The latest version of Sophos Firewall v21 introduces external threat intelligence source integration for the Active Threat Response feature.
Active Threat Response first shipped in v20 and added a flexible threat intelligence feed framework to Sophos Firewall, letting the firewall react to incoming threats on its own. At launch it supported dynamic threat feeds from Sophos X-Ops and Sophos MDR, so the firewall could automatically block any threat those feeds identified.
The existing feeds cover most users, but some industries and regions treat tailored threat feeds as essential. Partners, SOC providers, and a range of customers have asked for an adaptable threat feed mechanism that integrates with the threat detection and response solutions they already run or plan to deploy.
To meet these requirements, Sophos Firewall v21 extends the threat intelligence feed framework to third-party threat sources. Specialized or tailored feeds can be added to the firewall, which then monitors for the listed indicators and automatically blocks matching activity across all security modules (IPS, DNS, Web, and AV) without additional firewall rules.
A match against a third-party threat feed in Active Threat Response also triggers the same Synchronized Security response as any other critical Security Heartbeat status. Sophos Firewall applies any firewall rules associated with a red Heartbeat condition and coordinates Lateral Movement Protection with Sophos Endpoints, so every healthy managed endpoint is notified of the compromised LAN host and blocks traffic from it.
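Because a feed match can isolate a LAN host through the red-Heartbeat response, the list the firewall pulls should contain only indicators you actually want blocked. The script below is an added example, not Sophos code and not part of the original post: it merges raw indicator lists into one clean feed, dropping private, reserved and unspecified addresses (a stray 192.168.x.x or 0.0.0.0 in a feed would otherwise turn the automatic response against your own network), refanging defanged entries, and deduplicating. It assumes the firewall fetches a plain-text file with one IP, domain or URL per line and `#` comment lines; the input is a constructed sample in the shapes public IP, URL and domain lists commonly use, and no real feed is contacted.

```python
"""
Added example (not Sophos code): normalize raw third-party indicator lists into a
single plain-text feed before a firewall pulls it.

Assumptions (labelled here and in the lead-in):
  * the firewall fetches a text file with one indicator per line and ignores
    lines starting with '#';
  * RAW_FEED is a constructed sample imitating common public feed layouts.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: a merged download from several public lists might look like this.
RAW_FEED = """\
# botnet C2 style list: one IPv4 per line, '#' comments
185.220.101.4
192.168.1.10
0.0.0.0
# URL list style: full URLs, sometimes defanged
http://malicious.example/payload.exe
hxxp://defanged.example/loader.bin
# domain list with a CSV trailer
evil-cdn.example,malware
185.220.101.4
not a valid indicator!!!
"""

DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def refang(value):
    """Undo common defanging so the indicator is machine-usable."""
    return (value.replace("hxxp://", "http://").replace("hxxps://", "https://")
                 .replace("[.]", ".").replace("(.)", "."))


def classify(value):
    """Return ('ip'|'domain'|'url', normalized_value) or None if unusable."""
    value = refang(value.strip())
    if not value:
        return None
    # IP addresses: only public, routable unicast space is accepted. A feed
    # carrying 0.0.0.0 or RFC1918 space would make the firewall block, and
    # the Heartbeat response isolate, hosts on its own LAN.
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        pass
    else:
        if ip.is_global and not ip.is_multicast:
            return ("ip", str(ip))
        return None
    # URLs: require http(s) and a syntactically valid host.
    if "://" in value:
        parts = urlsplit(value)
        if parts.scheme in ("http", "https") and parts.hostname \
                and DOMAIN_RE.match(parts.hostname):
            return ("url", value)
        return None
    # Bare domains.
    if DOMAIN_RE.match(value.lower()):
        return ("domain", value.lower())
    return None


def build_feed(raw_text):
    """Parse raw feed text. Returns (accepted, rejected): accepted is a sorted,
    deduplicated list of (kind, value) tuples; rejected keeps the raw lines."""
    accepted, rejected, seen = [], [], set()
    for line in raw_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Some lists append CSV columns such as ",malware"; keep the first field.
        candidate = line.split(",", 1)[0]
        result = classify(candidate)
        if result is None:
            rejected.append(line)
        elif result[1] not in seen:
            seen.add(result[1])
            accepted.append(result)
    return sorted(accepted), rejected


def render_feed(accepted):
    """The file the firewall fetches: a header comment, then one indicator per line."""
    return "# generated feed\n" + "\n".join(value for _, value in accepted) + "\n"


if __name__ == "__main__":
    ok, bad = build_feed(RAW_FEED)
    print(render_feed(ok))
    print("rejected:", bad)
```

Serve the rendered file over HTTPS from a host the firewall trusts and point the third-party feed entry at it; review the rejected list periodically, since a source that starts emitting junk or internal addresses is itself a signal worth investigating.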
Watch the brief video below for a comprehensive demonstration on:
- Configuration of third-party threat feeds
- Operational functionality of Active Threat Response and lateral movement protection
- Utilizing the new dashboarding and reporting features
For further details, refer to the online documentation.
A wide range of specialized and industry-specific threat feeds is supported, including feeds from security vendors, industry groups, and community-driven or open-source threat intelligence platforms. GreyNoise, for example, documents the Sophos Firewall integration on its own platform.
Additional reputable sources include:
- Cisco Talos
- Abuse.ch / URLhaus
- Hakk Solutions
- OSINT (Open-source Intelligence) / DigitalSide
- CINS Score
- CrowdSec
- EclecticIQ
- Feodo Tracker
- And more!
Embrace the advanced capabilities of Sophos Firewall v21 by participating in the Early Access Program. Simply register for the program, follow the email link to download the firmware update package, and complete the installation on your Sophos Firewall.