Sophos Cloud Optix is an AI-powered, next generation cloud infrastructure security platform that delivers continuous security monitoring, compliance, analytics and remediation, across multiple public cloud accounts and multiple public cloud platforms.
The following questions are answered:
Sophos Cloud Optix is an agent-less SaaS solution that integrates with customer cloud infrastructure accounts using the native cloud provider APIs, logs and cloud services. Information from these sources are used to provide the customer with a detailed inventory of assets in the cloud account and provide an intuitive topological view of the environment’s architecture and traffic flows.
This information is also matched against both out of the box and customer created policies to provide ongoing security and compliance assessments which then result in configurable alerts and auditor ready reports. The solution also provides integrations with third party operations and security team tools. Integrations with GitHub, Bitbucket and Jenkins allow for pro-active scanning of Infrastructure as Code templates (e.g. Terraform, Ansible, AWS CloudFormation and Azure ARM scripts), and integrations with Jira, Slack, ServiceNow, PagerDuty,Splunk and Amazon SNS, allow alerts to be fed automatically to these tools
Note: Always ensure you are running the latest version of these browsers.
Currently Sophos Cloud Optix supports integration with AWS, Azure, Google Cloud Platform and Kubernetes
Yes. If you’re new to Sophos,you can sign up for a free trial of Cloud Optix in Sophos Central here.
If you already have a Sophos Central account, you can activate a free trial of Cloud Optix from the “Free Trials” page in your Sophos Central Admin console.
Note: The trial account is for a period of 30 days.
If you prefer to see the product without on-boarding your own environment, you can get access to a read-only demo account at the following address:
Yes. If you have an AWS account you can subscribe to Cloud Optix on a pay-as-you-go basis, with no contract term commitment. You’ll pay monthly in-arrears via your usual AWS bill, based on your actual usage of Cloud Optix. See AWS Marketplace listing for details:
Sophos Cloud Optix subscriptions are based on the number of Cloud Assets in the cloud environments that you add to the service. Cloud Asset means a single virtual machine instance, including any server instance or database instance, that runs in a cloud environment that benefits from, or whose configuration is accessed by, the service.
You can add as many cloud environments (e.g. AWS Accounts, Azure Subscriptions, GCP Projects) as you need, to a single Cloud Optix account.
You can choose to subscribe to Cloud Optix in one of the following ways:
• Term license subscription (e.g. 500 Cloud Assets for a 12 month term) via Sophos Central
• Pay-as-you-go (billed monthly in arrears, based on usage) via AWS Marketplace
• Sophos MSP Connect partners can subscribe to Cloud Optix using Flex monthly billing, via Sophos Central
• See online help for more details on licensing and Cloud Assets:
Yes. Sophos MSP Connect partners can subscribe to Cloud Optix via the Sophos Central partner dashboard. Cloud Optix is available to MSPs with Flex monthly billing, based on aggregate usage of the service.
You can add your cloud environments using various methods such as AWS CLI script, Terraform, Azure Powershell script and GCP shell script. Further information on connecting your environments and using the scripts can be found in the online help:
The Sophos Cloud Optix solution requires no agents and so the initial setup consists of connecting the Sophos Cloud Optix service to your public cloud environments. This is done using provided scripts which take only a few moments to run. These scripts setup read only access by default and once run, usable information showing inventory and topology should start showing in the console within 15 minutes.
By default, read only access is configured by the installation scripts, which then allow Sophos Cloud Optix to query a Cloud Environment to assess inventory, security and compliance posture, and to receive event and flow logs for analysis. The optional remediation mode for AWS environments requires additional permissions which are contained within the script provided. For detailed information on what the scripts do for each environment see the online help:
To add a cloud environment, Sophos Cloud Optix requires that the provided scripts be run to create a read only connection. The exact permissions needed to run the scripts vary by cloud provider, but generally using Admin level permissions will ensure that the scripts can properly execute. Details are provided in the online help, If you prefer to run the script with limited permissions.
Sophos Cloud Optix has several different kinds of anomaly detection which are automatically enabled.
• User login anomaly detection
• Outbound network traffic anomaly detection
• Applications inferred from host behavior
Each of these detects security-related anomalous events based on account or user activities, API calls, flow log data, and network traffic patterns.
Each requires different resources or learning time before it starts detecting anomalies and showing alerts.
For further information on anomaly detections see the online help.
Detections can be viewed under Alerts and will display the following icon in the Type column:
Alternatively, you can click on the Type filter and select Anomaly (AI) from the list.
Sophos Cloud Optix supports integration with:
• JIRA issue tracking system
• Create Jira tickets for new Sophos Cloud Optix alerts. This is a two way integration whereby an existing Jira ticket for the same type of issue gets updated if present before a new one is created.
• Slack team collaboration tool
• Push new Sophos Cloud Optix alerts into a specific slack channel for instant notification.
• ServiceNow IT Workflow management system
• Create ServiceNow tickets for new Sophos Cloud Optix alerts. This is a two way integration whereby an existing ServiceNow ticket for the same type of issue gets updated if present before a new one is created.
• Splunk SIEM
• Send all new Sophos Cloud Optix Alerts and/or dashboard access logs for your company into Splunk.
• PagerDuty Incident response solution
• Push new Sophos Cloud Optix alerts into PagerDuty.
• AWS GuardDuty Threat Detection service
• Aggregate AWS GuardDuty alerts into the Sophos Cloud Optix dashboard regardless of region. When turned on, other enabled integrations (e.g. Jira, Slack, ServiceNow) automatically work for GuardDuty alerts as well.
• Amazon SNS. Push Cloud Optix alerts to an Amazon SNS topic for downstream integrations, e.g. to send emails, SMS messages, or to integrate into other ticketing systems.
Sophos Cloud Optix is hosted in the US. Organizations in other countries can purchase and use the US-hosted service. The service is not currently available from Cuba, Iran, North Korea, Russia, South Sudan, Sudan, Syria, Ukraine, and Venezuela.
To enable you to log into the Sophos Cloud Optix console, Sophos collects and stores your email address in a database using industry-standard AES 256 encryption. You can choose to sign up using Google single sign-on authentication, or create a password for Sophos Cloud Optix. If you create a password to log into Sophos Cloud Optix, it is hashed using bcrypt. If you use Google single sign-on authentication, Google may send information to Sophos such as your name, email address, and profile picture associated with your Google account.
Note: Customers can improve the security of their Sophos Cloud Optix account by enabling Multi-factor Authentication (MFA) using Google Authenticator.
To use the service, you need to connect one or more Cloud Environments to Sophos Cloud Optix (e.g. Amazon Web Services account, Microsoft Azure subscription, Google Cloud Platform project). By connecting a Cloud Environment, you explicitly authorize Sophos to access information via APIs and to collect log data. Data is transferred from the customer’s cloud environment to Sophos Cloud Optix in two ways. Infrastructure meta-data is ‘pulled’ from the environment by using the cloud platform’s APIs (for example, using AWS SDK). Network flow logs and usage logs are ‘pushed’ by a serverless function (e.g. AWS Lambda) in the customer’s cloud environment, to Cloud Optix log collectors. In both cases, the data transfer uses TLS encryption. Full details of the data collection channels can be found in the Sophos Cloud Optix online help.
Infrastructure meta data includes inventory information about your cloud resources such as instances/VMs, storage buckets and security groups, and their associated security states. Log information includes, for example, AWS CloudTrail and VPC/network flow logs. These logs may include information about an IAM User that accessed and/or made changes to the infrastructure (e.g. IAM User “JDoe” created a new VM instance). In addition, these logs may include information about which IP address is communicating with another IP address, on which port, using which protocol (E.g. 220.127.116.11 to 18.104.22.168 on port 80 via tcp). All infrastructure meta data and log information collected by the service is stored using industry-standard AES 256 encryption. You can remove a Cloud Environment from your Sophos Cloud Optix account at any time; all associated infrastructure meta data and log information will be deleted automatically.
Sophos Cloud Optix also offers optional third party integrations, for example Slack, Jira, ServiceNow, PagerDuty and Splunk. Credentials that you provide in order to use these integrations are stored using AES 256 encryption.
To the extent that the General Data Protection Regulation (GDPR) or, portion of it, applies to a customer’s use of the Cloud Optix service, Sophos represents that it complies with GDPR in the Sophos Services Agreement, which governs the use of Cloud Optix. Section 10.2 of the Sophos Services Agreement states “Each party agrees to comply with all laws applicable to the actions and obligations contemplated by this Agreement” which includes GDPR.
Sophos Services Agreement: https://www.sophos.com/en-us/legal/sophos-services-agreement.aspx. For more information about Sophos commitment to data protection please visit: https://www.sophos.com/en-us/legal/sophos-gdpr.aspx
Yes, Sophos Cloud Optix provides access via a secure REST API which can be used to add IP’s to the whitelist, get alert information, and to gather details on outgoing traffic This is configured under Settings | Integrations | Sophos Cloud Optix API. Further information can be found in the API documentation https://optix.sophos.com/apiDocumentation.
Sophos Cloud Optix provides a number of ‘Out of the Box’ policies that can be used immediately to assess and maintain your security and compliance posture, or which can be copied and modified to create custom policies. Currently Sophos provides the following policies by default and plans to add additional policies over time (policy availability varies for each cloud platform):
• Email addresses cannot be linked to multiple Cloud Optix accounts.
• Due to a restriction in the Subscription permissions with free trials of Azure, Sophos Cloud Optix cannot connect to free trial Azure accounts.
• Certain isolated Azure environments such as US Government, Germany and China cannot be added to Sophos Cloud Optix. For further information on Azure geographies see Microsoft article https://azure.microsoft.com/en-ca/global-infrastructure/geographies/.
• Certain isolated AWS environments such as AWS GovCloud and AWS China cannot be added to Sophos Cloud Optix.
• EC2-Classic environments are not supported by Sophos Cloud Optix.
Further help and guidance can be found in the online help.
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.