Inside of every enterprise are multiple endpoints and potential attack surfaces that represent areas of security risk. Taking the digital pulse of an enterprise’s security posture, across the attack surface, is the goal of Sophos’ new synchronized security effort.
The synchronized security initiative includes both hardware and software to enable a capability that Sophos is branding as the Sophos Security Heartbeat. The basic purpose of the Security Heartbeat is to provide visibility into the current state of an organization’s security posture, based on intelligence coming from multiple sources, including endpoints and next-generation firewalls.
“Security Heartbeat is a direct connection between our endpoints and our network devices where the endpoint sends a stream of information on a regular basis to the network devices,” Dan Schiappa, senior vice president of the end user security group at Sophos, told eWEEK.
As part of the synchronized security effort, Sophos is releasing a new series of Next Generation Firewall (NGFW) appliances dubbed the XG series. The XG series is the successor to Sophos’ current-generation SG series firewall and introduces new software that enables synchronized security. At the core of the XG appliances is a heavily customized and stripped-down version of Linux, Schiappa said. The XG benefits from technologies that Sophos from its acquisition of Cyberoam Technologies in 2014, he added.
Sophos’ endpoint protection software sends information to the XG firewalls via a proprietary bidirectionally encrypted direct channel. That information includes the health state of the endpoint. The information also identifies the user who is authenticated on a given endpoint at a particular point in time, as well as visibility into which endpoint process is generating network traffic.
The XG firewall now can set policy based on the health of a particular endpoint. So when suspicious traffic is seen by the firewall, thanks to the Security Heartbeat, the system is aware of which endpoint, process and user is responsible.
By having visibility into which process generated malicious traffic, the XG firewall can send a request to the endpoint to do a deeper inspection of the process and potentially identify a zero-day security issue.
“We can also take that intelligence and use it to proactively protect other endpoints in the environment,” Schiappa said.
The XG firewall works with the Sophos endpoint software and is managed by way of the Sophos cloud, which is a unified management capability.
With Security Heartbeat, an administrator now gets visibility into how many devices have a “beating heart” (that is, are transmitting heartbeat information), and are also given a green, yellow or red status. “Red is when we’ve detected the endpoint to be compromises, and yellow is when we have determined that an endpoint is either out of compliance or it has a suspicious process,” Schiappa said.
From a competitive perspective, multiple vendors including Symantec and Intel Security have recently introduced new technologies to provide end-to-end visibility and control. Symantec announced its new Advanced Threat Protection (ATP) service, while Intel Security announced its McAfee Endpoint Security 10.x platform.
Sophos, in Schiappa’s view, is taking a different approach with synchronized security than Symantec and Intel Security by connecting products directly together.
“The products speak to one another directly and provide actionable intelligence, which allows for automatic response,” Schiappa said. “Further, the information we pass from the endpoint to the XG firewall vastly increases the investigation time of a compromise because we are providing critical information in real time, such as device address, user and the process generating the network traffic.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.