Sophos Firewall v21.5 introduces an industry first: Network Detection and Response (NDR) integrated with a firewall.
Why NDR is Important
Network Detection and Response (NDR) is a category of network security products designed to detect abnormal traffic behavior, helping identify active adversaries operating on the network.
Skilled attackers are very effective at evading detection, but they ultimately need to move across or communicate out of the network to carry out an attack.
NDR typically sits within the network, utilizing sensors that monitor and analyze network traffic moving both north-south (in and out) and east-west (laterally across the network) to identify suspicious activity.
NDR products have been around for many years, and Sophos NDR has been part of our MDR/XDR portfolio since early 2023. With SFOS v21.5, however, we are integrating NDR directly with Sophos Firewall, an industry first, and making it available at no extra charge to Sophos Firewall XGS Series customers with Xstream Protection.
Integrating NDR with a next-gen Firewall may seem like an obvious choice, but no one has done it before. The challenge is doing it in a way that doesn’t impact the performance of the firewall.
NDR requires significant processing power for its various AI traffic analysis engines. As a result, we’ve taken the novel approach of deploying an NDR solution in the Sophos Cloud to offload the heavy lifting from the firewall.
A new firewall era: detection and response
Until now, most firewalls have been focused on prevention – or keeping active adversaries and threats off the network. But we all know it’s a matter of when, not if, a threat will get through the perimeter defenses and start compromising the network.
In these situations, detection and response times are critical. However, most firewall solutions out there are simply unable to do anything. They have limited visibility into what’s traversing the internal network, and even if they discover a threat attempting to communicate out, they are ill-equipped to provide any kind of response.
This is what separates Sophos Firewall from the rest. Sophos has long been a pioneer in automated threat response with technology like Synchronized Security and Active Threat Response. Sophos Firewall also uniquely integrates threat intelligence from other Sophos products and multiple external sources to detect and identify threats sooner.
These threat feeds can come from our own Sophos X-Ops team, from an MDR or XDR analyst, from a third-party threat intelligence source, and now from NDR. As a result, Sophos Firewall has broader and deeper detection and, more importantly, automated response capabilities that can stop attacks in their tracks, coordinating in real time with other Sophos products such as endpoints, switches, and wireless access points.
Sophos Firewall is pioneering a new era of firewall capabilities ideally suited for XDR and MDR threat detection and response use cases.
How Sophos Firewall and NDR work together
Sophos Firewall captures metadata from TLS-encrypted traffic and DNS queries and sends that information to our new NDR Essentials solution in the Sophos Cloud, where the data is analyzed using the AI-powered Domain Generation Algorithm (DGA) and Encrypted Payload Analysis (EPA) engines.
EPA is revolutionary in its ability to detect malicious encrypted payloads without performing TLS decryption – a very powerful innovation.
The vast majority of threats use encryption to communicate across and out of the network, yet only a small subset of organizations in the mid-market utilize TLS decryption to inspect this traffic.
This is because TLS inspection is intensive, can cause usability issues, and presents its own security challenges. As a result, most organizations are running blind to encrypted traffic.
That’s why the encrypted traffic analysis performed by NDR using an AI convolutional neural network (CNN) is so important: it analyzes the traffic without decrypting it, so it avoids the performance, usability, and security trade-offs of TLS inspection while restoring visibility into this traffic.
DGA detects new and unusual domains generated algorithmically, which are often a key indicator of compromise. Once on the network, malware may generate many candidate domains algorithmically and systematically query them to find one that resolves to a live command-and-control server. This probing triggers a detection before the outbound channel is even established.

Sophos Firewall makes NDR super easy: NDR Essentials detections are scored on a range from 1 (low risk) to 10 (highest risk) and returned to the Firewall via the threat feeds API, which is part of the firewall’s Active Threat Response capability.
The administrator decides which risk score sets the threshold for an alert based on their particular environment. The recommended default is high-risk (9-10).
All detections scored 6 or higher are logged, but only those meeting or exceeding the configured threshold trigger notifications and are shown as alerts on the new Control Center dashboard widget (pictured). Detections scored below 6 are more likely to be false positives and are therefore not logged.
No NDR Essentials detections are blocked at this time, but this may be an option in the future. All detections are fully accessible via the Active Threat Response report available both on-box and via Sophos Central Firewall Reporting.
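To make the two pieces above concrete, here is an added example (not Sophos code, and not the NDR Essentials DGA or EPA engines) that runs a toy DGA heuristic over a few constructed DNS log lines and then applies the score policy the post describes: scores of 6 and above are logged, scores at or above the administrator's threshold (default 9) raise an alert, and nothing is blocked. The entropy, digit-ratio and vowel-ratio weights, the NXDOMAIN "probing burst" bonus, the log format, and the requirement that the threshold lie in 6..10 are all assumptions made for this illustration; Sophos's own scoring is a trained model and is not described in the post.

```python
"""Added example: toy DGA scoring plus the log/alert threshold policy described in the post.
Not Sophos code; the heuristic and log format are assumptions for illustration only."""
import math
from collections import Counter

LOG_FLOOR = 6                # post: detections scored >= 6 are logged
DEFAULT_ALERT_THRESHOLD = 9  # post: recommended default alert threshold is high risk (9-10)
VOWELS = set("aeiou")

# Constructed sample DNS log: "<timestamp> <client_ip> <queried_name> <rcode>".
# Client 10.0.0.45 probes several random-looking names until one resolves.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.12 www.example.com NOERROR
2024-05-01T10:00:02Z 10.0.0.12 mail.example.com NOERROR
2024-05-01T10:00:03Z 10.0.0.45 xk3q9vz7t1bp.net NXDOMAIN
2024-05-01T10:00:03Z 10.0.0.45 q8dl2mzyv0rh.net NXDOMAIN
2024-05-01T10:00:04Z 10.0.0.45 f7ytp1kxz3wq.net NXDOMAIN
2024-05-01T10:00:04Z 10.0.0.45 r2mjq6vz0kxd.net NOERROR
2024-05-01T10:00:05Z 10.0.0.77 cdn.example.org NOERROR
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random labels score higher than dictionary words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def second_level_label(domain: str) -> str:
    """'xk3q9vz7t1bp' from 'xk3q9vz7t1bp.net' (simplified: no public-suffix handling)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def domain_score(domain: str) -> int:
    """Toy risk score 1 (low) .. 10 (highest) for one queried name (assumed weights)."""
    label = second_level_label(domain)
    if len(label) < 6:
        return 1
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    raw = max(0.0, shannon_entropy(label) - 2.5) * 4  # entropy above typical words
    raw += digit_ratio * 4                             # digits mixed into the label
    raw += max(0.0, 0.25 - vowel_ratio) * 8            # unpronounceable, vowel-poor labels
    return max(1, min(10, round(1 + raw)))


def build_detections(log_text: str) -> list:
    """Score every query and aggregate per client; a burst of NXDOMAIN answers for
    suspicious names (the 'try candidates until one resolves' pattern) raises the score."""
    per_client = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, name, rcode = line.split()
        score = domain_score(name)
        if score < LOG_FLOOR:
            continue  # benign-looking name, nothing to record for this query
        entry = per_client.setdefault(
            client, {"client": client, "score": 1, "domains": [], "nxdomain": 0})
        entry["domains"].append(name)
        entry["score"] = max(entry["score"], score)
        if rcode == "NXDOMAIN":
            entry["nxdomain"] += 1
    detections = []
    for entry in per_client.values():
        if entry["nxdomain"] >= 3:
            entry["score"] = min(10, entry["score"] + 2)
        detections.append(entry)
    return detections


def triage(detections: list, alert_threshold: int = DEFAULT_ALERT_THRESHOLD):
    """Apply the post's policy: >= 6 logged, >= threshold alerted, nothing blocked.
    A threshold below the log floor could never fire, so it is rejected (assumption)."""
    if not LOG_FLOOR <= alert_threshold <= 10:
        raise ValueError("alert threshold must be between 6 and 10")
    logged = [d for d in detections if d["score"] >= LOG_FLOOR]
    alerts = [d for d in logged if d["score"] >= alert_threshold]
    return logged, alerts


if __name__ == "__main__":
    found = build_detections(SAMPLE_DNS_LOG)
    logged, alerts = triage(found)
    for d in logged:
        tag = "ALERT" if d in alerts else "log"
        print(f"{tag:5} client={d['client']} score={d['score']} "
              f"nxdomain={d['nxdomain']} names={d['domains']}")
```

Running it logs and alerts on 10.0.0.45 only: its random-looking names each score around 8 or 9 on their own, and the three NXDOMAIN answers push the client to 10. Lowering the threshold to 6 would alert on anything logged, which is why the post recommends starting at 9-10 and tuning down only if the environment stays quiet.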
The result: better detection and response times
The result of this innovative approach to integrating NDR with Sophos Firewall is that customers get quicker and deeper insights into active adversaries operating on their network in the early stages of an attack so they can shut them down before they become a serious problem.
The combination of Sophos NDR Essentials, Active Threat Response, and Synchronized Security with Sophos Firewall enables a potential response to an active threat in seconds or minutes compared to days with other solutions.
Sophos Firewall is once again pioneering new innovations with network security that create better cybersecurity outcomes for partners and customers – and delivering the ultimate value by offering these innovations at no extra charge.
Learn more
Watch this demo video for more insights into how NDR Essentials works with Sophos Firewall:
Learn more about what’s new with Sophos Firewall v21.5.