Jun 21 2019

Review: Threats Meet Their Match with Sophos Intercept X

Software defeats ransomware with automatic monitoring and file rollbacks.

Traditional anti-malware products scan both memory and disk for particular threat signatures, which are updated daily (or even more often). But if a new threat appears before the pattern files are updated, these solutions are unable to detect or prevent the attack.

In an effort to keep ahead of the criminals, SophosLabs analyzes more than 400,000 new malware samples every day. The challenge is that the vast majority of malware is unique to individual organizations, so updating a pattern file is an inefficient, ineffective block for these attacks.

To fix that, Sophos Intercept X sits on top of traditional security software solutions to augment protection. The software prevents malware before it can be executed and stops threats, such as ransomware, from running. When ransomware does get into the network, the tool provides a root cause analysis to help users understand the forensic details.

MORE FROM FEDTECH: Get more details about how attackers are entering networks faster than ever.

Deep Learning Helps Detect and Block Ransomware

Intercept X uses deep learning to detect new (and previously unseen) malware and unwanted applications. Deep learning is modeled after the human brain, using advanced neural networks that continuously learn as they accumulate more data. It’s the same kind of machine learning that powers facial recognition, natural language processing and even self-driving cars, all inside an anti-malware program.

Ransomware has grown at a fast clip since the success of the WannaCry malware infection in May 2016. Ransomware installs itself on a computer and then encrypts the important files, making them inaccessible to their owner. The owner then receives a message from the attackers that, in an exchange for currency, they will decrypt the files.

Sophos Intercept X blocks these attacks by monitoring the filesystem, detecting any rapid encryption of files and terminating the process. It even rolls back the changes to the files, leaving them just as if the malware had never touched them — and denying the cybercriminals the payoff they want.

Software Offers Valuable Security Insights

The software offers several additional protections. WipeGuard uses the same deep-learning features to protect a computer’s Master Boot Record. (Ransomware attacks on the MBR prevent the computer from restarting. Even restores from backups are impossible until the cybercriminals get their money.)

Safe Browsing includes policies to monitor a web browser’s encryption, presentation and network interfaces to detect “man in the browser” attacks that are common in many banking Trojan viruses. Sophos Root Cause Analysis contains a list of infection types that have occurred in the past 90 days.

There’s even a Visualize tab that connects devices, browsers and websites to track where the infection occurred and how it spread. This doesn’t mean users must take action immediately, but it could help them investigate the chain of events surrounding a malware infection and highlight any necessary security improvements.

One caution with Intercept X: If users haven’t patched their software, especially Java and Adobe applications, it may detect false positives. Be sure to update all software to the most current version — always a best practice — to avoid receiving these accidental alerts.

MORE FROM FEDTECH: Learn new ways to think about federal cloud security.

Streamlined Endpoint Protection Makes a Manager’s Job Simpler

Endpoint protection is wonderful, but managing all those endpoints can be a chore. In addition to the usual laptops and desktops, security managers must pay attention to servers, mobile devices, email and web browsing. The potential threat surface can seem overwhelming.

The Sophos Central console streamlines that management, especially when deployed alongside other Sophos products. From the console, admins can manage Intercept X and endpoint protection either globally or by device. Web protection provides enterprise-grade browsing defense against malicious popups, ads and risky file downloads. The mobile dashboard also shows device compliance, self-service portal registrations, platform versions and management status. 

Server security protects both virtual and physical servers. The Server Lockdown feature reduces the possibility of attack by ensuring that a server can only configure and run known, trusted executables.

Sophos wireless, encryption and email products also tie in to the console, and Sophos Wi-Fi access points can work alongside endpoint and mobile protection clients to provide integrated threat protection. That lets admins see what’s happening on wireless networks, APs and connecting clients to get insight into inappropriate use of resources, including rogue AP detection. 

The Sophos Encryption dashboard provides centrally managed full disk encryption using Windows BitLocker or Mac FileVault. Key management becomes a snap with the SafeGuard Management Center, which lets users recover damaged systems. Sophos email protection provides a guard against spam, phishing attempts and other malicious attacks through the most common user interface of all: email.

Sophos Central isn’t just for admins, either. Self-service is an important feature today, with user demands and IT budgets in constant conflict. Users can log in to the Sophos self-service portal to customize their security status, recover passwords and get notifications. In most IT departments, password recovery is the No. 1 help desk request, and eliminating those calls means technicians can spend more time on complex tasks.

Sophos Intercept X

OS: Windows 7, 8, 8.1 and 10 32-bit and 64-bit; macOS
Storage Requirement: 20MB on the endpoint
Server Requirement: Sophos Central supported on Windows 2008R2 and above

DKosig/Getty Images

More On


Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT