Enhanced Linux and container security for Sophos Intercept X for Server

We are pleased to announce that Intercept X Advanced for Server with XDR now includes enhanced visibility for Linux hosts and container workloads. The new functionality is available for all Intercept X Advanced for Server with XDR and Server MTR customers at no additional cost.

Included as part of the Sophos XDR Detections dashboard, the new detections leverage analytics around attacker behavior, from initial access (including application and system exploitation) to privilege escalation, defense evasion, data collection, exfiltration, and many others.

Example new detections include:

Container escapes: Identifies attackers escalating privileges from container access to move across to the container host
Cryptominers: Detects program names or arguments commonly associated with cryptocurrency miners
Data destruction: Alerts that an attacker may be trying to delete indicators of compromise that are part of an ongoing investigation
Kernel exploits: Highlights if internal kernel functions are being tampered with on a host

These new detections will appear automatically in the dashboard if detected. Access the dashboard by logging into Sophos Central -> Threat Analysis Center -> Detections.These host and container threat detections are automatically converted into an investigation, with an AI-prioritized risk score for each detection. Scores are then color-coded by risk level, enabling security teams to quickly identify where they should focus to increase efficiency. Integrated Live Response further establishes a secure command line terminal to hosts for rapid remediation.

Helping organizations stay ahead of the threat-behavior curve, Sophos Managed Threat Response, the Sophos MDR service, can work in partnership with your in-house security teams or Sophos MSPs, monitoring your on-premises or cloud environments 24/7/365 to respond to Linux security incidents before attackers can get a foothold.

Deployment

These features are ideal for SOC teams that need powerful threat hunting and remediation capabilities and DevSecOps teams that need deep insight into their mission critical workloads with minimal impact to performance. We will provide multiple deployment options: a lightweight agent, available today, that is downloaded and managed from Sophos Central.

Go to Server Protection -> Protect Devices -> Download Linux Server Installer. (Note you don’t need to reinstall the agent to benefit from this new functionality.)

And coming soon: a Linux threat sensor fine-tuned for performance, using APIs to integrate runtime threat detections into your existing threat response tools. This will provide maximum visibility of workloads with minimal impact on performance.