We are looking at requiring smb signing on our network. The fact that Microsoft and others say to expect a 15% performance impact makes that a hard pill to swallow. My question, would the types of attacks and lateral movement exploited by not requiring smb signing be blocked by Sophos Endpoint / Intercept X? We just want to avoid taking a performance hit to protect ourselves against something we might already be protected from. I've tried searching around on this one but can't find any indication either way.
Since this is a signing technology what it prevents is Man in the Middle and message tampering (alteration of the message in transit). It doesn't prevent lateral movement or malicious code running…
Since this is a signing technology what it prevents is Man in the Middle and message tampering (alteration of the message in transit). It doesn't prevent lateral movement or malicious code running on a trusted machine. So, if Machine A talks to Machine B with signing enabled you know the message sent by A is the exact message B got. However, if A is compromised and is sending malicious content in the message - it still is transmitted and signed.
What technologies does Intercept X offer to help here? Exploit mitigation on a machine will detect specific actions regardless of the source - so if a code cave or some other exploit is happening it triggers. For lateral movement, the Endpoint IPS element of the endpoint is specifically built to inspect incoming and outgoing packets to see if they match exploits we are protecting against - such as EternalBlue which leveraged an exploit in SMB.
So, in short, signing lets you know if there is and prevents tampering of data in transit but, in and of itself, does not protect against lateral movement or exploits.
I hope that helps.
Program Manager, Support Readiness | CISSP | Sophos Technical SupportSupport Videos | Product Documentation | @SophosSupport | Sign up for SMS AlertsIf a post solves your question use the 'Verify Answer' link.
Awesome. Yes, very helpful. In our environment we have Sophos endpoint with Intercept X installed on all servers and desktops, with an XG firewall. We block all outbound smb, so smb traffic is restricted to the local network. So seems like this may be a pretty low risk for us.