Sophos Threat Protection, Monitoring, and Response on AWS
Table of Contents
Introduction
Security in AWS operates under a shared security responsibility model, where AWS is responsible for the security of the underlying cloud infrastructure and the customer is responsible for securing workloads deployed into their AWS accounts. This model gives customers the flexibility and agility needed to implement the most applicable security controls for their business functions in AWS. They can tightly restrict access to environments that process or hold sensitive data while deploying less stringent controls for information they want to make public.
To help customers with their security responsibilities, AWS offers a number of security services which are designed to help implement an optimal cloud security posture. AWS also provides security best practice and guidance and suggests that customers consider adding additional security tools available from the AWS Marketplace. These 3rd party solutions are provided by AWS partners such as Sophos and offer industry leading products that are equivalent, identical to, and/or integrate with existing controls in your on-premises environments. These products complement the AWS security services and help customers deploy comprehensive security across their cloud and on-premises environments.
Despite these resources, many customers still struggle with ensuring they are properly protected in AWS. This is often due to the complexity related to properly deploying and managing these services and tools, and the lack of expertise needed to identify potential threats and/or compromises.
Sophos Threat Protection, Monitoring, and Response on AWS
To help address the challenges mentioned above, AWS and Sophos have partnered up to offer the Sophos Threat Protection, Monitoring, and Response Package on AWS. The offering combines key AWS security services with Sophos cloud security products, a cloud based Central management platform, the Sophos Managed Threat Response service, and additional options for extending coverage to on premise networks, remote users, and even other cloud platforms. The service can be purchased directly via AWS Marketplace and deployed by a customer with assistance from the Sophos Professional Services team or using a Sophos authorized Managed Service Provider partner.
Sophos Threat Protection, Monitoring, and Response Package Details
The Sophos Threat Protection, Monitoring, and Response package consists of three required Sophos solutions that are used to protect your AWS VPC’s and workloads and integrates with both AWS security services and the Sophos Managed Threat Response service. The required Sophos products are:
Sophos Intercept X Advanced for Server with XDR : Sophos Intercept X for Server employs a comprehensive, defense in depth approach to server security. A combination of powerful defensive techniques and visibility capabilities give organizations the very best host protection against the latest threats.
- Stop Unknown Threats Deep learning AI in Intercept X for Server excels at detecting and blocking malware even when it hasn’t been seen before. It does this by scrutinizing file attributes from hundreds of millions of samples to identify threats without the need for a signature.
- Block Ransomware Intercept X for Server includes advanced anti-ransomware capabilities that detect and block the malicious encryption processes used in ransomware attacks. Files that have been encrypted will be rolled back to a safe state, minimizing any impact to business productivity.
- Prevent Exploits Anti-exploit technology stops the exploit techniques that attackers rely on to compromise devices, steal credentials and distribute malware. By stopping the techniques used throughout the attack chain Intercept X for Server keeps your organization secure against file-less attacks and zero-day exploits.
- Control Your Servers Ensure only what you want can run. Server Lockdown (whitelisting) makes sure that only applications you have approved can run on a server. File Integrity Monitoring will notify you if there are unauthorized attempts to change critical files.
Sophos Cloud Optix: Cloud Optix is an agentless cloud security posture management solution that helps customers identify vulnerabilities, ensure compliance, and respond to threats in the cloud faster. Cloud Optix provides a complete picture of cloud resources and security configurations across AWS, Azure, Google Cloud, Kubernetes, and DevOps environments, enabling security teams to focus on and fix critical security vulnerabilities before they are identified and exploited in cyberattacks.
- Complete Cloud Security Posture Management Sophos Cloud Optix provides a complete picture of cloud resources across multi-cloud environments. Monitoring costs, detecting insecure configurations and deployments, access anomalies, over-privileged IAM roles, and compliance failures from development to the ongoing security of live services.
- Identify and Respond to Threats Faster Focus on and fix your most critical security vulnerabilities before they are identified and exploited in cyberattacks. By identifying and risk-profiling security, compliance, and cloud spend risks, Cloud Optix ensures teams respond faster, providing contextual alerts that group affected resources with detailed remediation steps.
- Security at The Pace of DevOps Block vulnerabilities in container images and infrastructure-as-code templates predeployment with Cloud Optix. Seamlessly integrate Sophos security and compliance checks at any stage of development to maintain the pace of DevOps without introducing threats into production environments.
- Manage Permissions Before They’re Exploited Cloud Optix analyzes complex, interwoven Identity and Access Management (IAM) roles to visualize relationships, making it simpler to manage access privileges for user, group and cloud service roles. Guiding you on where to make IAM policy updates with the cloud provider before over-privileged IAM access is exploited.
- Reduce Compliance Cost and Complexity Sophos Cloud Optix reduces the cost and complexity of compliance with policies that automatically map to your environments, producing audit-ready reports without diverting resources from other projects. Compliance and security best practice policies include: GDPR, HIPAA, PCI DSS, SOC2, ISO27001, FFIEC, EBU R 143, FedRAMP, CIS Benchmark Level 1 and Level 2 for AWS, Azure, Google Cloud and Kubernetes.
Sophos Firewall on AWS: Sophos Firewall makes security and compliance easy with the best next-gen protection against the latest advanced threats including ransomware, crypto mining, bots, worms, hacks, breaches, and APTs with unique and innovative technologies designed to catch threats we haven’t even seen yet.
- SophosLabs Threat Intelligence, powered by deep learning, identifies new and zero-day threats before they infiltrate your network.
- Industry-leading IPS performance and protection ensure exploitive malware and hackers are stopped dead in their tracks.
- Sandstorm sandboxing provides the ultimate in affordable protection by analyzing suspicious files in a safe cloud environment using the latest technology from Intercept X.
- An integrated web application firewall protects your cloud servers and helps meet compliance requirements with protection from SQL injection and cross-site scripting attacks, URL and form hardening, dual malware engines, GeoIP lists, TLS offloading, reverse authentication, and more.
Each of the above solutions automatically sends information to the Sophos Managed Threat Response service which is used to proactively hunt for indicators of malicious activity. The Managed Threat Response service includes 24/7 threat hunting, detection, and response delivered by an expert team as a fully-managed service.
- Proactively hunt for and validate potential threats and incidents.
- Use all available information to determine the scope and severity of threats.
- Apply the appropriate business context for valid threats.
- Initiate actions to remotely disrupt, contain, and neutralize threats.
- Provide actionable advice for addressing the root cause of recurring incidents.
Additionally, customers using the Sophos Threat Protection, Monitoring, and Response service can also add Sophos Endpoint protection to protect users.
- Central Intercept X Advanced with XDR and MTR Advanced Windows, Mac, and Linux endpoint protection features include Ransomware protection, deep-learning malware detection, anti-exploit file-less attack prevention, XDR and MTR.
Required AWS Security Services
Key AWS Security Services are used to gather infrastructure and service level security information, which is then passed on to Sophos for further analysis. The below services must be enabled in each AWS account and region that is covered by the Sophos TMP on AWS offering.
-
Amazon CloudTrail: AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. Note that CloudTrail is enabled automatically as part of the Cloud Optix setup.
-
AWS GuardDuty: Amazon GuardDuty is a continuous security monitoring service that analyzes and processes VPC Flow Logs, AWS CloudTrail management event logs, CloudTrail S3 data event logs, and DNS logs to identify unexpected and potentially unauthorized and malicious activity within your AWS environment. Note that GuardDuty must be manually enabled from the AWS console in each AWS region you want to support and then connected to Sophos Cloud Optix using the provided integration script.
- AWS Security Hub: AWS Security Hub gives you a comprehensive view of your security alerts and security posture across your AWS accounts.
Note that GuardDuty must be manually enabled from the AWS console in each AWS region you want to support and then connected to Sophos Cloud Optix using the Integration instructions.
Optional but recommended AWS Security Services
Along with the above required AWS Security services, the below AWS services are also recommended as they provide additional information which can be used by Sophos security solutions and the MTR service to help protect customer environments.
-
Amazon Detective: Amazon Detective automatically collects log data from AWS resources. It then uses machine learning, statistical analysis, and graph theory to help you visualize and conduct faster and more efficient security investigations. Enabling this service allows Cloud Optix to include details highlighting IAM security misconfiguration and overprivileged users and roles, and also enables the IAM Visualization feature.
-
Amazon Inspector: Amazon Inspector tests the network accessibility of your Amazon EC2 instances and the security state of your applications that run on those instances. Amazon Inspector assesses applications for exposure, vulnerabilities, and deviations from best practices. Enabling Inspector allows Optix to filter the host inventory list to show EC2 instances for which there are Amazon Inspector findings. Click the Inspector icon in the "Actions" column to view findings for the last assessment run for that EC2 instance.
-
IAM Access Analyzer: AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity.
-
AWS Systems Manager: AWS Systems Manager gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources. Systems manager can also be used to automatically deploy Sophos Intercept X agents to EC2 instances as described in the following KB. https://community.sophos.com/intercept-x-endpoint/f/recommended-reads/127860/how-to-auto-deploy-sophos-server-protection-on-aws-instances
Threat Protection, Monitoring, and Response Package Deployment Steps
- Purchase the Threat Protection, Monitoring, and Response Package via the AWS Marketplace.
- Receive license schedule email from Sophos. The license schedule contains details on the Sophos products purchased and should look similar to the below example.
- Sophos Central account signup and license activation. All Sophos products and services are managed from a Sophos Central account.
a. Go to https://central.sophos.com/ and sign in. If you don’t already have an account then start a Sophos Central trial using the below link. https://secure2.sophos.com/en-us/products/sophos-central/free-trial.aspx
b. Once logged into the Sophos Central Admin console, Look for your account name in the upper right of the user interface. Click the name and select Licensing.
c. On the licensing page, Click Apply License Key, copy/paste the License Key from your License schedule and then click Apply.
d. If you see an Apply License Key link, click it. Enter your key and click Apply.
e. If your account already has licenses for the features included on the key, you see another dialog. This lets you choose how to use your new licenses.
i. Renew starts the new licenses when your current licenses expire.
ii. Change starts the new licenses now. We'll adjust the license term so that all your licenses expire on the same date.
f. Click Apply again and confirm that the details on the licensing screen match those on the License Schedule. - Connect Sophos Cloud Optix to your AWS account(s):
a. Open a new tab in your browser and login to your AWS console using an account with administrative level permissions. These are needed to configure both the connection between Optix and your AWS account as well as the AWS security services.
b. Navigate back to your Sophos Central console tab and then click on Cloud Optix which is located under left side menu under My Products.
c. Once redirected to the Optix UI you should be prompted to add a cloud environment. If not, simply click on the ‘+ Add Environments’ option located on the left side menu under Settings. Choose the Full Setup menu item, and then choose CloudFormation by clicking on the ‘Go’ button located to the right. You’ll then be prompted to connect either a single account or an AWS Organization, and also given the option to modify default setup details. Once these steps are complete click on the ‘Launch Stack’ button to redirect to the AWS CloudFormation console page where the Optix template is preloaded and ready to deploy. Follow on screen instructions to complete, or refer to the Optix help documentation for more details.
d. Once the CloudFormation stack has been launched, the setup and initial sync typically takes between 10-15 minutes to complete and once done the Optix Environments section should show the new environment connection along with green operational status indicators as shown below. Note that the required AWS CloudTrail service is enabled as part of the Optix setup with status shown under ‘Activity Logs’.
If you encounter any issues or errors connecting Optix to your AWS accounts, please reach out to the Sophos public cloud team for assistance. Publiccloudteam@sophos.com - Run Optix AWS GuardDuty integration script: As discussed above, the AWS GuardDuty service is a required AWS security service. Once enabled and configured using the Optix integration script, GuardDuty alerts will be sent to Cloud Optix. Detailed instructions on how to deploy and run the script can be found in the Optix Integrations section.
- Configure Optix to receive alerts from AWS Security Hub: As discussed above, the AWS Security Hub service is a required AWS security service. Once enabled and configured using the Optix integration procedure, Security Hub alerts will be sent to Cloud Optix. Detailed instructions on how to deploy and run the script can be found in the Optix Integrations section.
- Configure Intercept X Server policies and deploy agents
a. Configure ‘Best Practice’ Intercept X Server protection policies in Central (Please see Onboarding checklist section for details)
b. Use Optix Inventory>Hosts information to identify all EC2 instances in attached AWS accounts.
c. Deploy Intercept X agents onto EC2 instances using built in link as shown below, or refer to KB in onboarding checklist.
- Deploy a High Availability pair of Sophos Firewall’s into AWS account: To comply with AWS architectural best practices, Sophos provides a High Availability solution which deploys a pair of Sophos Firewalls and utilizes an AWS Network Load Balancer as well as the AWS Transit Gateway service to ensure failover across availability zones. The solution is deployed via a Sophos provided CloudFormation template available via AWS Marketplace and configured using the configuration guide.
- Configure XG FW’s and connect to Central management: Once the XG Firewalls are deployed they must be configured to Connect to the Sophos Central account.
Please refer to our how-to video showing the onboarding process and management of Sophos firewalls in Sophos Central account.
Sophos Product Onboarding Configuration Checklist
|
Onboarding Item |
Policy/ Setting Detail |
Policy/ Setting Detail |
Notes or Comments |
Complete? |
|
General Setup |
|
|
https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/GettingStarted.html |
|
|
Customer has signed up for Sophos Central trial account |
|
|
https://secure2.sophos.com/en-us/products/sophos-central/free-trial.aspx |
|
|
Customer has logged into Sophos Central account and applied license keys |
|
|
https://docs.sophos.com/central/Customer/help/en-us/central/common/tasks/ActivateLicense.html |
|
|
Customer has configured Managed Threat Response preferences |
|
|
https://docs.sophos.com/central/MTR/newstartup/en-us/index.html |
|
|
Cloud Optix Setup |
|
|
|
|
|
Customer AWS accounts are connected to Cloud Optix |
|
|
https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/learningContents/AddEnvAWSCloudForm.html |
|
|
AWS required and optional security services are enabled and integrated with Optix |
|
|
https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/concepts/Integrations.html
|
|
|
Customer has reviewed the Optix AWS inventory section and is shown what AWS meta data information is captured |
|
|
|
|
|
Customer has reviewed Optix activity logs (CloudTrail) information |
|
|
|
|
|
At a minimum the following required Optix Policies are enabled: |
|
|
https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/concepts/OutOfBoxPolicies.html
|
|
|
Customer has reviewed Optix Integrations options and has chosen at least one option for Alerts |
|
|
https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/concepts/Integrations.html
|
|
|
Customer has reviewed Optix Host section and associated AWS GuardDuty information, and is shown how to filter on GuardDuty alerts in Alerts section |
|
|
|
|
|
Customer has reviewed different Optix Alert types including Anomaly and is shown how to filter and export |
|
|
|
|
|
Customer has reviewed Optix report settings section |
|
|
https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/concepts/WeeklySummaryReport.html |
|
|
Intercept X Server Policy Setup |
|
|
|
|
|
|
Threat Protection Policy |
Server Base Policy |
|
|
|
Runtime Protection |
|
|
|
|
|
Protect document files from ransomware (CryptoGuard) |
Enabled |
Enabled
|
|
|
|
Protect from remotely run ransomware |
Enabled
|
Enabled
|
|
|
|
Protect from Encrypting File System attacks |
Enabled
|
Enabled
|
|
|
|
Protect from master boot record ransomware |
Enabled
|
Enabled
|
|
|
|
Protect critical functions in web browsers (Safe Browsing) |
Enabled
|
Disabled |
|
|
|
Mitigate exploits in vulnerable applications |
Enabled
|
Enabled
|
|
|
|
Protect web browsers |
Enabled |
Enabled |
|
|
|
Protect web browser plugins |
Enabled |
Enabled |
|
|
|
Protect Java applications |
Enabled |
Enabled |
|
|
|
Protect media application |
Enabled |
Enabled |
|
|
|
Protect office applications |
Enabled |
Enabled |
|
|
|
Prevent credential theft |
Enabled |
Enabled |
|
|
|
Prevent code cave utilization |
Enabled |
Enabled |
|
|
|
Prevent APC violation |
Enabled |
Enabled |
|
|
|
Prevent privilege escalation |
Enabled |
Enabled |
|
|
|
Protect processes |
Enabled |
Enabled |
|
|
|
Prevent process hollowing attacks |
Enabled |
Enabled |
|
|
|
Prevent DLLs loading from untrusted folders |
Enabled |
Enabled |
|
|
|
Enable CPU branch tracing |
Enabled |
Disabled |
|
|
|
Dynamic shellcode protection |
Enabled |
Enabled |
|
|
|
Validate CTF Protocol caller |
Enabled |
Enabled |
|
|
|
Prevent side loading of insecure modules |
Enabled |
Enabled |
|
|
|
Deep Learning |
|
|
|
|
|
Enable deep learning |
Enabled |
Enabled |
|
|
|
Remediation |
|
|
|
|
|
Automatic cleanup of malware |
Enabled |
Enabled |
|
|
|
Send Endpoint Data to Sophos Central |
Enabled |
Enabled |
|
|
|
Runtime Protection |
|
|
|
|
|
Detect malicious connections to command and control servers |
Enabled |
Enabled |
|
|
|
Enable Sophos Security Heartbeat |
Enabled |
Enabled |
|
|
|
AMSI Protection |
Enabled |
Enabled |
|
|
|
Live Protection |
|
|
|
|
|
Use Live Protection to check the latest threat information from SophosLabs online |
Enabled |
Enabled |
|
|
|
Use Live Protection during scheduled scans |
Enabled |
Enabled |
|
|
|
Real-time Scanning - Local Files and Network Shares |
|
|
|
|
|
Remote files |
Enabled |
Enabled |
|
|
|
Real-time Scanning - Internet |
|
|
|
|
|
Scan downloads in progress |
Enabled |
Enabled |
|
|
|
Block access to malicious websites |
Enabled |
Enabled |
|
|
|
Detect low-reputation files |
Enabled |
Enabled |
|
|
|
Remediation |
|
|
|
|
|
Automatic cleanup of malware |
Enabled |
Enabled |
|
|
|
Real-time scanning Options |
|
|
|
|
|
Automatically exclude activity by known applications |
Enabled |
Enabled |
|
|
|
Detect malicious behavior (HIPS) |
Enabled |
Enabled |
|
|
|
Update Policy (Server) |
Update Management |
Base Policy - Update Management |
|
|
|
Scheduled Updates |
Disabled |
Disabled |
|
|
|
|
|
|
|
|
|
Intercept X Server Agent Deployment |
|
|
|
|
|
Please refer to the KB article for information on how to automate the deployment using the AWS Systems Manager service. |
|
|
|
|
|
Optix Inventory>Hosts ‘Server Agent’ column shows that agent is successfully deployed to all hosts. |
|
|
https://docs.sophos.com/pcg/optix/help/en-us/pcg/optix/concepts/ServerAgentIntegration.html |
|
|
|
|
|
|
|
|
Sophos Firewall on AWS Deployment |
|
|
|
|
|
Customer has subscribed to the Sophos FW High Availability AWS Marketplace listing |
|
|
https://aws.amazon.com/marketplace/pp/prodview-r3pjzf5gpoikm?ref_=srh_res_product_title
|
|
|
Customer has followed deployment steps detailed in KB |
|
|
|
|
|
Customer has connected deployed Firewalls to Sophos Central account |
|
|
|
|
|
|
|
|
|
|
|
Sophos Firewall on AWS Configuration |
|
|
https://www.sophos.com/en-us/support/products/xg-firewall/how-to-library.aspx
|
|
|
VPC and subnet objects have been created to match what is shown in Optix Inventory section |
|
|
|
|
|
Optix inventory and network visualization tools are used to identify any servers that are allowing inbound traffic on ports 80/443 |
|
|
|
|
|
XG IPS policy is enabled to protect all AWS subnets shown in Optix inventory |
|
|
|
|
|
XG WAF policy used to protect all servers using ports 80/443 |
|
|
|
|
|
XG Web policy is enabled and applied to all VPC subnets shown in Optix |
|
|
|
|
|
XG Sandstorm is enabled to scan any suspicious file downloads in to VPCs |
|
|
|
|
|
XG ATP is enabled to check for CnCs on all outbound traffic (DNS,HTTP and HTTPS) from VPC subnets |
|
|
|
|
|
XG has been configured to forward the events (Syslog) to a SIEM and SOAR Platform |
|
|
|
|
AWS
[edited by: emmosophos at 4:24 PM (GMT -7) on 24 Aug 2021]
