This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos MDR cover

Hi everyone,

Been a long time since I posted anything on the forums but I felt this was just too important to hang on to and wanted to guage awareness with other Sophos MDR subscribers. 

Found out to my utter surprise that the MDR team do not proactively monitor the estate update health which is somewhat of a gob-smacking surprise to me. We had a situation where one of our update caches failed and there was no alert or dashboard notification of the failure. The cache was feeder to subsequent downstream update caches which the product had self selected to do using it's own algorythms (still try to get my head around how that works). Anyway, the top-level cache updater failed and subsequently was not pulling in any more updates from the Sophos central repos. This cascaded through the downstream updater caches meaning that as a result of the top update cache not updating, all the downstream updater caches also were not updating. All our endpoints happily carried on fetching updates from our update caches which now got further and further out of date. In some cases, these were several weeks out of date i.e. absolutely no current protection running on about 40% or our entire estate.

Now the debate here is whether this event should have triggered within the MDR monitoring. To my absolute astonishment, no, it's not! Also, Sophos confirmed that they have no responsibility to monitor update health, all they monitor is outbreak which, if you're out of date, becomes significantly more and more difficult to spot.

Asking the community here, how many cyber admins out there expect Sophos to monitor update health? I know that this for sure is in my cyber insurance requirements and now I have to find another partner who can monitor this 24/7 because Sophos won't.



This thread was automatically locked due to age.
  • Hi Matt,

    Thanks for reaching out to the Sophos Community Forum.

    We regret to hear about your experience and are following up internally to inquire about your concerns.

    Regarding the endpoint devices being out of date, if an Update Cache no longer has the latest data the endpoint devices will no longer connect to this source for updates. If the network is sectioned off so that the endpoints also cannot connect directly with Sophos Central, this can result in the situation you encountered. 

    Due to the number of different pieces involved, I'd suggest opening a support case with our team so further investigation can take place to understand why this issue occurred. Please send me a private message, and i'd be happy to assist in getting a case created for you.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Hi Qoosh,

    Interesting answer... I'm not sure that you're completely aware of what happens here. If the updater for the update cache fails, the update cache itself is still valid but out of date. The end points then see the update cache as up to date and do not report any failure. Equally the downstream update cache updaters still fetch from the upstream failed cache and report ok so there are no alerts in central, no endpoints report out of date and no endpoints fail over to the Sophos direct updates. The time taken before any alarm is raised is quite surprising, it was only an update cache updater in the end that raised an alert and that was after 4 months of failure.

    The situation was easily resolved by tracking back up the chain, finding the failed updater for update cache and resolving which then cascaded through to fix the end points. But the point here is that there were no alerts and the MDR team did not pick up on the estate being further and further out of date. What's more interesting is to hear that the MDR team do not practively monitor update health even though in their remit they are supposed to perform 'health checks' routinely. The fact that so many of my end point machines were so far out of date and that there was no warning at all in Sophos Central was surprising to say the least.

    In my cyber insurance terms, it states that I must maintain an up to date cyber protection solution with updating occuring "routinely throughout the day". I cannot be there to check this 24/7/365 which is why we and the cyber insurance explicitly requires an MDR solution. Sophos therefore, cannot provide such a solution based on the MDR teams's own response.