Sophos Extended Detection and Response (XDR) now goes even further in the public cloud, adding Microsoft Azure (Azure) and Google Cloud Platform (GCP) activity logs alongside Amazon Web Services (AWS) – helping your security teams see the bigger picture across public cloud environments.
New Cloud Optix data sources in Sophos XDR now allow you to easily investigate AWS, Azure and GCP cloud environment API, CLI, and management console activities. Using fully customizable and pre-written SQL queries you can uncover initial access attempts on the environment via compromised roles, as well as newly created user roles and resources indicating persistence within the environment, and the privilege escalation and exfiltration tactics used by attackers.
Using Cloud Optix findings as an indicator of compromise, we help you pivot using the Sophos XDR data lake to investigate workload vulnerabilities using Sophos Intercept X for Server workload protection agents running on those workloads. Examples include the detection of compute workload resources with ports such as RDP or SSH exposed to the internet. In this scenario, Cloud Optix alerts you to these access vulnerabilities, and Sophos XDR allows you to quickly pivot investigations to identify the number of authentication attempts on those instances, and any successful attempts made. You can then act confidently to remove access and prevent a breach, with Cloud Optix providing guided remediation instructions to reduce your mean time to resolve (MTTR) vulnerabilities.
More Cloud Optix enhancements
This latest update to Sophos Cloud Optix also includes a range of additions to enhance your cloud security monitoring and compliance response:
1. AWS Activity Anomalies - New SophosAI models continuously analyze AWS CloudTrail user activity logs. This allows Cloud Optix to build a picture of individual user role activity to identify both accidental changes and malicious activity from compromised roles. It brings AWS CloudTrail events to life in a clear and detailed timeline view of user activities, identifying high-risk anomalies such as actions performed outside of normal working hours as well as actions a role has never performed before.
With this update, you can dramatically shrink alert totals for security teams and help them focus on investigating high-risk patterns of behavior that could lead to a security incident in a fraction of the time that it took them before.
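To make the two anomaly signals above concrete, here is an added illustration in Python. It is not Sophos code and does not reproduce the SophosAI models; it builds a per-role baseline from a set of constructed CloudTrail-style records, then flags later events whose API action the role has never performed, or which fall outside a working-hours window. The 08:00-18:00 UTC window, the sample role names and the sample events are all assumptions made for the example.

```python
"""Per-role baseline and anomaly flagging over CloudTrail-style events.

Added example, not Sophos code. Two signals from the text are modelled:
  * an API action this role has never performed in the baseline period
  * an action performed outside normal working hours
"""
from collections import defaultdict
from datetime import datetime, timezone

# Assumption: 08:00-18:00 UTC counts as normal working hours for every role.
WORK_START_HOUR = 8
WORK_END_HOUR = 18

# Constructed sample records using a subset of real CloudTrail fields.
BASELINE_EVENTS = [
    {"eventTime": "2021-06-01T09:15:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci"}},
    {"eventTime": "2021-06-01T10:02:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci"}},
    {"eventTime": "2021-06-02T14:30:00Z", "eventName": "TerminateInstances",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci"}},
    {"eventTime": "2021-06-02T11:00:00Z", "eventName": "DescribeTrails",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/AuditRole/scan"}},
    {"eventTime": "2021-06-03T16:45:00Z", "eventName": "GetBucketPolicy",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/AuditRole/scan"}},
]

NEW_EVENTS = [
    # Routine: same role, same action, inside working hours.
    {"eventTime": "2021-06-04T09:30:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci"}},
    # New action for this role, at 02:15 UTC: both signals fire.
    {"eventTime": "2021-06-04T02:15:00Z", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci"}},
    # Action not in the role's baseline, but inside working hours.
    {"eventTime": "2021-06-04T15:00:00Z", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/AuditRole/scan"}},
    # Known action, but at 23:40 UTC.
    {"eventTime": "2021-06-04T23:40:00Z", "eventName": "DescribeTrails",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/AuditRole/scan"}},
]


def role_of(event):
    """Extract the role name from an assumed-role ARN; fall back to the last ARN segment."""
    arn = event["userIdentity"]["arn"]
    if ":assumed-role/" in arn:
        return arn.split(":assumed-role/", 1)[1].split("/", 1)[0]
    return arn.rsplit("/", 1)[-1]


def event_time(event):
    """Parse CloudTrail's ISO-8601 UTC timestamp."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_baseline(events):
    """Map each role to the set of API actions it performed in the baseline period."""
    baseline = defaultdict(set)
    for e in events:
        baseline[role_of(e)].add(e["eventName"])
    return baseline


def in_working_hours(ts):
    return WORK_START_HOUR <= ts.hour < WORK_END_HOUR


def find_anomalies(baseline, events):
    """Return the events that trip either signal, with the reasons, in input order."""
    anomalies = []
    for e in events:
        role = role_of(e)
        reasons = []
        if role not in baseline:
            reasons.append("role never seen before")
        elif e["eventName"] not in baseline[role]:
            reasons.append("action never performed by this role")
        if not in_working_hours(event_time(e)):
            reasons.append("outside working hours")
        if reasons:
            anomalies.append({"role": role, "eventName": e["eventName"],
                              "eventTime": e["eventTime"], "reasons": reasons})
    return anomalies


def role_timeline(events):
    """Group events per role in time order, the shape a timeline view would render."""
    timeline = defaultdict(list)
    for e in sorted(events, key=event_time):
        timeline[role_of(e)].append((e["eventTime"], e["eventName"]))
    return dict(timeline)


if __name__ == "__main__":
    for a in find_anomalies(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(a["eventTime"], a["role"], a["eventName"], "->", "; ".join(a["reasons"]))
```

Of the four new events only three are surfaced, and the one that trips both signals is the one an analyst would want at the top of the queue; a fixed working-hours window is a stand-in for the per-role activity profile the text describes.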
2. Multiple Jira Integration Instances - Now add multiple Jira Integration instances to a Cloud Optix account. Each cloud environment will be linked to one Jira instance. This could be a separate Jira Instance per environment, or a common Jira instance shared with many environments.
3. Azure IAM Visualization - Visualize the relationships between IAM Roles, IAM Users, and Services in Azure to simplify the management of complex, interwoven IAM roles for multiple Azure subscriptions and Azure AD.
4. Custom Policy Alerts - Now create custom alerts based on Cloud Optix advanced search queries. Future security benchmark scans will then raise alerts in Cloud Optix when the criteria of the query are met.
These latest updates and a summary of all Cloud Optix enhancements are available here.
Try Sophos Cloud Security Posture Management free for 30 days with Cloud Optix at www.sophos.com/cloud-optix