IT security vendor Sophos has raised the bar on unified security by bringing together an array of security technologies in a package that melds firewall intelligence with endpoint analytics.
The company brought the platform to market under the name “Sophos Security Heartbeat,” which describes the link that lets endpoints running Sophos security products share status with the company’s security appliances, so that the two act as one coordinated system rather than as separate products.
Perhaps a better explanation lies in what security unification between the endpoint and a unified threat management (UTM) system means in the context of Sophos’s offering. In simple terms, an endpoint has its own local security application (anti-malware, anti-rootkit, etc.), which helps to protect the endpoint while also communicating with a central security appliance.
That two-way exchange is aimed at anomaly detection: the endpoint can report something suspicious to the appliance, and the appliance can inspect the suspect traffic and apply policy to contain it.
What’s more, the appliance can gauge the effect of that traffic on the network, applications and services, and then use the results to look for the same behavior on other endpoints or other parts of the network. Its unified view of traffic and activity across the network, combined with integrated machine learning capabilities, is meant to surface anomalies quickly and, more importantly, act on them in real time.
Going Hands-On with the Sophos XG Series
Sophos XG is actually a family of next-generation firewalls (NGFWs) that share a common core feature set, including traffic shaping, policy-based rule execution, traffic anomaly detection, Web filtering, intrusion detection and intrusion prevention.
In essence, any member of the Sophos XG family functions as a UTM appliance and is designed around the concepts of ease of use and automation. Sophos gained the firewall and related threat-management technology through its acquisitions of Astaro and Cyberoam.
While there are many models in the Sophos XG family, the primary difference between them is scale. For example, the entry-level XG85, designed for small offices, has just four GbE copper ports and is rated at 2Gbps throughput.
In contrast, the top-of-the-line XG750 is rated for 140Gbps throughput and sports as many as 64 GigE ports, as well as support for 10Gbps Ethernet. While the raw processing power and connectivity are vastly different between those two extremes, the underlying software is much the same, which means the feature set is universal across the whole product line.
I visited Sophos’s Vancouver office to test the XG’s capabilities and evaluate the feature set of the product line. Most of my testing was done on a Sophos XG 125W, which is rated for 5Gbps raw throughput, includes eight GbE copper ports and incorporates an 802.11b/g/n/ac 2.4/5 GHz Wi-Fi AP.
It is worth noting that XG series devices with integrated Wi-Fi offer a complete set of Wi-Fi security controls and fully integrate the NGFW capabilities into the Wi-Fi AP, so wireless clients are subject to the same policy as wired ones. I was able to test connectivity to a variety of endpoints, both wired and wireless, to evaluate how the XG 125W functioned in a simulated small enterprise environment.
Installation and Setup
Within a few minutes of unpacking the device it was clear that ease of use is a priority in the XG product line; the device is almost plug-and-play to set up. I say “almost” only because whoever installs the device must have a basic understanding of network cabling and know how to change their management system’s IP address in order to reach the browser-based setup wizard.
That said, it is important to note that the XG family defaults to an initial management address of 172.16.16.16 rather than the all-too-common 192.168.0.1 so many appliances use today, so the management workstation needs an address on that network before the wizard can be opened.
That caveat aside, all setup and management of the device is accomplished using a browser-based GUI, which incorporates setup wizards to keep things surprisingly simple.
Sophos Unifies Edge, Endpoint Threat Management in Security Package
While some may miss having a command line interface (CLI) and a serial or telnet connection for configuring a security appliance, most adopters of the XG product line probably would not even know what a CLI is. That is the actual point of the product: to make enterprise-level security simple, effective and automatic.
Management and Administration
An extensive feature set of security technologies hides behind the product’s management console, which strives to keep things easy to understand and does a pretty good job of translating technical jargon into something understandable by people who aren’t security experts.
Take, for example, the main management dashboard, which is referred to as the “Network Security Control Center” and functions as a starting point for anything an administrator would look to do on a security appliance. Simple menus, colorful icons and graphical representations of activity make it very easy to comprehend network (and endpoint) security health at just a glance.
If an administrator wants to delve into the security posture of the network, for instance, a quick click on the reports section exposes details about risky applications, detected intrusion attempts and other elements that affect the overall security health of the network components.
Other notable capabilities include the ability to drill down quickly into the finer details behind security policies, such as the number of times a user tried to visit questionable Websites, or the user threat quotient, a measure of how much of a user’s activity has triggered security exceptions.
As with many security products, defining access policies proves to be a critical, yet complex setup consideration. However, Sophos goes one step further than many other security products by making policy definition very simple, thanks to a plethora of predefined policies and a wizard-driven interface that provides administrators with guided steps to create effective policies.
In practice, Sophos Security Heartbeat gathers status data from every monitored device on the network and analyzes in real time the code being executed, the access profile in use and any related data. From that information, the product presents a visual representation of the security status of each element on the network.
That visualization works like a traffic light: green is good, yellow means caution and red, in Sophos’ case, means there is a problem. That color is reported as the element’s “health status” and is tied directly into the product’s active remediation capabilities.
For example, the Sophos NGEP (next-generation endpoint protection) agent automatically detected and remediated locally introduced, well-known threats in seconds, changing the endpoint’s health status to red and then back to green after remediation. Security Heartbeat automatically notified the appliance of the endpoint’s change in health status, which triggered firewall policies to isolate the endpoint from the network until it was remediated.
Automated isolation and remediation extends well beyond known threats. Sophos also is able to tackle complex, previously unseen threats that can impact a network. Case in point is the product’s ability to identify unknown malware by tracking network behavior.
When suspicious behavior is detected, the appliance blocks the endpoint’s network access and uses the information supplied by Security Heartbeat to identify the endpoint, the user and the application involved. A series of automated steps then follows: the user is notified immediately, the endpoint’s health status changes to red and automated remediation is attempted (the malware is stopped and removed).
Once remediated, the workstation’s health status returns to green and normal operation resumes. The entire process takes only a few seconds and requires no administrator intervention.
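To make the sequence above concrete, here is an added illustration of heartbeat-driven isolation in Python. It is not Sophos code and does not reflect the real Heartbeat protocol: the JSON message format, field names, zone names, the 90-second timeout and the sample heartbeats are all assumptions constructed for the example. It models the firewall side only: health transitions (green, yellow, red) drive the policy decision, a replayed older “green” heartbeat cannot lift the isolation of a red host, and a host whose agent goes silent is treated as red rather than trusted on its last known state.

```python
import json
from dataclasses import dataclass, field
from enum import Enum


class Health(str, Enum):
    GREEN = "green"    # no issues
    YELLOW = "yellow"  # caution: something suspicious, not confirmed
    RED = "red"        # problem: threat detected, isolate the host


@dataclass
class Endpoint:
    host: str
    ip: str
    user: str
    health: Health = Health.GREEN
    last_seq: int = -1       # highest heartbeat sequence number accepted
    last_seen: float = 0.0   # time of the last accepted heartbeat


@dataclass
class Firewall:
    """Firewall-side view of endpoint health, keyed by hostname (toy model)."""
    heartbeat_timeout: float = 90.0   # seconds without a heartbeat; assumed value
    endpoints: dict = field(default_factory=dict)
    events: list = field(default_factory=list)

    def ingest_heartbeat(self, raw: str, now: float) -> Health:
        """Consume one heartbeat line (JSON; the format is an assumption)."""
        msg = json.loads(raw)
        ep = self.endpoints.setdefault(
            msg["host"], Endpoint(msg["host"], msg["ip"], msg["user"]))
        # A replayed or delayed older heartbeat must not override a newer one;
        # otherwise a stale "green" would un-isolate a host that is now red.
        if msg["seq"] <= ep.last_seq:
            self.events.append(f"{ep.host}: dropped stale heartbeat seq={msg['seq']}")
            return ep.health
        ep.last_seq, ep.last_seen, ep.user = msg["seq"], now, msg["user"]
        new = Health(msg["health"])
        if new is not ep.health:
            self.events.append(f"{ep.host} ({ep.user}) {ep.health.value} -> "
                               f"{new.value}: {msg.get('reason', '')}")
            ep.health = new
        return ep.health

    def sweep(self, now: float) -> list:
        """Force hosts whose agent has gone silent to red; returns their names."""
        quarantined = []
        for ep in self.endpoints.values():
            if ep.health is not Health.RED and now - ep.last_seen > self.heartbeat_timeout:
                self.events.append(f"{ep.host}: no heartbeat for "
                                   f"{now - ep.last_seen:.0f}s, forcing red")
                ep.health = Health.RED
                quarantined.append(ep.host)
        return quarantined

    def allow(self, src_ip: str, dst_zone: str) -> bool:
        """Policy decision for a new flow from src_ip into dst_zone."""
        ep = next((e for e in self.endpoints.values() if e.ip == src_ip), None)
        if ep is None or ep.health is Health.RED:
            # No agent (so no heartbeat) or an isolated host: only the
            # cleanup/update service is reachable.
            return dst_zone == "remediation"
        if ep.health is Health.YELLOW:
            # Caution: keep the host on the LAN, off the internet.
            return dst_zone in ("lan", "remediation")
        return True


# Constructed heartbeat capture (not real Sophos traffic): infection,
# isolation, a replayed pre-infection "green" that must be ignored, cleanup.
SAMPLE_HEARTBEATS = [
    (0.0, '{"host":"ws-042","ip":"10.0.5.42","user":"alice","seq":7,"health":"green"}'),
    (15.0, '{"host":"ws-042","ip":"10.0.5.42","user":"alice","seq":8,"health":"red",'
           '"reason":"malware quarantined (constructed sample)"}'),
    (20.0, '{"host":"ws-042","ip":"10.0.5.42","user":"alice","seq":7,"health":"green"}'),
    (33.0, '{"host":"ws-042","ip":"10.0.5.42","user":"alice","seq":9,"health":"green",'
           '"reason":"remediated"}'),
]


def run_demo() -> list:
    """Replay the sample; return (seq, health, internet allowed, remediation allowed)."""
    fw = Firewall()
    decisions = []
    for t, raw in SAMPLE_HEARTBEATS:
        health = fw.ingest_heartbeat(raw, now=t)
        decisions.append((json.loads(raw)["seq"], health.value,
                          fw.allow("10.0.5.42", "internet"),
                          fw.allow("10.0.5.42", "remediation")))
    return decisions


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The replayed seq 7 in the sample is the check worth keeping in any real deployment of this pattern: if the firewall accepted health messages without ordering (or, in a real system, without authenticating the agent), an attacker on a compromised host could simply re-send an old “green” to escape isolation.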
Conclusions
The adoption of Sophos’s Security Heartbeat will bring much-needed automation and simplicity to SMEs seeking to prevent intrusions, malware and other threats from impacting user operations. What’s more, the process of synchronizing endpoint and network security into a unified management paradigm delivers additional value and makes Sophos’ security appliances much more intelligent and able to proactively deal with threats.