Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Our latest video on Sophos Techvids outlines best practices for configuring your threat protection policy for Intercept X in Sophos Central.
Intercept X is a powerful product. It's got multiple layers of protection to guard against lots of different threat vectors and doesn't rely on one specific form of scanning. As we all know, however, great power comes with great responsibility. That responsibility, in our case, comes in the form of policy configuration.
Misconfigured policies lead to critical pieces of that threat protection fortress of defence being inactive when the bad guys attack, and put you in a position you do NOT want to be in as the IT guy. We know there's a ton of configuration options available, and it can be a bit daunting at first.
Let's break down the threat protection policy so you can configure your policy as securely as possible.
Before we jump into the policy, we need to talk about Multi-Factor Authentication or MFA. With MFA turned on, logging in to Central will require a second factor. We have different options available like Google Authenticator or SMS codes. Pick one that works for you.
MFA makes it harder for a bad actor to compromise your account because they need access to that second factor and can’t just guess or brute force your password. Remember, MFA works on the principle that two different attributes are harder to compromise than one. A password is something you KNOW, but an authentication code is something you HAVE because it constantly changes and is only accessible from the device set up to generate it.
Access to your dashboard is the most important safety system you have, so don’t let it fall into the wrong hands.
To turn on MFA, go to Global Settings, scroll down to Multi-Factor Authentication, and we recommend enabling "All admins need MFA". More info on MFA: https://docs.sophos.com/central/Customer/help/en-us/central/Customer/common/concepts/MultiFactorAuthentication.html
Note: This is now enabled by default on all Sophos Central accounts.
To get to the Threat Protection Policy, navigate to Endpoint > Policies and either select an existing policy or create a new policy. Click the Settings tab once you're in a policy to view the configuration settings.
Now, these settings are going to look different for the Endpoint policy than the Server policy. For the most part, the settings are identical, but the placement of settings is a little different. We’ll go through the endpoint policy first, then cover the differences in the server policy.
Right off the jump, we see, "Use Recommended Settings".
We recommend leaving this turned on. As long as you've installed Intercept X on the devices in your environment, they'll get a policy that we deem secure today, and we'll update it accordingly when we add new features in the future.
Now there's more to the policy like Scheduled system scans, device isolation, and exclusions, but we'll talk about those in a minute.
Why do we have so many scans, you ask? It’s like a stack of sieves. Some scans are better at detecting different types of things or are more efficient. Stacking them together means if a detection happens at one layer, we don’t proceed to the next. That allows us to optimize protection and performance.
Active Exploits are actions that known good applications can be forced to take – which can be malicious. Think of macros in Word docs – Word is a good application and won’t be stopped by our PE scanning. However, the macro you just loaded makes it call PowerShell and edit your local environment variables, changing the path for File Explorer to a malicious PE that came bundled with the Word doc.
Basically, Active Exploit Mitigation looks at what an application is doing and determines if that action is malicious or of concern, regardless of which PE or process is doing the action.
The runtime protection settings are your “active exploit” protection, monitoring behavior after files have been executed and are trying to do damage. We recommend turning all of these settings on.
Advanced Settings
Device Isolation
Scheduled Scans
We suggest configuring a scheduled scan for once a week. In an incident response scenario, you may need to perform these more frequently.
Preventing an attack is more effective than trying to stop it once it's underway. Detections on a system through scheduled scans can alert you that further investigation is necessary, i.e., something has changed. Sophos Labs continually publishes new detections. A file we did not look for with older detection data may be detected with an updated database later on. A scheduled scan provides you with a second check in case something gets through real-time protection.
Now we go to the danger zone: exclusions. In some situations, exclusions may be unavoidable. Try to use a scalpel when making exclusions, not a hammer. What we mean is to try to be as exact and precise as possible. Don't exclude entire drives. Exclude specific files or detections instead of entire folders. We do health checks on customers and sometimes see things like the "D" through "H" drives excluded, which is very risky.
Remember, any PE that falls under an exclusion will have no restrictions on running. It will be able to do whatever malicious action it wants.
Before making exclusions, read through our documentation on scanning exclusions, and while making exclusions, read the exclusion description that's displayed to make sure you're using the right type of exclusion.
For example, if Active Exploit Mitigation detects a threat, it will show up in the Detected Exploits option.
Trying to make a file or folder exclusion for that detection won’t work because that applies to the real-time scanning, not active exploit mitigation.
If you're putting exclusions into your policy, create separate policies for the users or devices that need those exclusions if possible to minimize the scope of the exclusions. We've seen some messy situations due to improper use of exclusions, and we don't want that happening to you, so be careful!
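The "scalpel, not a hammer" advice above can be checked mechanically before exclusions go into a policy. The following is an added example, not Sophos code: a short Python script that grades a list of exclusion paths by how broad they are. The one-path-per-line input, the sample paths and the severity labels are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample list for illustration; one path per line is an assumed
# review format, not a Sophos Central export.
SAMPLE_EXCLUSIONS = [
    "D:\\",
    "E:",
    "C:\\Program Files\\AcmeBackup\\",
    "C:\\Program Files\\AcmeBackup\\agent.exe",
    "C:\\Users\\*\\AppData\\Local\\Temp\\*.exe",
    "C:\\Data\\reports",
]

ORDER = ["critical", "high", "medium", "low"]   # assumed labels, worst first
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")

def classify(entry: str) -> tuple[str, str]:
    """Grade one exclusion path by how much of the disk it switches off."""
    e = entry.strip()
    # "D:\", "D:" and "D:\*" all mean the same thing: the whole drive.
    if DRIVE_ROOT.match(e.rstrip("*")):
        return "critical", "entire drive excluded"
    if "*" in e or "?" in e:
        return "high", "wildcard matches files you have not reviewed"
    # Heuristic: a trailing backslash or no file extension means a folder.
    if e.endswith("\\") or not PureWindowsPath(e).suffix:
        return "medium", "whole folder excluded; name the specific files"
    return "low", "single file"

def audit(entries):
    """Return (severity, path, reason) tuples, broadest exclusions first."""
    rows = [(*classify(p), p) for p in entries if p.strip()]
    rows.sort(key=lambda r: ORDER.index(r[0]))
    return [(sev, path, why) for sev, why, path in rows]

if __name__ == "__main__":
    for sev, path, why in audit(SAMPLE_EXCLUSIONS):
        print(f"{sev.upper():8} {path:45} {why}")
```

Anything graded critical or high is a candidate for replacing with a specific file or detection exclusion, or for moving into a separate policy scoped to the few devices that need it.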
Switching over to the server side of things, while all the settings are pretty much the same, they're ordered a little differently. All the Intercept X Advanced features live at the top, and the standard protection is underneath. If you have the Intercept X Advanced license, then enable all the advanced features for full protection.
When you create a new policy, all the recommended settings will be turned on, but the Intercept X Advanced options don’t have the "Use Recommended Settings" check box we saw on the endpoint side. The Server Protection default settings section does have an enable-all check box, which we recommend leaving checked.
Server protection can be more sensitive than endpoint, so you may need to configure these settings more to optimize performance. Again, all these settings are the same as what I mentioned for endpoint, minus the device isolation. More info: https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/ServerConfigureMalwareProtection.html
Question please: if I install the Sophos endpoint package first, and then I update policies in my Central account, does it affect computers and update their policies automatically?
That's correct, the policies will automatically be updated on the endpoints if they’re online. If a device is powered off, it will check in with Sophos Central when it is powered on and update the policy accordingly.
You can see when the latest policy was received for each component using the "Endpoint Self Help" tool.