Sophos Threat Protection, Monitoring, and Response Package

Sophos Threat Protection, Monitoring, and Response on AWS

Introduction

Security in AWS operates under a shared security responsibility model, where AWS is responsible for the security of the underlying cloud infrastructure and the customer is responsible for securing workloads deployed into their AWS accounts. This model gives customers the flexibility and agility needed to implement the most applicable security controls for their business functions in AWS. They can tightly restrict access to environments that process or hold sensitive data while deploying less stringent controls for information they want to make public.

To help customers with their security responsibilities, AWS offers a number of security services which are designed to help implement an optimal cloud security posture. AWS also provides security best practice and guidance and suggests that customers consider adding additional security tools available from the AWS Marketplace. These 3rd party solutions are provided by AWS partners such as Sophos and offer industry leading products that are equivalent, identical to, and/or integrate with existing controls in your on-premises environments. These products complement the AWS security services and help customers deploy comprehensive security across their cloud and on-premises environments.

Despite these resources, many customers still struggle with ensuring they are properly protected in AWS. This is often due to the complexity related to properly deploying and managing these services and tools, and the lack of expertise needed to identify potential threats and/or compromises.

Sophos Threat Protection, Monitoring, and Response on AWS

To help address the challenges mentioned above, AWS and Sophos have partnered up to offer the Sophos Threat Protection, Monitoring, and Response Package on AWS. The offering combines key AWS security services with Sophos cloud security products, a cloud based Central management platform, the Sophos Managed Threat Response service, and additional options for extending coverage to on premise networks, remote users, and even other cloud platforms. The service can be purchased directly via AWS Marketplace and deployed by a customer with assistance from the Sophos Professional Services team or using a Sophos authorized Managed Service Provider partner.

Sophos Threat Protection, Monitoring, and Response Package Details

The Sophos Threat Protection, Monitoring, and Response package consists of three required Sophos solutions that are used to protect your AWS VPC’s and workloads and integrates with both AWS security services and the Sophos Managed Threat Response service. The required Sophos products are:

Sophos Intercept X Advanced for Server with XDR : Sophos Intercept X for Server employs a comprehensive, defense in depth approach to server security. A combination of powerful defensive techniques and visibility capabilities give organizations the very best host protection against the latest threats.

Stop Unknown Threats Deep learning AI in Intercept X for Server excels at detecting and blocking malware even when it hasn’t been seen before. It does this by scrutinizing file attributes from hundreds of millions of samples to identify threats without the need for a signature.
Block Ransomware Intercept X for Server includes advanced anti-ransomware capabilities that detect and block the malicious encryption processes used in ransomware attacks. Files that have been encrypted will be rolled back to a safe state, minimizing any impact to business productivity.
Prevent Exploits Anti-exploit technology stops the exploit techniques that attackers rely on to compromise devices, steal credentials and distribute malware. By stopping the techniques used throughout the attack chain Intercept X for Server keeps your organization secure against file-less attacks and zero-day exploits.
Control Your Servers Ensure only what you want can run. Server Lockdown (whitelisting) makes sure that only applications you have approved can run on a server. File Integrity Monitoring will notify you if there are unauthorized attempts to change critical files.

Sophos Cloud Optix: Cloud Optix is an agentless cloud security posture management solution that helps customers identify vulnerabilities, ensure compliance, and respond to threats in the cloud faster. Cloud Optix provides a complete picture of cloud resources and security configurations across AWS, Azure, Google Cloud, Kubernetes, and DevOps environments, enabling security teams to focus on and fix critical security vulnerabilities before they are identified and exploited in cyberattacks.

Complete Cloud Security Posture Management Sophos Cloud Optix provides a complete picture of cloud resources across multi-cloud environments. Monitoring costs, detecting insecure configurations and deployments, access anomalies, over-privileged IAM roles, and compliance failures from development to the ongoing security of live services.
Identify and Respond to Threats Faster Focus on and fix your most critical security vulnerabilities before they are identified and exploited in cyberattacks. By identifying and risk-profiling security, compliance, and cloud spend risks, Cloud Optix ensures teams respond faster, providing contextual alerts that group affected resources with detailed remediation steps.
Security at The Pace of DevOps Block vulnerabilities in container images and infrastructure-as-code templates predeployment with Cloud Optix. Seamlessly integrate Sophos security and compliance checks at any stage of development to maintain the pace of DevOps without introducing threats into production environments.
Manage Permissions Before They’re Exploited Cloud Optix analyzes complex, interwoven Identity and Access Management (IAM) roles to visualize relationships, making it simpler to manage access privileges for user, group and cloud service roles. Guiding you on where to make IAM policy updates with the cloud provider before over-privileged IAM access is exploited.
Reduce Compliance Cost and Complexity Sophos Cloud Optix reduces the cost and complexity of compliance with policies that automatically map to your environments, producing audit-ready reports without diverting resources from other projects. Compliance and security best practice policies include: GDPR, HIPAA, PCI DSS, SOC2, ISO27001, FFIEC, EBU R 143, FedRAMP, CIS Benchmark Level 1 and Level 2 for AWS, Azure, Google Cloud and Kubernetes.

Sophos Firewall on AWS: Sophos Firewall makes security and compliance easy with the best next-gen protection against the latest advanced threats including ransomware, crypto mining, bots, worms, hacks, breaches, and APTs with unique and innovative technologies designed to catch threats we haven’t even seen yet.

SophosLabs Threat Intelligence, powered by deep learning, identifies new and zero-day threats before they infiltrate your network.
Industry-leading IPS performance and protection ensure exploitive malware and hackers are stopped dead in their tracks.
Sandstorm sandboxing provides the ultimate in affordable protection by analyzing suspicious files in a safe cloud environment using the latest technology from Intercept X.
An integrated web application firewall protects your cloud servers and helps meet compliance requirements with protection from SQL injection and cross-site scripting attacks, URL and form hardening, dual malware engines, GeoIP lists, TLS offloading, reverse authentication, and more.

Each of the above solutions automatically sends information to the Sophos Managed Threat Response service which is used to proactively hunt for indicators of malicious activity. The Managed Threat Response service includes 24/7 threat hunting, detection, and response delivered by an expert team as a fully-managed service.

Proactively hunt for and validate potential threats and incidents.
Use all available information to determine the scope and severity of threats.
Apply the appropriate business context for valid threats.
Initiate actions to remotely disrupt, contain, and neutralize threats.
Provide actionable advice for addressing the root cause of recurring incidents.

Additionally, customers using the Sophos Threat Protection, Monitoring, and Response service can also add Sophos Endpoint protection to protect users.

Central Intercept X Advanced with XDR and MTR Advanced Windows, Mac, and Linux endpoint protection features include Ransomware protection, deep-learning malware detection, anti-exploit file-less attack prevention, XDR and MTR.

Required AWS Security Services

Key AWS Security Services are used to gather infrastructure and service level security information, which is then passed on to Sophos for further analysis. The below services must be enabled in each AWS account and region that is covered by the Sophos TMP on AWS offering.

Amazon CloudTrail: AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. Note that CloudTrail is enabled automatically as part of the Cloud Optix setup.
AWS GuardDuty: Amazon GuardDuty is a continuous security monitoring service that analyzes and processes VPC Flow Logs, AWS CloudTrail management event logs, CloudTrail S3 data event logs, and DNS logs to identify unexpected and potentially unauthorized and malicious activity within your AWS environment. Note that GuardDuty must be manually enabled from the AWS console in each AWS region you want to support and then connected to Sophos Cloud Optix using the provided integration script.
AWS Security Hub: AWS Security Hub gives you a comprehensive view of your security alerts and security posture across your AWS accounts.
Note that GuardDuty must be manually enabled from the AWS console in each AWS region you want to support and then connected to Sophos Cloud Optix using the Integration instructions.

Optional but recommended AWS Security Services

Along with the above required AWS Security services, the below AWS services are also recommended as they provide additional information which can be used by Sophos security solutions and the MTR service to help protect customer environments.

Amazon Detective: Amazon Detective automatically collects log data from AWS resources. It then uses machine learning, statistical analysis, and graph theory to help you visualize and conduct faster and more efficient security investigations. Enabling this service allows Cloud Optix to include details highlighting IAM security misconfiguration and overprivileged users and roles, and also enables the IAM Visualization feature.
Amazon Inspector: Amazon Inspector tests the network accessibility of your Amazon EC2 instances and the security state of your applications that run on those instances. Amazon Inspector assesses applications for exposure, vulnerabilities, and deviations from best practices. Enabling Inspector allows Optix to filter the host inventory list to show EC2 instances for which there are Amazon Inspector findings. Click the Inspector icon in the "Actions" column to view findings for the last assessment run for that EC2 instance.
IAM Access Analyzer: AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity.
AWS Systems Manager: AWS Systems Manager gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources. Systems manager can also be used to automatically deploy Sophos Intercept X agents to EC2 instances as described in the following KB. https://community.sophos.com/intercept-x-endpoint/f/recommended-reads/127860/how-to-auto-deploy-sophos-server-protection-on-aws-instances

Threat Protection, Monitoring, and Response Package Deployment Steps

Purchase the Threat Protection, Monitoring, and Response Package via the AWS Marketplace.
Receive license schedule email from Sophos. The license schedule contains details on the Sophos products purchased and should look similar to the below example.
Sophos Central account signup and license activation. All Sophos products and services are managed from a Sophos Central account.

a. Go to https://central.sophos.com/ and sign in. If you don’t already have an account then start a Sophos Central trial using the below link. https://secure2.sophos.com/en-us/products/sophos-central/free-trial.aspx
b. Once logged into the Sophos Central Admin console, Look for your account name in the upper right of the user interface. Click the name and select Licensing.

c. On the licensing page, Click Apply License Key, copy/paste the License Key from your License schedule and then click Apply.
d. If you see an Apply License Key link, click it. Enter your key and click Apply.
e. If your account already has licenses for the features included on the key, you see another dialog. This lets you choose how to use your new licenses.

i. Renew starts the new licenses when your current licenses expire.
ii. Change starts the new licenses now. We'll adjust the license term so that all your licenses expire on the same date.

f. Click Apply again and confirm that the details on the licensing screen match those on the License Schedule.
Connect Sophos Cloud Optix to your AWS account(s):

a. Open a new tab in your browser and login to your AWS console using an account with administrative level permissions. These are needed to configure both the connection between Optix and your AWS account as well as the AWS security services.
b. Navigate back to your Sophos Central console tab and then click on Cloud Optix which is located under left side menu under My Products.

c. Once redirected to the Optix UI you should be prompted to add a cloud environment. If not, simply click on the ‘+ Add Environments’ option located on the left side menu under Settings. Choose the Full Setup menu item, and then choose CloudFormation by clicking on the ‘Go’ button located to the right. You’ll then be prompted to connect either a single account or an AWS Organization, and also given the option to modify default setup details. Once these steps are complete click on the ‘Launch Stack’ button to redirect to the AWS CloudFormation console page where the Optix template is preloaded and ready to deploy. Follow on screen instructions to complete, or refer to the Optix help documentation for more details.

d. Once the CloudFormation stack has been launched, the setup and initial sync typically takes between 10-15 minutes to complete and once done the Optix Environments section should show the new environment connection along with green operational status indicators as shown below. Note that the required AWS CloudTrail service is enabled as part of the Optix setup with status shown under ‘Activity Logs’.

If you encounter any issues or errors connecting Optix to your AWS accounts, please reach out to the Sophos public cloud team for assistance. Publiccloudteam@sophos.com
Run Optix AWS GuardDuty integration script: As discussed above, the AWS GuardDuty service is a required AWS security service. Once enabled and configured using the Optix integration script, GuardDuty alerts will be sent to Cloud Optix. Detailed instructions on how to deploy and run the script can be found in the Optix Integrations section.
Configure Optix to receive alerts from AWS Security Hub: As discussed above, the AWS Security Hub service is a required AWS security service. Once enabled and configured using the Optix integration procedure, Security Hub alerts will be sent to Cloud Optix. Detailed instructions on how to deploy and run the script can be found in the Optix Integrations section.
Configure Intercept X Server policies and deploy agents
a. Configure ‘Best Practice’ Intercept X Server protection policies in Central (Please see Onboarding checklist section for details)
b. Use Optix Inventory>Hosts information to identify all EC2 instances in attached AWS accounts.
c. Deploy Intercept X agents onto EC2 instances using built in link as shown below, or refer to KB in onboarding checklist.
Deploy a High Availability pair of Sophos Firewall’s into AWS account: To comply with AWS architectural best practices, Sophos provides a High Availability solution which deploys a pair of Sophos Firewalls and utilizes an AWS Network Load Balancer as well as the AWS Transit Gateway service to ensure failover across availability zones. The solution is deployed via a Sophos provided CloudFormation template available via AWS Marketplace and configured using the configuration guide.
Configure XG FW’s and connect to Central management: Once the XG Firewalls are deployed they must be configured to Connect to the Sophos Central account.
Please refer to our how-to video showing the onboarding process and management of Sophos firewalls in Sophos Central account.

Sophos Product Onboarding Configuration Checklist

Onboarding Item	Policy/ Setting Detail	Policy/ Setting Detail	Notes or Comments	Complete?
General Setup			https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/GettingStarted.html
Customer has signed up for Sophos Central trial account			https://secure2.sophos.com/en-us/products/sophos-central/free-trial.aspx
Customer has logged into Sophos Central account and applied license keys			https://docs.sophos.com/central/Customer/help/en-us/central/common/tasks/ActivateLicense.html
Customer has configured Managed Threat Response preferences			https://docs.sophos.com/central/MTR/newstartup/en-us/index.html
Cloud Optix Setup
Customer AWS accounts are connected to Cloud Optix			https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/learningContents/AddEnvAWSCloudForm.html
AWS required and optional security services are enabled and integrated with Optix			https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/concepts/Integrations.html
Customer has reviewed the Optix AWS inventory section and is shown what AWS meta data information is captured
Customer has reviewed Optix activity logs (CloudTrail) information			https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/concepts/AnomalyHighRisk.html?hl=activity%2Clog
At a minimum the following required Optix Policies are enabled: • CIS Benchmark v1.3 • PCI DSS v3.2 • Sophos Cloud Optix Best Practices			https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/concepts/OutOfBoxPolicies.html
Customer has reviewed Optix Integrations options and has chosen at least one option for Alerts			https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/concepts/Integrations.html
Customer has reviewed Optix Host section and associated AWS GuardDuty information, and is shown how to filter on GuardDuty alerts in Alerts section
Customer has reviewed different Optix Alert types including Anomaly and is shown how to filter and export			https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/concepts/AnomalyDetection.html?hl=anomaly%2Cdetection
Customer has reviewed Optix report settings section			https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/concepts/WeeklySummaryReport.html
Intercept X Server Policy Setup
	Threat Protection Policy	Server Base Policy	https://community.sophos.com/intercept-x-endpoint/f/recommended-reads/126339/sophos-intercept-x-threat-protection-policy-best-practices
Runtime Protection
Protect document files from ransomware (CryptoGuard)	Enabled	Enabled
Protect from remotely run ransomware	Enabled	Enabled
Protect from Encrypting File System attacks	Enabled	Enabled
Protect from master boot record ransomware	Enabled	Enabled
Protect critical functions in web browsers (Safe Browsing)	Enabled	Disabled
Mitigate exploits in vulnerable applications	Enabled	Enabled
Protect web browsers	Enabled	Enabled
Protect web browser plugins	Enabled	Enabled
Protect Java applications	Enabled	Enabled
Protect media application	Enabled	Enabled
Protect office applications	Enabled	Enabled
Prevent credential theft	Enabled	Enabled
Prevent code cave utilization	Enabled	Enabled
Prevent APC violation	Enabled	Enabled
Prevent privilege escalation	Enabled	Enabled
Protect processes	Enabled	Enabled
Prevent process hollowing attacks	Enabled	Enabled
Prevent DLLs loading from untrusted folders	Enabled	Enabled
Enable CPU branch tracing	Enabled	Disabled
Dynamic shellcode protection	Enabled	Enabled
Validate CTF Protocol caller	Enabled	Enabled
Prevent side loading of insecure modules	Enabled	Enabled
Deep Learning
Enable deep learning	Enabled	Enabled
Remediation
Automatic cleanup of malware	Enabled	Enabled
Send Endpoint Data to Sophos Central	Enabled	Enabled
Runtime Protection
Detect malicious connections to command and control servers	Enabled	Enabled
Enable Sophos Security Heartbeat	Enabled	Enabled
AMSI Protection	Enabled	Enabled
Live Protection
Use Live Protection to check the latest threat information from SophosLabs online	Enabled	Enabled
Use Live Protection during scheduled scans	Enabled	Enabled
Real-time Scanning - Local Files and Network Shares
Remote files	Enabled	Enabled
Real-time Scanning - Internet
Scan downloads in progress	Enabled	Enabled
Block access to malicious websites	Enabled	Enabled
Detect low-reputation files	Enabled	Enabled
Remediation
Automatic cleanup of malware	Enabled	Enabled
Real-time scanning Options
Automatically exclude activity by known applications	Enabled	Enabled
Detect malicious behavior (HIPS)	Enabled	Enabled
Update Policy (Server)	Update Management	Base Policy - Update Management
Scheduled Updates	Disabled	Disabled

Intercept X Server Agent Deployment
Please refer to the KB article for information on how to automate the deployment using the AWS Systems Manager service.			https://community.sophos.com/intercept-x-endpoint/f/recommended-reads/127860/how-to-auto-deploy-sophos-server-protection-on-aws-instances
Optix Inventory>Hosts ‘Server Agent’ column shows that agent is successfully deployed to all hosts.			https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/concepts/ServerAgentIntegration.html

Sophos Firewall on AWS Deployment
Customer has subscribed to the Sophos FW High Availability AWS Marketplace listing			https://aws.amazon.com/marketplace/pp/prodview-r3pjzf5gpoikm?ref_=srh_res_product_title
Customer has followed deployment steps detailed in KB			https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-firewall-ha-aa-deployment-with-in-aws
Customer has connected deployed Firewalls to Sophos Central account			https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContent/CentralManageXG2.html

Sophos Firewall on AWS Configuration			https://www.sophos.com/en-us/support/products/xg-firewall/how-to-library.aspx
VPC and subnet objects have been created to match what is shown in Optix Inventory section
Optix inventory and network visualization tools are used to identify any servers that are allowing inbound traffic on ports 80/443
XG IPS policy is enabled to protect all AWS subnets shown in Optix inventory
XG WAF policy used to protect all servers using ports 80/443
XG Web policy is enabled and applied to all VPC subnets shown in Optix
XG Sandstorm is enabled to scan any suspicious file downloads in to VPCs
XG ATP is enabled to check for CnCs on all outbound traffic (DNS,HTTP and HTTPS) from VPC subnets
XG has been configured to forward the events (Syslog) to a SIEM and SOAR Platform

AWS
[edited by: emmosophos at 4:24 PM (GMT -7) on 24 Aug 2021]

Justin McDermott 10 months ago

I was thinking that IR was included with this. It Had a prospective customer that uses Palo Alto XDR and thought IR would be included in MTD. I Guess this is the easiest way to get non-Sophos endpoints over to Sophos. DQ Fan Feedback
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel