
Sophos NDR – Eliminating network blind spots
In my last few articles, I wrote about Sophos Managed Detection and Response (MDR): first the renaming of MTR to MDR, then the new and powerful add-ons that integrate third-party telemetry data.
Anyone who has read those two articles will have understood that Sophos MDR is an indispensable service for protecting your company from network attacks and cybercrime. But in truth, this is only the beginning.
Don’t get me wrong – with Sophos MDR, you’ve actually already done a lot for the security of your network! The Sophos agent is (hopefully) running on every computer and server, and your Sophos firewall is connected via Synchronized Security and sending logs to the data lake. Furthermore, you have entrusted monitoring and response to the Sophos MDR (Sophos X-Ops) team, which is on guard 24/7. Well done! 👏
Are you using a third-party firewall? No problem. Thanks to the new integrations, you can also connect devices from Palo Alto Networks, Fortinet, Check Point, Cisco or SonicWall with the MDR Firewall add-on.
Blind spots in focus
Although the combination of the firewall and Sophos Managed Detection and Response is an absolute dream duo for securing the company network, questions still remain that rob a conscientious IT administrator of sleep:
- How can I protect our IoT devices, POS terminals, printers, thin clients, smart TVs, etc. that cannot have a Sophos agent installed?
- How can I monitor network traffic behind our firewall?
- How can I monitor and analyze the behavior of internal users?
- How can I keep track of data movement on the network?
- How do I manage to regularly take stock of the assets in our network?
- How can I detect new or unauthorized systems on our network?
- How do I gain insight into the encrypted traffic on our network?
These are all important questions, and Sophos Network Detection and Response (NDR) can actually answer them all. NDR adds a crucial factor to the line of defense. With the firewall, you control traffic entering and leaving the corporate network, and with Intercept X Advanced and the MDR service, you can detect suspicious behavior on endpoints and servers (on which the Sophos agent is installed). But what about the traffic within the entire environment?
Attackers will do anything to avoid detection, and defense evasion is a well-known tactic in the MITRE ATT&CK® framework at the system level. Exploits can hide from EDR solutions, for example, and attackers can disable and delete system logs. However, there is no getting around the fact that an attacker has to move around the network. And that is exactly what the Sophos NDR sensor will log, no matter how quietly or carefully the attacker proceeds: every action leaves a trace.
What is Sophos NDR?
Sophos Network Detection and Response (NDR) is offered as a virtual appliance that passively monitors all network traffic through a SPAN (mirror) port. Everything recorded through this port goes through real-time threat detection based on the five core algorithms provided with NDR.
Sophos acquired the technology behind NDR in July 2021 with the purchase of the company “Braintrace”. Braintrace had developed a virtual machine that monitors network traffic using five core algorithms in order to distinguish malicious from benign activity.
If a threat is detected by these five core algorithms, it is forwarded to the Sophos Data Lake, where it is classified and evaluated. Cases are generated, then analyzed and validated by the Sophos threat response team. NDR sensor information can also be correlated with information from other sensors, such as identity, email, network and firewall sources.
The five NDR core algorithms
Let’s take a closer look at the five powerful algorithms Sophos NDR provides:
Encrypted Payload Analytics (EPA)
This engine can detect malware even in encrypted traffic, where it can otherwise often remain hidden.
Domain Generation Algorithm (DGA)
This engine helps detect communications with command-and-control (C2) servers and other malicious domains, all without any known threat intelligence.
Session Risk Analytics (SRA)
This engine identifies anomalous features in network traffic, such as self-signed certificates or the use of non-standard ports. Together with other unexpected or suspicious activity, these characteristics indicate a high risk that should be investigated.
Data Detection Engine (DDE)
This engine is designed to detect systems on the network that are not managed by Sophos. This helps identify both gaps in the coverage of authorized devices and unauthorized, potentially malicious systems or devices.
Deep Packet Inspection (DPI)
Deep packet inspection can be used to search the network for specific indicators of compromise, such as communication with a command-and-control (C2) server or a suspicious IP address that has no business being on your network.
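As an added illustration (my own code, not Sophos code and not how the NDR engines are actually implemented), the following Python sketches the kind of checks the DGA and Session Risk Analytics descriptions above name: a DGA heuristic that needs no threat-intel feed, based on the entropy of the hostname, and a session scorer that flags self-signed certificates and TLS on non-standard ports. The flow records, port baselines and thresholds are constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample flow records (not real sensor output) in the shape a
# passive sensor could derive from a SPAN port: one record per session.
SAMPLE_FLOWS = [
    {"src": "10.0.1.20", "host": "updates.example.com", "port": 443, "tls": True, "self_signed": False},
    {"src": "10.0.1.21", "host": "x7k2qp9vz1mw3r.net", "port": 8443, "tls": True, "self_signed": True},
    {"src": "10.0.1.22", "host": "mail.example.com", "port": 25, "tls": False, "self_signed": False},
    {"src": "10.0.1.23", "host": "192.0.2.77", "port": 4444, "tls": True, "self_signed": True},
]

TLS_PORTS = {443, 465, 636, 853, 993, 995, 8443}            # assumed: where TLS is expected
COMMON_PORTS = TLS_PORTS | {22, 25, 53, 80, 110, 143, 587}  # assumed baseline of normal ports

def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def is_dga_like(host):
    """Heuristic DGA check without threat intel: a long, high-entropy
    leftmost label. Literal IPs are skipped (there is no label to score)."""
    if all(part.isdigit() for part in host.split(".")):
        return False
    label = host.split(".")[0].lower()
    return len(label) >= 10 and shannon_entropy(label) >= 3.5

def session_risk(flow):
    """Collect the anomalous features named in the text and map them to a level."""
    reasons = []
    if is_dga_like(flow["host"]):
        reasons.append("DGA-like hostname")
    if flow["self_signed"]:
        reasons.append("self-signed certificate")
    if flow["tls"] and flow["port"] not in TLS_PORTS:
        reasons.append("TLS on non-standard port %d" % flow["port"])
    elif flow["port"] not in COMMON_PORTS:
        reasons.append("uncommon destination port %d" % flow["port"])
    level = "high" if len(reasons) >= 2 else "medium" if reasons else "low"
    return level, reasons

def triage(flows):
    """Return every flow annotated with its risk level and the reasons behind it."""
    return [dict(f, level=lv, reasons=rs) for f in flows for lv, rs in [session_risk(f)]]

if __name__ == "__main__":
    for r in triage(SAMPLE_FLOWS):
        print(r["src"], r["host"], r["level"], ", ".join(r["reasons"]))
```

Only the two constructed flows combining a random-looking name or a direct-to-IP connection with a self-signed certificate or TLS on an unexpected port come out as high risk; the thresholds are deliberately simple and a real engine would learn its baseline from the network.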
What you need for Sophos NDR
Sophos NDR is currently only available as an MDR integration, which means you need an active MDR license to set up NDR at all. Since mid-July, XDR customers have also been able to try out NDR for free via the Early Access Program.
As explained above, the Sophos NDR sensor (log collector) runs on a virtual machine (VM). Data is collected there and forwarded to the Sophos Data Lake. Currently, Sophos NDR supports “VMware ESXi 6.7” or later and “Microsoft Hyper-V 6.0.6001.18016 (Windows Server 2016)” or later.
Try Sophos NDR
Have I convinced you of the qualities and advantages of the Sophos NDR solution with this blog post, or at least made you curious? Customers with an MDR or XDR license have been able to register for Sophos’s Early Access Program since mid-July to try NDR for free. The EAP is scheduled to be unlocked from July to November 2023, according to Sophos.
If you do not yet have XDR or MDR licenses and would like to try Sophos NDR, you can order them from our online store:
- Intercept X Advanced with XDR
- Intercept X Advanced for Server with XDR
- Managed Detection and Response Essentials
- Managed Detection and Response Complete
The exact steps to add NDR as an integration in Sophos Central, configure the image, download it and deploy it to the VM can be found in the following guide from Sophos: Set up Sophos NDR