APs.

The Sophos Encryption dashboard provides centrally managed full-disk encryption using Windows BitLocker or Mac FileVault. Key management becomes a snap with the SafeGuard Management Center, which lets users recover damaged systems.

Sophos email protection provides a safeguard against spam, phishing attempts and other malicious attacks through the most common user interface of all: email.

Sophos Central isn’t just for admins. Self-service is an important feature today, with user demands and IT budgets in constant conflict.

Users can log in to the Sophos self-service portal to customize their security status, recover passwords and get notifications. In most IT departments, password recovery is the No. 1 help desk request, and eliminating those calls means technicians can spend more time on complex tasks.

Sophos Intercept X

OS: Windows 7, 8, 8.1 and 10, 32-bit and 64-bit; macOSz
Speed: Extracts millions of file features in 20 millisecondsm
Storage Requirement: 20MB on the endpoint
Server Requirement: Sophos Central supported on Windows 2008R2 and above

Antiv3D/Getty Images