Sophos Endpoint Protection

Antivirus systems are the granddaddy of cybersecurity. As the rest of the industry moved on, AVs stuck to their tried and trusted formula of signature matching. Over the past decade, younger concepts have risen to the forefront and grabbed media attention, all of them ready to point out the shortcomings of that formula.

‘Intrusion detection’ became a bigger headline than ‘malware detection’. AI has taken over as the next big thing in cybersecurity. Everyone will tell you that nowadays blocking malware is the wrong way to secure an endpoint and that it is the monitoring of events that really counts.

Signature-based AV on its own can’t protect a network from advanced persistent threats: it doesn’t prevent log file tampering and it doesn’t notice the malicious use of legitimate software (the “living off the land” pattern). However, antivirus systems are far from useless, and they still play a role today in protecting endpoints.

When you read to the end of the breathless presentations of shiny new vulnerability scanners and threat hunters, you will notice that many of these industry disruptors can detect problems but leave the clean-up to something else. You still need an AV, and that is the premise of the Sophos Endpoint Protection strategy.

All about Sophos Intercept X Endpoint Protection

The Sophos Intercept X Endpoint Protection system takes the best of the past and adds the best of present-day cybersecurity strategies. The AV is still there and it centers on a threat database, which is regularly updated with new malware signatures from SophosLabs, the company’s central research unit. This is the traditional AV method and Sophos held onto it.

In order to address all of those critics who point out what AV cannot do, Sophos added intrusion detection to its Endpoint Protection package. This is an approach that has been adopted by many of Sophos’s old rivals in the traditional AV market, such as McAfee and Symantec.

Sophos threat analysis details

Sophos describes this intrusion detection element as a HIPS, a host-based intrusion prevention system. The package’s activities do include traffic monitoring, which under normal circumstances would be the remit of a network-based intrusion detection system; as a computer-focused defense, you wouldn’t expect the software to be looking at network activity at all. The distinction is scope: the HIPS limits its traffic monitoring to what passes through the local network interface and doesn’t poll other nodes to coordinate the hunt for malicious traffic patterns. That is why the system is neither a NIDS nor a SIEM, both of which correlate data collected from many sources.

For an endpoint protection system, Sophos’s software has a surprising tendency to keep looking outwards. The package also replaces your client firewall, so there is a lot of incoming traffic monitoring in there as well as system event and process monitoring.

There is also plenty of web traffic monitoring in this endpoint system, a job that is usually the responsibility of network firewalls and web gateways. Obviously, Sophos isn’t suggesting that anyone throws away their network’s boundary defenses. In fact, one of the strengths of the system is that it can coordinate with your firewall (in practice, a Sophos firewall) to share threat intelligence and implement blocking tactics. This gives a second line of defense against malware and suspicious activity that managed to get past the network’s perimeter.

Sophos history

The success of Sophos lies in its choice of marketing niche. The company started up in 1985 at a base just outside Oxford, UK, in the small town of Abingdon. The company’s age makes it one of the originators of system protection software. However, its location was a distinct disadvantage. While US rivals took advantage of a vast home market, high-budget US-government research sponsorship, and access to tech-hungry capital investors, European IT security producers had to grow sales through much smaller home markets.

Sophos addressed the threat of being squeezed out of the market by rapidly expanding American operations in two ways. It took over a smaller player in the US antivirus market and established a dual base, masking its foreign identity in the lucrative US market. The second winning strategy lay in its target market. While the US giants addressed the home buyer and the corporate market, Sophos chose to pitch to SMEs. This gave the company a distinct identity that prevented it from being shouted down by the majors.

The founders of Sophos brought investors on board by selling off part of their ownership. The company continued to expand by acquisition and licensing deals. Although Sophos had built a good AV product, it lacked a firewall to complement it. Rather than invest millions in development and spend years producing its own firewall, it licensed and rebadged the Outpost Firewall from Russia’s Agnitum.

Takeovers helped Sophos grow to the point that it was valued at $3.9 billion when investment house Thoma Bravo agreed to buy it in October 2019; the deal closed in March 2020.

Sophos Endpoint Protection Editions

Sophos produces a range of endpoint defense systems, of which Sophos Endpoint Protection is just one. The company released Intercept X in 2016 and, at the beginning of 2018, added a deep learning malware classifier to it, which is what Sophos means when it calls Intercept X “AI-driven”. Sophos Endpoint Protection bundles Intercept X Advanced with EDR, Server, and Sophos Mobile.

The Sophos Endpoint Protection software is marketed in two editions: Standard and Advanced. The Standard edition includes a subset of the features that are in the Advanced package.

Sophos Endpoint Protection software

Endpoint Protection Standard

The traditional elements of the Standard edition are its client firewall and its anti-malware file scanning, which checks programs before they are allowed to run on the device. Besides the network entry point, Endpoint Protection scans other points of infiltration, including attached devices such as USB memory sticks, and web pages.

The system scans new programs and any files that the user wants to download onto the device. It not only checks the files that arrive but also assesses the reputation of their sources. Downloads, applications, and web pages are blocked if their sources appear on the Sophos URL blacklist, which is part of a distributed threat intelligence database that is downloaded from Sophos in much the same way as the malware signature database.

The system monitors the behavior of running processes and the activities recorded in log files. It can kill suspicious processes, remove known malware, and update firewall rules to block further traffic from an identified malicious source.

Endpoint Protection Advanced

The Advanced edition has all of the functions of the Standard version. In addition, Endpoint Protection Advanced includes malicious traffic detection, data loss prevention, and patch assessment.

Sophos Endpoint Protection system requirements

Sophos Endpoint Protection agents are available for Windows, Windows Server, macOS, and Linux; all of them are managed from the cloud-hosted Sophos Central console rather than from an on-premises server.

Sophos Endpoint Protection competitors & alternatives

Sophos is a solid, reliable product that benefits from the producer’s long history of success in the cybersecurity market. However, it is not the only product in the market. Endpoint protection is the touchstone of cybersecurity, and every security software producer feels it needs to address this sector in order to be taken seriously. Thus, there are lots of competitors to Sophos to browse.

Here is our list of the best alternatives to Sophos Endpoint Protection:

  1. CrowdStrike Falcon A cloud-native endpoint protection system that draws on threat intelligence pooled from its whole customer base.
  2. McAfee Endpoint Security A close competitor to Sophos that uses the same combination of trusted AV with innovative IDS.
  3. Trend Micro Apex One The joint biggest seller in endpoint protection.
  4. Symantec Endpoint Protection The other biggest endpoint protection system.
  5. Malwarebytes Endpoint Protection Another leading solution that takes the “AV plus” approach.

McAfee Endpoint Security and Symantec Endpoint Protection are probably the closest products on the market to Sophos Endpoint Protection. Symantec Endpoint Protection is the most successful of the three, with the other two chasing Symantec’s market dominance.

Trend Micro Apex One is the joint leader in terms of sales in the endpoint security market alongside Symantec Endpoint Protection. The two jostle for the number one slot, with Trend Micro a fraction ahead one month and Symantec nosing ahead the next. Jointly, both are a long way ahead of the competition, with around 20% of the market each. McAfee Endpoint Security is in the number three position with just above 13% market share.

See also: Symantec Endpoint Protection Review

Trend Micro and McAfee offer their products from the cloud on a Software-as-a-Service model. Sophos has the equivalent, managed through the Sophos Central console and sold as Central Endpoint Protection.

Of the smaller contenders in the market, CrowdStrike Falcon probably has an edge on the older players. It shifts most of its processing up to the cloud and leaves only a lightweight agent on the device, which is a very welcome move for clients that also want memory-strapped mobile devices protected.

Malwarebytes Endpoint Protection has also moved its management and analysis up to the cloud, showing the way forward for vendors like Sophos that blend a suite of separate security utilities into one package.

Working with Sophos Intercept X Endpoint Protection

Choosing a new security system for any part of your IT infrastructure is a time-consuming and stressful task. Whichever product you choose, you will be taking a leap in the dark. The fear factor is probably one of the main reasons that new entrants into the field find it difficult to break through. The brand recognition of names like Symantec, Trend Micro, McAfee, and Sophos gives those older providers a marketing edge.

While the big producers have the advantage of age, they don’t have a monopoly on innovation. So each of the long-term winners, like Sophos, has to keep innovating in order to stay at the head of the market. It is noticeable that the Sophos website is dominated by its presentation of Intercept X, which hobbles the marketability of its Endpoint Protection system: the product is not even on the site’s menu.

One of the best ways to familiarize yourself with a new product before you buy is to test the candidate software first. Fortunately, Sophos offers a 30-day free trial of Endpoint Protection, so you can put it through its paces before committing money to it.