Cloud Optix new asset inventory and threat investigation updates

Over the second quarter of 2020, a host of great enhancements have been added to the Cloud Optix service to enable organizations to harden their cloud security posture for AWS, Azure and Google Cloud platform. Check out these latest updates below – all included with your existing Cloud Optix license.

Inventory and topology visualization updates

• AWS Activity Logs visualization
  In the Activity Logs section of the Inventory, for AWS, new activity logs visualizations allow you to easily analyse CloudTrail logs by geographic location to help investigate high risk events. The new graph views help to visualize pertinent information to help customers identify potential abnormalities:
  • Geolocation of IP addresses from which CloudTrail events have been generated
  • Geolocation of IP addresses that are trusted in Security Group rules
  • Number of Public S3 buckets over time
  • Number of EC2 instances (and Public EC2 instances) over time
  • Number of EC2 instances in each AWS region (map view)
  • Most active (top 10) IAM Users by number of CloudTrail events
  • Top error types and top sources of errors
     
• IAM Visualization enhancement (Lambda service)
  IAM Visualization now include the AWS Lambda service to show IAM users, groups, and roles that have access to the Lambda service. 
  
  
• Visibility of NACLs from Topology Visualization 
  From the AWS Topology Visualization, customers can now see details of NACL rules for a sub-net. Click on the route-table icon for a sub-net, this will show a new Network ACL section in the right-hand panel. Click on the NACL ID link to open a modal with the NACL rule details.
   
• Inventory Azure IoT Hubs
  New "IoT Hub" tab now available in the Network section of the Azure inventory. This provides details of the customer's IoT Hubs and identifies any hubs that are using legacy TLS 1.0/1.1 encryption (soon to be deprecated by Azure).

• Inventory of Azure Logic Apps
  New "Logic Apps" tab now available in the Serverless section of the Azure inventory. This provides details of the customer's Logic Apps and identifies any in public mode.

Management and alerts

• New email alerts
  Customers can optionally choose to have Cloud Optix alerts sent via emails. This new capability is presented at the bottom of the 'Integrations' page. Email Alerts are off by default and can be configured by Super Admin users only. 
  
  
• Brandable reports for MSPs
  Sophos Managed Service Provider Partners may now co-brand exportable PDF compliance reports for customers. This can be enabled for other types of account on-request.

Cloud Optix API enhancements

• Cloud Optix Inventory API additions
  Cloud Optix API now includes the ability to pull inventory information for serverless functions and containers
  
  
• Multiple API keys for a single Cloud Optix account 
  Cloud Optix Super Admin users can now create multiple keys for the Cloud Optix API (previously one key per customer account).

Integration enhancements

• Amazon SNS integration 
  Cloud Optix Amazon SNS integration now provides the environment's account name and ID as 'MessageAttributes' with each alert. This enables downstream filtering of alerts based on the environment (e.g. route alerts for a specific AWS account to a specific ticketing system).
  
  
• Jira integration (test button)
  The Jira integration page now provides a 'Test configuration' button to enable customers to test that their settings are correct, without having to wait for security alerts to generate new tickets to determine if the integration is configured correctly.