Video: Sophos Endpoint: Leveraging Next Gen Technology | Duration: 2936s | Summary: Sophos Endpoint: Leveraging Next Gen Technology | Chapters: Introduction and Welcome (7.2s), Modern Ransomware Landscape (93.385s), Proactive Threat Prevention (258.585s), CryptoGuard Anti-Ransomware Demonstration (746.995s), Additional Security Engines (1125.65s), Network Security Solutions (1924.12s), Server vs. Endpoint (2254.33s), EDR and PowerShell Control (2347.28s), Concluding Remarks (2765.71s), Concluding Appreciation (2927.942s)
Transcript for "Sophos Endpoint: Leveraging Next Gen Technology": Hello, everyone. Thank you so much for joining us today. We're just gonna give everyone a couple seconds to join in and get settled. Meanwhile, I'm gonna do the introduction. So welcome to today's webinar. It's Sofos Endpoint, leveraging next gen technology. And we're joined by our Sofos sales engineers, Angel Ramos and Ryan Lockerbie. Thank you so much for joining us today, and I'm super excited to hear about the session. Before we dive in, I just have a quick a a couple notes. If you have any questions at any point, please use the q and a tab below on the right side. It will be on your webinar console, and we'll get to as many as we can throughout the session. And we'll also have a q and a section at the end of our webinar, so make sure to stick around for that. Today's session is being recorded, and we'll send out the link via email later this week. And also exciting news, we'll pick our solo stove winner from one of our live attendees. So make sure to stick around till the end, and we'll announce the winner in the follow-up email. So with that, I'll hand things over to Ryan to kick things off. Thank you so much. Yeah. Thank you very much, guys. Yeah. Welcome. I appreciate you guys all joining us here today for the Sophos endpoint webinar. We'll be doing these going forward probably monthly on a cadence to go over different products, things that are coming out new, discussing the threat landscape, and things like that. So today's focus is gonna be on the Sophos endpoint, specifically on anti ransomware technology that Sophos leverages today. So today, we're gonna go over the threat landscape and kinda discuss what modern ransomware looks like today, proactive versus reactive, and interception is always gonna be better than response. And how do we achieve that today with with CryptoGuard? We're gonna do a live CryptoGuard demo where I will pull up a virtual machine and detonate zero day ransomware on the system to demonstrate how CryptoGuard does the file rollbacks before we go over another engine called Intellix that gives shared threat telemetry across multiple attack surfaces. And then we'll leave some time for q and a at the end there. So to move on to the threat landscape, why we're talking about this today is a lot of this comes in through business email compromise. And regardless of the final impact being ransomware or whatever it is, it is extremely impactful on the financial side of things. Cybersecurity has gotten significantly more complex. It's gone more from a, you know, nice commodity, to have for the for the larger organizations to do something that is absolutely necessary and part of your infrastructure for every business nowadays. And the attack the attacks have adapted to to combat those tools as well. And that's how we get to remote ransomware. This is something we're talking about today because this is one of the most powerful, tools that we have on the market, for actually ransoming, systems that are already currently using endpoint protection. They realized really quickly that trying to attack an endpoint directly on that endpoint gets picked up by the anti ransomware engines pretty well. So they've shifted to mounting the drive to a rogue device on the network. That is what remote ransomware means, where the encryption process happens on a secondary device so that the endpoint protection can't see it. And according to Microsoft in 2024, all successful seventy percent of all successful ransomware attacks on Windows were in 2024 were remote ransomware. So this is a novel technique that's been adapting to kind of try and stay one at one team one step ahead of the blue team at all times. Right? So this is normally triggered from an IoT device or rogue device on the network. Right? 92% of all of them came from something that was unmanaged, and it has been a 65% increase year over year from 2024 in remote ransomware that we've seen in the wild. So this is a very, very modern threat vector that is definitely being utilized in the industry right now. Move on here. Alright. Thanks, Ryan. Alrighty. So with those numbers, seeing how ransomware and just really any type of attack continuously evolve, it is important to always take a proactive stance as opposed to a reactive stance. We take a prevention first approach. So right up front, SOFO standpoint is going to stop 99.99% of any and all threats, including ransomware, including that remote ransomware, thereby minimizing the attack surface. The less time that a threat actor is in your environment, the less they can move around, gain a, you know, a deeper foothold, and just cause more problems. Most of the time, we're gonna kick them out right at the gate. If anything were to proceed, we have mechanisms in place to uncover zero day threats through the use of AI, very, very, very deep detection logic. We are the largest AI native open platform as well. So AI is a huge part of what goes into our detection logic. We're able to step away from just the classic signature based detections. We can take how something is interacting with your machine, its behavior, what it might look like. We have our own database, so decades in the making that we can cross reference at any point, keeps us sharp ahead of the curve, and almost, more importantly, reduces our false positive detection rate. This platform is scalable and incredibly adaptive to your needs. So we offer a platform with multiple areas of coverage, whether we're talking endpoint, your endpoints and servers, maybe your email environment, maybe your firewall, the edge of the network. We will be there to help protect. We also will play very well with a ton of third party softwares and services out there. So leveraging our extended detection and response, our XDR dashboard, we can open up the ability to connect to these services, things like Microsoft, Google, Okta, Veeam, a bunch out there. We want to gather that data and be your one stop shop and consolidate it all in one place. The way that we achieve this is through synchronized security. So our products are able to intelligently speak with one another and basically harden your defenses all across the board when we detect any kind of anomalous behavior. If an endpoint appears to be compromised or maybe is identifying something new, your firewall's gonna be made aware. Your firewall can take action layer three and above, automatically kill that traffic with a firewall rule. Meanwhile, a Sophos switch can take the MAC address and perform an automatic quarantine, and the application itself, Sophos endpoint, can perform application level isolation on the network. These steps are all automatic. They happen within seconds. Don't require you to lift a finger. That prevention first approach is all about us minimizing attack surface, stopping a threat as soon as we become aware of it. And when you combine all of these things, it's helped us maintain a role as a leader. So in Gartner's Magic Quadrant for MDR, we've held a position of leader for sixteen consecutive years. We are consistently receiving the customer choice awards. We, you know, are very proud of our accolades. Our customers seem to be very happy. I highly encourage, if you want any further insight, to look at our most recent g two reviews and just get a feel for yourself. Talking more into the endpoint product itself. As Ryan mentioned earlier, interception is always better. Sopost endpoint was very recently named InterceptX. If we can get in front of and completely stop an attack before it can gain that foothold, we buy that valuable time, completely minimize that attack surface, and keep you safe. CryptoGuard is a baked in tool to Sophos Endpoint that is one of our secret weapons. This is a ransomware specific defense. If we see files, you know, showing the signs of malicious rapid encryption, we can identify those and roll them back without the use of a volume shadow copy, any kind of backup mechanisms on your end. This is done in an in house proprietary method that is unique to CryptoGuard and unique to Sophos. And this will also cover, again, remote ransomware attacks, which historically have shown to be incredibly difficult for other solutions to be able to identify and then take action on. And this can also extend into your MBR or your master boot record as well. Another tool under our belt is adaptive attack protection. So this is an AI fueled defense that helps us identify and take action against a hands on keyboard style attack. If we come to the conclusion that we're seeing that type of traffic or you know, the telltale signs are there, we can automatically harden the machine and do a few things. Prevent commands from passing through that have been known to or can possibly further compromise the system. We can get deeper telemetry from that box and keep administrators or our MDR team on edge with live updates, again with deeper information letting us know what's going on and helping us identify what potential threat there is. An anti exploitation. So right out of the box, Sophos endpoint comes with 60 plus proprietary and already configured, you don't need to set these up, methods for stopping all types of exploits. We do not just use a generic signature based recognition. Again, we use a ton of criteria. We are very advanced. We can take small bits of data, data over time, really anything about what we're investigating and make a very informed and educated decision and even cross reference, again, the multiple decades worth of data. From day one upon the deployment of Sophos endpoint in your environment, we actually provide a baseline configuration that we think is gonna give you the best basic stance or strong policies to hit the floor running with. By default, we cover a few different areas. Threat protection, so effectively just how are we defending the machine against various types of exploits, attacks, ransomware. And you also get baked in controls for data loss prevention, application control, peripheral control, and even mobile web browsing control. So we can extend protection and control into those areas. Again, a few of these come predesigned or preconfigured so that you don't have to spend a ton of time configuring. You're gonna have the best settings that we think are out there. But granular control is available too. If you want to fine tune any of these to what aligns best with your business needs, you can absolutely do that. And lastly, with Sophos Endpoint comes comes access to Sophos Central. So Sophos Central is the single pane of glass, the single stop for management for all things Sophos in your environment. Part of what you'll gain access to is an account health check tab. So this is a a tool that will give you continuous feedback on your security posture. It updates, you know, every day. This will give you immediate telemetry and feedback on where you could potentially strengthen your posture, maybe policies are too wide open. Maybe there's an exception that we think is a little bit too gratuitous. Regardless of what it is, we arm you with the tools to immediately identify it, give you an option to immediately resolve it or find, you know, during a maintenance window for you to do that, or just give you the context needed if you need a second set of eyes through an engagement with your local sales engineer or our support team. Again, this score changes over time. Excellent feedback for making sure you're doing what is best and keeping that posture as strong as possible. And it's it's enabled automatically. Alrighty. CryptoGuard universal ransomware protection. For Ryan, Alright. I'll I'll hand some back to you. Yeah. Excellent. Yeah. So this is, kind of a deeper dive into how CryptoGuard works under the hood. Angel touched on it a little bit. I mentioned it earlier. But this is really what sets so close apart, in the industry when it comes to anti ransomware. Years ago, we took a very different approach. We realized that bad actors were changing the way they were doing ransomware, and we needed to adapt with that. So instead of looking for signatures, we have engines for that. Instead of looking for the process tree to detect encryption processes, we have other engines for that. CryptoGuard specifically watches the file system itself. It's looking at file system modifications. And unlike the overhead required by using shadow volumes like most of the industry uses, these do not have a limitation on file type. There's no limitation on file size, and it does not require gigabytes of space to configure beforehand. This is a tiny bite sized delta file and I mean, bytes sized delta file. And all it does is track the delta, the change of the file. We don't need to roll in. We don't need to back up an entire file. We don't need to do shadow volumes. It doesn't happen every four hours. It happens in real time. And when we trigger the CryptoGuard engine to roll back after detecting malicious encryption, it will then take those Delta files, restore the files to their original state, and return everything to normal. It does like I said, no limitation on file type, no limitation on files at that type that file size. And one of the most powerful things about it is the fact that it can catch that remote ransomware we spoke about earlier. Because the whole point of the remote ransomware is to avoid the process tree being seen by the endpoint. We bypass that completely by not looking at the process tree for ransomware. We're looking behaviorally at the file system itself. Another cool feature about this is that causes it to be able to touch anything on the file system. So as long as it's mounted and we have readwrite access to that file system, CryptoGrip will roll it back, protecting shared drives or anything you have mounted on there. So this is anti ransomware across the the whole board. It does not need known signatures to work. It will work on a zero day situation. As long as there is enough entropy triggered by the engine for ransomware to occur, we will roll it back every single time with no issues with the the, you know, backup file system because shadow volume backups isn't the best way to do it. Normally snapshots every four hours or so. And then if you don't restore within that four hour window, it'll normally back up your encrypted files. So kinda defeats the purpose. So this is basically a rollback for all files of all file types, all file sizes, even on zero day systems. It's a really, really powerful anti ransomware engineer. And this is this is where Sophos really, really shines. This is also gonna protest your master brute record. So if they try and do ransomware, with rootkits, this is also gonna be looking for that kind of stuff. Alright. So let's get to the fun part here, and I'm gonna go ahead and share my screen. And we're gonna do this live. Render. Alright. So here we have our victim system. This is a Windows box. Pretty clean in here. We do have Sophos installed. It is happy to get unhappy and and keeping an eye on the system right now. It doesn't have any red health statuses. There's no malware or PUAs detected. It's just a day to day happy time except for this my documents folder. This looks benign, but this is really a bad script that links to a file in the downloads folder. This is where we're going to find a link that runs, I'll pull in here, a PowerShell script. So this is going to force encryption using the ransomware simulator we have to the encrypt on the documents path. And in here, this is the ransomware simulator that it's calling, and this is using tray true SHA two fifty six AES encryption to do one way encryption on this. It's just a hard coded passcode in here. And, basically, when we take a look at the documents folder, you can see I've got all my documents in here. Right? Access control list, inventory documents. I've got some, you know, Shakespearean works, some UI images, brochures, just general documents that you would have in your environment. And if I come over here and run this shortcut, it's gonna execute the PowerShell. And in here, it attempts to run that ransomware across the entire report here, and all of our files are completely protected. I will say faster than the human eye, it did successfully encrypt about seven files. And then that's when Sophos went, nope. That's not okay and rolled everything back to its original state. It just happens way faster than the human eye. So in here, this did successfully encrypt about six or seven files. Once we triggered, they that's ransomware. It rolled it straight back. This was written by myself. I wrote this with the help of ChatGPT before they put so many guards in it. So this is known this is no known ransomware zero day, and had that way, malware detection engines and triggering on this, process trees and triggering on this. This is pure zero day ransomware detonated in the environment. And the best part about that is now because Sophos has detected ransomware, it has also triggered computer isolation. So TCP and UDP has been terminated, whether that comes from east west migration laterally around the network or whether that happens to be, north south, right, coming over the firewall. It doesn't matter. All TCP and UDP have been terminated until it returns to a green health status. And then on top of that, PowerShell, because it is the vector in this particular case with ransomware, CryptoGuard has denied it file system access now. So until there is, the health status is restored, PowerShell has actually been disabled, from modifying the file system. And as you can see, it doesn't even work the second time. You just get permission errors. So that is the automated pow power of Sophos, CryptoGuard on our endpoint engine. And, this just for clarity's sake, inter if you hear the terminology InterceptX, Sophos Intercept X, and Sophos Endpoint are the same thing. We used to have branded names like most companies for our products, but recently, we've just decided to make it real simple for everybody. So now the Sophos products are what they are, Sophos Endpoint, Sophos Firewall, Sophos Email, so on and so forth. Alright. Now to cover over, just a couple of things. Let me go ahead and share the slide deck again. Now other than the anti ransomware engine, there are a handful of other engines also in the endpoint agent. First is gonna be web control, and I will say the web malware remediation on Sophos is proactive versus reactive like we talked about earlier. We will not wait till the file completes the download before remediating it. We can delete the dot par file and terminate the browser process, being proactive. That way, the file never even gets a tenth of a second to interact with the system in the first place. Peripheral control for blocking USBs. Right? Don't plug your iPhone into the kiosk or that kind of stuff. No USBs that you found in the in the parking lot. Application control for blocking things like Rclone, AnyDesk. Right? Things that you don't want that are commonly abused. Right? Like, I know there's a pretty large scale attack right now with, North Korea trying to use AnyDesk to breach a lot of US companies. So that would be something that if you're not using today, go ahead and block that in your application control. And then data loss prevention. Just prevent the exfiltration of data, whether it's malicious or whether it's accidental. Right? This is gonna be looking for CUI. So credit card information, swift banking round numbers, medical patient codes, pharmaceutical codes, things like that. And we will look inside the document. It's capable of doing file type, file name, and file content, for both patterns or regex, where you can look in and trigger the rule to prevent the upload. You can, you know, basically stop it from going into Teams, stop it from being uploaded to Outlook, stop it from being, you know, sent through Skype or WhatsApp and put on a flash drive. So this is gonna help you protect your CUI as well. And these are just some of the other engines that are also in the endpoint agent as well. And lastly, to go over, we're gonna go over Intellix. So Intellix is a really neat engine, and oh, it looks like we got a little misaligned on this slide. But, basically, how this works is Intellix is a malware detection engine that we've had running for a very long time now. This is kind of the data lake in the intelligence network that Andrew was mentioning earlier. So it exists in our endpoint, our server. It's in our cloud. It's in our like, cloud scanning product. It's in our firewalls, and it's in our email. It is also accessible through API and public access. It is also OEM to some vendors. And recently, Microsoft just announced that the Intellix database will be raw hooked into Copilot. So if you ask Copilot about threat intelligence, it will be raw querying the Sophos IntelliX database. And how this works to stay ahead of everything is there's basically, anytime we have, like, a list of file types that anytime they are seen on any one of these attack surfaces, The first thing that attack surface does, let's say, is a Sophos firewall, and it sees some EXE or, you know, some sort of file that that crosses that firewall for the first time. It reaches out to labs and says, labs, I don't have a known signature for this. What is it? Labs goes, hey. I've never seen it before. So the firewall will hold it in place, throw it up, detonate it in a sandbox, and figure out what it is, and then share that telemetry with the rest of the, attack surfaces in this network. So, basically, it's an ever adapting, ever evolving network of live dynamic sandbox analysis for anything crossing the surfaces. It does not have to be malicious. It just has to be unknown. Everything gets a reputation the first time you see it. So this keeps us ahead of the game, making sure that we catch any of those zero days, and we're staying ahead of it. I like to say, like, Sophos, if you nice this. Right? You hit a Sophos firewall with an EXE that's, you know, some special ransomware that you've just written at 03:00 in the morning in Japan. Cool. Now our email customers halfway around the world can stop that attack because we saw it somewhere else. And that's the power of Intellix. This keeps us ahead of the forefront and staying ahead because, I mean, at the end of the day, you you need a layered approach to security. As you've seen today with Sophos endpoint, that's kind of how we've taken it. Right? You need to have a powerful signature engine to catch things quickly, but at the same time, that's not going to keep you safe nowadays. You need behavioral logics. You need exploit mitigations. You need that ransomware looking at the file system directly. Right? Stopping things at their source instead of being so target driven now. Right? Like, you know, having to see it before, like, a signature engine. So the signature engine in here, very powerful, always updating, and, obviously, there's significantly more layers of protection layered on top to make sure that we can catch anything before it ever gets to the point where you need to put your hands on it. Yeah. So I think that's about it, from here. Angel, do you have anything else to add? I think, we might jump over to, the q and a portion. Absolutely. The rest of this time, the floor is open, and we will be the brains that you can pick. We're answering some of these in the chat as we speak, and we will pick a few to answer live here as they come in. So now is the best time to ask. Alright. So let's see. Looks like we got a couple of questions answered in here already. Would CryptoGuard protect streamed files, mounted by, like, the, like, SaaS applications? No. There I've heard there's ways that you can configure it. If the file system basically sees it and has full readwrite access, like it's a local file system, CryptoGuard will have control. Yes. Zopos does have our own MDR service. In fact, we are the largest MDR provider by customer count in the world. I think we're over 30,000 customers now. And if you do end up with the MDR service, it will end up including both our XDR toolkit and the endpoint server licensing included in that. It's not a separate SKU if you have the MDR level. How does application control work? Good question. So it's looking for the application both. You could choose. It depends on the setting you've set up, at runtime or with real time file scanning. So if you set it for real time file scanning, it'll clean it up like it's malware if it sees it on the file system. And if you set it to block at runtime, it'll just prevent the application from running. There's a list of applications in there. You can do entire categories. And then if there's anything that you can't find in that list, we have a button underneath it at the bottom. So you can basically submit any application you need added in there, the dev team gets it in there. I've seen it applications from those requests pop in in less than six days, and I've seen them pop in in six months. It just depends on the application, what they've got a code around them to Alright. Is the CryptoGuard available to EDR and XDR agents? Yes. So CryptoGuard is part of Sophos endpoint, so formerly Intercept X. If you have that installed on your machine, you will see this. The settings for CryptoGuard will already be enabled, but they are nested within your threat protection policy. If you go to your settings about halfway down the screen, be the first right under the runtime protection category. Again, unless it's been changed, it should be on by default. Is there any reporting for involve involving Intellix? Yeah. Actually, so you should have a report in your dashboard that will show you any kind of Intellix malware summaries if there was any dynamic sandbox analysis that was done on your environment. Keep in mind, it does have to see been seeded in your environment for the dynamic analysis report to be given to you because that was your dynamic analysis, whereas, normally, it'll just do a lookup and go, no. This is malicious and move on. So there if you ever do wanna play with it, though, you can simply just go to so I think it's intellix.sophos.com, and it's a live web. You can plug in any URL or file in there, and it'll allow you to basically get that full dynamic sandbox analysis with screenshots and anything. It's free and publicly available. Let's see here. Most recent question here. Does the MBR protection require additional configuration of your endpoints? No. Nothing additional. So by default, this is also something that is enabled. Nested under the CryptoGuard high level setting, the protection for MBR is already enabled. Yep. So automating the monthly report to send to our customers to show how many attacks have been blocked in devices, there is a few different reports in central that you can set up to email out to you on a schedule. You could add them in your tenant and put their email on there if you wanna directly send it from the Sophos tenant, or you could have them forward it to you and forward it out. But there are multiple reports that'll show you how many attacks have been blocked. You could even break it down by category, like how many web control violations how many times did CryptoGuard trigger, how many times did I find a potentially unwanted application, right, that kind of stuff. So, yeah, absolutely. Reporting fully supports all of that. This this this is your time, guys. Don't be shy. Ask away. So the unique technology that we use for the anti ransomware is those Delta files and the heuristic based, detections. So instead of using, hey. We know this process is known for ransomware, block it. Instead of using, hey. This is the signature for known ransomware, block it. We're looking at, hey. There are changes on the file system. The amount of changes are indicative of ransomware. Right? This is because, honestly, once you get to a certain level of intelligence, you can kind of tell what it what's going on. Right? Like, our MDR team, when you get a penetration test done, they'll only mark it, like, with the penetration test because they know what a penetration test is. It looks very different from a real world actor. Right? So after a certain level of intelligence, you don't have to just trigger alerts on anything you see with low confidence. You can very clearly make a determination as to whether something's malicious or not. And that's what the CryptoGuard engine does. I think it's had a few revisions over the years, but the CryptoGuard engine for the behavioral detection for ransomware has been in Sophos endpoint for over ten years. So it's had a lot of refinement and a lot of tuning over the years. We've been using AI for that for over a decade. Right? So we were way early to the AI front, and CryptoGuard's one of those examples where we're just looking at basically heuristic charts of the way that this file system is being modified and using those Delta files to roll back whenever they indicate ransomware is occurring. So it's all proprietary AI code logic that we've had for over a decade. A good extension to that too, just adding on to what Ryan said, the deep learning that is also enabled by default on your machines is a very powerful component within Sophos Endpoint. So in the event that we encounter literally anything that we are unfamiliar with, I mean, if it somehow is not in our, you know, decades worth of threat intelligence data, which is refined daily, every minute of every day, we are able to start to analyze on a deeper level what exactly is happening on the machine. So this is where we can even look into, again, commands being passed, processes opening up, files being interacted with, literally anything and everything, and we will be able to make a very, very quick and educated assessment on what we're dealing with. It is how we are comprehensive against all types of zero day attacks. Okay. For oh, I'm gonna take this one. No one has a client for ESXI. You have to protect that with best practices. You need to make sure that you've got a like, good ACLs in front of it, and you've got it fully updated, and you're keeping, you know, access to the management interface locked down because there's no true antivirus you can nor any endpoint protection you can put directly on the hypervisor. And there is an act like, active attack that I've I've seen in the wild where, basically, they try and hit, some sort of firewall and compromise the firewall, and then they use that and bypass all of the endpoints and servers because they know that'll trigger an endpoint detection and just go straight for the ESXI interface and then try and encrypt all of your servers from the hypervisor level. And there's nothing that that containers can do to protect themselves from the hypervisor. So best practice for ESXI is or any hypervisor is make sure that you have very, very good controls, jump server, good ACLs on that network. I wouldn't leave the management interface hanging around with any other servers or endpoints on that network at all. Additional point on that for our XDR users. So once you've opened up the platform to integrate, whether with third party services or with some Sophos in house integrations that we produce, something called NDR, so network detection and response, is a tool that will analyze LAN traffic with no regard to just Sophos managed endpoints, but to literally anything that you're able to span at your switch level to that appliance, attacks to the web interface or ESXI or really any hypervisor or anything that can be exploited through a web connection, so SSH, Telnet, AD, four forty three, anything, we will be able to detect that traffic. And we can even analyze encrypted, you know, TLS traffic where someone is trying to obscure what they're doing under that that straw or that that veil, so to say. Without tearing it down, we're able to analyze characteristics of that data flow and still generate detections based off of it. So in the short version of that, if we see attacks directed towards a web interface or an attack surface of that nature, that appliance, so NDR, will be able to give us the insight and bring it in front of our eyes. When can we expect DNS protection integrated with endpoint for remote users who are not behind the Sophos firewall? Very, very soon. Very soon. Very, very soon. Like, ask me within the next month again. Very soon. So that that one's coming very soon. That's gonna be coming as part of the new offering, that's supposed to be dropping soon. Keep eyes out for that. I don't wanna give too much away, but there's something really exciting coming down the pipeline very soon that that will address that specific concern. Another one that's a really good one in here. Are there any plans to provide preconfigured settings for specific CMMC compliance? So Sophos does have a document. Reach out to your sales rep. They can provide you with the document that we have, which goes over all of the CMMC level one and two controls and what you need to enable, what we could help you with, what qualifies, and what you need to change to make sure that we're not touching anything CUI or anything like that. Sales, the your sales rep should have some sort of documentation on that that you can use for guidance to say, hey. This is where the firewall helps you solve this problem. This is where the endpoint solves this. You need to turn off this particular setting to make sure that we don't submit anything with CUI somewhere we shouldn't. Right? That kind of stuff. So good questions. We do have some guidance on CMMC documentation. You should reach out to your sales rep to get that. Awesome. And I see here, how about Hyper V? Do I install on the Hyper Viser OS as well as HVM? At this moment in time, Hyper V natively doesn't support the the endpoint product or really any endpoint product. You would install this on each VM, and the the gap fill from here to there would be likely a product like MDR that I mentioned earlier to be cognizant of any attacks that are headed towards the Hyper V web interface or the management interface, I should say. Yep. Yeah. That's a good point bringing up with NDR too because it's that's one of the best ways that you can catch the rogue devices in IoT. So like we talked earlier about, you know, over 90% of the ransom remote ransomware attacks that Microsoft saw were happening because of a rogue or unmanaged to point run unmanaged device on the network. Right? They got something plugged in that they shouldn't have. They've compromised an, you know, HVAC system or doorbell camera or something, and they're using that to to laterally move around. And NDR is specifically designed to catch those exact attacks, right, and mapping for reconnaissance, cobalt strike packets on the network. It's got a DPI engine in it, which is the same technology that, like, China uses to censor their Internet, right, and to look at payloads and and encrypted packets and stuff. So really powerful technology under the hood there that that really helps strive that lateral movement protection on your network. You basically just mirror all of your switch traffic over to it, and it looks specifically for everything malicious that is East West after it's gotten past your firewall. And that's that's. one of the best things you can do to protect for a hypervisor or any, IoT device for that matter, any unmanaged device. to tack a little bit more data onto that. The East West usually isn't seen as what it actually ends up being. Meaning certain traffic doesn't have to hit your firewall. It doesn't have to go layer three and route over to another VLAN necessarily. An attack can come from an unmanaged device in a, let's say, a particular VLAN or subnet and perform lateral attack. Routers or the firewall being unaware in a lot of cases. So unless one of the the potential victim has a a very excellent signaling system or alert system, that will fall on deaf ears. And we talked about minimizing attack surface. The longer that somebody is in any device, the more they're learning about your network. A quick snapshot of your default gateway, the subnet mask tells an attacker a lot more than you might realize. So NDR, again, is going to pick up that type of traffic as well as far as well as devices internally reaching out to known bad resources. C two or command and control connections are gonna be flagged. There's there's a ton of detection logic there. There are five different machine learning models that power this solution. So it is looking at everything under the sun. Yep. And to answer, NDR is not included in MDR. So network detection and response is a stand alone product for East West traffic. You do not need MDR to purchase MDR. It's just a separate product. But if you did have the MDR platform just like most of the Sophos products, it would then complement that by tying into MDR, creating cases of detections just like any other thing that's piping in there. Additional info on that as well. The partial functionality of NDR, so primarily two engines that we use, Encrypted payload analytics and domain generation algorithm are eventually moving towards and are partially existing on Sophos firewalls today. So the ability to extend, you know, that telemetry into the firewall natively is something that we can do now. And down the pipeline, I'm sure we'll have a conversation like this when that day comes, but there there are more announcements to be made as that progresses and as that is further refined. Server and endpoint, what is the difference? From a classification standpoint, how we classify it, as far as licensing and things, server is going to be anything with a server operating system. So that will be Linux or Windows Server editions. Anything endpoint is gonna be Mac or Windows desktop editions is how we license it. Now as far as protection features, pretty similar one to one on the Windows side from Windows to Windows Server. Linux is a whole different ballgame entirely, which will be a different webinar. But the server and endpoint for, Windows is basically going to equivalently be the exact same protections. The only difference is on server, we will not do automatic device isolation because that could be pretty bad. So, you know, normally, it's controlled by the admin. And then the endpoint side of the house, will not have what we call server lockdown, which is basically a way that you can once you've installed all your applications on your server and everything, you can set it to lockdown, and it will prevent basically, no more applications can be installed. The more application they can't be updated. Everything gets locked in place on that server until you, deem otherwise or put a whitelisted file folder that can run updates out of. So that's really the only difference between the two on that. As far as packaging, you'll still both of them still run CryptoGuard. Both of them are still running all of the other engines, like web control and all of that kind of stuff. Can EDR control PowerShell on the endpoints? Depends on what you're talking about. Can it disable PowerShell from doing things if it thinks it's doing something malicious? Absolutely. That's what happened in that particular script I ran earlier. PowerShell script ran to try and encrypt the file system. CryptoGuard was like, sorry. Basically, it's until the system enters a green health status again, PowerShell was disabled from file system access. So it can do that in the event to adapt to an attack or, like, Angel was saying earlier with adaptive attack protection. If we see some sort of, you know, heightened something that triggers that heightened state of awareness, while in that heightened state of awareness, if they run a command that normally would be mildly benign but could indicate, you know, something that was, you know, lateral movement or that maybe they're trying to do reconnaissance or something, will that block that command? Right? Or, you know, they try and install a low reputation application in adaptive attack mode through PowerShell, you know, doing the Git download, we'll block that because it's a low reputation file. It puts it in that heightened state of security. So there is instances where Sophos can control PowerShell at the end points. But if you're talking about from an automation standpoint, no. It's it's not like an RMM. It's definitely more of a security focused product rather than a management product. There it is worth a mention. So baked into Sophos endpoint is the anti malware scan interface or AMSI protection, which is also enabled by default. So this is a specific set of eyes looking at script based attacks. So non executable sourcing, threats, things that can exist in memory, just hidden in files. That is something that you already will have as soon as Sofos endpoint is deployed. I see a question from mister Rush. Oh, you wanna take it, You? you got it. Okay. Where can I obtain instructions on creating the allow list? So mister Rush, hopefully I'm pronouncing that correctly. There are likely two ways. I'm just not sure which allow list we are specifically referencing. But if you're in Sofos Central, and this is a tip for anywhere in Sofos Central, if you navigate to the question mark in the upper right of the screen, you'll notice a pane on the bottom right open up. Believe it is the second option, but there is always a context sensitive knowledge based article that will break down exactly what's on the screen and then kind of give instruction to any kind of text boxes or anything where we need input from you. It will be very specific on what how to go about it and do that. Alternatively, what we can do is we can follow-up. We send out a survey after these webinars. If that is still outstanding and you're having an issue with it, let us know in the survey, and I can connect with you. And we can just maybe if we need to have a quick chat about it, I can do that too. Okay. Two there's one that says, can EDR disable PowerShell using Sophos application control policy? Absolutely. Both Microsoft PowerShell and the ISC PowerShell version are both in application control. So they can be blocked at runtime or, completely cleaned up like a malware by setting it to real time file scanning detection. I will say PSExec. is automatically a potentially unwanted application and will trigger a malware detection by default because it is more often used for malicious purposes than legitimate purposes nowadays. So you will need to put an exception in if you want to use PSEXEC. A good point to add on for those newer to application control in Sofos Central, we will automatically update our categories with any new common use applications that we become aware of. So if we notice that they are pretty prevalent in our environment and they either can or can't pose a risk or we just want the ability to toggle protection specific to those, you'll notice a little tick box that says allow Sophos to keep this list up to date. Doing so will let us continuously edit that list and add on new applications. Glad to see the shout out for the SaaS the SOFA's customer success managers. I've worked with a handful of those on some deals. They are a great team. Yeah. They're they're all very awesome. They're single one of them. are super awesome to work with. Let's see here. Let's see. Any others we missed here? As as we near, you know, the top of the hour, if any other questions come to mind about, you anything that we touched on, we covered a few topics very lightly, you know, whether it's something like how does Sophos protect email, what does a Sophos firewall or a Sophos switch look like? You know, oddly enough, I I've encountered a few who didn't know we had firewalls. Right? And also in contrast to that, we have won awards for these firewalls. These are awesome, very feature rich, robust machines capable of scaling, no matter how small or how large of a deployment you need, and they directly integrate with the the, you know, the the key topic today with Sophos endpoint. And to answer your earlier question about string files, as long as the NAS drive is mounted as a true file system with read write access that CryptoGuard can touch. I will say it really does not need a known signature. The test I showed you is PowerShell. I've been on the SE who wrote his own one in Rust. I've also tested it in c plus plus Python. It is it catches every single one zero day. It's really good at what it does. It's kind of impressive. Yes. There will be a recording. Mister Lee, I will I see the question about e rating Sophos firewall. I will take that one offline and and follow-up with an answer. Alright. Hi. I won't lie. hear. I I kind of expected us to get slammed with questions, like, all the way to the end and be like, we're gonna follow-up with the rest of these, but you guys are taking it easy on us today. Clette, thank you very much for the comment there. And yes, Sophos MDR, one of its primary goals is to make your life easier. Right? Yeah. Let us us take control, let us get behind the wheel, and just be on top of the security, response detection, and remediation. Yeah. And you. that that brings up a good point because one of the things that Sophos has really driven as a philosophy is over the years, cybersecurity has got significantly more complex. And just because it has doesn't mean you have four extra hours in your day to go threat hunting. So the tools to manage your cybersecurity should not be scaling with the complexity of the attacks. Right? You should still have a tool that can simply just make your life easy, take that work off your plate so you can focus on the things that you need to do. Because, frankly, I've rarely run into anyone in IT that isn't wearing at least, like, five hats. Right? So there's always other stuff that you can be doing with your time. So the whole Sofos goal is have it ready, make it easy, lower that workload off your low plate because we have decades and decades of intelligence. So let us do the heavy lifting, and you go touch it when we tell you it's necessary. But other than that, you you worry about the things that keep your business running. Miss Raird, thank you for the comment. Hope to have you on the on the next to come as well. There this will be a recurring series. Yes. Yep. Yeah. Glad you enjoyed the firewall there. Yeah. I mean, hey. We we set it up for questions for you guys. Just just give us confidence. This is a great webinar. We can do a complement hour webinar too. Yeah. I'm okay with that. awesome too. think we can use that. Yeah. For any questions, I think we I think majority of them answered live, yeah. but for any that are outstanding, we do receive a quick synopsis of them after the webinar. Anything outstanding will be answered and we'll follow-up accordingly as well. Yep. Alright, guys. Well, I don't think we have too much else. And if you guys don't have any more questions for us, I guess, we'll give you guys a little bit of time back. But, again, I hope you guys enjoyed the time that you came here for today. I hope this was valuable. You guys learned something or at least just enjoyed the the presentation. And if you guys ever need anything, you guys know where to find us. It has been a pleasure. Thank you all. Thank you.