Uncover and stop a breach before it can impact your business When responding to an active threat, it is imperative that the time between the initial indicator of compromise and full threat mitigation be as brief as possible. Sophos Incident Response Services provide lightning-fast assistance in identifying and neutralizing active security threats.

Sophos Compromise Assessment Delivered by an expert team of incident response specialists, the Sophos Compromise Assessment is the most effective means of identifying ongoing or past attacker activity in your environment, enabling your organization to take swift, decisive action. It answers the question, “Have I been breached?”.

The Compromise Assessment is focused on verifying suspicious activity and confirming indicators of compromise (IoCs) through a targeted investigation of potentially compromised assets. The result is a fast, thorough assessment that helps your organization manage risk and compliance while maintaining operational efficiency. The assessment investigates a complete spectrum of attacker activities, such as: • Lateral movement • Anomalous or malicious files • Credential theft • Data exfiltration • Unverified scripts

Sophos Compromise Assessment Methodology The Sophos IR Services team maintains direct communication with your organization through each phase of the Compromise Assessment. Phases include:

1. Initial Coordination Call to exchange information about the potential threat and to identify key points of contact, and deployment scope.
2. Deployment of Investigation Tools to help guide installation of the Sophos platform and to conduct a thorough assessment of device health.
3. Threat Investigation and Risk Assessment to confirm if a threat is found and active and to conduct an immediate Active Threat Call with key points of contact to discuss the risk of a widespread security incident.
4. Summary Call and Written Report to provide technical documentation and a non-technical executive summary detailing evidence of attacker activity, risk exposure, and guidance on eliminating the threat and addressing the root cause.

All four phases of the Sophos Compromise Assessment are typically completed within 7 days of the Initial Coordination Call. If an active or previous breach is confirmed during the assessment, quickly moving to a Sophos Rapid Response engagement is recommended where the team will immediately act to triage, contain, and neutralize the threat.

Sophos Rapid Response Sophos Rapid Response is a full-scale incident response service that will triage, contain, and neutralize active threat across your entire IT environment. A team of 24/7, remote incident responders will quickly act to eject the adversary from your environment and recommend real-time preventative actions to address the root cause. It answers the questions, “I’ve been breached, what do I do now?”.

Rapid Response Methodology The Sophos IR Services team maintains direct communication with your organization through each phase of the Rapid Response engagement. Phases include:

1. Initial Coordination Call to exchange information about the scale and impact of the attack, establish communication preferences, and confirm what (if any) remediation steps have already been taken.
2. Deployment of Investigation Tools and Triage to identify indicators of compromise or adversarial activity, investigate activities, and collaborate on the response plan.
3. Neutralize the threat and stop any further damage to assets or data, preventing any further exfiltration of data
4. Monitor threat activity by transitioning to Sophos MDR to prevent a reoccurrence.
5. Summary Report to provide a formal summary of the investigation, root cause analysis, as well as recommendations for how to mitigate a reoccurrence of similar threats in the future.

As part of the Rapid Response service, the moment the incident is resolved and the immediate threat is neutralized, you transition to Sophos MDR, providing around the-clock proactive threat hunting, investigation, detection, and response for 45 days. Should the threat return or a new threat emerge, we will be there ready to respond at no additional cost to you.