
An Introduction to Sophos Synchronized Security

Sophos Central Endpoint and Server Protection

Version: 4.0v1

[Additional Information]

Sophos Central Endpoint and Server Protection

CE0515: An Introduction to Sophos Synchronized Security

December 2022
Version: 4.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or
by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks
mentioned in this document may be the trademarks or registered trademarks of Sophos Limited or their
respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no warranties,
conditions or representations (whether express or implied) as to its completeness or accuracy. This document is
subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at The
Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

An Introduction to Sophos Synchronized Security - 1


An Introduction to Sophos Synchronized Security

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ What Sophos Central is and the protection features included in endpoint and server protection

DURATION: 10 minutes

In this chapter you will learn how Sophos Synchronized Security allows products to communicate with
each other intelligently to respond to threats.


What is Synchronized Security?

[Slide: Sophos Central at the centre, surrounded by Firewall, Cloud Optix, Wireless, Email, Server,
Encryption, Mobile and Endpoint, with four quadrants:
Discover: continuous discovery of devices, networks, apps, data, and workloads
Identify: who wants access to my environment
Analyze: correlation and analysis of events
Respond: adaptive policy, automated enforcement]

Sophos Synchronized Security is cybersecurity as a system: security products working together in real-
time.

Traditionally, cybersecurity makes use of separate protection products to identify malicious files and to
detect and stop malicious traffic. These products work well in isolation; however, they are disconnected
from each other. As a result, the IT team has to correlate data between systems manually, which takes
time and often means threats are missed.

Sophos Synchronized Security automates detection, isolation, and remediation, which enables
attacks to be neutralized quickly. It creates new ways to connect the security products that protect your
organization.


Why Synchronized Security?

[Chart: share of victim organizations reporting each threat type: Phishing Email 53%, Data Breach 41%,
Malicious Code 35%, Software Exploit 35%, Ransomware 30%, Credential Theft 21%]

Cyber attacks often include multiple elements; for example, a phishing email could install malicious
code that takes advantage of a software exploit to install ransomware. To understand the types of
threats being initiated, we asked organizations that had been victims of cyber attacks what types of
threats they experienced. The results showed:
• Over 50% of attacks were introduced using phishing emails
• Over 40% were due to a data breach
• 35% were a result of malicious code or exploits
• 30% were infected with ransomware
• 20% experienced credential theft

These percentages add up to more than 100%, which demonstrates that attacks typically combine
multiple attack elements.

[Additional Information]
This information was taken from our white paper about endpoint security which is available here:
https://secure2.sophos.com/en-us/security-news-trends/whitepapers/gated-wp/uncomfortable-truths-of-endpoint-security.aspx


Synchronized Security Overview

Discover
• Identify unknown threats
• See ALL network traffic
• Identify risky users, apps and malicious traffic
• Correlate network traffic

Analyze
• Real-time incident analysis
• Cross-estate reporting
• See the full chain of events for an incident

Respond
• Automatically respond to infections and incidents
• Isolate compromised endpoints
• Restrict access on trusted networks for non-compliant devices
• Initiate endpoint scans

Synchronized Security takes a full system approach. Security products connect with each other in real-
time, working together to combat advanced threats.

There are three pillars to the synchronized security system:

Discover. Sophos Central products automatically share information to reveal hidden risks and unknown
threats. This lets administrators see all network traffic, identify risky applications, and correlate
behaviour across multiple activities.

Analyze. Real-time incident analysis and cross-estate reporting deliver instant insights. This allows
administrators to view the full chain of events for an incident.

Respond. Sophos Central automatically responds to incidents, allowing compromised devices to be
isolated. This protects the entire estate and allows time for threats to be investigated and remediated.


Synchronized Security Heartbeat

Communication between protected devices and Sophos Central

▪ A regular heartbeat. A few bytes every 15 seconds
▪ Event information
▪ Device health status
▪ Threat source information

Communication between Sophos Central products is facilitated by the Sophos Security Heartbeat
which creates a secure two-way tunnel of communication.

The Security Heartbeat allows for intelligent communication between Sophos products allowing for a
coordinated response to threats. The Security Heartbeat includes:

• A regular heartbeat (a few bytes every 15 seconds) that identifies the device and communicates
that the device is active and protected
• Communication of event information
• Communication of the device health status
• Communication of threat information


Security Heartbeat Status

GREEN   Endpoint agent is running. No risk and no action required
YELLOW  Endpoint agent is running. Medium risk and action may be required
RED     Endpoint agent may not be running, and devices may not be protected. High risk and action is required

Here you can see what each heartbeat status means.

If a computer has a GREEN status, this means that the endpoint agent is running and the computer is
protected. No potentially unwanted applications (PUAs) and no active or inactive malware have been detected.

If the computer has a YELLOW status, the endpoint agent is running so the computer is protected,
however, inactive malware or a PUA has been detected. It can also indicate that the endpoint agent is
out of date.

When a computer has a RED status, it can indicate that the endpoint agent may not be running, so the
computer may not be protected. Alternatively, it could mean that active malware has been detected
or malware has not been cleaned up. It could also mean that malicious network traffic has been
detected, or communication to a known bad host has been identified.
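The status rules above, modelled as an added example (constructed for this page, not Sophos code): a small Python evaluator that maps a device's report onto GREEN, YELLOW or RED, with RED conditions checked first because they dominate. The `DeviceReport` fields and the "three missed heartbeats" threshold used to infer that the agent is not running are assumptions for illustration.

```python
from dataclasses import dataclass

HEARTBEAT_INTERVAL_SECONDS = 15   # the page states one heartbeat every 15 seconds
MISSED_HEARTBEATS_TOLERATED = 3   # assumption: after 3 silent intervals, treat the agent as not running


@dataclass
class DeviceReport:
    """Constructed view of what a device's heartbeat and events tell Sophos Central."""
    agent_running: bool = True
    agent_up_to_date: bool = True
    active_malware: bool = False        # running malware, or malware not yet cleaned up
    inactive_malware: bool = False      # dormant detection that is not executing
    pua_detected: bool = False          # potentially unwanted application
    malicious_traffic: bool = False     # malicious traffic or contact with a known bad host
    seconds_since_heartbeat: float = 0  # age of the last heartbeat received


def heartbeat_stale(report: DeviceReport) -> bool:
    """True when the device has been silent longer than the tolerated number of intervals."""
    return report.seconds_since_heartbeat > HEARTBEAT_INTERVAL_SECONDS * MISSED_HEARTBEATS_TOLERATED


def health_status(report: DeviceReport) -> str:
    """Map a report onto the GREEN / YELLOW / RED status defined on the page."""
    if not report.agent_running or heartbeat_stale(report):
        return "RED"      # agent may not be running, so the device may not be protected
    if report.active_malware or report.malicious_traffic:
        return "RED"      # high risk, action is required
    if report.inactive_malware or report.pua_detected or not report.agent_up_to_date:
        return "YELLOW"   # agent running, medium risk, action may be required
    return "GREEN"        # agent running, nothing detected, no action required


def action_required(status: str) -> str:
    """Operator guidance the page attaches to each colour."""
    return {"GREEN": "no action required",
            "YELLOW": "action may be required",
            "RED": "action is required"}[status]


def after_cleanup(report: DeviceReport) -> DeviceReport:
    """Report sent once the endpoint agent has cleaned up: detections cleared, fresh heartbeat."""
    return DeviceReport(agent_running=report.agent_running,
                        agent_up_to_date=report.agent_up_to_date,
                        seconds_since_heartbeat=0)
```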


Synchronized Security Examples

Sophos Synchronized Security integrates with all Sophos Central products. Let’s have a look at some
examples.


Security Heartbeat with Sophos Firewall

[Diagram: a device with a red health status sits on a switched segment alongside protected devices,
with Sophos Firewall between the switches and the Internet. Labels: "Sophos Firewall blocks access to
other networks and shares the MAC address of the device with a red health status with healthy
devices"; for devices reached through a router: "Cannot drop traffic based on MAC address and not
protected by Sophos Firewall"]

What would happen if malware was detected on a device that is part of a network protected with
Sophos Firewall and Synchronized Security enabled?

• If malware is detected, the Security Heartbeat sends event information along with the device
health status to Sophos Firewall
• Sophos Firewall shares the MAC address of the device with other devices on the network
• Healthy devices drop traffic from the device with the red health status. This will only work on local
network segments. If traffic is passing through a router, traffic will not be dropped
• When traffic passes through the Sophos Firewall, the firewall can prevent the device with a red
health status from connecting to other devices which protects healthy devices from a possible
infection
• Sophos Firewall only blocks the traffic from the red health status device; all other devices keep their
network access
• Once the endpoint agent has cleaned up malware on the device, the Security Heartbeat sends the
updated health status to the Sophos Firewall
• Sophos Firewall allows the device to access hosts and networks as normal
• Sophos Firewall also updates all devices removing the MAC address of the compromised device
from the list of devices with a red health status
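To make the scope of each control concrete, here is an added example (constructed for this page, not Sophos code) that models which flows from a red-status device are stopped and by which mechanism: a healthy peer on the same segment, the Sophos Firewall on a path that passes through it, or neither on a routed path that bypasses the firewall. `Device`, `FirewallModel` and `blocked_by` are hypothetical names.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Device:
    name: str
    mac: str
    segment: str            # L2 segment; frames between segments pass through a router
    health: str = "GREEN"


@dataclass
class FirewallModel:
    """Constructed stand-in for the firewall side of the Security Heartbeat exchange."""
    # MAC addresses reported with a red health status; this is the list shared with healthy devices
    red_macs: set = field(default_factory=set)
    # segments whose traffic to other segments is routed through Sophos Firewall
    segments_behind_firewall: frozenset = frozenset()

    def receive_heartbeat(self, dev: Device) -> None:
        """Update the shared red list from a device's reported health status."""
        if dev.health == "RED":
            self.red_macs.add(dev.mac)
        else:
            self.red_macs.discard(dev.mac)   # clean status reported: MAC removed from the list


def blocked_by(fw: FirewallModel, src: Device, dst: Device) -> Optional[str]:
    """Return who stops a flow from src to dst, or None when it is allowed.

    Rules taken from the page:
    * same segment: healthy peers drop frames from a MAC on the red list
    * different segments via Sophos Firewall: the firewall blocks the red device
    * different segments via a plain router: neither applies, since the routed frame
      no longer carries the original source MAC and the firewall never sees the flow
    """
    if src.mac not in fw.red_macs:
        return None                      # healthy devices keep full network access
    if src.segment == dst.segment:
        return "healthy peer dropped frame (source MAC on red list)"
    if src.segment in fw.segments_behind_firewall and dst.segment in fw.segments_behind_firewall:
        return "Sophos Firewall blocked flow (red health status)"
    return None                          # gap: routed path that bypasses Sophos Firewall
```

Running the model with one red device shows the residual gap the page calls out: a routed segment that is not behind the firewall still accepts the red device's traffic.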


Endpoint and Sophos Firewall

[Diagram: six steps linked by Security Heartbeat™
1. Malware Detection: Sophos Endpoint detects a malware attack
2. Cross Estate Communication: device status shared with the security system
3. Device Isolation: Sophos Firewall isolates the device
4. Clean-up: automatic clean-up on the device
5. Status Update: clean status communicated via Security Heartbeat
6. Access Restored: Sophos Firewall restores network access]

This diagram shows what happens when a device is protected with Sophos Central protection and a
Sophos Firewall is in use.

1. Endpoint protection detects malware
2. The device health status is communicated via Security Heartbeat with the Sophos Firewall
3. The Sophos Firewall isolates the device on the network
4. Automatic remediation of the device ensures that the threat is cleaned up
5. Once the device is clean, the health status is updated and reported by Security Heartbeat
6. The Sophos Firewall then restores network access

The automatic incident response takes seconds with no human interaction required.


Server and Sophos Firewall

[Diagram: six steps linked by Security Heartbeat™
1. Malware Detection: Sophos Server detects a malware attack
2. Cross Estate Communication: server status shared with the security system
3. Device Isolation: Sophos Firewall isolates the server
4. Clean-up: automatic clean-up on the server
5. Status Update: clean status communicated via Security Heartbeat
6. Access Restored: Sophos Firewall restores network access]

If the endpoint protection is switched for server protection, the same events will happen should
malware be detected on a protected server.

Please note that for servers, an administrator will need to provide approval for any actions taken.


Endpoint Protection and Sophos Email

[Diagram: six steps linked by Security Heartbeat™
1. Compromised Mailbox: Sophos Email detects a compromised mailbox
2. Mailbox Isolation: the mailbox is isolated
3. Communication: isolation status shared with endpoint
4. Device Scan: the endpoint identifies and scans all known devices tied to the mailbox
5. Clean-up: the endpoint automatically cleans up the detection
6. Mailbox Restored: mailbox sender privileges restored]

Here we can see a scenario where a device is using Sophos Email.

1. Sophos Email detects a compromised mailbox which is being used to send outbound spam emails
2. The mailbox is automatically isolated by Sophos Email
3. The status is shared via Security Heartbeat
4. The endpoint protection identifies and scans all known devices associated with the mailbox for
malware
5. Endpoint protection automatically cleans up any malware found
6. The mailbox is then restored


Zero-Touch Lateral Movement Protection

[Diagram: 1. Threat Detected, 2. Cross Estate Communication, linked by Security Heartbeat™]

An attacker will typically want to move across your network in order to gain better access to your data.
This is called lateral movement.

Synchronized Security provides lateral movement protection.

1. If a protected device detects a threat, the health status of that device is set to red
2. The health status is shared with the Sophos Firewall using Security Heartbeat


Zero-Touch Lateral Movement Protection

[Diagram continued: 3. Infection isolated from the network and LAN, 4. Infection cleaned up,
5. Device health status shared, linked by Security Heartbeat™]

3. The Sophos Firewall isolates the device from both the network and the LAN
4. Endpoint protection automatically cleans up the threat
5. The now healthy device shares the updated health status with Sophos Firewall


6. The connection to the network and the LAN is restored

This process happens in seconds by sharing information and using dynamic policies that respond to
incidents and events.


Knowledge Check

Take a moment to check your knowledge!


Question 1 of 2
When malware is detected, what device information does Sophos Firewall share with other devices on the
network?

• MAC Address
• IP Address
• Host Name
• User Information


Question 2 of 2

What is the interval in seconds between each Security Heartbeat? (enter numerical value)

___________


Chapter Review

• Sophos Synchronized Security automates detections, isolation and remediation results which enables
attacks to be neutralized quickly.
• There are 3 pillars to the Synchronized Security system; discover, analyze and respond.
• Communication between Sophos Central products is facilitated by the Sophos Security Heartbeat.

Here are the three main things you learned in this chapter.

Sophos Synchronized Security automates detection, isolation and remediation results which enables
attacks to be neutralized quickly.

There are three pillars to the Synchronized Security system; discover, analyze and respond.

Communication between Sophos Central products is facilitated by the Sophos Security Heartbeat
which creates a secure two-way tunnel of communication.
