The purpose of this datasheet is to provide Sophos customers with information they need to understand how our offering affects their privacy considerations. In this document, we provide information about MDR data handling practices, including personal information collection, use and storage.
Built on our Intercept X Endpoint technologies, Sophos MDR fuses machine learning technology and expert analysis for improved threat hunting and detection, deeper investigation of alerts, and targeted actions to eliminate threats with speed and precision.
INFORMATION PROCESSED BY SOPHOS MDR
Sophos processes the following types of information as part of the MDR service:
- Sophos Intercept X Advanced with XDR Telemetry and/or Sophos XDR Sensor Telemetry
In addition, MDR customers may optionally configure additional Sophos and third-party integrations as part of their service. Sophos processes the following types of information as part of the MDR service only when optionally configured by the customer:
- Sophos XG Firewall Telemetry
- Sophos Email Telemetry
- Sophos Cloud Optix Telemetry
- Telemetry from configured third-party integrations
Security events from Sophos and third-party data sources are used to generate MDR detections, and some detections generate MDR Cases. These cases are assigned to an analyst for investigation. Sophos’ case management system tracks and audits all actions taken by the analyst. Integrated systems communicate with Sophos infrastructure using encrypted channels. Depending on the case complexity, an analyst may need to acquire more evidence from the endpoint to aid in the investigation and perform response actions to neutralize an active threat.
During the course of delivering the service and in the course of an investigation, Sophos may have access to the following information:
- Full user information—including user credentials used to login to the endpoint
- All files contained on the licensed endpoint
- Network data associated with the licensed endpoint
- All data contained within security events generated by configured third-party integrations
Depending on the case, where a specific file is part of suspicious activity, MDR analysts may open the file. However, in most instances, the MDR analyst will not open the file, but instead submit the file to SophosLabs for analysis purposes. In the majority of cases, these files are binary, PE files (Portable Executables) which do not contain private data.
MDR analysts will only process suspicious files for the purposes of providing evidence to support a case or send to SophosLabs for further analysis.
Sophos Engineering monitors the effectiveness of the product, planning future roadmap strategy and retirements, product development and enhancement, troubleshooting, generating statistics and reports.
WHERE IS SOPHOS MDR DATA PROCESSED
Telemetry from Sophos first-party products and Microsoft telemetry ingested via the Microsoft Graph Security API are processed in the region in which the customer account is provisioned. This region is selected at the time of on-boarding.
At the present time, additional telemetry ingested from configured third-party integrations is temporarily processed in the United States, before being stored long term in the region in which the customer account is provisioned. The optional data sources that are temporarily processed in the United States include:
- Third-party Endpoint Integrations:
- Blackberry CylanceOPTICS
- Broadcom Symantec Endpoint Security
- CrowdStrike Falcon
- MalwareBytes Endpoint Protection
- MalwareBytes Nebula
- SentinelOne Singularity Endpoint
- Trend Micro Apex Central
- Trend Micro Deep Discovery Analyzer
- Trend Micro Deep Discovery Inspector
- Trend Micro Deep Security Agent
- Third-party Email Integrations:
- Mimecast Email Security Cloud Gateway
- Proofpoint Targeted Attack Protection
- Third-party Firewall Integrations:
- Check Point Infinity
- Check Point Quantum Firewall
- Cisco Firepower
- Cisco Meraki
- Fortinet FortiAnalyzer
- Fortinet FortiGate
- Palo Alto Networks Panorama
- Palo Alto Networks PAN-OS
- SonicWall Network Security Manager (NSM)
- Sonicwall SonicOS
- Third-party Identity Integrations:
- Cisco Duo
- Manage Engine ADAudit Plus
- Third-party Network Integrations
- Skyhigh Security Secure Web Gateway
- Thinkst Canary
- Third-party Cloud Integrations
- AWS Cloud Trail
- AWS Security Hub
SOPHOS RAPID RESPONSE
Sophos Rapid Response offers lightning-fast assistance with identification and neutralization of active threats, delivered by an expert team of incident responders globally
The Sophos Rapid Response service supports analysis of third-party log data, such as firewall logs, system logs, etc. to aid in triage and define remediation actions. These logs may contain private data, including but not limited to IP addresses, MAC addresses, Hostnames and UserIDs. This data is stored in dedicated customer folders, which can be accessed only by authorized Rapid Response incident responders. Data is deleted when the Rapid Response term ends.
PURPOSE OF INFORMATION PROCESSED BY SOPHOS MDR
Sophos processes the information noted above for the purpose of performing the service in accordance with the Sophos Service Agreement.
Sophos first-party data processed by MDR is hosted in Box and AWS data centers in the region(s) selected by the customer at the time of Sophos Central account creation. Some third-party integration data is processed in Azure data centers in the United States. Visit our Sub-processor listing to find out more about sub-processors engaged by Sophos.
Sophos applies its retention policies to delete and purge data that is no longer needed for the purpose for which the personal data was originally collected.
By default, Sophos Central and MDR retain Sophos telemetry, third-party telemetry and Detections for 90 days. Customers who optionally choose to purchase the Central Data Storage – 1 yr Pack will have Sophos telemetry, third-party telemetry and Detections data retained in the Data Lake for 365 days. (Sophos Central alert, report, threat graph and audit data continue to be stored for the default 90 days). After these time frames, the data is deleted. Additionally, Sophos Central will store licensed Sophos endpoint telemetry and network telemetry from licensed XG firewalls using Central Firewall Reporting in Sophos Central for 7 days, or a longer timeframe based on the data retention option the customer has purchased. This data is available to be used by the customer to perform their own queries and investigations independently from the MDR or Rapid Response services. All customer data is deleted upon termination of the service.
Upon termination of the MDR service, access to the customer’s MDR interface in Sophos Central is disabled after a 30-day grace period. After this period, the MDR specific data, such as cases, reports, and detections, will be permanently deleted and unrecoverable, however a copy of detections associated with previous cases will be retained for 2 years on an AWS instance which is separate from Sophos Central.
Sophos secures your information by authenticating access via username and password based on managed Active Directory group membership coupled with multi-factor authentication.
The Sophos MDR platform has achieved SOC2 Type II certification and PCI DSS v3.2 attestation to demonstrate its strong security practices, policies and internal controls environment.
For information about the security protections used in the data centers where Sophos MDR data resides, visit the AWS Security Documentation Center.
OUR COMMITMENT TO PRIVACY
Sophos is committed to complying with data protection rules and protection of personal data processed by Sophos MDR. Sophos will access data only to enable it to provide the services you have signed up for and in the case of Sophos MDR, to identify security threats or to investigate suspicious activities that are indicative of attacks.
MDR customers have access to the Sophos Central customer portal to administer, configure and manage their estate and access information from licensed and configured Sophos solutions and third-party integrations.
Access to information processed is restricted to Sophos engineers, and the MDR Operations team. When a support ticket is raised, the Sophos support team will access your account for purposes of troubleshooting and resolving issues.
Customer data is anonymized and may be accessed by SophosLabs or Sophos AI teams for threat research purposes to improve our ability to detect new threats. It is possible a file submission of suspicious files that may incidentally contain personal information. If these files are convicted as malicious, then they are treated as malware and will be blocked globally going forward. If suspicious files containing personal information are not convicted and are cleared as non-malicious, they are permanently deleted within 30 days.
MDR Operations has system level privileges on licensed endpoints, including ability to start and stop software, delete and read files and otherwise take any actions deemed necessary for the purpose of providing the service, according to the customers’ threat response mode preferences set in Sophos Central.
The information contained in this privacy data sheet may change at any time and is only meant for general awareness. This MDR Privacy Data Sheet is not meant to constitute legal advice, warranty of fitness for a particular purpose or compliance with any applicable laws.
Last updated October 2023