This guide is intended to help Sophos customers running Intercept X Advanced with XDR carry out the regular tasks in Sophos Central needed to keep operations running smoothly and to prevent threats. It is split into two parts. The first covers the proactive, threat-related activities that should be carried out every day: triaging Threat Cases (the telemetry produced by an automated detection) and actively hunting for threats that have not yet been detected are both critical to protecting an organization from cybercriminals. The second part covers the operational tasks that help customers manage their deployment of Intercept X Advanced with XDR.
Review Threat Cases
The Threat Cases view contains a list of the detections (infection types) that occurred in the past 90 days. The information in this view does not necessarily require an action, but it helps you investigate the chain of events surrounding a malware infection and pinpoint areas where you can improve your security.
The purpose of a threat case is to help admins understand what happened on the affected computer before the detection occurred. This information helps you understand ongoing infections, as well as how to further improve your security against similar attacks in the future.
NOTE: Sophos recommends urgently investigating certain detection types, as their presence can be an indicator of threat actor activity in the environment. These detections are:
Working with Threat Cases
Details on detection types
Behind every cyberthreat is a cybercriminal, and today’s advanced attacks often combine the latest technology with hands-on live hacking. Protecting against these human-led attacks requires human-led threat hunting.
Check machines showing as unprotected in Computers and Servers reports
This identifies machines on which the agent has not been installed successfully and which are therefore unprotected. Unprotected machines are an easy entry point for attackers and a pivot point into other areas of your network.
Check high severity alerts
High severity (red) alerts are the highest-priority warnings in Sophos Central. They typically indicate that admin intervention is needed and should be addressed as soon as possible to maintain a good security posture. Examples include detections that require manual cleanup or further investigation, API tokens that are about to expire, and real-time protection being disabled on an endpoint.
High severity alerts remain in the list until they are remediated or acknowledged by an administrator. Checking them daily ensures that no high severity incident is overlooked.
If you believe a detection is a false positive, we recommend investigating it through its Threat Case (see the Threat Cases section). Legitimate applications can be made to carry out malicious tasks, especially scripting or command interfaces such as PowerShell, so a detection on a trusted binary is not by itself proof of a false positive. Once you have completed an investigation and are comfortable that the detection is a false positive, we recommend following these steps:
Check machines with a bad / red health state
Similar to High Severity alerts, machines in a bad/red health state indicate action needs to be taken by an admin. Machines will have a bad / red health state for one of the following reasons:
(See steps below to create the custom query for its first execution)
You can also view the overall health status from the machine list:
Follow these steps to prepare the query for its first execution:
Check alerts related to malware / PUA cleanup
You should investigate cleanup failures because they can indicate more serious issues. For example, many threats have multiple components; if one component is active and undetected, it can lock other items and prevent them from being removed when they are detected, which shows up as a cleanup failure on the other component.
Check machines have all appropriate modules deployed
This is especially important if you have recently upgraded your license to include Intercept X or Managed Threat Response functionality. Machines (servers and endpoints) that have not been assigned the desired modules will lack the functionality and additional layers of security you are licensed for.
If many endpoints are regularly missing desired components, consider updating the installation script to make sure the correct components are configured. Details are in the links below.
Check global Tamper Protection status is set to enabled
Keeping Tamper Protection enabled across your entire estate is vital to ensure that an unauthorized administrator or an adversary cannot perform any of the following actions on a device:
Customers using the Sophos Central Enterprise Dashboard should check the Global Tamper Protection status in all subestates.
Check audit logs for any of the following:
Reviewing and examining administrator activity is essential to assessing the adequacy of system controls and to ensuring compliance with established policies and operational procedures.
If many unwanted changes are being made, consider changing the role of the administrator(s) responsible to limit unauthorized policy or global changes. Details are on the documentation site below.
Check medium severity alerts
Medium severity events are reported where actions are required, such as for computers out of compliance with policy, or that require a reboot. Malware detections that can automatically be remediated are also reported as medium, but they will only be displayed until they have been cleaned up.
Check machines with medium / orange health state
Machines will have a medium / orange health state for one of the following reasons:
Identify unprotected machines in the environment
You can’t secure what you can’t see. It is imperative to identify and manage all assets that have the potential to access corporate information. Unprotected machines increase your overall attack surface and are a typical entry point for attackers.
If synchronizing Active Directory with Sophos Central
Sophos Central Active Directory synchronization can import machine objects from your AD and show you the machines that are present in AD but not protected by Sophos Central. Follow the process below to see a list of these machines. You might need to update your AD sync settings to include machine objects.
If using a Sophos Firewall managed in Sophos Central with Cloud Reporting Enabled
The Sophos Firewall can upload connection data to the Sophos XDR data lake and a Live Discover query can extract data for devices which are not managed in Sophos Central.
If using neither of the technologies above
You can export a list of computers and servers from Sophos Central and compare it with your third-party asset management system.
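The comparison described above can be automated once both exports are on disk. The script below is an added example, not part of the original guide or any Sophos tooling: it normalizes host names from both sources (inventory systems often store FQDNs in mixed case, while the Central export shows short names) and reports every inventory asset that has no matching Sophos Central device. The column names "Name" (Central export) and "Hostname"/"Owner" (inventory export) are assumptions; adjust the parameters to match the real CSV headers. The two CSV snippets in the script are constructed sample data standing in for the real exports.

```powershell
# Added example (not from the Sophos guide): find assets that appear in a
# third-party asset inventory but are absent from a Sophos Central device export.
# Column names ("Name" in the Central export, "Hostname"/"Owner" in the
# inventory) are assumptions; change them to match your real CSV headers.

function Get-NormalizedHostname {
    param([Parameter(Mandatory)][string]$Name)
    # Compare on the lower-cased short host name so that
    # "WS-FIN-01" and "ws-fin-01.corp.example.com" are treated as the same asset.
    return ($Name.Trim().Split('.')[0]).ToLowerInvariant()
}

function Find-UnprotectedAssets {
    param(
        [Parameter(Mandatory)][object[]]$SophosDevices,    # rows from the Central CSV export
        [Parameter(Mandatory)][object[]]$InventoryAssets,  # rows from the asset-management export
        [string]$SophosNameColumn    = 'Name',             # assumed header in the Central export
        [string]$InventoryNameColumn = 'Hostname'          # assumed header in the inventory export
    )
    # Build a lookup of every host name Sophos Central knows about.
    $protected = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($d in $SophosDevices) {
        [void]$protected.Add((Get-NormalizedHostname -Name ($d.$SophosNameColumn)))
    }
    # Emit one record per inventory asset that is not in that lookup.
    foreach ($a in $InventoryAssets) {
        $short = Get-NormalizedHostname -Name ($a.$InventoryNameColumn)
        if (-not $protected.Contains($short)) {
            [pscustomobject]@{
                Hostname  = $a.$InventoryNameColumn
                ShortName = $short
                Owner     = $a.Owner      # assumed column; null if the inventory has no owner field
                Status    = 'NOT IN SOPHOS CENTRAL'
            }
        }
    }
}

# Constructed sample data standing in for the two CSV exports.
$sophosCsv = @'
Name,OS,Health
WS-FIN-01,Windows 10,Good
srv-db-02,Windows Server 2019,Good
'@
$inventoryCsv = @'
Hostname,Owner
ws-fin-01.corp.example.com,Finance
SRV-DB-02.corp.example.com,DBA
srv-web-03.corp.example.com,Web team
'@

$sophos    = $sophosCsv    | ConvertFrom-Csv
$inventory = $inventoryCsv | ConvertFrom-Csv

# With real files, replace the two ConvertFrom-Csv lines with e.g.
#   $sophos    = Import-Csv .\sophos-central-computers.csv
#   $inventory = Import-Csv .\cmdb-export.csv
Find-UnprotectedAssets -SophosDevices $sophos -InventoryAssets $inventory | Format-Table -AutoSize
```

With the constructed data only srv-web-03 is reported, because the two other inventory entries match Central devices once the domain suffix and case are stripped. Matching on the short host name is deliberate: it avoids false "unprotected" results caused by naming differences between systems, at the cost of treating two hosts with the same short name in different domains as one asset, so review the output rather than acting on it blindly.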
Check the Controlled Updates status for new endpoint or server agent updates
Checking that updates are not paused or controlled when this is not required ensures that your endpoints and servers automatically receive the latest feature updates as Sophos releases them.
Full details of the Controlled Updates options are on the documentation site below.
NOTE: Paused versions expire after 90 days and will be automatically upgraded if no action is taken.
Check Directory service sync status
Checking the status of your Active Directory synchronization to Sophos Central ensures you have a clean list of users and groups without stale/deleted accounts filling up your console and with newly created users populated automatically. This makes setting up user/group-based policies more efficient, as only relevant data is available for assignment.
Check low severity alerts
Check Windows machines with a pending reboot, a long uptime or a long time since the last installation of a Microsoft update
Outside of the obvious benefits of regular reboots (flushing memory, halting memory leaks, completing the installation of security updates, etc.), there are instances in which Sophos Endpoint Protection also requires a reboot so that the latest feature updates can be successfully applied.
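The three conditions named in this check (a pending reboot, long uptime, and a long time since the last Microsoft update) can be evaluated locally on a Windows machine with the script below. It is an added example, not part of the original guide or of Sophos Endpoint Protection; it reads the well-known Windows Update, Component Based Servicing and PendingFileRenameOperations reboot markers, the OS last-boot time, and the newest Get-HotFix install date. The 30-day uptime and 45-day patch-age thresholds are assumptions; set them to match your own patch cycle.

```powershell
# Added example (not from the Sophos guide): report whether this Windows machine
# has a reboot pending, has been up too long, or has not installed a hotfix recently.
# The day thresholds are assumptions; choose values that match your patch cycle.

function Test-PendingReboot {
    # Registry markers written by Windows Update and Component Based Servicing
    # when a restart is needed to finish an installation.
    $markers = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    foreach ($key in $markers) {
        if (Test-Path -LiteralPath $key) { return $true }
    }
    # Files queued to be renamed or deleted at next boot (e.g. locked binaries being replaced).
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    return [bool]($sm -and $sm.PendingFileRenameOperations)
}

function Get-RebootHygieneReport {
    param(
        [int]$MaxUptimeDays   = 30,   # assumed threshold
        [int]$MaxPatchAgeDays = 45    # assumed threshold
    )
    $now    = Get-Date
    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    $uptime = $now - $os.LastBootUpTime

    # Get-HotFix lists QFE/CBS packages only; feature updates show up in the OS build instead.
    # Some entries have no InstalledOn value, so filter those out before sorting.
    $lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $patchAge  = if ($lastPatch) { ($now - $lastPatch.InstalledOn).Days } else { $null }
    $pending   = Test-PendingReboot

    $findings = @()
    if ($pending) { $findings += 'Reboot pending' }
    if ($uptime.Days -gt $MaxUptimeDays) { $findings += "Uptime $($uptime.Days)d exceeds ${MaxUptimeDays}d" }
    if ($null -eq $patchAge) { $findings += 'No hotfix install date recorded' }
    elseif ($patchAge -gt $MaxPatchAgeDays) { $findings += "Last hotfix ${patchAge}d ago exceeds ${MaxPatchAgeDays}d" }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OSVersion      = $os.Version
        LastBoot       = $os.LastBootUpTime
        UptimeDays     = $uptime.Days
        LastHotFix     = if ($lastPatch) { $lastPatch.HotFixID } else { $null }
        LastHotFixDate = if ($lastPatch) { $lastPatch.InstalledOn } else { $null }
        RebootPending  = $pending
        NeedsAttention = ($findings.Count -gt 0)
        Findings       = ($findings -join '; ')
    }
}

Get-RebootHygieneReport | Format-List
```

Run it in an elevated PowerShell session on the endpoint (or push it through whatever remote execution tooling you already use) and act on any record where NeedsAttention is true; the Findings field explains which of the three conditions triggered. Note that the hotfix date only reflects cumulative and servicing updates, so a machine that is current but has just been rebuilt from an old image can still show a large patch age until its first update run completes.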
Review "What's new" change notes
Sophos regularly updates Sophos Central with improvements or new features. Reviewing the “What’s new” change notes is a great way to stay on top of UI changes and feature updates that will benefit administration and overall security.
Identify & delete old machines from Sophos Central
Similar to the benefits of keeping your AD sync up to date, deleting machines that are no longer in use from Sophos Central makes navigation easier and keeps device information accurate and relevant.
Tamper Protection passwords remain recoverable for a short time by following these steps:
Sophos Central Device Encryption recovery keys remain recoverable permanently by following these steps:
Review admin users and roles
Following the Principle of Least Privilege, periodic assessment of administration roles ensures that only those who need access to certain responsibilities (e.g. access sensitive logs, edit configurations, etc.) have those rights.
"Least Privilege" at US-CERT
To delete an admin account that is no longer a user at your organization follow these steps:
To edit an admin account's role follow these steps:
Full details of the built-in and custom roles are on the documentation site below.
Review MFA requirement for admin users
Requiring multi-factor authentication for all administrators means that signing in to Sophos Central also requires a second form of identification. If admin credentials are harvested by an unapproved individual, that third party will be unable to log in to the admin console without the second factor, preventing unauthorized access and changes.
Review email alert settings
Make sure the frequency and types of email alerts align with your organization's expectations. Ensure that the events your organization wants to be notified about immediately are set appropriately, and also that seemingly unimportant alerts do not flood inboxes and delay the response to higher-priority ones.
Full details of the granular email alert settings are on the documentation site below.
Full health check via Sophos PS / TAM
Big thanks to the team that put this together, Aaron Chen, David Wayne Peckler, Jessie Gibbons, and Paul Lawrence!
I would add AMSI and IPS to the list of Threat Cases to be immediately investigated.