Been a long time since I posted anything on the forums, but I felt this was just too important to hang on to and wanted to gauge awareness among other Sophos MDR subscribers.
Found out to my utter surprise that the MDR team do not proactively monitor the estate's update health, which is somewhat of a gob-smacking surprise to me. We had a situation where one of our update caches failed and there was no alert or dashboard notification of the failure. The cache was the feeder for subsequent downstream update caches, which the product had self-selected using its own algorithms (still trying to get my head around how that works). Anyway, the top-level cache updater failed and subsequently was not pulling in any more updates from the Sophos Central repos. This cascaded through the downstream update caches, meaning that as a result of the top update cache not updating, all the downstream update caches were also not updating. All our endpoints happily carried on fetching updates from our update caches, which got further and further out of date. In some cases these were several weeks out of date, i.e. absolutely no current protection running on about 40% of our entire estate.
Now the debate here is whether this event should have triggered within the MDR monitoring. To my absolute astonishment, no, it didn't! Also, Sophos confirmed that they have no responsibility to monitor update health; all they monitor is outbreaks, which, if you're out of date, become significantly more difficult to spot.
Asking the community here: how many cyber admins out there expect Sophos to monitor update health? I know for sure that this is in my cyber insurance requirements, and now I have to find another partner who can monitor this 24/7 because Sophos won't.
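The cascade described above, as an added example that is not part of the original post and is not Sophos's own tooling: a stale-definition check run over a constructed cache tree and endpoint list. The topology, field names, hostnames and two-day threshold are all assumptions made for the example. The point it makes is that staleness has to be measured by the age of the definitions actually installed, because an endpoint pulling from a stale cache still reports a successful update, and that alerts should name the topmost stale cache rather than every cache downstream of it.

```python
"""Stale-definition check across chained update caches (added example).

Models the failure mode from the post: a top-level cache stops pulling from
the vendor, every cache it feeds relays the same stale content, and endpoints
keep reporting successful updates while running weeks-old definitions.
All inventory data below is constructed for the example; a real check would
load it from the management console's endpoint/cache export.
"""
from datetime import datetime, timedelta, timezone

# Assumed alert threshold (illustrative, not a vendor or insurer figure).
MAX_AGE = timedelta(days=2)

# Fixed "now" so the example is deterministic.
NOW = datetime(2024, 5, 20, 9, 0, tzinfo=timezone.utc)

# Constructed cache tree: upstream None means the cache pulls from the vendor.
# "definitions" is the date of the newest definition set the cache holds.
CACHES = {
    "cache-hq":    {"upstream": None,       "definitions": NOW - timedelta(days=21)},
    "cache-site1": {"upstream": "cache-hq", "definitions": NOW - timedelta(days=21)},
    "cache-site2": {"upstream": "cache-hq", "definitions": NOW - timedelta(days=21)},
    "cache-dc":    {"upstream": None,       "definitions": NOW - timedelta(hours=3)},
}

# Constructed endpoints. "last_update_ok" is when the agent last completed an
# update run without error; "definitions" is what it is actually running.
ENDPOINTS = [
    {"host": "ws-001",  "cache": "cache-site1", "last_update_ok": NOW - timedelta(hours=1), "definitions": NOW - timedelta(days=21)},
    {"host": "ws-002",  "cache": "cache-site2", "last_update_ok": NOW - timedelta(hours=2), "definitions": NOW - timedelta(days=21)},
    {"host": "srv-001", "cache": "cache-dc",    "last_update_ok": NOW - timedelta(hours=1), "definitions": NOW - timedelta(hours=3)},
    {"host": "srv-002", "cache": "cache-dc",    "last_update_ok": NOW - timedelta(hours=4), "definitions": NOW - timedelta(hours=3)},
    {"host": "srv-003", "cache": "cache-dc",    "last_update_ok": NOW - timedelta(hours=1), "definitions": NOW - timedelta(hours=3)},
]


def is_stale(record, now=NOW, max_age=MAX_AGE):
    """True when the definitions a cache or endpoint holds are older than max_age.
    Deliberately ignores last_update_ok: a successful pull from a stale cache
    is still a stale endpoint."""
    return now - record["definitions"] > max_age


def root_cause(cache_name, caches=CACHES, now=NOW, max_age=MAX_AGE):
    """Walk upstream from a stale cache to the topmost cache that is itself
    stale. That is where the fix belongs; restarting a downstream cache that
    merely relays stale content changes nothing."""
    current = cache_name
    while True:
        upstream = caches[current]["upstream"]
        if upstream is None or not is_stale(caches[upstream], now, max_age):
            return current
        current = upstream


def stale_caches(caches=CACHES, now=NOW, max_age=MAX_AGE):
    """Map each stale cache to the cache that is the root cause of its staleness."""
    return {
        name: root_cause(name, caches, now, max_age)
        for name, cache in caches.items()
        if is_stale(cache, now, max_age)
    }


def estate_report(endpoints=ENDPOINTS, caches=CACHES, now=NOW, max_age=MAX_AGE):
    """Estate-wide view an MDR or internal monitor would alert on."""
    stale = [e for e in endpoints if is_stale(e, now, max_age)]
    # Endpoints that would pass a naive "did the last update succeed?" check.
    misleading = [e for e in stale if now - e["last_update_ok"] <= max_age]
    return {
        "stale_hosts": sorted(e["host"] for e in stale),
        "stale_fraction": len(stale) / len(endpoints) if endpoints else 0.0,
        "root_cause_caches": sorted(set(stale_caches(caches, now, max_age).values())),
        "hosts_reporting_ok_but_stale": sorted(e["host"] for e in misleading),
    }


if __name__ == "__main__":
    report = estate_report()
    for key, value in report.items():
        print(f"{key}: {value}")
    if report["stale_fraction"] > 0:
        raise SystemExit(1)  # non-zero exit so a scheduler can raise an alert
```

Run it on a schedule and alert on the non-zero exit. With the constructed data it reports 40% of the estate stale, both stale hosts still reporting successful updates, and a single root cause (cache-hq) to fix, which is exactly the signal that a "last update succeeded" dashboard would not have shown.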