Presenting Proactive Threat Response for Sophos Switch/Sophos Wireless (AP6)
Active Threat Response comes with fresh features for our network access layer products, Sophos Switch and Sophos Wireless (only AP6 Series).
The management of corporate networks has become increasingly complex due to the diverse range of both controlled and uncontrolled, wired and wireless devices connecting to them. Just monitoring the managed devices is no longer sufficient; being capable of blocking connectivity for potentially suspicious unmanaged hosts, such as IoT devices that might be targeted by botnets, is now essential.
According to the first MSP Perspectives 2024 report commissioned by Sophos, the major perceived cybersecurity risks faced by Managed Service Providers (MSPs) are insecure wireless networking and a lack of cybersecurity skills/expertise.
Active Threat Response and our unified approach aim to mitigate both of these risks by streamlining security management and extending the security of wired and wireless networks beyond the capabilities of network infrastructure products.
The identification of unauthorized devices is a well-known concept in the wireless domain, typically associated with detecting rogue APs, where a rogue device is often defined as a device connected to a rogue AP. Rogue device detection can be prone to false alarms, so caution is advised when using automation, to avoid disruptions. Active Threat Response differs: access points and switches receive specific, verified threat data from distinct, trusted sources.
A threat feed triggered by an API, containing the MAC addresses of potentially compromised hosts, can be transmitted to any Sophos Central account. Once activated, the threat feed is automatically disseminated throughout the network to update all Sophos switches and AP6 access points.
These devices react by isolating the compromised hosts, thereby cutting off their communication. Although MAC-based filtering cannot completely prevent MAC spoofing, it does provide time for mitigation and thwarts lateral movement, which is often the primary objective when unmanaged devices are targeted.
The source of the threat feed could be any of several Sophos solutions such as Sophos MDR, Sophos XDR, or Sophos NDR. Moreover, our public API extends this feature to customers using third-party security solutions.
Active Threat Response for Sophos Switch and Sophos Wireless differs from the features provided by Sophos Firewall. The firewall offers distinct response actions and automation, partly relying on synchronized security functionality in conjunction with Sophos-managed endpoints.
Utilizing Active Threat Response on Sophos Switch, Sophos Wireless, and Sophos Firewall collectively guarantees superior protection at every network layer.
Active Threat Response introduces a unique aspect to the Sophos ecosystem story, showcasing the advantages of consolidating security with a single provider and utilizing a unified management platform. This boosts our customers’ security stance and reinforces our channel partners’ ability to offer and support a wider array of solutions and services.
For Active Threat Response to be operational, the Sophos Central account activating it must maintain a valid support subscription for each AP6 access point and/or Sophos switch. Customers can enable this feature for Sophos Wireless and Sophos Switch separately.
To receive threat feeds, the customer must also possess a supported Sophos solution/service or a third-party solution that can deliver threat information using the public API.
Customers who manage their own Sophos solutions will need some understanding of APIs in this preliminary release. The API is utilized to ingest threat feed data and also offers means to manage and update the list of isolated hosts. In forthcoming releases, additional management and configuration options will be integrated into Sophos Central, making this feature accessible to network administrators of all skill levels.
Active Threat Response is presently available for all Sophos AP6 Series and Switch customers who manage their devices via Sophos Central (and have a valid support subscription).
For more details regarding Active Threat Response, please visit our website at Sophos.com/Wireless or Sophos.com/Switch.