
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/360236183

Sophos central XDR solution

Article · April 2022

Citations: 0, Reads: 47

1 author:

Shreyash Sharma
International Institute of Information Technology
17 publications, 0 citations

All content following this page was uploaded by Shreyash Sharma on 28 April 2022.



Sophos central XDR solution

Introduction

Sophos Central provides an Extended Detection and Response (XDR) system for
maintaining the endpoint security of an estate and responding to suspicious
activity, using both signature-based and behaviour-based detection. The solution
covers a range of security products:

1) Endpoint protection
2) Server protection
3) Mobile
4) Encryption
5) Wireless
6) Email Security
7) Firewall Management
8) Phish Threat
9) Cloud Optix
10) MDR

First we will cover alert management and device security based on logs and
reports, covering all users and the health check of their systems. Security
analysts should build profiles for both internal and external types of attack so
that threats such as credential and privilege misuse can be understood. A
database of known global attacks should be available, with their signatures and
behaviours recorded, so that any suspicious activity can be identified and
analysed. Every organization has a different security toolkit, and Sophos XDR is
able to integrate with those systems effectively to generate accurate reports, so
third-party support is helpful. To analyse attacks that unfolded slowly, the
analytics and logs of previous activity must be retained; the organization
should provide enough storage and resources for these logs.

Dashboard

The dashboard contains the alert summary and the recent suspicious activities
observed in the network. This may include the most recent attacks, user activity
and unprotected systems. We can also check policy control, where Sophos provides
a detailed overview of who violated which policies. We can also check the email
gateway to see how many legitimate and suspicious emails were observed,
including malware, phishing and so on.
In the above image we can see CryptoGuard, which means Sophos detected
encryption activity and stopped the process.

Alerts
In the Alerts view we can group all detections by type, such as privilege
escalation, malware and ransomware. Sophos also provides a description of each
detection: the date of detection, the associated user and the device.
This section also shows the process path, process version, fingerprint (hash) of
the malware and the critical path of the exploitation.
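The triage the article describes (grouping detections by type, tying each to a user and device, and keeping older logs so that a slow attack can be correlated) can be reduced to a few functions over alert records. The following is an added example written for this page, not code from Sophos or from the author; the alert records, the device names, the severity set and the fingerprint values are all constructed placeholders in the field layout the Alerts section lists, and the pipe-delimited format is an assumption rather than any Sophos export format.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample alert records (not exported from Sophos Central) using the
# fields the article lists: date, user, device, detection type, process path and
# malware fingerprint. Fingerprints and device names are placeholders.
SAMPLE_ALERTS = [
    "2022-04-01T09:12:00|Frank Castle|Win7 Desk 3|Privilege Escalation"
    "|C:\\Windows\\Temp\\svc.exe|PLACEHOLDER_SHA256_A",
    "2022-04-20T14:03:00|Frank Castle|Win7 Desk 3|CryptoGuard detected ransomware"
    "|C:\\Users\\Frank.Castle\\Desktop\\e33dj3o.exe|PLACEHOLDER_SHA256_B",
    "2022-04-20T14:05:00|James Johnson|Win10 Desk 1|Malware"
    "|C:\\Users\\James.Johnson\\Downloads\\invoice.exe|PLACEHOLDER_SHA256_C",
    "2022-04-21T08:00:00|James Johnson|Win10 Desk 1|Malware"
    "|C:\\Users\\James.Johnson\\Downloads\\invoice.exe|PLACEHOLDER_SHA256_C",
]

# Detection types treated as critical (an assumption made for this example).
CRITICAL = {"CryptoGuard detected ransomware", "Privilege Escalation"}


@dataclass(frozen=True)
class Alert:
    when: datetime
    user: str
    device: str
    detection: str
    process_path: str
    fingerprint: str


def parse_alert(line: str) -> Alert:
    """Parse one pipe-delimited record into an Alert."""
    when, user, device, detection, path, fp = line.split("|")
    return Alert(datetime.fromisoformat(when), user, device, detection, path, fp)


def load_alerts(lines):
    return [parse_alert(line) for line in lines]


def group_by_detection(alerts):
    """Group alerts by detection type, as the Alerts view does."""
    groups = defaultdict(list)
    for a in alerts:
        groups[a.detection].append(a)
    return dict(groups)


def critical_devices(alerts):
    """(device, user) pairs with at least one critical detection."""
    return sorted({(a.device, a.user) for a in alerts if a.detection in CRITICAL})


def slow_attack_chains(alerts, window_days=30):
    """Per device, find a Privilege Escalation followed within window_days by a
    ransomware detection. This only works when older alerts are retained."""
    window = timedelta(days=window_days)
    by_device = defaultdict(list)
    for a in alerts:
        by_device[a.device].append(a)
    chains = []
    for device, items in by_device.items():
        items.sort(key=lambda a: a.when)
        for i, first in enumerate(items):
            if first.detection != "Privilege Escalation":
                continue
            for later in items[i + 1:]:
                if (later.detection == "CryptoGuard detected ransomware"
                        and later.when - first.when <= window):
                    chains.append((device, first.when, later.when, later.process_path))
    return chains


def fingerprint_spread(alerts):
    """Map each fingerprint to the sorted list of devices it was seen on; the
    same fingerprint on several devices suggests it is spreading in the estate."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a.fingerprint].add(a.device)
    return {fp: sorted(devs) for fp, devs in seen.items()}


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_ALERTS)
    for kind, items in group_by_detection(alerts).items():
        print(f"{kind}: {len(items)} alert(s)")
    print("critical devices:", critical_devices(alerts))
    for device, start, end, path in slow_attack_chains(alerts):
        print(f"{device}: escalation {start:%Y-%m-%d} -> ransomware {end:%Y-%m-%d} ({path})")
    print("fingerprint spread:", fingerprint_spread(alerts))
```

The point of `slow_attack_chains` is the retention argument in the text: the escalation and the ransomware detection on the same device are nineteen days apart in the sample, so a dashboard that only keeps a week of alerts would show them as two unrelated events.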

Managing Users and Devices

In this section we can observe the health of all devices and their associated
users, including the IP address and OS. All the devices are under Intercept X
Advanced with XDR and MTR protection. If there are any integration issues we
can update the system and all the services will be reconnected. We can also
check all the policies related to the devices, such as

1) Encryption
2) Application Control
3) Data loss prevention
4) Peripheral Control
5) Update Management
6) Web Control

Analysis of current system


In this section we are going to look at some analysis of the current Sophos demo
environment and how the security posture of the system can be maintained.

After observing the dashboard we can see 2 critical alerts, both related to
Frank Castle (Win7 Desk 3):
1) CryptoGuard detected ransomware
2) Privilege Escalation

The location of ransomware is at C:\Users\Frank.Castle\Desktop\e33dj3o.exe

After clicking on the device name we see another interface that contains recent
events and status. Some recent events also show "Controlled applications
detected", which decides whether an application should be downloaded or blocked.
Frank Castle belongs to the Domain Users, Sales and SophosUser Users groups,
which also have another member named James Johnson. These are their defined
policies:
