Sophos Firewall v21 sets an industry milestone by integrating Network Detection and Response (NDR) directly into the firewall.
Definition of NDR
Network Detection and Response (NDR) constitutes a category of network security solutions crafted to identify unusual traffic patterns, aiding in the detection of active threats operating within the network.
Adversaries adept at evading detection can still be traced as they move across the network. NDR sits inside the network and uses sensors to monitor and analyze network activity, flagging suspicious behavior as it occurs.
NDR products have existed for many years, and Sophos NDR has been a cornerstone of our MDR/XDR product suite since early 2023. With SFOS v21.5, we are pioneering the integration of NDR with Sophos Firewall – a groundbreaking move – at no extra cost for Sophos Firewall customers benefiting from Xstream Protection.
Merging NDR with a Next-Gen Firewall may seem like an evident choice. However, the challenge lies in executing this integration without compromising the firewall’s performance, given the significant processing power demanded by NDR traffic analysis. Thus, we’ve adopted an innovative strategy, deploying an NDR solution in the Sophos Cloud to relieve the firewall of this heavier workload.
Essentials of Sophos NDR
Sophos Firewall v21.5 introduces NDR Essentials, our latest cloud-based Network Detection and Response platform. It relies on AI-based detections to identify active adversaries and reports them through the Sophos Firewall threat feeds API under Active Threat Response, keeping you informed of detections and their associated risk.
View this brief demonstration video to witness its functionalities or continue reading for a comprehensive overview:
Operational Mechanism
Sophos Firewall captures metadata from TLS-encrypted traffic and DNS queries, sharing this data with NDR Essentials in the Sophos Cloud.
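The metadata a firewall can extract from encrypted traffic is, in practice, whatever the TLS handshake sends in clear text before encryption starts. The page does not list which fields Sophos Firewall extracts, so the following added example (not Sophos code) assumes the Server Name Indication (SNI), ALPN and offered cipher suites as representative clear-text fields. It constructs a minimal ClientHello record and parses those fields back out of it without touching any encrypted bytes; the builder, the field names and the sample values are all constructed for this example.

```python
import struct

# Assumed, constructed field names: the page does not say which TLS metadata
# Sophos Firewall extracts. SNI, ALPN and the cipher suite list are sent in
# clear text in the ClientHello and are visible to a passive observer.
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SNI = 0
EXT_ALPN = 16


def _need(buf, pos, n):
    """Raise on truncated input instead of silently reading short."""
    if pos + n > len(buf):
        raise ValueError("truncated record at offset %d" % pos)
    return buf[pos:pos + n]


def build_client_hello(sni, cipher_suites, alpn):
    """Construct a minimal TLS 1.2-style ClientHello record (test input only)."""
    name = sni.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", EXT_SNI, len(sni_list)) + sni_list
    alpn_entries = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
    alpn_list = struct.pack("!H", len(alpn_entries)) + alpn_entries
    alpn_ext = struct.pack("!HH", EXT_ALPN, len(alpn_list)) + alpn_list
    exts = sni_ext + alpn_ext
    body = (
        b"\x03\x03"                                   # client_version TLS 1.2
        + bytes(32)                                   # random (zeroed, constructed)
        + b"\x00"                                     # empty session_id
        + struct.pack("!H", 2 * len(cipher_suites))
        + b"".join(struct.pack("!H", c) for c in cipher_suites)
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract clear-text handshake metadata from a TLS ClientHello record."""
    if record[0:1] != bytes([TLS_HANDSHAKE]):
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", _need(record, 3, 2))[0]
    hs = _need(record, 5, rec_len)
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = _need(hs, 4, int.from_bytes(hs[1:4], "big"))

    meta = {"version": "0x%04x" % struct.unpack("!H", _need(body, 0, 2))[0],
            "cipher_suites": [], "sni": None, "alpn": [], "extensions": []}
    pos = 34                                          # skip version + 32-byte random
    pos += 1 + _need(body, pos, 1)[0]                 # session_id
    cs_len = struct.unpack("!H", _need(body, pos, 2))[0]
    pos += 2
    cs = _need(body, pos, cs_len)
    meta["cipher_suites"] = [struct.unpack("!H", cs[i:i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + _need(body, pos, 1)[0]                 # compression methods
    if pos == len(body):
        return meta                                   # legacy client, no extensions
    ext_len = struct.unpack("!H", _need(body, pos, 2))[0]
    pos += 2
    end = pos + ext_len
    while pos < end:
        etype, elen = struct.unpack("!HH", _need(body, pos, 4))
        pos += 4
        data = _need(body, pos, elen)
        pos += elen
        meta["extensions"].append(etype)
        if etype == EXT_SNI:
            meta["sni"] = _parse_sni(data)
        elif etype == EXT_ALPN:
            meta["alpn"] = _parse_alpn(data)
    return meta


def _parse_sni(data):
    list_len = struct.unpack("!H", _need(data, 0, 2))[0]
    p = 2
    while p < 2 + list_len:
        name_type = data[p]
        nlen = struct.unpack("!H", _need(data, p + 1, 2))[0]
        name = _need(data, p + 3, nlen)
        p += 3 + nlen
        if name_type == 0:                            # host_name entry
            return name.decode("ascii", errors="replace")
    return None


def _parse_alpn(data):
    list_len = struct.unpack("!H", _need(data, 0, 2))[0]
    protos, p = [], 2
    while p < 2 + list_len:
        plen = data[p]
        protos.append(_need(data, p + 1, plen).decode("ascii", errors="replace"))
        p += 1 + plen
    return protos


if __name__ == "__main__":
    rec = build_client_hello("example.com", [0x1301, 0x1302, 0xC02F], ["h2", "http/1.1"])
    print(parse_client_hello(rec))
```

Every length field is bounds-checked before it is read, so a truncated or malformed record raises instead of producing a partial, misleading result; a sensor that feeds a cloud analysis pipeline should fail loudly on bad input rather than emit metadata it only guessed at.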
This data is then analyzed by multiple AI engines, which detect malicious encrypted payloads without requiring TLS decryption and identify new, unusual domains generated by algorithms, a pattern that often indicates a security compromise.
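To show what "domains generated through algorithms" look like in DNS query data, here is an added example (not Sophos code and not the AI engine the page describes) that applies a simple character-statistics heuristic to a few constructed DNS query log lines. The log format, the sample names and the threshold values are my own assumptions; a real engine uses learned models rather than fixed cut-offs.

```python
import math
import re

VOWELS = set("aeiou")

# Constructed DNS query log lines: "<timestamp> <client_ip> <qtype> <qname>".
# The format and every value below are invented for this example.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 A www.example.com
2024-05-01T10:00:02Z 10.0.0.5 A xk3j9fq2lwz8ctr.com.
2024-05-01T10:00:03Z 10.0.0.7 AAAA internationalbusiness.example
2024-05-01T10:00:04Z 10.0.0.7 A qwzxkvbnrtplmjh.net
2024-05-01T10:00:05Z 10.0.0.9 A mail.example.org
"""


def shannon_entropy(s):
    """Bits of entropy per character of the string."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Second-level label of a query name (simplification: assumes a one-label TLD)."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def label_features(label):
    if not label:
        return {"length": 0, "entropy": 0.0, "vowel_ratio": 0.0, "digit_ratio": 0.0}
    return {
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "vowel_ratio": round(sum(c in VOWELS for c in label) / len(label), 3),
        "digit_ratio": round(sum(c.isdigit() for c in label) / len(label), 3),
    }


def looks_generated(label, min_len=10, min_entropy=3.0, max_vowel_ratio=0.25):
    """Assumed thresholds: long, high-entropy, vowel-poor labels are suspicious."""
    f = label_features(label)
    return (f["length"] >= min_len
            and f["entropy"] >= min_entropy
            and f["vowel_ratio"] <= max_vowel_ratio)


LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def flag_queries(log_text):
    """Return (client_ip, qname) for every query whose label looks generated."""
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # skip malformed lines rather than crash
        _ts, client, _qtype, qname = m.groups()
        if looks_generated(registrable_label(qname)):
            flagged.append((client, qname.rstrip(".")))
    return flagged


if __name__ == "__main__":
    for client, qname in flag_queries(SAMPLE_DNS_LOG):
        print(client, qname, label_features(registrable_label(qname)))
```

The vowel-ratio condition is there for a reason: entropy alone scores a long dictionary compound such as internationalbusiness above 3 bits per character, which is why single-feature rules produce the false positives that a risk score is meant to suppress.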

Metadata extraction is performed by a new, lightweight engine embedded in the Xstream FastPath. Note that this capability is available exclusively on XGS Series hardware firewalls. Virtual, software, and cloud firewalls may receive NDR integration in future releases, but not in v21.5.

NDR Essentials threat feed management parallels your other threat feeds (Sophos X-Ops, MDR, and third-party feeds) in the firewall’s Active Threat Response segment, depicted in the provided screenshot. Setting up is straightforward: activate it, choose internal interfaces for monitoring, set a minimum detection risk threshold, and you’re good to go!
Detections by NDR Essentials are graded from 1 (low risk) to 10 (highest risk). Users can set the alert threshold based on their environment, with the default recommendation being high-risk (9-10).
Detections scoring less than 6, often false positives, are not logged. Notifications and alerts are only triggered for those meeting or surpassing your predefined threshold and appear on the new Control Center dashboard widget.
No NDR Essentials detections are blocked currently, but this may be an option in the future. The entire set of detections is accessible via the Active Threat Response report, accessible both on-box and via Sophos Central Firewall Reporting.
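The risk-threshold behaviour described above (scores from 1 to 10, nothing below 6 logged, alerts only at or above the configured threshold, default 9) can be modelled as a small triage policy. The following is an added example, not Sophos code; the detection records, engine abbreviations and interface names are constructed, and only the numeric rules come from the page.

```python
LOG_FLOOR = 6            # page: detections scoring below 6 are not logged
DEFAULT_THRESHOLD = 9    # page: recommended default is high risk (9-10)

# Constructed detections. "risk" follows the page's 1 (low) to 10 (highest)
# scale; ids, interface names and engine labels are invented for illustration.
SAMPLE_DETECTIONS = [
    {"id": "d1", "interface": "LAN", "engine": "DGA", "risk": 3},
    {"id": "d2", "interface": "LAN", "engine": "PAYLOAD", "risk": 6},
    {"id": "d3", "interface": "DMZ", "engine": "DGA", "risk": 8},
    {"id": "d4", "interface": "LAN", "engine": "PAYLOAD", "risk": 9},
    {"id": "d5", "interface": "DMZ", "engine": "PAYLOAD", "risk": 10},
]


def triage(detections, threshold=DEFAULT_THRESHOLD, monitored=None):
    """Split detections into discarded / logged / alerted per the page's rules.

    monitored: optional set of interface names selected for monitoring;
    detections on other interfaces are never evaluated.
    """
    if not 1 <= threshold <= 10:
        raise ValueError("threshold must be between 1 and 10")
    result = {"discarded": [], "logged": [], "alerted": []}
    for d in detections:
        if monitored is not None and d["interface"] not in monitored:
            continue
        risk = d["risk"]
        if not 1 <= risk <= 10:
            raise ValueError("risk out of range for %s" % d["id"])
        if risk < LOG_FLOOR:
            result["discarded"].append(d["id"])   # likely false positive, dropped
            continue
        result["logged"].append(d["id"])          # 6 and above reach the report
        if risk >= threshold:
            result["alerted"].append(d["id"])     # dashboard widget + notification
    return result


def widget_summary(detections, threshold=DEFAULT_THRESHOLD):
    """Count alert-level detections per interface, as a dashboard widget might."""
    effective = max(threshold, LOG_FLOOR)         # cannot alert on what is never logged
    counts = {}
    for d in detections:
        if d["risk"] >= effective:
            counts[d["interface"]] = counts.get(d["interface"], 0) + 1
    return counts


if __name__ == "__main__":
    print(triage(SAMPLE_DETECTIONS))
    print(widget_summary(SAMPLE_DETECTIONS))
```

Lowering the threshold below 6 changes nothing, because the logging floor is applied first; a team that wants to see medium-risk detections should tune the threshold down to 6 or 7 and review the Active Threat Response report, accepting the higher false-positive rate that comes with it.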
Comparison: NDR Essentials vs. Sophos NDR
Essentially, Sophos NDR Essentials serves as a scaled-down version of Sophos NDR.
Sophos NDR comprehensively monitors and identifies suspicious activity anywhere in the network, covering both external (north-south) and internal (east-west) flows. NDR Essentials is designed to inspect traffic passing through the firewall at the network's gateway, so it does not provide the same granular visibility into internal flows.
Sophos NDR houses an array of five distinct AI detection engines. In the current iteration of NDR Essentials, we have implemented the two engines crucial for gateway traffic inspection: the Encrypted Payload Analysis engine and the Domain Generation Algorithm engine. This expanded engine set enables Sophos NDR to offer deeper coverage and enhanced detection capabilities compared to NDR Essentials.
In conclusion, NDR Essentials provides an invaluable additional security layer for Sophos Firewall, devoid of extra charges or performance sacrifices. Nevertheless, it cannot replace a full-fledged Sophos NDR deployment for customers leveraging our XDR platform or MDR service.
For advanced detection insights and threat hunting functionalities, exploring Sophos Extended Detection and Response (XDR) featuring the complete Sophos NDR and the all-new NDR Investigation Console is highly recommended.
Consider complementing your operations with our comprehensive 24/7 Managed Detection and Response service. These offerings synergize seamlessly with your Sophos Firewalls.
Commence Today
Embark on your journey with this groundbreaking capability in Sophos Firewall v21.5 by enrolling in the early access program. Simply register, follow the emailed link to download the firmware update package, and install it on your Sophos Firewall.
