Sophos Threat Protection, Monitoring, and Response on AWS
Security in AWS operates under a shared security responsibility model, where AWS is responsible for the security of the underlying cloud infrastructure and the customer is responsible for securing workloads deployed into their AWS accounts. This model gives customers the flexibility and agility needed to implement the most applicable security controls for their business functions in AWS. They can tightly restrict access to environments that process or hold sensitive data while deploying less stringent controls for information they want to make public.
To help customers with their security responsibilities, AWS offers a number of security services which are designed to help implement an optimal cloud security posture. AWS also provides security best practice and guidance and suggests that customers consider adding additional security tools available from the AWS Marketplace. These 3rd party solutions are provided by AWS partners such as Sophos and offer industry leading products that are equivalent, identical to, and/or integrate with existing controls in your on-premises environments. These products complement the AWS security services and help customers deploy comprehensive security across their cloud and on-premises environments.
Despite these resources, many customers still struggle with ensuring they are properly protected in AWS. This is often due to the complexity related to properly deploying and managing these services and tools, and the lack of expertise needed to identify potential threats and/or compromises.
To help address the challenges mentioned above, AWS and Sophos have partnered up to offer the Sophos Threat Protection, Monitoring, and Response Package on AWS. The offering combines key AWS security services with Sophos cloud security products, a cloud based Central management platform, the Sophos Managed Threat Response service, and additional options for extending coverage to on premise networks, remote users, and even other cloud platforms. The service can be purchased directly via AWS Marketplace and deployed by a customer with assistance from the Sophos Professional Services team or using a Sophos authorized Managed Service Provider partner.
The Sophos Threat Protection, Monitoring, and Response package consists of three required Sophos solutions that are used to protect your AWS VPC’s and workloads and integrates with both AWS security services and the Sophos Managed Threat Response service. The required Sophos products are:
Sophos Intercept X Advanced for Server with XDR : Sophos Intercept X for Server employs a comprehensive, defense in depth approach to server security. A combination of powerful defensive techniques and visibility capabilities give organizations the very best host protection against the latest threats.
Sophos Cloud Optix: Cloud Optix is an agentless cloud security posture management solution that helps customers identify vulnerabilities, ensure compliance, and respond to threats in the cloud faster. Cloud Optix provides a complete picture of cloud resources and security configurations across AWS, Azure, Google Cloud, Kubernetes, and DevOps environments, enabling security teams to focus on and fix critical security vulnerabilities before they are identified and exploited in cyberattacks.
Sophos Firewall on AWS: Sophos Firewall makes security and compliance easy with the best next-gen protection against the latest advanced threats including ransomware, crypto mining, bots, worms, hacks, breaches, and APTs with unique and innovative technologies designed to catch threats we haven’t even seen yet.
Each of the above solutions automatically sends information to the Sophos Managed Threat Response service which is used to proactively hunt for indicators of malicious activity. The Managed Threat Response service includes 24/7 threat hunting, detection, and response delivered by an expert team as a fully-managed service.
Additionally, customers using the Sophos Threat Protection, Monitoring, and Response service can also add Sophos Endpoint protection to protect users.
Key AWS Security Services are used to gather infrastructure and service level security information, which is then passed on to Sophos for further analysis. The below services must be enabled in each AWS account and region that is covered by the Sophos TMP on AWS offering.
Amazon CloudTrail: AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. Note that CloudTrail is enabled automatically as part of the Cloud Optix setup.
AWS GuardDuty: Amazon GuardDuty is a continuous security monitoring service that analyzes and processes VPC Flow Logs, AWS CloudTrail management event logs, CloudTrail S3 data event logs, and DNS logs to identify unexpected and potentially unauthorized and malicious activity within your AWS environment. Note that GuardDuty must be manually enabled from the AWS console in each AWS region you want to support and then connected to Sophos Cloud Optix using the provided integration script.
Along with the above required AWS Security services, the below AWS services are also recommended as they provide additional information which can be used by Sophos security solutions and the MTR service to help protect customer environments.
Amazon Detective: Amazon Detective automatically collects log data from AWS resources. It then uses machine learning, statistical analysis, and graph theory to help you visualize and conduct faster and more efficient security investigations. Enabling this service allows Cloud Optix to include details highlighting IAM security misconfiguration and overprivileged users and roles, and also enables the IAM Visualization feature.
Amazon Inspector: Amazon Inspector tests the network accessibility of your Amazon EC2 instances and the security state of your applications that run on those instances. Amazon Inspector assesses applications for exposure, vulnerabilities, and deviations from best practices. Enabling Inspector allows Optix to filter the host inventory list to show EC2 instances for which there are Amazon Inspector findings. Click the Inspector icon in the "Actions" column to view findings for the last assessment run for that EC2 instance.
IAM Access Analyzer: AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity.
AWS Systems Manager: AWS Systems Manager gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources. Systems manager can also be used to automatically deploy Sophos Intercept X agents to EC2 instances as described in the following KB. https://community.sophos.com/intercept-x-endpoint/f/recommended-reads/127860/how-to-auto-deploy-sophos-server-protection-on-aws-instances
a. Open a new tab in your browser and login to your AWS console using an account with administrative level permissions. These are needed to configure both the connection between Optix and your AWS account as well as the AWS security services.b. Navigate back to your Sophos Central console tab and then click on Cloud Optix which is located under left side menu under My Products.c. Once redirected to the Optix UI you should be prompted to add a cloud environment. If not, simply click on the ‘+ Add Environments’ option located on the left side menu under Settings. Choose the Full Setup menu item, and then choose CloudFormation by clicking on the ‘Go’ button located to the right. You’ll then be prompted to connect either a single account or an AWS Organization, and also given the option to modify default setup details. Once these steps are complete click on the ‘Launch Stack’ button to redirect to the AWS CloudFormation console page where the Optix template is preloaded and ready to deploy. Follow on screen instructions to complete, or refer to the Optix help documentation for more details.
d. Once the CloudFormation stack has been launched, the setup and initial sync typically takes between 10-15 minutes to complete and once done the Optix Environments section should show the new environment connection along with green operational status indicators as shown below. Note that the required AWS CloudTrail service is enabled as part of the Optix setup with status shown under ‘Activity Logs’.If you encounter any issues or errors connecting Optix to your AWS accounts, please reach out to the Sophos public cloud team for assistance. Publiccloudteam@sophos.com
Customer has signed up for Sophos Central trial account
Customer has logged into Sophos Central account and applied license keys
Customer has configured Managed Threat Response preferences
Cloud Optix Setup
Customer AWS accounts are connected to Cloud Optix
AWS required and optional security services are enabled and integrated with Optix
Customer has reviewed the Optix AWS inventory section and is shown what AWS meta data information is captured
Customer has reviewed Optix activity logs (CloudTrail) information
At a minimum the following required Optix Policies are enabled:• CIS Benchmark v1.3• PCI DSS v3.2• Sophos Cloud Optix Best Practices
Customer has reviewed Optix Integrations options and has chosen at least one option for Alerts
Customer has reviewed Optix Host section and associated AWS GuardDuty information, and is shown how to filter on GuardDuty alerts in Alerts section
Customer has reviewed different Optix Alert types including Anomaly and is shown how to filter and export
Customer has reviewed Optix report settings section
Intercept X Server Policy Setup
Threat Protection Policy
Server Base Policy
Protect document files from ransomware (CryptoGuard)
Protect from remotely run ransomware
Protect from Encrypting File System attacks
Protect from master boot record ransomware
Protect critical functions in web browsers (Safe Browsing)
Mitigate exploits in vulnerable applications
Protect web browsers
Protect web browser plugins
Protect Java applications
Protect media application
Protect office applications
Prevent credential theft
Prevent code cave utilization
Prevent APC violation
Prevent privilege escalation
Prevent process hollowing attacks
Prevent DLLs loading from untrusted folders
Enable CPU branch tracing
Dynamic shellcode protection
Validate CTF Protocol caller
Prevent side loading of insecure modules
Enable deep learning
Automatic cleanup of malware
Send Endpoint Data to Sophos Central
Detect malicious connections to command and control servers
Enable Sophos Security Heartbeat
Use Live Protection to check the latest threat information from SophosLabs online
Use Live Protection during scheduled scans
Real-time Scanning - Local Files and Network Shares
Real-time Scanning - Internet
Scan downloads in progress
Block access to malicious websites
Detect low-reputation files
Real-time scanning Options
Automatically exclude activity by known applications
Detect malicious behavior (HIPS)
Update Policy (Server)
Base Policy - Update Management
Intercept X Server Agent Deployment
Please refer to the KB article for information on how to automate the deployment using the AWS Systems Manager service.
Optix Inventory>Hosts ‘Server Agent’ column shows that agent is successfully deployed to all hosts.
Sophos Firewall on AWS Deployment
Customer has subscribed to the Sophos FW High Availability AWS Marketplace listing
Customer has followed deployment steps detailed in KB
Customer has connected deployed Firewalls to Sophos Central account
Sophos Firewall on AWS Configuration
VPC and subnet objects have been created to match what is shown in Optix Inventory section
Optix inventory and network visualization tools are used to identify any servers that are allowing inbound traffic on ports 80/443
XG IPS policy is enabled to protect all AWS subnets shown in Optix inventory
XG WAF policy used to protect all servers using ports 80/443
XG Web policy is enabled and applied to all VPC subnets shown in Optix
XG Sandstorm is enabled to scan any suspicious file downloads in to VPCs
XG ATP is enabled to check for CnCs on all outbound traffic (DNS,HTTP and HTTPS) from VPC subnets
XG has been configured to forward the events (Syslog) to a SIEM and SOAR Platform