Sophos is coming out with Intercept X, its new name for endpoint protection that’s based on technology acquired when it bought SurfRight last year to broaden its endpoint strategy.
The product uses behavior-based screening to detect malicious behavior on endpoints rather than signature-based protection that requires constant updating and can lag behind attackers’ efforts to create new versions.
The software looks at the behavior of processes, specifically watching for 24 techniques that malware uses as part of attacks, says Dan Schiappa, senior vice president of the Enduser Security Group at Sophos. That boosts the chances of finding zero-day attacks that use a common set of techniques.
He says there are just one or two additional techniques that crop up per year, and the platform is updated to address those. That way attackers can’t simply mask a malware signature to avoid defenses.
Intercept X includes an anti-ransomware feature, CryptoGuard, that makes cleartext copies of files as they are being encrypted and can block a process that is encrypting files once it determines the process is behaving like ransomware. CryptoGuard also obfuscates where those copies are kept.
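A toy model of the CryptoGuard approach described above, added here as an illustration; it is not Sophos code and makes no claim about how the product is built. It intercepts writes, keeps a cleartext copy before a readable file is overwritten with ciphertext-like data, and once one process does that repeatedly blocks it and restores its victims. The entropy threshold, the per-process counter and the in-memory file store are constructed assumptions.

```python
import math
from collections import defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: readable documents sit well below 7, ciphertext close to 8."""
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

class CryptoGuardSim:
    """Hypothetical CryptoGuard-style monitor (constructed for illustration, not Sophos code):
    keeps a cleartext copy before a readable file is overwritten with ciphertext-like data, and
    once one process does that too often, blocks it and restores the files it touched."""
    def __init__(self, entropy_threshold: float = 7.0, max_suspicious_writes: int = 3):
        self.files = {}                      # path -> bytes (simulated disk)
        self.backups = {}                    # (pid, path) -> cleartext copy
        self.suspicious = defaultdict(int)   # pid -> count of ciphertext-like overwrites
        self.blocked = set()
        self.entropy_threshold = entropy_threshold
        self.max_suspicious_writes = max_suspicious_writes

    def write(self, pid: int, path: str, data: bytes) -> str:
        """Apply one write; return 'ok', 'suspicious' or 'blocked'."""
        if pid in self.blocked:
            return "blocked"
        original = self.files.get(path)
        looks_like_encryption = (
            original is not None
            and shannon_entropy(original) < self.entropy_threshold  # was readable
            and shannon_entropy(data) >= self.entropy_threshold     # now looks encrypted
        )
        if not looks_like_encryption:   # new file, plaintext edit, or already-compressed data
            self.files[path] = data
            return "ok"
        self.backups.setdefault((pid, path), original)   # copy taken before the overwrite lands
        self.files[path] = data
        self.suspicious[pid] += 1
        if self.suspicious[pid] >= self.max_suspicious_writes:
            self.block_and_restore(pid)
            return "blocked"
        return "suspicious"

    def block_and_restore(self, pid: int) -> None:
        self.blocked.add(pid)
        for (owner, path), original in list(self.backups.items()):
            if owner == pid:
                self.files[path] = original
                del self.backups[(owner, path)]
```

Overwriting a file that is already high-entropy (an archive, say) is deliberately not counted, which is one reason a real product layers several behavioural signals rather than relying on entropy alone.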
The endpoint software performs root-cause analysis of exploits in order to determine what endpoints were affected by the attack. It also recommends what actions customers should take to beef up defenses against similar attacks in the future.
To help make sure remediation is complete, the product includes a feature called Sophos Clean that roots out hidden malware remnants that might lie dormant for a later attack.
The platform shares a security heartbeat with other Sophos devices on the network, such as firewalls, so that, for example, if an attack is detected on an endpoint the firewall can block it, or cut off communications between the compromised endpoint and a command-and-control server.
Likely customers are mid-sized companies with limited IT staff who want to offer something more intelligent that can catch attacks based on behavior, says Eric Ogren, an analyst with 451 Group.
Tying in the heartbeat feature from Sophos’s existing Sophos Central Endpoint product strengthens Intercept X, Ogren says. The feature gives feedback to the network-based security and sets up possible enforcement of controls by other security devices, he says.