Synchronized security in Sophos Central

The effectiveness of an organization's security tooling depends heavily on how well its components are connected: that connection is what lets them block internal threats as well as external ones. When designing a network infrastructure, every protection tool matters, be it an antivirus or a firewall, but the tools should not only work within their own class (endpoint security or NGFW); they should also be able to interact with each other to counter threats jointly.

Some theory

Not surprisingly, today's cybercriminals have become more enterprising and use a variety of network techniques to spread malware.

Phishing emails carry malware across the threshold of your network, using known or zero-day exploits, followed by privilege escalation and lateral movement through the network. A single infected device can mean that your network is already being used for the attacker's purposes.

When auditing the current state of a system, it is often impossible to describe its security controls as a single set of interconnected measures. Most products that counter a particular class of threat are not built to integrate with others. For example, endpoint protection products use signature and behavioral analysis to decide whether a file is malicious, while firewalls stop malicious traffic with other technologies such as web filtering, IPS and sandboxing. In most organizations these components are unrelated and operate in isolation.

Trends in Heartbeat Technology Implementation

The new approach to cybersecurity implies protection at every level, with the solutions used at each level connected to each other and able to exchange information. The result is Synchronized Security (SynSec): security delivered as a single system in which every component is connected to the others in real time. Sophos Central is one solution built on this principle.

Security Heartbeat technology provides the communication between security components that makes this cooperation and monitoring possible. Sophos Central integrates solutions of several classes, covering a fairly wide range of security products. In Sophos Central the SynSec concept rests on three principles: detection, analysis and response. Let's look at each of them in more detail.

SynSec concepts

DETECTION (identification of unknown threats)
Sophos products managed by Sophos Central automatically share information among themselves to identify risks and unknown threats, which includes:

  • analysis of network traffic with the ability to identify high-risk applications and malicious traffic;
  • identification of high-risk users by correlating their activity on the network.

ANALYSIS (instant and intuitive)
Real-time incident analysis provides instant insight into the current situation in the system.

  • display of the full chain of events that led to the incident, including all files, registry keys, URLs, etc.

RESPONSE (automatic incident response)
Security policies can be configured to respond to infections and incidents automatically, within seconds. This provides:

  • instant isolation of infected devices, stopping an attack in real time (even within the same network / broadcast domain, traffic that a perimeter firewall never sees, so isolation there has to be enforced by the endpoints themselves);
  • restriction of access to company network resources for devices that do not comply with policy;
  • remote launch of a device scan when outgoing spam is detected.

We have reviewed the main protection principles on which Sophos Central is built. Now let's look at how SynSec technology works in practice.

From theory to practice

To begin with, let's explain how devices establish the SynSec interaction using Heartbeat technology. The first step is to register Sophos XG with Sophos Central. At this stage the firewall receives a certificate to identify itself, the IP address and port through which endpoints will talk to it over Heartbeat, and the list of IDs of the endpoints managed through Sophos Central together with their client certificates.

Shortly after the Sophos XG registration, Sophos Central sends the endpoints the information they need to start the Heartbeat exchange:

  • a list of certificate authorities used to issue Sophos XG certificates;
  • a list of device IDs that are registered with Sophos XG;
  • IP address and port for communication using Heartbeat technology.

This information is stored on the computer at %ProgramData%\Sophos\Heartbeat\Config\Heartbeat.xml and is updated regularly.

Heartbeat communication consists of messages sent to the "magic" IP address 52.5.76.173 on port 8347 and back. Packet analysis confirmed the interval stated by the vendor: a heartbeat is sent every 15 seconds. Note that Heartbeat messages are processed by the XG Firewall itself: it intercepts packets destined for that address and tracks the endpoint's status. A packet capture on the host therefore looks like communication with an external IP address, although the endpoint is in fact talking to the XG firewall. This also means the heartbeat only works while the endpoint's traffic to that address passes through the XG firewall; a host whose route to it bypasses the firewall shows no heartbeat at all.
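A practitioner verifying this on an endpoint would capture traffic to 52.5.76.173:8347 and check the 15-second cadence per host. The script below is an added example (not from the original article or from Sophos): it filters tcpdump-style capture lines for the heartbeat flow, checks the interval for each endpoint and flags hosts whose heartbeat has stopped. The capture lines are constructed for the example, and the jitter tolerance and "three missed beats means lost" threshold are assumptions of this example, not vendor values.

```python
"""Added example: checking Security Heartbeat traffic in an endpoint packet
capture. The heartbeat address, port and 15 s interval come from the article;
the sample capture, tolerance and loss threshold are constructed here."""
import re
from collections import defaultdict

HEARTBEAT_IP = "52.5.76.173"
HEARTBEAT_PORT = 8347
EXPECTED_INTERVAL = 15.0   # seconds, as stated in the article
TOLERANCE = 2.0            # assumed jitter allowance
MISSED_BEFORE_LOST = 3     # assumed: 3 missed beats = heartbeat lost

# Constructed sample (tcpdump-like text, not a real capture):
# "<epoch_seconds> IP <src>.<sport> > <dst>.<dport>: ..."
SAMPLE_CAPTURE = """\
1700000000.000 IP 10.0.1.21.50123 > 52.5.76.173.8347: Flags [P.], length 64
1700000000.100 IP 52.5.76.173.8347 > 10.0.1.21.50123: Flags [P.], length 32
1700000015.010 IP 10.0.1.21.50123 > 52.5.76.173.8347: Flags [P.], length 64
1700000030.020 IP 10.0.1.21.50123 > 52.5.76.173.8347: Flags [P.], length 64
1700000045.000 IP 10.0.1.21.50123 > 52.5.76.173.8347: Flags [P.], length 64
1700000001.000 IP 10.0.1.37.49876 > 52.5.76.173.8347: Flags [P.], length 64
1700000016.000 IP 10.0.1.37.49876 > 52.5.76.173.8347: Flags [P.], length 64
1700000002.000 IP 10.0.1.37.49876 > 8.8.8.8.53: UDP, length 40
1700000005.000 IP 10.0.1.50.51000 > 52.5.76.173.8347: Flags [P.], length 64
1700000020.000 IP 10.0.1.50.51000 > 52.5.76.173.8347: Flags [P.], length 64
1700000060.000 IP 10.0.1.50.51000 > 52.5.76.173.8347: Flags [P.], length 64
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def heartbeat_timestamps(capture_text):
    """Return {endpoint_ip: sorted timestamps} for packets the endpoint sent
    to the heartbeat address. Replies from the firewall are not counted."""
    beats = defaultdict(list)
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["dst"] == HEARTBEAT_IP and int(m["dport"]) == HEARTBEAT_PORT:
            beats[m["src"]].append(float(m["ts"]))
    for ts in beats.values():
        ts.sort()
    return dict(beats)


def check_intervals(timestamps):
    """Return the inter-arrival gaps that deviate from the expected interval."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return [g for g in gaps if abs(g - EXPECTED_INTERVAL) > TOLERANCE]


def heartbeat_report(capture_text, now):
    """Classify each endpoint as 'ok', 'irregular' or 'lost' at time `now`.
    A host is 'lost' once it has been silent for MISSED_BEFORE_LOST beats."""
    report = {}
    for host, ts in heartbeat_timestamps(capture_text).items():
        silence = now - ts[-1]
        if silence > EXPECTED_INTERVAL * MISSED_BEFORE_LOST:
            report[host] = "lost"
        elif check_intervals(ts):
            report[host] = "irregular"
        else:
            report[host] = "ok"
    return report


if __name__ == "__main__":
    for host, state in heartbeat_report(SAMPLE_CAPTURE, now=1700000070.0).items():
        print(f"{host}: heartbeat {state}")
```

On a real capture the input would be the text output of tcpdump with `-tt` (epoch timestamps) filtered on `host 52.5.76.173 and port 8347`; the point of the per-host report is that a "lost" host is exactly the case in which the firewall stops seeing the beat and can no longer vouch for the endpoint.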


Suppose malware somehow reaches a computer. Either Sophos Endpoint detects the attack, or the Heartbeat from that system stops arriving. The infected device automatically reports the infection to the system, triggering an automatic chain of actions: XG Firewall immediately isolates the computer, preventing the attack from spreading and cutting off communication with C&C servers.

Sophos Endpoint removes the malware automatically. After cleanup, the endpoint synchronizes with Sophos Central, and XG Firewall then restores its network access. Root Cause Analysis (RCA, the EDR - Endpoint Detection and Response - component) gives a detailed picture of what happened.

What if corporate resources are accessed from mobile devices and tablets: can SynSec be provided in that case?

Sophos Central supports this scenario through Sophos Mobile and Sophos Wireless. Suppose a user violates a security policy on a mobile device protected by Sophos Mobile. Sophos Mobile detects the violation and notifies the rest of the system, triggering the preconfigured incident response. If the Sophos Mobile policy is set to "deny network connection", Sophos Wireless restricts network access for the device. The Sophos Wireless tab of the Sophos Central dashboard shows a notification that the device is infected, and when the user tries to use the network, a splash screen informs them that Internet access is restricted.

An endpoint has one of three Heartbeat statuses: red, yellow or green.
Red status is set in the following cases:

  • active malware detected;
  • an attempt to launch malware was detected;
  • malicious network traffic detected;
  • malware has not been removed.

Yellow status means that inactive malware or a PUP (Potentially Unwanted Program) has been detected on the endpoint. Green status means that none of the above problems have been detected.
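To make the status definitions above and the incident chain described earlier (detection, red status, isolation, cleanup, green status, access restored) concrete, here is an added example that is not code from the article or from Sophos. `classify_status` maps an endpoint's detection state to red/yellow/green exactly as listed above; `firewall_allows` applies a rule of the kind the article describes (deny below a minimum status, decide what to do with a missing heartbeat). The endpoint state record, the rule parameters and the event sequence are constructed for this example and are not Sophos configuration syntax.

```python
"""Added example: modelling Heartbeat statuses and the firewall's reaction.
The red/yellow/green rules follow the article; the state record, the rule
parameters and the sample event sequence are constructed here."""
from dataclasses import dataclass


@dataclass
class EndpointState:
    host: str
    active_malware: bool = False
    malware_launch_attempt: bool = False
    malicious_traffic: bool = False
    malware_not_removed: bool = False
    inactive_malware: bool = False
    pup_detected: bool = False
    heartbeat_seen: bool = True   # False once the firewall stops receiving beats


def classify_status(s):
    """Red/yellow/green per the article's definitions; 'none' if no heartbeat."""
    if not s.heartbeat_seen:
        return "none"
    if (s.active_malware or s.malware_launch_attempt
            or s.malicious_traffic or s.malware_not_removed):
        return "red"
    if s.inactive_malware or s.pup_detected:
        return "yellow"
    return "green"


RANK = {"green": 2, "yellow": 1, "red": 0}


def firewall_allows(status, minimum="yellow", block_missing_heartbeat=True):
    """Assumed rule shape: allow if the status is at least `minimum`, and
    treat a missing heartbeat as a separate decision (default: block)."""
    if status == "none":
        return not block_missing_heartbeat
    return RANK[status] >= RANK[minimum]


def replay_incident(events, minimum="yellow"):
    """Walk a sequence of (description, state-change dict) events and return
    (description, status, access_allowed) for each step."""
    state = EndpointState(host="10.0.1.21")
    trail = []
    for desc, change in events:
        for key, value in change.items():
            setattr(state, key, value)
        status = classify_status(state)
        trail.append((desc, status, firewall_allows(status, minimum)))
    return trail


# Constructed event sequence mirroring the article's scenario.
SAMPLE_EVENTS = [
    ("baseline", {}),
    ("Sophos Endpoint detects active malware", {"active_malware": True}),
    ("malware removed, endpoint re-syncs with Sophos Central", {"active_malware": False}),
    ("PUP found later", {"pup_detected": True}),
    ("endpoint stops sending heartbeats", {"heartbeat_seen": False}),
]

if __name__ == "__main__":
    for desc, status, allowed in replay_incident(SAMPLE_EVENTS):
        print(f"{desc:55s} status={status:6s} access={'allowed' if allowed else 'blocked'}")
```

The minimum-status parameter is the knob worth thinking about: with `minimum="yellow"` a host carrying a PUP keeps its access, with `minimum="green"` it is cut off, and in both cases a host that simply stops heartbeating is blocked, which is the conservative choice for segments where the firewall is the only enforcement point.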

Having considered some classic scenarios of interaction between protected devices and Sophos Central, let's move on to describing the solution's graphical interface and reviewing the main settings and supported functionality.

Graphical interface

The dashboard shows the latest notifications and, as charts, a summary for the various protection components; in this case, summary data on the protection of workstations. The panel also summarizes attempts to visit dangerous resources and resources with inappropriate content, as well as email analysis statistics.

Sophos Central displays notifications ordered by importance, so that critical security alerts are not missed. Besides the concise summary of the protection system's state, Sophos Central supports event logging and integration with SIEM systems. For many companies Sophos Central serves as a platform both for an internal SOC and for delivering services to customers as an MSSP.

An important feature is the update cache for endpoint clients. It saves external bandwidth: updates are downloaded once to one of the endpoints, and the other endpoints download them from it. In addition, the selected endpoint can relay security policy messages and reports to the Sophos cloud, which is useful for endpoints that need protection but have no direct Internet access. Sophos Central also provides tamper protection, an option that prevents changes to the computer's security settings or removal of the endpoint agent.

One of the components of endpoint protection is Intercept X, a next-generation antivirus (NGAV). Using deep learning, it can detect previously unknown threats without signatures. Its detection accuracy is comparable to that of signature-based products, but unlike them it provides proactive protection against zero-day attacks. Intercept X can run alongside signature-based antivirus from other vendors.

In this article we briefly described the SynSec concept implemented in Sophos Central and some features of the solution. The following articles will describe how each of the protection components integrated into Sophos Central works. A demo version of the solution is available here.

Source: habr.com
