Posted on 23-May-2020

Source: partnernews.pandasecurity.com/za/src/uploads/2015/12/AD... (2017-02-22)

Preliminary study: Sophos Intercept X vs Adaptive Defense

At the end of 2015, Sophos bought SurfRight, a company that developed only one product (HitmanPro), positioned as a “second opinion” solution against exploit-based attacks. Sophos now plans to launch a solution based on HitmanPro at the end of 2016: Intercept X. Intercept X will be positioned as an EDR (Endpoint Detection & Response) solution.

Unlike Endpoint Protection products, EDR solutions are characterized by covering four basic aspects of endpoint security, necessary to properly defend networks against any type of threat: (1) Detecting security incidents; (2) Containing incidents on endpoints; (3) Investigating security incidents; and (4) Resolving incidents and restoring endpoints to the status they had before the infection took place.

To respond to those needs it is necessary to continuously monitor processes in order to detect potentially malicious behaviors, known or unknown, as soon as possible and regardless of their type. Additionally, it is necessary to know the origin of threats, the actions taken, the infection vector, and their traceability.

This document aims at proving that Sophos Intercept X alone does not meet the requirements to be considered an EDR solution. Additionally, we will examine the technologies implemented and their capability to detect any type of malware, security incident and attacker.

Comparison table. Columns: Scope; Sophos Intercept X; Panda Adaptive Defense; Arguments (Sophos disadvantages / Adaptive Defense advantages). Each row below lists the two products' entries followed by the arguments.

DETECTION OF SECURITY INCIDENTS

Detection technology

Sophos Intercept X:
- Detection model: based on known exploit patterns. Scans processes locally searching for exploits.
- Delivery: locally stored knowledge. No knowledge is hosted in the cloud.
- Capabilities: no scanning of or protection against known malware; focused on exploits. Limited to protecting against ransomware and malware that use exploits.

Panda Adaptive Defense:
- Detection model: based on classifying all processes (trusted and malicious). The information obtained by continuously monitoring the processes run on endpoints is sent to the cloud, where Machine Learning techniques in Big Data environments exploit it and integrate it into Panda's knowledge base.
- Delivery: the knowledge is hosted in the cloud, where it evolves and is constantly updated. The components used to monitor processes and efficiently send knowledge to the cloud reside locally on computers.
- Capabilities: designed to protect against ransomware, APTs and, in general, any malicious process, known or unknown. Only trusted processes and activities are allowed to run, whereas untrusted items are blocked, regardless of the technique used to compromise the system.

Arguments (Sophos disadvantages):
- Incomplete detection technology (it is just a subset of Adaptive Defense's anti-exploit technologies).
- Doesn't classify all processes, only those that match its known/downloaded anti-exploit patterns.
- The monitoring data is used for forensic analysis; it cannot be leveraged to carry out automated malware scans or classification in the cloud.
- Prone to generating false positives and false negatives: if the malware uses unknown exploits it won't even be detected.
- Locally stored monitoring data, with clear limitations for reconstructing the actions taken by APTs and long-running malware.
- Locally stored knowledge, isolated from the rest of the protection systems.

Arguments (Adaptive Defense advantages):
- Thanks to its cloud-based monitoring, Adaptive Defense classifies 100% of running processes, accurately determining whether they are goodware or malware.
- Stores all monitoring data in the cloud, which allows the solution to reconstruct the actions taken by any type of malware, including APTs.
- No false positives or negatives.

Complete protection

Sophos Intercept X:
- A security service specialized in exploits ONLY and positioned as anti-ransomware.
- Compatible with third-party antivirus solutions, which are required if complete protection is needed.

Panda Adaptive Defense:
- Complete detection service capable of identifying any type of attack regardless of its nature (known/unknown). The monitoring model allows the solution to detect malicious software of any kind: viruses, Trojans, ransomware, exploits, botnets, network worms, etc.
- Independent from and compatible with the installed antivirus.

Arguments (Sophos disadvantages):
- Intercept X is a complement that requires the installation of a traditional antivirus to deliver complete protection. The product doesn't detect a large percentage of viruses (*).
- Multiple solutions mean different resource requirements, a larger likelihood of errors, more maintenance, and more difficult integration to ensure security.

Arguments (Adaptive Defense advantages):
- Adaptive Defense protects computers with maximum assurance on its own, without the need for a third-party antivirus solution.

(*) Tested in the lab with version 11.5.0 without a traditional antivirus installed. The conclusion was that protecting computers with just Intercept X is very insufficient: the solution detects a very low percentage of malware.


INCIDENT CONTAINMENT

Malicious applications and other attacks

Sophos Intercept X:
- Blocks processes that take advantage of known exploits.

Panda Adaptive Defense:
- Flexible protection through 3 protection modes: monitoring, hardening and lock.
- Different mechanisms to mitigate the inconvenience of having items blocked until they are accurately classified as trusted or malicious.
- Blocks applications compromised by fileless malware, exploits, non-executable files, etc.

Arguments (Sophos disadvantages):
- Intercept X doesn't block unknown processes or processes that use unknown exploits. Protection is focused on defending against ransomware that exploits known vulnerabilities.

Arguments (Adaptive Defense advantages):
- Adaptive Defense can block all unknown processes if administrators so choose: it provides complete protection against ransomware and any other type of malware, including APTs.
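To make the default-deny classification model and the three protection modes concrete, here is a small policy engine written for this page as an added example. It is not Panda's code and is not derived from the product: the page only names the modes, so the behaviour of each mode (monitoring records everything and blocks nothing; hardening blocks unknown items that arrived from an external origin but lets already-installed unknown items run; lock blocks every item not classified as trusted), the in-memory knowledge base, the hash values and the sample process events are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    """The three protection modes named on the page; the semantics are assumptions."""
    MONITORING = "monitoring"  # classify and record every process, block nothing
    HARDENING = "hardening"    # block unknown items that came from an external origin
    LOCK = "lock"              # block every item not classified as trusted


class Verdict(Enum):
    TRUSTED = "trusted"
    MALICIOUS = "malicious"
    UNKNOWN = "unknown"  # not (yet) classified by the knowledge base


@dataclass(frozen=True)
class ProcessEvent:
    sha256: str  # hash of the executable, the key used for classification
    path: str
    origin: str  # "local" (already installed) or "external" (download, mail, USB)


# Constructed stand-in for the cloud knowledge base (hash -> verdict).
# A real deployment would query the vendor's service; these hashes are placeholders.
CLOUD_KNOWLEDGE = {
    "a" * 64: Verdict.TRUSTED,
    "b" * 64: Verdict.MALICIOUS,
}

# Constructed sample telemetry: one trusted, one malicious and two unknown binaries.
EVENTS = [
    ProcessEvent("a" * 64, r"C:\Program Files\Editor\editor.exe", "local"),
    ProcessEvent("b" * 64, r"C:\Users\alice\Downloads\invoice.exe", "external"),
    ProcessEvent("c" * 64, r"C:\Users\alice\Downloads\setup.exe", "external"),
    ProcessEvent("d" * 64, r"C:\Tools\legacy.exe", "local"),
]


def classify(ev, knowledge):
    """Default-deny: anything absent from the knowledge base is UNKNOWN, not trusted."""
    return knowledge.get(ev.sha256, Verdict.UNKNOWN)


def decide(ev, mode, knowledge):
    """Return 'allow' or 'block' for one process event under the given mode."""
    verdict = classify(ev, knowledge)
    if mode is Mode.MONITORING:
        return "allow"  # audit only; the event is still recorded by run_policy()
    if verdict is Verdict.MALICIOUS:
        return "block"
    if verdict is Verdict.UNKNOWN:
        if mode is Mode.LOCK:
            return "block"
        # HARDENING: unknown items already present locally keep running (assumption)
        return "block" if ev.origin == "external" else "allow"
    return "allow"  # TRUSTED


def run_policy(events, mode, knowledge=CLOUD_KNOWLEDGE):
    """Evaluate every event and return the full activity log.

    Every process is logged, not only the blocked ones, so the same log can
    feed forensic reconstruction or a SIEM. Entries are (path, verdict, action).
    """
    return [
        (ev.path, classify(ev, knowledge).value, decide(ev, mode, knowledge))
        for ev in events
    ]


if __name__ == "__main__":
    for mode in Mode:
        print(mode.value, run_policy(EVENTS, mode))
    # Once the (simulated) cloud classifies a pending hash, replaying the same
    # events releases the item without any rule change on the endpoint.
    updated = dict(CLOUD_KNOWLEDGE, **{"c" * 64: Verdict.TRUSTED})
    print("lock after classification", run_policy(EVENTS, Mode.LOCK, updated))
```

The design point to notice is that the "block" decision for `setup.exe` in lock mode is not a signature match; it is the absence of a trusted verdict. Relaxing that to hardening mode only changes the outcome for items that were already on the machine, which is the trade-off the page's "mitigate the inconvenience of having items blocked" bullet refers to.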

Vulnerability assessment

Sophos Intercept X:
- Not available.

Panda Adaptive Defense:
- Available through the Advanced Reporting Tool module.

Arguments (Adaptive Defense advantages):
- Vulnerable applications are a primary point of entry for attacks. Preventing their presence on endpoints is a good way to mitigate many attacks.

ANALYSIS

Forensic analysis

Sophos Intercept X:
- High-level diagrams showing the actions taken by malware processes ONLY.
- Oversimplified action tables.

Panda Adaptive Defense:
- Detailed diagrams showing all actions taken by malware.
- Detailed action tables.
- Sends process activity telemetry to Panda's cloud for classification, allowing the solution to detect unknown threats and threats compromising trusted applications.

Arguments (Sophos disadvantages):
- Intercept X does not show a timeline of malware actions. The information provided is far less detailed: it doesn't indicate when a given action took place, on which item, or the exact parameters of the action.

Arguments (Adaptive Defense advantages):
- Adaptive Defense shows a much more detailed timeline, allowing for deeper and more complete forensic analyses to avoid future risk situations and restore compromised systems to their previous status.

Visibility of endpoint activity

Sophos Intercept X:
- Doesn't collect information from non-compromised processes, so it doesn't provide complete visibility into the activity and processes running on endpoints.

Panda Adaptive Defense:
- Leverages both the information obtained from the continuous monitoring of all processes and cloud-generated security data. The Advanced Reporting Tool allows administrators to obtain other valuable data from endpoints (programs installed and run, vulnerable programs, bandwidth usage per application, endpoint or user) and to trigger alerts in response to anomalies.

Arguments (Adaptive Defense advantages):
- Adaptive Defense optionally provides the Advanced Reporting Tool, with key actionable IT management data at endpoint level.

REMEDIATION

Remediation tools

Sophos Intercept X:
- Sophos Cleaner.
- Rollback of files modified by ransomware.

Panda Adaptive Defense:
- Cloud Cleaner.

Arguments (Sophos disadvantages):
- Intercept X keeps a copy of all files modified by processes, in case a specific process is later identified as malware. This has a negative effect on computer performance and hard disk usage.
- Sophos Cleaner and Cloud Cleaner are equivalent tools for on-demand/offline infection removal.

Arguments (Adaptive Defense advantages):
- Adaptive Defense is far less exposed to ransomware, as it prevents the execution of any unknown process or process classified as malicious.

Columns (continued): Scope; Sophos Intercept X; Panda Adaptive Defense 360; Arguments (Sophos disadvantages / Adaptive Defense 360 advantages).

CLOUD-BASED MANAGEMENT

Cloud service

Sophos Intercept X:
- No investment in security infrastructure; the entire service is hosted in the cloud.
- Easy-to-use console that doesn't require specialized technical personnel.
- Immediate startup.

Panda Adaptive Defense 360:
- No investment in security infrastructure; the entire service is hosted in the cloud.
- Easy-to-use console that doesn't require specialized technical personnel.
- Immediate startup.

Arguments:
- The benefits and functionality provided by both products are equivalent.

COMPATIBILITY AND INTEROPERABILITY WITHIN THE ORGANIZATION

Platforms

Sophos Intercept X:
- Compatible with Windows 7, 8 and 10 workstations (32-bit and 64-bit).

Panda Adaptive Defense 360:
- Compatible with Windows XP SP2, Vista, 7, 8 and 10 workstations (32-bit and 64-bit).
- Compatible with Windows Server 2008 and 2012.

Arguments (Sophos disadvantages):
- Intercept X cannot be installed on Windows servers and supports fewer Windows workstation versions than Adaptive Defense.

Arguments (Adaptive Defense advantages):
- Adaptive Defense is compatible with the most popular Windows workstation and server platforms.

Integration with existing SIEM systems

Sophos Intercept X:
- Doesn't allow integration with the company's SIEM to perform a holistic analysis of security incidents.

Panda Adaptive Defense 360:
- Generates activity logs recording all processes that take place on endpoints, enriched with cloud-generated security data. These logs are compatible with most SIEM products on the market.

Arguments (Adaptive Defense advantages):
- Adaptive Defense allows integration with most SIEMs on the market.

SYNERGIES WITH SECURITY PRODUCTS FROM THE SAME VENDOR

Technology and product integration

Sophos Intercept X:
- Despite being integrated in the global console Sophos Cloud, Intercept X works independently from the EPP solution Endpoint Protection Advanced.
- Sophos Security Heartbeat shares security intelligence between Endpoint Protection Advanced and Sophos Firewall OS.

Panda Adaptive Defense 360:
- Implements both traditional EPP technologies and EDR technologies in a pipeline or layered process structure, where the results obtained in one layer are collected to be processed and enriched in the next layer.

Arguments (Sophos disadvantages):
- Intercept X creates information silos that can't be leveraged, which translates into worse protection against unknown malware and a larger number of false positives.
- Heartbeat does not share information between Intercept X and Firewall OS.

Arguments (Adaptive Defense 360 advantages):
- Adaptive Defense 360 maximizes the synergies among the different layers, extending knowledge and effectively managing the classification of all processes run on the customer's network.

PRICE OF THE COMPLETE CLOUD-BASED SECURITY SOLUTION

Sophos Intercept X:
- The price of Sophos Intercept X for 1 year starts at $40 (€36) per seat and changes based on the volume purchased and the contract duration.
- The price of Sophos Endpoint Protection - Advanced for 1 year starts at $63 (€57) per seat and changes based on the volume purchased and the contract duration.

Panda Adaptive Defense 360:
- The complete solution Adaptive Defense 360 offers a more competitive price and, being a single EPP + EDR solution, achieves better synergies among the different modules that make it up, offering a comprehensive security service with maximum assurance and minimum inconvenience.