Sophos Intercept X Brings an End to Ransomware

IT security vendor Sophos is aiming to knock ransomware out of enterprise networks. Its Intercept X product protects files from the malicious spontaneous encryption processes favored by the cybercriminals behind ransomware. The company built Intercept X upon technology that Sophos acquired from its 2015 purchase of SurfRight, a company specializing in next-generation security and malware detection.

Intercept X came about because Sophos quickly realized that ransomware, with its malicious impact effectively disrupting operations and harming business, has become the bane of many organizations. The latest headlines illustrate the impact ransomware has had across the world. Ransomware has grown in epidemic proportions, leaving very few businesses safe. Organizations such as government offices, hospitals, law enforcement organizations, retailers and numerous others have felt the finical pain of ransomware.

Sophos is hoping to provide the cure to ransomware with an endpoint solution that not only identifies malicious activity, but also stops that activity without the need for human intervention. What’s more, Intercept X does not require signatures, frequent updates or other external help to be effective, removing some of the biggest shortcomings of previous-generation endpoint solutions.

A Closer Look at Intercept X

Billed as an endpoint solution, Intercept X is designed to reside alongside traditional antivirus or antimalware solutions that have long held residence on desktop PCs, laptops and other endpoints. That said, Intercept X takes a unique approach to the scourge of malware, deploying what is referred to as real-time anti-exploit technology. In other words, instead of relying on vendor-provided signatures or other canned methodologies, Intercept X focuses on the behavior of processes, watching for the techniques that ransomware employs, as opposed to a specific piece of code found using a signature.

It is that telling behavior that gives Intercept X the upper hand in dealing with ransomware, especially those attacks that are labeled zero-day exploits. The behavioral analytics leverages ideologies of root-cause analysis to better understand the impact of identified malware, and further goes on to recommend best practices to protect from similar attacks on other endpoints on the network. However, the product does not eschew information from other sources. Sophos updates Intercept X whenever new exploits are discovered or existing exploits have evolved using different attack metrics. In essence, those updates serve the purpose of improving the detection process, without Intercept X having to self-discover previously unseen malicious activity.

With that in mind, it becomes readily evident that Intercept X can effectively protect an endpoint from the ills of ransomware. However, many may wonder how that can effectively protect the rest of the network.

Intercept X has the ability to interact with other endpoints on the network via Sophos Central, a unified console that rolls up endpoint protection into a management platform. For Sophos Central to be fully effective, Intercept X must be integrated with another Sophos product called EndPoint Advanced, which brings the full spectrum of endpoint protection technologies to a business network.

For businesses looking to add ransomware protection, Intercept X can run alongside any existing vendor endpoint antimalware solutions, and it works effectively as a standalone product as well, providing protection from ransomware, regardless of what files or applications the ransomware is targeting. Intercept X accomplishes that protection using automated tools, such as root cause analytics, advanced detection, data obfuscation and malware removal.

One of the primary capabilities offered by Intercept X is called CryptoGuard, which provides anti-exploit techniques by blocking ransomware as soon as it attempts to encrypt data. CryptoGuard functions by monitoring for any type of encryption activity performed on any file. When activity is detected, CryptoGuard makes unencrypted backups of the target files and stores those files in a safe place, where ransomware cannot attack them. CryptoGuard then does a behavioral analysis of the encryption activity, and if the process is discovered to be malicious, CryptoGuard shuts down the offending process and returns the target files to their original state.

Because encryption is the primary tool used by ransomware, detecting and preventing encryption is the most critical capability of any anti-ransomware product, and CryptoGuard accomplishes that chore with no fuss and no muss.

Hands on With Intercept X

Sophos offers a 30-day free trial of the Intercept X product, which proves to be one of the easiest ways to evaluate the products capabilities, features and support. Intercept X is only one piece of the Sophos family of products and is administered and controlled by Sophos’s cloud based management console, aptly named Sophos Central. From Sophos Central, users can choose to download products, such as Intercept X, as well as create and manage user accounts, generate reports, secure other devices, and so on.

Administrators should think of Sophos Central as the home base of Sophos’s products, even if they are just using a single product, such as Intercept X, which can be downloaded and installed directly from Sophos Central. Installation of Intercept X is a simple process and requires little more than a few mouse clicks to succeed. Administrators have the option of pushing the installer down to target endpoints and executing the install using policies or scripts.

Once installed, Intercept X is pretty much hands-off for the end user, offering a simple local console that indicates that the system is protected and the status of any threats. End users can initiate a scan of their endpoint and look at log of events. That keeps things simple for users, while shifting management burdens and more advanced capabilities off to administrators.

As mentioned before, management takes place from the cloud using Sophos Central, with the primary dashboard giving a view into the overall health of protected systems. From the dashboard, administrators can drill down into the products’ additional capabilities, such as managing endpoints, performing root cause analysis, creating policies, generating reports, and several other chores, depending upon the Sophos products deployed.

One of the most important capabilities here is the ability to define policies, which dictate how users, endpoints and servers can interact across the Sophos ecosystem. Sophos Central also offers a plethora of system settings, which can impact everything from endpoint protection to email security to data leakage protection. Once again, many of those settings are only relevant if you are using the full suite of Sophos’s security products. Administrators of Intercept X will focus mostly on the settings attributed to endpoint protection, which will allow them to setup exclusions, bandwidth limitations, update caches and so on.

Sophos Intercept X Conclusions

Sophos Intercept X accomplishes exactly what it was designed for, which is preventing ransomware from taking hold on an exposed system. Full protection from every type of exploit or malware requires integration with other Sophos products or managing Intercept X separately from an existing endpoint security solution. For those that have already invested in a competitor’s endpoint security solution, Sophos Intercept X proves to be relatively painless to add, giving those that need ransomware protection an effective shield.

Intercept X works behind the scenes and has a hardly noticeable performance impact on endpoints, meaning that end users will probably be unaware that product was deployed, unless of course, an attack takes place. If that happens, those same end users will be thankful that Intercept X was there to protect their valuable data files.

Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant. He has written for leading technology publications including Computerworld, TechTarget, PCWorld, ExtremeTech and Tom’s Hardware, and business publications including Entrepreneur, Forbes and BNET. Ohlhorst was also the executive technology editor for Ziff Davis Enterprise’s eWeek and former director of the CRN Test Center.

Frank Ohlhorst
Frank Ohlhorst
Enterprise Technology Analyst and Author. Frequent Contributor to eWeek, PCMag, The-Tech-Prophet.Com, ENP and several other online publications.

Top Products

Related articles