
Sophos Cloud Optix - FAQ

  • Article ID: 133806
  • Updated: 29 Nov 2019

Overview

Sophos Cloud Optix is an AI-powered, next generation cloud infrastructure security platform that delivers continuous security monitoring, compliance, analytics and remediation, across multiple public cloud accounts and multiple public cloud platforms.

The following questions are answered:

  • How does the solution work?
  • Which web browsers are supported?
  • Which Cloud platforms are supported?
  • Can I create a free trial account for Sophos Cloud Optix?
  • Can I buy Cloud Optix via AWS Marketplace?
  • How is Cloud Optix licensed?
  • Is Cloud Optix available to Sophos Managed Service Providers (MSPs)?
  • How do I add my cloud environments?
  • How long does initial setup take?
  • What permissions are needed by the solution?
  • Are there any pre-requisites required before connecting Sophos Cloud Optix to a Cloud provider account?
  • What are anomaly detections?
  • How do I view anomaly detections?
  • What 3rd party integrations does Sophos Cloud Optix support?
  • Where is Cloud Optix located?
  • What information is handled by Sophos Cloud Optix and how is it secured?
  • Cloud Optix and GDPR
  • Is there an API?
  • Are Security and Compliance policies provided with the solution, or do I have to create these myself?
  • Are there any issues that I should be aware of?
  • Where can I go for further help and guidance?
  • Feedback and contact

How does the solution work?

Sophos Cloud Optix is an agentless SaaS solution that integrates with customer cloud infrastructure accounts using the native cloud provider APIs, logs and cloud services. Information from these sources is used to provide the customer with a detailed inventory of assets in the cloud account and an intuitive topological view of the environment’s architecture and traffic flows.

This information is also matched against both out-of-the-box and customer-created policies to provide ongoing security and compliance assessments, which then result in configurable alerts and auditor-ready reports. The solution also provides integrations with third-party operations and security team tools. Integrations with GitHub, Bitbucket and Jenkins allow for proactive scanning of Infrastructure as Code templates (e.g. Terraform, Ansible, AWS CloudFormation and Azure ARM scripts), and integrations with Jira, Slack, ServiceNow, PagerDuty, Splunk and Amazon SNS allow alerts to be fed automatically to these tools.

Which web browsers are supported?

Please see https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/concepts/SupportedBrowsers.html for details.

Note: Always ensure you are running the latest version of these browsers.

Which Cloud platforms are supported?

Currently Sophos Cloud Optix supports integration with AWS, Azure, Google Cloud Platform and Kubernetes.

Can I create a free trial account for Sophos Cloud Optix?

Yes. If you’re new to Sophos, you can sign up for a free trial of Cloud Optix in Sophos Central here.

If you already have a Sophos Central account, you can activate a free trial of Cloud Optix from the “Free Trials” page in your Sophos Central Admin console.

Note: The trial account is for a period of 30 days.

If you prefer to see the product without on-boarding your own environment, you can get access to a read-only demo account at the following address:

  • https://secure2.sophos.com/en-us/products/cloud-optix/demo.aspx

Can I buy Cloud Optix via AWS Marketplace?

Yes. If you have an AWS account you can subscribe to Cloud Optix on a pay-as-you-go basis, with no contract term commitment. You’ll pay monthly in arrears via your usual AWS bill, based on your actual usage of Cloud Optix. See the AWS Marketplace listing for details:

https://aws.amazon.com/marketplace/pp/Sophos-Sophos-Cloud-Optix-PAYG/B07V59XTDF

How is Cloud Optix licensed?

Sophos Cloud Optix subscriptions are based on the number of Cloud Assets in the cloud environments that you add to the service. Cloud Asset means a single virtual machine instance, including any server instance or database instance, that runs in a cloud environment that benefits from, or whose configuration is accessed by, the service.

You can add as many cloud environments (e.g. AWS Accounts, Azure Subscriptions, GCP Projects) as you need, to a single Cloud Optix account.

You can choose to subscribe to Cloud Optix in one of the following ways:

  • Term license subscription (e.g. 500 Cloud Assets for a 12 month term) via Sophos Central
  • Pay-as-you-go (billed monthly in arrears, based on usage) via AWS Marketplace
  • Sophos MSP Connect partners can subscribe to Cloud Optix using Flex monthly billing, via Sophos Central

See the online help for more details on licensing and Cloud Assets: https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/concepts/SophosCloudOptixLicensing.html

Is Cloud Optix available to Sophos Managed Service Provider (MSP) partners?

Yes. Sophos MSP Connect partners can subscribe to Cloud Optix via the Sophos Central partner dashboard. Cloud Optix is available to MSPs with Flex monthly billing, based on aggregate usage of the service.

How do I add my cloud environments?

You can add your cloud environments using various methods such as an AWS CLI script, Terraform, an Azure PowerShell script and a GCP shell script. Further information on connecting your environments and using the scripts can be found in the online help:

  • Add an AWS environment
  • Add a Microsoft Azure environment
  • Add a Google Cloud Platform environment
  • Add a Kubernetes cluster
  • Add your development environment

How long does initial setup take?

The Sophos Cloud Optix solution requires no agents, so the initial setup consists of connecting the Sophos Cloud Optix service to your public cloud environments. This is done using provided scripts, which take only a few moments to run. These scripts set up read-only access by default and, once run, usable information showing inventory and topology should start appearing in the console within 15 minutes.

What permissions are needed by the solution?

By default, read-only access is configured by the installation scripts, which then allows Sophos Cloud Optix to query a Cloud Environment to assess inventory, security and compliance posture, and to receive event and flow logs for analysis. The optional remediation mode for AWS environments requires additional permissions, which are contained within the script provided. For detailed information on what the scripts do for each environment, see the online help:

  • What does the Sophos setup script for AWS do?
  • Create the remediation role
  • What does the Sophos setup script for Azure do?
  • What does the Sophos setup script for GCP do?

Are there any pre-requisites required before connecting Sophos Cloud Optix to a Cloud provider account?

To add a cloud environment, Sophos Cloud Optix requires that the provided scripts be run to create a read-only connection. The exact permissions needed to run the scripts vary by cloud provider, but generally using Admin-level permissions will ensure that the scripts can execute properly. If you prefer to run the scripts with limited permissions, details are provided in the online help.

What are anomaly detections?

Sophos Cloud Optix has several different kinds of anomaly detection which are automatically enabled:

  • User login anomaly detection
  • Outbound network traffic anomaly detection
  • Applications inferred from host behavior

Each of these detects security-related anomalous events based on account or user activities, API calls, flow log data, and network traffic patterns.

Each requires different resources or learning time before it starts detecting anomalies and showing alerts.

For further information on anomaly detections see the online help.
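The learn-then-detect pattern behind outbound network traffic anomaly detection, shown as an added example (not Sophos code) over constructed AWS VPC flow log lines in the default format: a baseline of destinations per internal host is built during a learning window, and later flows to destinations not in that baseline are flagged. It assumes RFC 1918 ranges are the internal address space; account and ENI ids are placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines in the VPC flow log default format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status. Ids are placeholders.
BASELINE_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.5 49152 443 6 10 8400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.5 49153 443 6 12 9100 1700000100 1700000160 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 198.51.100.20 49154 53 17 2 180 1700000200 1700000260 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 41000 22 6 5 400 1700000300 1700000360 REJECT OK
"""
NEW_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.5 49160 443 6 10 8400 1700001000 1700001060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 192.0.2.77 49161 8443 6 30 60000 1700001100 1700001160 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49162 3306 6 8 700 1700001200 1700001260 ACCEPT OK
"""

# Assumption: the customer's internal address space is the RFC 1918 ranges.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def outbound_flows(text):
    """Yield (src, dst, dstport, proto) for accepted flows leaving the private address space."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2" or f[12] != "ACCEPT":
            continue  # skip malformed lines, other versions and rejected flows
        src, dst, dstport, proto = f[3], f[4], int(f[6]), int(f[7])
        if is_private(src) and not is_private(dst):
            yield src, dst, dstport, proto

def learn_baseline(text):
    """Learning phase: record every (dst, port, proto) each internal host talked to."""
    baseline = defaultdict(set)
    for src, dst, port, proto in outbound_flows(text):
        baseline[src].add((dst, port, proto))
    return baseline

def detect_anomalies(baseline, text):
    """Detection phase: outbound flows to a destination not seen during learning."""
    return [(src, dst, port, proto) for src, dst, port, proto in outbound_flows(text)
            if (dst, port, proto) not in baseline.get(src, set())]

if __name__ == "__main__":
    for hit in detect_anomalies(learn_baseline(BASELINE_LOGS), NEW_LOGS):
        print("new outbound destination:", hit)
```

The learning window is what the article calls the learning time a detector needs before it raises alerts; a production detector would also age out the baseline and weight by volume rather than treat every new destination as an alert.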

How do I view anomaly detections?

Detections can be viewed under Alerts, where they are identified by the anomaly icon in the Type column.

Alternatively, you can click on the Type filter and select Anomaly (AI) from the list.

For further information on anomaly detections see the online help.

What 3rd party integrations does Sophos Cloud Optix support?

Sophos Cloud Optix supports integration with:

  • JIRA issue tracking system: Create Jira tickets for new Sophos Cloud Optix alerts. This is a two-way integration whereby an existing Jira ticket for the same type of issue gets updated if present before a new one is created.
  • Slack team collaboration tool: Push new Sophos Cloud Optix alerts into a specific Slack channel for instant notification.
  • ServiceNow IT Workflow management system: Create ServiceNow tickets for new Sophos Cloud Optix alerts. This is a two-way integration whereby an existing ServiceNow ticket for the same type of issue gets updated if present before a new one is created.
  • Splunk SIEM: Send all new Sophos Cloud Optix alerts and/or dashboard access logs for your company into Splunk.
  • PagerDuty incident response solution: Push new Sophos Cloud Optix alerts into PagerDuty.
  • AWS GuardDuty threat detection service: Aggregate AWS GuardDuty alerts into the Sophos Cloud Optix dashboard regardless of region. When turned on, other enabled integrations (e.g. Jira, Slack, ServiceNow) automatically work for GuardDuty alerts as well.
  • Amazon SNS: Push Cloud Optix alerts to an Amazon SNS topic for downstream integrations, e.g. to send emails or SMS messages, or to integrate with other ticketing systems.

Where is Cloud Optix located?

Sophos Cloud Optix is hosted in the US. Organizations in other countries can purchase and use the US-hosted service. The service is not currently available from Cuba, Iran, North Korea, Russia, South Sudan, Sudan, Syria, Ukraine, and Venezuela.

What information is handled by Sophos Cloud Optix and how is it secured?

To enable you to log into the Sophos Cloud Optix console, Sophos collects and stores your email address in a database using industry-standard AES 256 encryption. You can choose to sign up using Google single sign-on authentication, or create a password for Sophos Cloud Optix. If you create a password to log into Sophos Cloud Optix, it is hashed using bcrypt. If you use Google single sign-on authentication, Google may send information to Sophos such as your name, email address, and profile picture associated with your Google account.

Note: Customers can improve the security of their Sophos Cloud Optix account by enabling Multi-factor Authentication (MFA) using Google Authenticator.

To use the service, you need to connect one or more Cloud Environments to Sophos Cloud Optix (e.g. an Amazon Web Services account, Microsoft Azure subscription or Google Cloud Platform project). By connecting a Cloud Environment, you explicitly authorize Sophos to access information via APIs and to collect log data. Data is transferred from the customer’s cloud environment to Sophos Cloud Optix in two ways. Infrastructure metadata is ‘pulled’ from the environment by using the cloud platform’s APIs (for example, using the AWS SDK). Network flow logs and usage logs are ‘pushed’ by a serverless function (e.g. AWS Lambda) in the customer’s cloud environment to Cloud Optix log collectors. In both cases, the data transfer uses TLS encryption. Full details of the data collection channels can be found in the Sophos Cloud Optix online help.

Infrastructure metadata includes inventory information about your cloud resources such as instances/VMs, storage buckets and security groups, and their associated security states. Log information includes, for example, AWS CloudTrail and VPC/network flow logs. These logs may include information about an IAM User that accessed and/or made changes to the infrastructure (e.g. IAM User “JDoe” created a new VM instance). In addition, these logs may include information about which IP address is communicating with another IP address, on which port, using which protocol (e.g. 1.1.1.1 to 2.2.2.2 on port 80 via TCP). All infrastructure metadata and log information collected by the service is stored using industry-standard AES 256 encryption. You can remove a Cloud Environment from your Sophos Cloud Optix account at any time; all associated infrastructure metadata and log information will be deleted automatically.

Sophos Cloud Optix also offers optional third-party integrations, for example Slack, Jira, ServiceNow, PagerDuty and Splunk. Credentials that you provide in order to use these integrations are stored using AES 256 encryption.

Cloud Optix and GDPR

To the extent that the General Data Protection Regulation (GDPR), or a portion of it, applies to a customer’s use of the Cloud Optix service, Sophos represents that it complies with GDPR in the Sophos Services Agreement, which governs the use of Cloud Optix. Section 10.2 of the Sophos Services Agreement states “Each party agrees to comply with all laws applicable to the actions and obligations contemplated by this Agreement”, which includes GDPR.

Sophos Services Agreement: https://www.sophos.com/en-us/legal/sophos-services-agreement.aspx. For more information about Sophos’ commitment to data protection, please visit: https://www.sophos.com/en-us/legal/sophos-gdpr.aspx

Is there an API?

Yes, Sophos Cloud Optix provides access via a secure REST API which can be used to add IP addresses to the whitelist, get alert information, and gather details on outgoing traffic.

This is configured under Settings | Integrations | Sophos Cloud Optix API. Further information can be found in the API documentation https://optix.sophos.com/apiDocumentation.

Are Security and Compliance policies provided with the solution, or do I have to create these myself?

Sophos Cloud Optix provides a number of ‘out of the box’ policies that can be used immediately to assess and maintain your security and compliance posture, or which can be copied and modified to create custom policies. Currently Sophos provides the following policies by default and plans to add more over time (policy availability varies for each cloud platform):

  • CIS Benchmarks
  • FedRAMP
  • FFIEC
  • HIPAA
  • PCI DSS
  • SOC2
  • GDPR

Are there any issues that I should be aware of?

  • Email addresses cannot be linked to multiple Cloud Optix accounts.
  • Due to a restriction in the Subscription permissions with free trials of Azure, Sophos Cloud Optix cannot connect to free trial Azure accounts.
  • Certain isolated Azure environments such as US Government, Germany and China cannot be added to Sophos Cloud Optix. For further information on Azure geographies see the Microsoft article https://azure.microsoft.com/en-ca/global-infrastructure/geographies/.
  • Certain isolated AWS environments such as AWS GovCloud and AWS China cannot be added to Sophos Cloud Optix.
  • EC2-Classic environments are not supported by Sophos Cloud Optix.

Where can I go for further help and guidance?

Further help and guidance can be found in the online help.

Feedback and contact

If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
