[Sync Sec] Important announcement on Synchronized Security Features on XG v17.5 Early Access

*Synchronized Security in SFOS 17.5*

SFOS 17.5 adds two new Synchronized Security features, Lateral Movement Prevention and Synchronized UserID. To use them you need the latest EAP release of Sophos Endpoint Protection (to be released November 12th); you can check the version using the screenshots below. Specifically, Sophos Network Threat Protection has to be >v1.7. The Sophos Network Threat Protection version can be checked by clicking the ‘Run Diagnostic Tool’ button on the About screen.

For more information on joining the EAP Program for Endpoint Protection please visit https://community.sophos.com/products/intercept/early-access-preview/

Besides these two new Synchronized Security features, there are also enhancements to Synchronized Application Control that make handling discovered applications easier.

*Lateral Movement Prevention*

Lateral Movement Prevention allows an endpoint to be isolated within its own broadcast domain, preventing an infection from spreading laterally between endpoints on the same network segment. XG Firewall acts as the distribution hub for all information the endpoints need in order to isolate themselves from infected endpoints. Configuration for this feature is available within Sophos Central.

To expose the configuration, log in to Sophos Central, open your browser's developer console and enter the following command: sc.setFlag('endpoint.stonewalling.enabled')

After entering this command you should see a new entry similar to the screenshot below; it takes you to the configuration for excluding specific endpoints from the stonewalling feature so that they are not isolated.

*Synchronized UserID*

The new Synchronized UserID feature is an additional authentication method for users on XG Firewall. It requires an Active Directory server configured for authentication on the firewall (details can be found in the online help), and both the endpoint and the user have to be members of that Active Directory domain. Once the user on the endpoint has authenticated to Active Directory, the endpoint sends the login information to XG Firewall, which in turn verifies the user against Active Directory. Synchronized UserID is only available for Windows endpoints and only in combination with Active Directory.

*Synchronized Application Control*

SFOS 17.5 also enhances Synchronized Application Control to better handle discovered applications. We have added a separate filter for System Applications, which can now be seen in the special filter “System Applications”; this includes applications such as the Windows and macOS services that are discovered.

Another option for managing discovered applications is the new ‘hide’ action, which moves an application to the ‘Hidden Applications’ filter. Hidden applications are no longer displayed in the discovered applications list, but unlike ‘delete’, they are not added back to the list when they are discovered again; they remain under the ‘Hidden Applications’ filter. This is intended for applications that the admin does not want displayed continuously in the application list but that are still present in the environment.

These additions should make handling larger numbers of discovered applications easier.
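To make the ‘delete’ versus ‘hide’ distinction concrete, here is an added example (not code from SFOS or Sophos) that models a discovered-application list with the three views described above. The class, its method names, the is_system flag on the discovery report and the sample application names are all assumptions for illustration; the page does not say how the firewall classifies system applications internally.

```python
DISCOVERED = "Discovered Applications"
SYSTEM = "System Applications"
HIDDEN = "Hidden Applications"


class AppInventory:
    """Model of the discovered-application list (illustration, not the SFOS data model).

    Assumption: the endpoint report marks OS services (Windows/macOS services)
    with is_system=True; the real classification rule is not on the page.
    """

    def __init__(self):
        self._apps = {}       # key -> (name, publisher, is_system)
        self._hidden = set()  # keys the admin chose to hide; survives rediscovery

    @staticmethod
    def _key(name, publisher):
        return (name.lower(), publisher.lower())

    def discover(self, name, publisher, is_system=False):
        """An endpoint reports an application; returns the view it lands in."""
        k = self._key(name, publisher)
        self._apps[k] = (name, publisher, is_system)
        if k in self._hidden:
            return HIDDEN                      # hidden entries do not resurface
        return SYSTEM if is_system else DISCOVERED

    def hide(self, name, publisher):
        """Move to 'Hidden Applications'; the entry is kept so rediscovery keeps it hidden."""
        self._hidden.add(self._key(name, publisher))

    def delete(self, name, publisher):
        """Remove the entry entirely; the next discovery report adds it back."""
        k = self._key(name, publisher)
        self._apps.pop(k, None)
        self._hidden.discard(k)

    def view(self, which):
        """Application names in the requested view, sorted."""
        rows = []
        for k, (name, _pub, is_system) in self._apps.items():
            if k in self._hidden:
                bucket = HIDDEN
            elif is_system:
                bucket = SYSTEM
            else:
                bucket = DISCOVERED
            if bucket == which:
                rows.append(name)
        return sorted(rows)


def inventory_scenario():
    """Constructed sample data: rediscovery after 'delete' versus after 'hide'."""
    inv = AppInventory()
    # First discovery sweep (sample entries, not real discovery output)
    inv.discover("svchost.exe", "Microsoft Corporation", is_system=True)
    inv.discover("launchd", "Apple Inc.", is_system=True)
    inv.discover("chrome.exe", "Google LLC")
    inv.discover("putty.exe", "Simon Tatham")
    inv.discover("buildtool.exe", "Example Internal Tools")
    inv.hide("buildtool.exe", "Example Internal Tools")   # known, present, not worth watching
    inv.delete("chrome.exe", "Google LLC")                # dropped from the list for now
    before = {v: inv.view(v) for v in (DISCOVERED, SYSTEM, HIDDEN)}
    # Second sweep: the endpoints report the same applications again
    landed = {
        "chrome.exe": inv.discover("chrome.exe", "Google LLC"),
        "buildtool.exe": inv.discover("buildtool.exe", "Example Internal Tools"),
    }
    after = {v: inv.view(v) for v in (DISCOVERED, SYSTEM, HIDDEN)}
    return before, landed, after


if __name__ == "__main__":
    for stage in inventory_scenario():
        print(stage)
```

The deleted application comes back into “Discovered Applications” on the next sweep, while the hidden one lands straight in “Hidden Applications” again, which is the behaviour the paragraph above describes.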

  • FAQ on Synchronized Security Features in v17.5

    Question: How is the new Lateral Movement Protection different from the previous Security Heartbeat auto-isolation?

    The easiest way to describe it is that Security Heartbeat isolates infections at the firewall, and Lateral Movement Protection now isolates at the endpoint level as well.

    Security Heartbeat conditions in firewall rules have been a Synchronized Security feature of XG Firewall since it was introduced, enabling the firewall to isolate compromised devices with a Red or Yellow Heartbeat from other parts of the network at the firewall.  For example, by adding Heartbeat conditions to firewall rules, administrators can automatically isolate an endpoint from the WAN (Internet), DMZ (Servers), or other zones and segments of the network connected through the firewall.

    Lateral Movement Protection extends this feature by also informing all healthy endpoints to further isolate a compromised device at the endpoint. This has the added benefit of working on the same network segment, also known as a broadcast domain or subnet, where endpoint computers are typically connected together through a switch. Lateral Movement Protection can dramatically reduce the exposure to threats spreading within the network.

    Both features isolate endpoints automatically and restore connectivity when the health of the affected device returns to normal.

    Question: How does Lateral Movement Protection Work?

    When a device has a RED Security Heartbeat condition, the MAC addresses of all the device’s network interfaces are shared by the firewall with the other endpoints, which use the Windows Firewall to block all traffic from those MAC addresses.

    Question: How is Lateral Movement Protection Different from Self-Isolation with Intercept X Advanced with EDR?

    Intercept X with EDR provides a self-isolation feature: the compromised device can use the local Windows Firewall on the client to isolate itself.

    Lateral Movement Protection enlists your trusted endpoints to isolate any untrustworthy endpoints, ignoring all traffic from the untrusted device to protect themselves from any attacks or hacks it might try to instigate. Lateral Movement Protection is an essential tool to prevent the spread of threats or attacks, since you can absolutely trust the healthy endpoints to do their part.

    Question: What are the limitations of Lateral Movement Protection?

    Lateral Movement Protection works on flat networks connected through a layer 2 switch or the firewall, which is the vast majority of customer networks out there. It does not support isolation across different subnets or VLANs routed through a managed layer 3 switch. Support for this may be added in the future.

    Question: How does Synchronized User ID work and what limitations does it have?

    Synchronized User ID shares the domain user account information from the machine the user is logged into with the firewall over Security Heartbeat. The firewall then checks this against the configured AD server and activates the user. It only requires that the Active Directory server is configured as an authentication server in XG Firewall. No agents are required on the server or clients. It does not share or utilize any password information. It does not work with other directory services, and it will not recognize “local” users.

    Question: Do these new Synchronized Security Features in v17.5 work on both Windows and Macs?

    Initially they work only on Sophos Central managed Windows endpoints.  Mac support will come in a future update to the Mac Sophos Endpoint client.

    Question:  What Endpoint Release and License do I need to take advantage of these new Synchronized Security features?

    To test these new features, you will require the latest EAP of Sophos Intercept X Advanced with EDR which is currently scheduled to be available starting November 12th.

    All of our Central Endpoint Licenses (Endpoint Protection and all flavours of Intercept X) support Synchronized Security.

    The latest Synchronized Security features in v17.5 will be supported in all of these products as of November 19th following the updated engine release as part of the Intercept X Advanced with EDR release.
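The FAQ answers above describe the Lateral Movement Protection flow (a RED heartbeat causes the firewall to push the device's interface MACs to healthy endpoints, which drop frames from those MACs, and the block is lifted when the device returns to normal) and its flat-network limitation. The following is an added example, not Sophos code and not the real heartbeat protocol, that models that flow in Python so the two consequences can be seen directly: every interface MAC of a RED device is blocked by its peers, and a frame that crosses a routed boundary arrives carrying the router's MAC, so a MAC-based block on the receiver cannot identify the original sender. The class names, the sample endpoints, MACs, subnets and the router MAC are all constructed assumptions; only a RED heartbeat triggers the block here, as the FAQ states, and YELLOW is deliberately left to firewall rules.

```python
from dataclasses import dataclass, field

GREEN, YELLOW, RED = "green", "yellow", "red"
ROUTER_MAC = "00:00:5e:00:53:ff"   # hypothetical gateway MAC (IANA documentation range)


@dataclass
class Endpoint:
    """A managed endpoint with a host firewall that can drop frames by source MAC."""
    name: str
    subnet: str
    ip: str
    macs: frozenset                      # MACs of all of the device's interfaces
    health: str = GREEN
    blocked_macs: set = field(default_factory=set)
    received: list = field(default_factory=list)

    def deliver(self, src_mac, src_ip, payload):
        """Inbound check: True if accepted, False if dropped by the MAC block list."""
        if src_mac in self.blocked_macs:
            return False
        self.received.append((src_ip, payload))
        return True


class HeartbeatHub:
    """Stands in for the firewall: collects heartbeat colours and pushes the block
    list (MACs of every RED device) to every endpoint that is not itself RED."""

    def __init__(self):
        self.endpoints = {}

    def register(self, ep):
        self.endpoints[ep.name] = ep

    def report_health(self, name, colour):
        self.endpoints[name].health = colour
        self._push_block_list()

    def _push_block_list(self):
        # Only a RED heartbeat triggers isolation; YELLOW is left to firewall rules.
        red_macs = set()
        for ep in self.endpoints.values():
            if ep.health == RED:
                red_macs |= ep.macs
        for ep in self.endpoints.values():
            if ep.health != RED:          # a compromised device is not trusted to enforce
                ep.blocked_macs = set(red_macs)


class Network:
    """Toy forwarding: within a subnet the frame carries the sender's MAC; across a
    routed boundary the router rewrites the source MAC to its own."""

    def __init__(self, hub):
        self.hub = hub

    def send(self, src_name, dst_name, payload, via_mac=None):
        src = self.hub.endpoints[src_name]
        dst = self.hub.endpoints[dst_name]
        src_mac = via_mac or min(src.macs)
        if src.subnet != dst.subnet:
            src_mac = ROUTER_MAC
        return dst.deliver(src_mac, src.ip, payload)


def run_scenario():
    """Constructed sample scenario; returns whether each probe was accepted."""
    hub = HeartbeatHub()
    victim = Endpoint("pc-victim", "10.0.1.0/24", "10.0.1.10",
                      frozenset({"02:00:00:00:00:01", "02:00:00:00:00:02"}))  # wired + Wi-Fi
    peer = Endpoint("pc-peer", "10.0.1.0/24", "10.0.1.11", frozenset({"02:00:00:00:00:03"}))
    remote = Endpoint("pc-remote", "10.0.2.0/24", "10.0.2.10", frozenset({"02:00:00:00:00:04"}))
    for ep in (victim, peer, remote):
        hub.register(ep)
    net = Network(hub)
    out = {}
    out["green_same_subnet"] = net.send("pc-victim", "pc-peer", "smb-probe")
    hub.report_health("pc-victim", YELLOW)
    out["yellow_same_subnet"] = net.send("pc-victim", "pc-peer", "smb-probe")
    hub.report_health("pc-victim", RED)
    out["red_same_subnet"] = net.send("pc-victim", "pc-peer", "smb-probe")
    out["red_second_nic"] = net.send("pc-victim", "pc-peer", "smb-probe",
                                     via_mac="02:00:00:00:00:02")
    out["red_cross_subnet"] = net.send("pc-victim", "pc-remote", "smb-probe")
    hub.report_health("pc-victim", GREEN)
    out["restored"] = net.send("pc-victim", "pc-peer", "smb-probe")
    out["peer_block_list_after_restore"] = sorted(peer.blocked_macs)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The cross-subnet probe is the case the limitations answer refers to: the remote endpoint receives the frame from the router's MAC, so the pushed block list never matches and isolation there still depends on Heartbeat conditions in the firewall rules that sit between the subnets.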

  • If you are using Lateral Movement Detection you must already be using the Sophos Central endpoint, which arrives with "Device Self Isolation" (part of the Endpoint EAP) alongside Lateral Movement Prevention. It's like the computer also self-isolates itself from everything else in the event of a change in health status (managed and unmanaged), only allowing DNS, BOOTP/DHCP and traffic generated by Sophos processes outside. This is in addition to the XG updating the other endpoints not to communicate with the infected computer. This is again an endpoint feature that can be enabled with a simple check box, and LMD is just in its initial release on the firewall side; like Jan mentioned, we will add more capabilities for LMD.
