CE0515 4.0v1 An Introduction To Sophos Synchronized Security
Sophos Synchronized Security
[Additional Information]
December 2022
Version: 4.0v1
© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or
by any means without the prior written consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks
mentioned in this document may be the trademarks or registered trademarks of Sophos Limited or their
respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no warranties,
conditions or representations (whether express or implied) as to its completeness or accuracy. This document is
subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at The
Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
DURATION 10 minutes
In this chapter you will learn how Sophos Synchronized Security allows products to communicate with
each other intelligently to respond to threats.
[Diagram: Sophos Central products (Firewall, Cloud Optix, Wireless, Email, Server, Encryption, Mobile, Endpoint) connected through Sophos Central. Analyze: correlation and analysis of events. Respond: adaptive policy, automated enforcement]
Sophos Synchronized Security is cybersecurity as a system: security products working together in real time.
Traditionally, cybersecurity makes use of separate protection products to identify malicious files and to detect and stop malicious traffic. These products work well in isolation, but they are disconnected from each other. As a result, the IT team has to correlate data between systems manually, which takes time and often means threats are missed.
Sophos Synchronized Security automates detection, isolation, and remediation results which enables
attacks to be neutralized quickly. It creates new ways to connect security products that protect your
organization.
[Chart: threat types experienced by organizations that were victims of cyber attacks. Phishing Email 53%, Data Breach 41%, Malicious Code 35%, Software Exploit 35%, Ransomware 30%, Credential Theft 21%]
Cyber attacks often include multiple elements, for example, a phishing email could install malicious
code that takes advantage of a software exploit to install ransomware. To help understand the types of
threats being initiated, we asked organizations who had been victims of cyber attacks what types of
threats they experienced. The results showed:
• Over 50% of attacks were introduced using phishing emails
• Over 40% were due to a data breach
• 35% were a result of malicious code or exploits
• 30% were infected with ransomware
• 20% experienced credential theft
These figures sum to more than 100%, which demonstrates that attacks typically combine multiple attack elements.
[Additional Information]
This information was taken from our white paper about endpoint security, which is available here:
https://secure2.sophos.com/en-us/security-news-trends/whitepapers/gated-wp/uncomfortable-truths-of-endpoint-security.aspx
Discover
• Identify unknown threats
• See ALL network traffic
• Identify risky users, apps and malicious traffic
• Correlate network traffic
Analyze
• Real-time incident analysis
• Cross-estate reporting
• See the full chain of events for an incident
Respond
• Automatically respond to infections and incidents
• Isolate compromised endpoints
• Restrict access on trusted networks for non-compliant devices
• Initiate endpoint scans
Synchronized Security takes a full system approach. Security products connect with each other in real time, working together to combat advanced threats.
Discover. Sophos Central products automatically share information to reveal hidden risks and unknown threats. Administrators can see all network traffic, identify risky applications, and correlate behaviour across multiple activities.
Analyze. Real-time incident analysis and cross-estate reporting deliver instant insights, allowing administrators to view the full chain of events for an incident.
Communication between Sophos Central products is facilitated by the Sophos Security Heartbeat
which creates a secure two-way tunnel of communication.
The Security Heartbeat allows for intelligent communication between Sophos products allowing for a
coordinated response to threats. The Security Heartbeat includes:
• A regular heartbeat (a few bytes every 15 seconds) that identifies the device and communicates
that the device is active and protected
• Communication of event information
• Communication of the device health status
• Communication of threat information
[Table, partially recovered: RED: endpoint agent may not be running, and devices may not be protected. High risk and action is required]
If a computer has a GREEN status, the endpoint agent is running and the computer is protected. No potentially unwanted applications (PUAs) and no active or inactive malware have been detected.
If a computer has a YELLOW status, the endpoint agent is running and the computer is protected; however, inactive malware or a PUA has been detected. YELLOW can also indicate that the endpoint agent is out of date.
When a computer has a RED status, it can indicate that the endpoint agent may not be running, so the
computer may not be protected. Alternatively, it could mean that active malware has been detected
or malware has not been cleaned up. It could also mean that malicious network traffic has been
detected, or communication to a known bad host has been identified.
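The GREEN/YELLOW/RED rules above, written out as a small Python classifier. This is an added example, not Sophos code: the DeviceState fields, the precedence (any RED condition wins over YELLOW, YELLOW over GREEN), and the "stale heartbeat" rule with its missed-beat threshold are assumptions made for illustration; the page itself states only the 15 second heartbeat interval and that RED can mean the agent is not running.

```python
from dataclasses import dataclass

HEARTBEAT_INTERVAL_S = 15  # from the chapter: a few bytes every 15 seconds


@dataclass
class DeviceState:
    """Constructed snapshot of what an endpoint agent reports (field names are assumptions)."""
    agent_running: bool = True
    agent_out_of_date: bool = False
    active_malware: bool = False
    malware_not_cleaned: bool = False
    inactive_malware: bool = False
    pua_detected: bool = False
    malicious_traffic: bool = False
    known_bad_host_contact: bool = False


def health_status(s: DeviceState) -> str:
    """Map a snapshot to GREEN / YELLOW / RED using the chapter's definitions.

    RED conditions are checked first so that, for example, a PUA detection on a
    device whose agent is not running still reports RED (assumed precedence).
    """
    if (not s.agent_running or s.active_malware or s.malware_not_cleaned
            or s.malicious_traffic or s.known_bad_host_contact):
        return "RED"
    if s.inactive_malware or s.pua_detected or s.agent_out_of_date:
        return "YELLOW"
    return "GREEN"


def heartbeat_is_stale(last_seen_s: float, now_s: float, missed_beats: int = 3) -> bool:
    """Assumption: a device is unaccounted for once more than `missed_beats`
    intervals have passed since its last heartbeat (3 x 15 s = 45 s by default)."""
    return now_s - last_seen_s > missed_beats * HEARTBEAT_INTERVAL_S


def effective_status(s: DeviceState, last_seen_s: float, now_s: float) -> str:
    """Combine the reported snapshot with heartbeat liveness.

    A silent agent may not be running, and the chapter maps that case to RED,
    so a stale heartbeat overrides whatever the last snapshot said.
    """
    if heartbeat_is_stale(last_seen_s, now_s):
        return "RED"
    return health_status(s)


if __name__ == "__main__":
    # Constructed samples: a clean device seen 30 s ago, then 60 s ago.
    clean = DeviceState()
    print(effective_status(clean, last_seen_s=0.0, now_s=30.0))   # GREEN
    print(effective_status(clean, last_seen_s=0.0, now_s=60.0))   # RED (no heartbeat)
    print(health_status(DeviceState(pua_detected=True)))           # YELLOW
```

The ordering matters in practice: a device that is both out of date and talking to a known bad host must surface as RED, not YELLOW, so the checks run from most to least severe.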
Sophos Synchronized Security integrates with all Sophos Central products. Let's have a look at some examples.
What would happen if malware was detected on a device that is part of a network protected with
Sophos Firewall and Synchronized Security enabled?
• If malware is detected, the Security Heartbeat sends event information along with the device
health status to Sophos Firewall
• Sophos Firewall shares the MAC address of the device with other devices on the network
• Healthy devices drop traffic from the device with the red health status. This will only work on local
network segments. If traffic is passing through a router, traffic will not be dropped
• When traffic passes through the Sophos Firewall, the firewall can prevent the device with a red
health status from connecting to other devices which protects healthy devices from a possible
infection
• Sophos Firewall only blocks the traffic from the red health status device, all other devices will have
network access
• Once the endpoint agent has cleaned up malware on the device, the Security Heartbeat sends the
updated health status to the Sophos Firewall
• Sophos Firewall allows the device to access hosts and networks as normal
• Sophos Firewall also updates all devices removing the MAC address of the compromised device
from the list of devices with a red health status
[Diagram: Security Heartbeat™]
This diagram shows what happens when a device is protected with Sophos Central protection and a
Sophos Firewall is in use.
The automatic incident response takes seconds with no human interaction required.
If server protection is used in place of endpoint protection, the same sequence of events occurs should malware be detected on a protected server.
Please note that for servers, an administrator will need to provide approval for any actions taken.
1. Sophos Email detects a compromised mailbox which is being used to send outbound spam emails
2. The mailbox is automatically isolated by Sophos Email
3. The status is shared via Security Heartbeat
4. The endpoint protection identifies and scans all known devices associated with the mailbox for
malware
5. Endpoint protection automatically cleans up any malware found
6. The mailbox is then restored
An attacker will typically want to move across your network in order to gain better access to your data.
This is called lateral movement.
1. If a protected device detects a threat, the health status of that device is set to red
2. The health status is shared with the Sophos Firewall using Security Heartbeat
3. The Sophos Firewall isolates the device from both the network and the LAN
4. Endpoint protection automatically cleans up the threat
5. The now healthy device shares the updated health status with Sophos Firewall
This process happens in seconds by sharing information and using dynamic policies that respond to
incidents and events.
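The firewall sequence from the first example (red health status, MAC address shared with healthy devices, traffic blocked only from the red device, access restored after clean-up) and the lateral-movement steps just above describe the same containment loop. The Python model below walks through that loop and, in particular, shows the caveat the chapter gives: dropping by MAC address only works on the local segment, because a router rewrites the source MAC. This is an added example, not Sophos code; the Firewall and Endpoint classes, the sample MAC addresses and the via_router flag are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """Constructed traffic sample. src_mac is what the receiver sees; once a frame
    has crossed a router it would carry the router's MAC, modelled here by via_router."""
    src_mac: str
    dst_mac: str
    via_router: bool = False


class Endpoint:
    """A healthy device that receives the firewall's list of red-status MAC addresses."""

    def __init__(self, mac):
        self.mac = mac
        self.red_macs = set()

    def accept(self, frame):
        # Dropping by MAC only works on the local segment: a routed frame no longer
        # carries the infected device's MAC, so it is passed through (the chapter's caveat).
        if frame.via_router:
            return True
        return frame.src_mac not in self.red_macs


class Firewall:
    """Stand-in for the firewall role in the chapter (hypothetical, not Sophos code)."""

    def __init__(self, endpoints):
        self.endpoints = list(endpoints)
        self.red_macs = set()

    def on_heartbeat(self, mac, status):
        # Security Heartbeat delivers the health status. RED adds the MAC to the shared
        # list; a later GREEN (after clean-up) withdraws it. The updated list is pushed
        # to every connected endpoint in both cases.
        if status == "RED":
            self.red_macs.add(mac)
        else:
            self.red_macs.discard(mac)
        for ep in self.endpoints:
            ep.red_macs = set(self.red_macs)

    def allow(self, frame):
        # Only traffic from a red-status device is blocked; every other device keeps access.
        return frame.src_mac not in self.red_macs


def run_scenario():
    """Walk through the chapter's sequence and return the decision taken at each step."""
    healthy_a = Endpoint("02:00:00:00:00:0a")   # constructed sample MACs
    healthy_b = Endpoint("02:00:00:00:00:0b")
    infected = "02:00:00:00:00:cc"
    fw = Firewall([healthy_a, healthy_b])
    results = {}

    # Malware detected: the heartbeat reports RED and the firewall shares the MAC.
    fw.on_heartbeat(infected, "RED")
    results["shared_to_peers"] = infected in healthy_a.red_macs
    # Healthy devices drop local frames from the red device ...
    results["peer_drops_local"] = not healthy_b.accept(Frame(infected, healthy_b.mac))
    # ... but cannot recognise it once a router has rewritten the source MAC.
    results["peer_passes_routed"] = healthy_b.accept(Frame(infected, healthy_b.mac, via_router=True))
    # The firewall blocks the red device only; other devices are unaffected.
    results["fw_blocks_red"] = not fw.allow(Frame(infected, healthy_a.mac))
    results["fw_allows_others"] = fw.allow(Frame(healthy_a.mac, healthy_b.mac))
    # Clean-up: the heartbeat reports GREEN, access is restored and the MAC withdrawn.
    fw.on_heartbeat(infected, "GREEN")
    results["fw_allows_after_cleanup"] = fw.allow(Frame(infected, healthy_a.mac))
    results["peer_accepts_after_cleanup"] = healthy_b.accept(Frame(infected, healthy_b.mac))
    results["mac_withdrawn"] = infected not in healthy_a.red_macs
    return results


if __name__ == "__main__":
    for step, ok in run_scenario().items():
        print(f"{step:28s} {ok}")
```

The `peer_passes_routed` step is the one to keep in mind when planning segmentation: peer-to-peer dropping protects the local segment, while traffic that crosses a router is only contained where it passes through the firewall.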
What is the interval in seconds between each Security Heartbeat? (enter numerical value)
___________
There are 3 pillars to the Synchronized Security system; discover, analyze and respond.
Here are the three main things you learned in this chapter.
Sophos Synchronized Security automates detection, isolation and remediation results which enables
attacks to be neutralized quickly.
There are three pillars to the Synchronized Security system; discover, analyze and respond.
Communication between Sophos Central products is facilitated by the Sophos Security Heartbeat
which creates a secure two-way tunnel of communication.