Synchronized security in Sophos Central

To ensure high efficiency of information security tools, the connection of its components plays an important role. It allows to block not only external, but also internal threats. When designing a network infrastructure, every means of protection is important, be it an antivirus or firewall, so that they function not only within their class (Endpoint security or NGFW), but also have the ability to interact with each other to jointly combat threats.

A bit of theory

Not surprisingly, today's cybercriminals have become more entrepreneurial. They use a variety of network technologies to spread malware:

Phishing by emailing means that the malware “crosses the threshold” of your network using known attacks, or “zero-day attacks”, followed by privilege escalation, or lateral movement across the network. The presence of a single infected device can mean that your network can be used for the selfish purposes of an attacker.

In some cases, when it is necessary to ensure the interaction of information security components, when conducting an information security audit of the current state of the system, it cannot be described using a single set of measures that are interconnected. In most cases, many technological solutions that focus on countering a particular type of threat do not provide for integration with other technological solutions. For example, endpoint protection products use signature and behavioral analysis to determine whether a file is infected or not. To stop malicious traffic, firewalls use other technologies, including web filtering, IPS, sandbox, etc. However, in most organizations, these information security components are not related to each other and work in isolation.

Trends in the implementation of technology Heartbeat

A new approach to ensuring cybersecurity implies protection at every level, in which the solutions used at each of them are interconnected and have the opportunity to exchange information. This leads to the creation of a Synchronized Security (SynSec) system. SynSec is an information security process as a single system. In this case, each information security component is connected to each other in real time. For example, the Sophos Central solution is implemented according to this principle.
')

Security Heartbeat technology provides communication between security components, ensuring the joint operation of the system and its monitoring. Sophos Central integrates solutions of the following classes:

• Endpoint Protection - classic signature antivirus;
• Server Protection - specialized antivirus for servers;
• Intercept-X - antivirus of a new generation (without signatures and with artificial intelligence technologies);
• Sophos XG Firewall - Next-Generation Firewall;
• Mobility Management (EMM) - managing mobile devices and controlling access to corporate email and files;
• Data Protection (Encryption) ;
• Secure Wi-Fi - access points managed both from the cloud and locally via Sophos UTM / Sophos XG;
• Web Security - the classic solution for filtering web traffic;
• E-mail Security - cloud / local anti-spam / antivirus solution;
• Phish Threat - raising awareness of employees, conducting test phishing mailings;
• Cloud Optix - audit of cloud infrastructures.

It is easy to see that Sophos Central supports a fairly wide range of information security solutions. In Sophos Central, the concept of SynSec is based on three important principles: detection, analysis and response. For a detailed description of them we will dwell on each of them.

SynSec Concepts

DETECTION (detection of unknown threats)
Sophos products managed by Sophos Central automatically share information with each other to identify risks and unknown threats, which includes:

• network traffic analysis with the ability to identify high-risk applications and malicious traffic;
• detection of users with high risk by correlating analysis of their actions in the network.

ANALYSIS (instant and intuitive)
Real-time incident analysis provides instant insight into the current situation in the system.

• Display the complete chain of events that led to the incident, including all files, registry keys, URLs, etc.

RESPONSE (automatic incident response)
Setting security policies allows you to automatically respond to infections and incidents in a matter of seconds. This is ensured by:

• instant isolation of infected devices and stopping the attack in real time (even within the same network / broadcast domain);
• restricting access to the company's network resources for non-compliant devices;
• Remote launch of a device scan when outgoing spam is detected.

We looked at the main protection principles on which Sophos Central’s work is based. We now turn to the description of how SynSec technology manifests itself in action.

From theory to practice

To begin with, we will explain how device interaction is established on the basis of SynSec using Heartbeat technology. The first step is to register Sophos XG with Sophos Central. At this stage, he receives a certificate for self-identification, an IP address and port through which end devices will communicate with him using Heartbeat technology, as well as a list of end device IDs that are managed through Sophos Central and their client certificates.

Shortly after Sophos XG is registered, Sophos Central will send information to the end devices to initiate Heartbeat communication:

• a list of certification authorities used to issue Sophos XG certificates;
• a list of device IDs that are registered with Sophos XG;
• IP address and port for interaction on the Heartbeat technology.

This information is stored in the computer in the following way:% ProgramData% \ Sophos \ Hearbeat \ Config \ Heartbeat.xml and is updated regularly.

Communication using the Heartbeat technology is done by sending endpoint messages to magic IP address 52.5.76.173:8347 and back. The analysis revealed that the packets are sent with a period of 15 seconds, as stated by the vendor. It is worth noting that Heartbeat messages are processed directly by the XG Firewall - it intercepts packets and tracks the status of the endpoint. If you capture packets on a host, traffic will be similar to communication with an external IP address, although in fact the endpoint interacts directly with the XG firewall.



Let a malicious application get onto the computer in some way. Sophos Endpoint detects this attack, or we stop receiving Heartbeat from this system. The infected device automatically sends information about the infection of the system, causing an automatic chain of actions. XG Firewall instantly isolates the computer, preventing the spread of attacks and interaction with C & C servers.

Sophos Endpoint automatically removes malware. After deleting it, the end device synchronizes with Sophos Central, then the XG Firewall restores access to the network. Root Cause Analysis (RCA or EDR - Endpoint Detection and Response) provides a detailed view of what happened.


Assuming that corporate resources are accessed using mobile devices and tablets, is it possible in this case to provide SynSec?

For such a scenario, Sophos Central provides support for Sophos Mobile and Sophos Wireless . Suppose a user attempts to violate a security policy on a mobile device protected by Sophos Mobile. Sophos Mobile detects a security policy violation and sends notifications to the rest of the system, causing a pre-configured response to the incident. If a “deny network connection” policy is configured in Sophos Mobile, then Sophos Wireless will restrict network access for this device. The Sophos Central toolbar on the Sophos Wireless tab displays a notification that the device is infected. At the time when the user tries to access the network, a screen saver will appear on the screen informing you that access to the Internet is limited.



The endpoint has several Heartbeat status states: red, yellow, and green.
Red status occurs in the following cases:

• active malware detected;
• An attempt to launch malware has been detected.
• malicious network traffic detected;
• Malware has not been removed.

Yellow status means that inactive malware is detected on the endpoint or a PNP (potentially unwanted program) is detected. Green status indicates that no of the above problems have been identified.

Having reviewed some of the classic scenarios for the interaction of protected devices with Sophos Central, we proceed to the description of the graphical interface of the solution and the review of the main settings and the supported functionality.

Graphical interface

The control panel displays the latest notifications. Also in the form of diagrams displayed summary characteristics of the various components of the protection. In this case, a summary of the protection of personal computers is displayed. This panel also provides a summary of attempts to visit dangerous resources and resources with inappropriate content, email analysis statistics.


Sophos Central supports the display of notifications in order of importance, which will prevent the user from skipping critical security alerts. In addition to the concisely displayed summary of the status of the protection system, Sophos Central supports event logging and integration with SIEM systems. Sophos Central for many companies is a platform for both the internal SOC, and to provide services to its customers - MSSP.

One of the important features is the support of the update cache for endpoint clients. This saves the bandwidth of external traffic, since in this case updates are downloaded once to one of the endpoint clients, and then other end devices download updates from it. In addition to the feature described, the selected endpoint can relay security policy and information reports to the Sophos cloud. This feature will be useful if there are end devices that do not have direct access to the Internet, but require protection. Sophos Central has an option (tamper protection) that prohibits changing the computer's protection settings or deleting the endpoint agent.

One of the components of endpoint protection is the new generation antivirus (NGAV) - Intercept X. With the help of deep machine learning technologies, antivirus can detect previously unknown threats without using signatures. The detection accuracy is comparable with signature counterparts, but unlike them, it provides proactive protection, preventing zero-day attacks. Intercept X is able to work in parallel with signature antivirus software from other vendors.

In this article, we briefly talked about the SynSec concept, which is implemented in Sophos Central, as well as some of the features of this solution. We will talk about how each of the protection components, integrated into Sophos Central, works in the following articles. You can get a demo version of the solution here .