Customer Profile
As the frequency of cyber-attacks continues to rise, a renewed security philosophy was needed. AUTOCONT came up with a solution to ensure automatic data collection and advanced data analysis. We are thus able to detect threats early, all in an admin-friendly environment.
Baseline and project objectives
Prior to deploying the solution, stations and servers were protected by a standard anti-malware solution with an on-premise admin console. Due to the increasing number of cyber-attacks and their increasing complexity, it was necessary to change the security protection philosophy and deploy an EDR/XDR security solution. This allows the IT department to perform advanced event analysis and respond quickly to detected threats, even when the compromised environment is no longer fully available.
The goal of the project was to provide automated data collection from endpoints, with the possibility of future extension to third-party sources. At the same time, the solution had to be administrator-friendly: thanks to an abundance of pre-prepared or easily completed analytical queries, it must not burden the administrator unnecessarily.
Benefits
- Fully cloud-based solution
- Requires no hardware or admin-server management time
- Advanced incident analysis
- Required information can be retrieved directly from endpoints
- Event collection from third-party products (firewalls, email gateway)
- Pre-defined queries for XDR database
- Possibility to connect to AUTOCONT Security Operation Center
- Cloud Sandbox, Zero-day protection
- Live Response - remote investigation tool, including PowerShell usage
- XDR Sensor can also be operated alongside an AV product from another manufacturer
Solution
The Sophos InterceptX Advanced with XDR solution proved to be the most suitable for the situation. It is based on two components: the Sophos Central cloud console for managing the entire solution, and the Sophos Endpoint Agent. A single multi-platform agent on the endpoint not only protects and detects, but also sends suspicious files to the cloud sandbox and useful telemetry data to Sophos Central, where it is stored in a single "DataLake" repository.
This includes information about user password changes, successful or unsuccessful logins, information about network communication of unusual processes, newly created services or commands and parameters in CMD, etc. Before storage, the data can be enriched with additional information from services such as VirusTotal or Whois, or geolocation data.
DataLake allows SophosLabs' team of specialists to perform advanced analysis on such consolidated data, making it easier to detect the initial stages of an attack, for example from user permission changes, suspicious communications to malicious IP addresses, attempted script execution or newly scheduled tasks in the Task Scheduler.
Used technologies
- Sophos InterceptX Advanced with XDR
- Sophos Central
- Sophos Endpoint Agent
- Sophos Datalake
- Sophos Intelix Cloud Sandbox