While some may miss the concept of a command line interface (CLI) and a serial/Telnet connection to configure a security appliance, most adopters of the XG product line probably would not even know what a CLI is. That is the actual point of the product: to make enterprise-level security simple, effective and automatic.
Management and Administration
An extensive feature set of security technologies hides behind the product's management console, which strives to keep things easy to understand and does a pretty good job of translating technical jargon into something understandable by people who aren't security experts.
Take, for example, the main management dashboard, which is referred to as the "Network Security Control Center" and functions as a starting point for anything an administrator would look to do on a security appliance. Simple menus, colorful icons and graphical representations of activity make it very easy to comprehend network (and endpoint) security health at just a glance.
If an administrator wants to delve into the security posture of the network, for instance, a quick click on the reports section exposes details about risky applications, detected intrusion attempts and other elements that impact the overall security health of the network components.
Other notable capabilities include the ability to quickly drill down to the esoteric details surrounding security policies, such as the number of user attempts to visit questionable Websites or the user threat quotient, which is a measurement of activity that relates to security exceptions encountered.
As with many security products, defining access policies proves to be a critical, yet complex setup consideration. However, Sophos goes one step further than many other security products by making policy definition very simple, thanks to a plethora of predefined policies and a wizard-driven interface that provides administrators with guided steps to create effective policies.
In practice, the Sophos Security Heartbeat gathers security statistical data from all monitored devices connected to the network and performs real-time analysis of the code being executed, the access profile being used and any related data. Using that information, the product is able to offer a visual representation of the security status of a given element on the network.
That visualization can be compared to a traffic light, where green is good, yellow means caution and red means stop. Actually, in Sophos' case, red means there is a problem. That information (or color) is represented as a "health status" and is directly tied into the product's active remediation capabilities.
For example, the Sophos NGEP was able to automatically detect and remediate locally introduced well-known threats in seconds, changing the endpoint's health status to red, and then back to green after remediation. The Security Heartbeat automatically notified the appliance of the endpoint's change in health status, which triggered firewall-applied policies to isolate the endpoint from the network until the endpoint was remediated.
Automated isolation and remediation extends well beyond known threats. Sophos is also able to tackle complex, previously unseen threats that can impact a network. A case in point is the product's ability to identify unknown malware by tracking network behavior.
When suspicious behavior is detected, the appliance blocks network access and uses the information provided by the Security Heartbeat to identify the endpoint, the user and the application. A series of automated processes then takes place, in which the user is notified of the issue immediately, the endpoint's health state changes to red and automated remediation is attempted (the malware is stopped and removed).
Once remediated, the workstation's health status returns to green and normal operation can resume. The entire process only takes a few seconds, and requires no administrator intervention.
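The heartbeat-driven isolation cycle described above (green endpoint allowed, red endpoint cut off from the network, access restored once the health status returns to green) can be modelled as a small policy engine. The following Python is an added illustration written for this article; it is not Sophos code and does not reproduce the XG firewall's actual rule format. The zone names, the health ranking, the stale-heartbeat timeout and the always-reachable "remediation" zone are assumptions made for the example; the endpoint names and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List

class Health(Enum):
    """Traffic-light health status reported by the endpoint agent."""
    GREEN = "green"
    YELLOW = "yellow"
    RED = "red"

# Lower rank is healthier; a zone is reachable if the endpoint's rank
# is at or below the zone's required rank.
HEALTH_RANK = {Health.GREEN: 0, Health.YELLOW: 1, Health.RED: 2}

# Assumed zone policy for the example: internet needs green, LAN tolerates
# yellow, and the remediation zone (update/cleanup servers) is always open
# so an isolated endpoint can still be cleaned.
ZONE_REQUIREMENT = {"internet": Health.GREEN, "lan": Health.YELLOW}

@dataclass
class Heartbeat:
    endpoint: str   # hypothetical endpoint identifier
    user: str       # logged-on user reported with the heartbeat
    health: Health
    ts: float       # seconds; constructed clock for the example

@dataclass
class Verdict:
    action: str     # "allow" or "isolate"
    reason: str

class HeartbeatPolicyEngine:
    """Firewall-side view: keeps the last heartbeat per endpoint and
    decides per zone whether traffic is allowed or the host is isolated."""

    def __init__(self, stale_after: float = 60.0):
        self.stale_after = stale_after          # assumed timeout
        self.last: Dict[str, Heartbeat] = {}
        self.events: List[str] = []             # health transitions, for the admin log

    def ingest(self, hb: Heartbeat) -> None:
        prev = self.last.get(hb.endpoint)
        self.last[hb.endpoint] = hb
        if prev is None or prev.health != hb.health:
            before = prev.health.value if prev else "none"
            self.events.append(
                f"{hb.endpoint} user={hb.user} health {before} -> {hb.health.value}")

    def evaluate(self, endpoint: str, zone: str, now: float) -> Verdict:
        hb = self.last.get(endpoint)
        if hb is None:
            return Verdict("isolate", "no heartbeat ever received")
        if now - hb.ts > self.stale_after:
            # Edge case: a silent agent is treated as untrusted, not as healthy.
            return Verdict("isolate", "heartbeat stale")
        if zone == "remediation":
            return Verdict("allow", "remediation zone always reachable")
        required = ZONE_REQUIREMENT.get(zone)
        if required is None:
            return Verdict("isolate", f"zone {zone} not in policy")
        if HEALTH_RANK[hb.health] <= HEALTH_RANK[required]:
            return Verdict("allow", f"health {hb.health.value} meets {zone} requirement")
        return Verdict("isolate", f"health {hb.health.value} below {zone} requirement")

def run_scenario() -> List[str]:
    """Walk one endpoint through detect -> isolate -> remediate -> restore."""
    eng = HeartbeatPolicyEngine()
    out = []
    eng.ingest(Heartbeat("ws-01", "alice", Health.GREEN, 0))
    out.append(eng.evaluate("ws-01", "internet", 1).action)      # allow
    eng.ingest(Heartbeat("ws-01", "alice", Health.RED, 5))       # malware detected
    out.append(eng.evaluate("ws-01", "internet", 6).action)      # isolate
    out.append(eng.evaluate("ws-01", "lan", 6).action)           # isolate
    out.append(eng.evaluate("ws-01", "remediation", 6).action)   # allow
    eng.ingest(Heartbeat("ws-01", "alice", Health.GREEN, 9))     # remediated
    out.append(eng.evaluate("ws-01", "internet", 10).action)     # allow
    out.append(eng.evaluate("ws-01", "internet", 200).action)    # isolate (stale)
    out.append(eng.evaluate("ws-99", "lan", 10).action)          # isolate (unknown host)
    return out

if __name__ == "__main__":
    engine_run = run_scenario()
    print(engine_run)
```

The two defensive defaults worth noting are that an endpoint with no heartbeat, or a stale one, is isolated rather than assumed healthy, and that the remediation zone stays reachable so the cleanup step the article describes can actually complete while the host is otherwise cut off.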
The adoption of Sophos' Security Heartbeat will bring much-needed automation and simplicity to SMEs seeking to prevent intrusions, malware and other threats from impacting user operations. What's more, the process of synchronizing endpoint and network security into a unified management paradigm delivers additional value and makes Sophos' security appliances much more intelligent and able to proactively deal with threats.